[GH-ISSUE #1326] Question: BASE URL environment variable on docker image #2324

Closed
opened 2026-03-01 17:58:12 +03:00 by kerem · 2 comments
Owner

Originally created by @tomasvanagas on GitHub (Jan 17, 2024).
Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/1326

Hello, I am trying to run the ArchiveBox Docker container with a base URL (for example "domain.com/archivebox"), but I can't find how.

Does ArchiveBox have this functionality? If not, perhaps you have any experience on how this could be achieved?

Thank you

kerem closed this issue 2026-03-01 17:58:13 +03:00
Author
Owner

@pirate commented on GitHub (Jan 17, 2024):

Unfortunately it's not allowed for security reasons: https://github.com/ArchiveBox/ArchiveBox/issues/724#issuecomment-1448573113

Archived JS can access your cookies and anything else hosted on the same domain, so to limit the potential impact it should always be hosted on a separate subdomain or port. You can then serve a redirect from `302 domain.com/archivebox -> archivebox.domain.com`.

It's the same reason why user-uploaded content is stored on `xxx.googleusercontent.com` instead of `google.com`, or `raw.githubusercontent.com` instead of `github.com`, most big companies don't keep arbitrary untrusted web content on the same domain (even subdomain) as trusted application code. https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html

(and any other archiving tool that offers this feature should also be scrutinized to make sure they handle this security risk properly, I only know of one or two that do)
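
The isolation argument in the comment above, worked through as an added example (not part of the original thread and not ArchiveBox code): for each hosting layout it reports whether archived pages share an origin with the main site and which of the main site's cookies the browser would attach to them. The cookie names, port 8443 and the host `archivebox-content.example` are constructed for illustration; cookie `Path` and `Secure` attributes are ignored.

```javascript
// Added example: which main-site cookies can a page served from archiveUrl reach?
// All hostnames and cookies below are constructed sample data.

// RFC 6265 domain-match: a host-only cookie needs an exact host match;
// a cookie set with a Domain attribute also matches every subdomain.
function cookieMatchesHost(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

function archiveExposure(appUrl, archiveUrl, appCookies) {
  const app = new URL(appUrl);
  const archive = new URL(archiveUrl);
  // Cookies are not scoped by port, so only the hostname is compared here.
  const sent = appCookies.filter((c) => cookieMatchesHost(c, archive.hostname));
  return {
    // true: archived JS shares DOM access, storage and same-origin fetch with the app
    sameOrigin: app.origin === archive.origin,
    cookiesSent: sent.map((c) => c.name),
    // HttpOnly cookies are still sent with requests but hidden from document.cookie
    readableByScript: sent.filter((c) => !c.httpOnly).map((c) => c.name),
  };
}

const APP_URL = "https://domain.com/";
const APP_COOKIES = [
  { name: "sessionid", domain: "domain.com", hostOnly: true, httpOnly: true },
  { name: "prefs", domain: "domain.com", hostOnly: true, httpOnly: false },
  { name: "sso", domain: "domain.com", hostOnly: false, httpOnly: false }, // Domain=domain.com
];
const LAYOUTS = {
  path: "https://domain.com/archivebox/",
  port: "https://domain.com:8443/",
  subdomain: "https://archivebox.domain.com/",
  otherDomain: "https://archivebox-content.example/",
};

function exposureByLayout() {
  const out = {};
  for (const [name, url] of Object.entries(LAYOUTS)) {
    out[name] = archiveExposure(APP_URL, url, APP_COOKIES);
  }
  return out;
}

console.log(JSON.stringify(exposureByLayout(), null, 2));
```

In this sample only the path layout is same-origin; a different port separates the origin but still receives every cookie, and the subdomain still receives the cookie that was set with a `Domain` attribute.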

Author
Owner

@tomasvanagas commented on GitHub (Jan 17, 2024):

Thank you for a quick reply, haven't thought about this
