@marcan don’t get me wrong I use HA and appreciate the contributions of every developer. But sometimes they make odd decisions [1]. Keeping the hardcoded links is bad, but refusing PRs and locking the conversation is just mind boggling to me.
[1] https://github.com/home-assistant/architecture/issues/156#issuecomment-478183627
@Mietz right, more elaboration, and maybe not only - but there's no easy way to solve it:
when the index.html is loaded, it has to find the path to all the assets, so, many developers make the assumption that it will always be running on the root so just use /index.js or whatever, and this, for the most part, just works.
and you can't just use ./index.js because that will break as soon as you navigate to a different directory (either via traditional navigation or SPA nav)
you can, either store a config in the browser telling the web app where the , which is how Jellyfin does it iirc, which has the issue of you have to find the initial config (or ask the user), implement a custom asset loader, handle issues where the config on the server is out of sync of the client - basically a lot of work
or, modify the html files on the server - which is janky and requires you to add a html parser on the server, and can lead to issues with updates
@tay @Mietz @marcan It is also the only secure choice.
Security boundaries in HTTP are designed around origins. So multiple applications within an origin are part of the same security domain and can compromise all.
So only supporting / as base also enforces a separate security domain.
And sorry, if you can configure one domain name, you can configure multiple, and create multiple security domains.
Nils
taylor 
waldi