Hello schemers,
Lassi asked me to forward this information here. When you have a domain
that works like a top-level domain (TLD) such as .org or .com you don't
want to allow e.g. mallory.tld to set or read cookies for alice.tld. This
is important for the security of the web sites, as they can otherwise
access each other's user data.
So browsers need to know which domain names operate as TLDs. The domain
name .scheme.org is going to be acting in the same way as a TLD, so e.g.
mallory.scheme.org will be able to set and read cookies for
alice.scheme.org, unless something is done about this.
Fortunately there is a fix for the problem. Some TLDs already have
sub-domains where all user domains go, like .co.uk, so browsers can't
just use the heuristic of looking for a single dot. Instead they have a
list of suffixes (like .co.uk or .debian.net). This is called the Public
Suffix List.
I recommend that the owner of scheme.org requests the domain to be added
to the Public Suffix List. The web site is <https://publicsuffix.org/>.
Having the domain on the list will ensure that browsers deal with it
correctly.
--
Göran Weinholt | https://weinholt.se/
Debian Developer | 73 de SA6CJK
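To make the cookie problem concrete, here is an added example (not part of the message above, and not code from scheme.org, publicsuffix.org or any browser) that implements the Public Suffix List matching algorithm and the RFC 6265 section 5.3 check a browser applies to a Set-Cookie Domain attribute. The PSL fragment embedded below is constructed for the example, not the real list; everything else follows the published algorithm (exception rule wins, otherwise the longest matching rule, implicit "*" rule when nothing matches). It shows the outcome both without and with a "scheme.org" entry.

```python
"""Public Suffix List matching and the cookie Domain-attribute check.

Added illustration: a minimal PSL matcher (https://publicsuffix.org/list/)
plus RFC 6265 section 5.3 steps 5-6, used to show why a hosting domain such
as scheme.org must be on the list before browsers scope cookies correctly.
"""

# Constructed PSL fragment for the example (NOT the real list).  Rule syntax
# is the PSL's own: plain suffixes, "*." wildcard rules, "!" exception rules.
PSL_WITHOUT_SCHEME_ORG = """
// ===BEGIN ICANN DOMAINS===
com
org
uk
co.uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
debian.net
"""

# Same fragment after the hypothetical request to add scheme.org is granted.
PSL_WITH_SCHEME_ORG = PSL_WITHOUT_SCHEME_ORG + "scheme.org\n"


def parse_psl(text):
    """Return the list of lower-cased rules, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if line:
            rules.append(line.lower().rstrip("."))
    return rules


def public_suffix(host, rules):
    """Public suffix of `host` per the PSL algorithm.

    Rules are matched label by label from the right.  An exception rule wins
    over any other match; otherwise the rule with the most labels wins; a host
    matching no rule falls under the implicit "*" rule (its last label).
    """
    labels = host.lower().rstrip(".").split(".")
    best = None  # (is_exception, number_of_suffix_labels)
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue
        pairs = zip(reversed(rule_labels), reversed(labels))
        if not all(r == "*" or r == h for r, h in pairs):
            continue
        # An exception rule's public suffix is the rule minus its first label.
        n = len(rule_labels) - 1 if exception else len(rule_labels)
        candidate = (exception, n)
        if best is None or candidate > best:
            best = candidate
    n = 1 if best is None else best[1]
    return ".".join(labels[-n:])


def is_public_suffix(domain, rules):
    return public_suffix(domain, rules) == domain.lower().rstrip(".")


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3 domain-matching for host names (IPs ignored here)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def accept_cookie_domain(request_host, domain_attr, rules):
    """RFC 6265 section 5.3 steps 5-6 for a Set-Cookie Domain attribute.

    Returns the effective cookie domain (None means host-only) or raises
    ValueError when a browser rejecting public suffixes would drop the cookie.
    """
    request_host = request_host.lower().rstrip(".")
    domain_attr = domain_attr.lower().lstrip(".").rstrip(".")
    if is_public_suffix(domain_attr, rules):
        if domain_attr == request_host:
            return None  # allowed, but demoted to a host-only cookie
        raise ValueError(f"Domain={domain_attr} is a public suffix; cookie rejected")
    if not domain_matches(request_host, domain_attr):
        raise ValueError(f"{request_host} does not domain-match {domain_attr}")
    return domain_attr


def cookie_leaks(setter, domain_attr, victim, rules):
    """True if a cookie set by `setter` with Domain=domain_attr reaches `victim`."""
    try:
        cookie_domain = accept_cookie_domain(setter, domain_attr, rules)
    except ValueError:
        return False
    if cookie_domain is None:
        return victim.lower() == setter.lower()
    return domain_matches(victim, cookie_domain)


if __name__ == "__main__":
    for label, text in (("without", PSL_WITHOUT_SCHEME_ORG), ("with", PSL_WITH_SCHEME_ORG)):
        rules = parse_psl(text)
        leak = cookie_leaks("mallory.scheme.org", "scheme.org", "alice.scheme.org", rules)
        print(f"{label} scheme.org on the PSL: mallory's Domain=scheme.org cookie "
              f"reaches alice.scheme.org -> {leak}")
```

The interesting case is the Domain attribute, not cookies a page sets for its own host: mallory.scheme.org can never set a cookie scoped to alice.scheme.org directly, but it can set one scoped to scheme.org, and every subdomain then receives it. Once scheme.org is a public suffix that attribute is refused, exactly as Domain=co.uk is refused today.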