Re: Public suffix list Göran Weinholt 29 Nov 2020 09:39 UTC

"Jakub T. Jankiewicz" <xxxxxx@onet.pl> writes:

>> So browsers need to know which domain names operate as TLDs. The domain
>> name .scheme.org is going to be acting in the same way as a TLD, so e.g.
>> mallory.scheme.org will be able to set and read cookies for
>> alice.scheme.org, unless something is done about this.
>
> I don't think that the Web allows setting cookies for different domains; that is
> impossible. There is something called the Origin in the browser, which is domain +
> port + protocol, and cookies are only sent if it's the same. Do you have any
> article that will show this is not the case?
>
> I think that the public suffix is only needed for browsers that hide
> part of the URL. I read somewhere that Chrome is considering doing that; for
> instance, if the page is mallory.scheme.org it will only show scheme.org in the
> address bar, unless the browser is told that scheme.org is like a TLD. This is the
> only reason I know of when this is needed.
>
> There is no security reason why scheme.org would need to be like a TLD,
> unless you have something that will confirm what you're saying.

I should have included a reference for this, of course. I might very
well be wrong in my explanation or maybe my information is out of date,
but I'm referring to "supercookies":

<https://en.wikipedia.org/wiki/HTTP_cookie#Supercookie>

I think this bug report demonstrates quite well how it was before the
PSL: <https://bugzilla.mozilla.org/show_bug.cgi?id=252342>.

This is also one of the reasons for having the PSL, listed on
<https://publicsuffix.org/>:

| It allows browsers to, for example:
|
| * Avoid privacy-damaging "supercookies" being set for high-level
|   domain name suffixes
| * Highlight the most important part of a domain name in the user
|   interface
| * Accurately sort history entries by site

--
Göran Weinholt   | https://weinholt.se/
Debian Developer | 73 de SA6CJK
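As an added illustration of the supercookie point discussed in this thread (this is example code, not part of the original message or of the PSL project), here is a toy model of the cookie Domain-attribute rules from RFC 6265 sections 5.1.3, 5.3 and 5.4, with and without a public suffix entry for scheme.org. The PSL fragment is constructed for the example; real PSL wildcard and exception rules are not modelled.

```python
"""Toy model of RFC 6265 cookie Domain handling, showing why a public
suffix list (PSL) entry stops mallory.scheme.org from planting a cookie
that alice.scheme.org would receive. Example code for this thread; the
PSL fragments below are constructed, not the real list."""

from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed PSL fragments (the real list lives at https://publicsuffix.org/list/).
PSL_WITHOUT_SCHEME_ORG: Set[str] = {"org", "com", "co.uk"}
PSL_WITH_SCHEME_ORG: Set[str] = PSL_WITHOUT_SCHEME_ORG | {"scheme.org"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # canonicalized host the cookie applies to
    host_only: bool   # True when no Domain attribute was given


def domain_match(string: str, domain_string: str) -> bool:
    """RFC 6265 section 5.1.3: does host `string` domain-match `domain_string`?"""
    string = string.lower().rstrip(".")
    domain_string = domain_string.lower().rstrip(".")
    if string == domain_string:
        return True
    looks_like_ipv4 = string.replace(".", "").isdigit()  # rough IP-address check
    return string.endswith("." + domain_string) and not looks_like_ipv4


def accept_cookie(request_host: str, name: str, value: str,
                  domain_attr: Optional[str], psl: Set[str]) -> Optional[Cookie]:
    """RFC 6265 section 5.3 steps 4-6: decide whether a Set-Cookie received from
    request_host with the given Domain attribute is stored. Returns the stored
    cookie, or None when the user agent must ignore it."""
    request_host = request_host.lower().rstrip(".")
    if not domain_attr:
        return Cookie(name, value, request_host, host_only=True)
    domain_attr = domain_attr.lower().strip(".")
    # Step 5: a Domain attribute naming a public suffix is ignored, unless it
    # exactly equals the request host (then the cookie becomes host-only).
    if domain_attr in psl:
        if domain_attr == request_host:
            return Cookie(name, value, request_host, host_only=True)
        return None
    # Step 6: the request host must domain-match the Domain attribute.
    if not domain_match(request_host, domain_attr):
        return None
    return Cookie(name, value, domain_attr, host_only=False)


def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[str]:
    """RFC 6265 section 5.4: names of stored cookies attached to a request for request_host."""
    request_host = request_host.lower().rstrip(".")
    sent = []
    for c in jar:
        if c.host_only:
            if c.domain == request_host:
                sent.append(c.name)
        elif domain_match(request_host, c.domain):
            sent.append(c.name)
    return sent


def demo(psl: Set[str]) -> List[str]:
    """mallory.scheme.org tries to plant a cookie scoped to scheme.org; return
    the cookie names a later request to alice.scheme.org would carry."""
    jar: List[Cookie] = []
    attempts = (
        accept_cookie("mallory.scheme.org", "session", "evil", "scheme.org", psl),
        accept_cookie("mallory.scheme.org", "wide", "x", "org", psl),  # always rejected: .org is public
        accept_cookie("mallory.scheme.org", "own", "y", None, psl),    # host-only, never reaches alice
    )
    jar.extend(c for c in attempts if c is not None)
    return cookies_sent_to(jar, "alice.scheme.org")


if __name__ == "__main__":
    print("without PSL entry:", demo(PSL_WITHOUT_SCHEME_ORG))  # ['session']
    print("with PSL entry:   ", demo(PSL_WITH_SCHEME_ORG))     # []
```

Without the entry, the `session` cookie scoped to `scheme.org` is stored and sent to alice.scheme.org; with `scheme.org` listed as a public suffix, step 5 rejects it, which is the "supercookie" protection the PSL page describes.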