Public Suffix List

Catalog of Internet domain names

The Public Suffix List (PSL) is a community-maintained list of rules that describe the internet domain name suffixes under which independent organisations can register their own sites. Entries on the list are referred to as effective top-level domains (eTLDs), and contain commonly used suffixes like com, net and co.uk, as well as private suffixes like appspot.com and github.io.

The Mozilla Foundation created the PSL for the security and privacy policies of the Firefox web browser, but it is widely used in many different internet technologies with varying success, under the Mozilla Public License (MPL). The list has been shown to have numerous issues to do with privacy and security, mostly caused by applications using outdated versions.

List

A copy of the list is stored by all modern browsers, including Firefox, Chrome and Opera. They use it for features such as allowing cookie registration, detecting domain names in the address bar and site grouping. It is also used in many other tools such as CURL. Services like Let's Encrypt and Cloudflare are known to use it for per-site rate limiting.

According to Mozilla,

A "public suffix" is one under which Internet users can directly register names. Some examples of public suffixes are ".com", ".co.uk" and "pvt.k12.ma.us".

While com, uk, and us are top-level domains (TLDs), Internet users cannot always register the next level of domain, such as "co.uk" or "wy.us", because these may be controlled by domain registrars. By contrast, users can register second level domains within com, such as example.com, because registrars control only the top level. The Public Suffix List is intended to enumerate all domain suffixes controlled by registrars, as well as those controlled privately such as github.io.

An internet site consists of the online resources which can be controlled by the registrant of a domain name. That includes resources available via the domain and all its sub-domains. Two domains are related if they are in the same site, i.e. they share a suffix that is not included in the Public Suffix List.

Security issues like a same-site attack can arise if the Public Suffix List is incorrect, or if browsers or sites are not properly configured.

Some uses for the list are:

Avoiding "supercookies", HTTP cookies set by related-domain attackers for high-level domain name suffixes. In other words, a page at foo.example.co.uk might normally have access to cookies at bar.example.co.uk, but example.co.uk should be walled off from cookies at example2.co.uk, to prevent a same-site attack, since the latter two domains could be registered by different owners.
Finding DMARC policy records for email subdomains.
Highlighting the most important part of a domain name in the user interface.
Improving the sorting of browser history entries by site.

Issues

The PSL has been seen as a tool for a variety of goals related to security, privacy, usability and resource management which can be in tension with each other, leading to maintenance difficulties and operational challenges. Ideas for effective approaches such as dbound, HTTP State Tokens and First Party Sets have been explored without consensus yet on good alternatives.

In 2021, privacy enhancements in iOS 14.5 related to Apple's Identifier for Advertisers and unclear guidance from Facebook led to a flood of inappropriate requests for domains to be added to the Public Suffix List.

From "Additional Background Information for dbound" (Murray Kucherawy, IETF working group, 13 April 2015):

The PSL is maintained by a web browser producer and is kept current by volunteers on a best-effort basis. It contains a list of points in the hierarchical namespace at which registrations take place, and is used to identify the boundary between so-called "public" names (below which registrations can occur, such as ".com" or ".org.uk") and the private names (organizational names) that domain registrars create within them.
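
The site boundary and the outdated-list problem described above, worked through as an added example (not code from the original article or from the PSL project). The rule set is a small constructed subset, the function names are hypothetical, and the wildcard and exception rules go beyond what the text covers.

```python
# Constructed subset of PSL rules, for illustration only. Real code should load
# a current copy of the list rather than embed one that goes stale.
SAMPLE_PSL = """
// comment lines start with two slashes
com
uk
co.uk
us
pvt.k12.ma.us
github.io
*.ck
!www.ck
"""

def parse_rules(text):
    """Return (rules, exceptions) parsed from PSL-format text."""
    rules, exceptions = set(), set()
    for line in (raw.strip().lower() for raw in text.splitlines()):
        if not line or line.startswith("//"):
            continue
        (exceptions if line.startswith("!") else rules).add(line.lstrip("!"))
    return rules, exceptions

def public_suffix(domain, rules, exceptions):
    """Apply PSL matching: exceptions win, then the longest rule, then '*'."""
    labels = domain.lower().rstrip(".").split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))]  # longest first
    for i, name in enumerate(names):
        if name in exceptions:  # exception: drop the rule's leftmost label
            return ".".join(labels[i + 1:])
    for i, name in enumerate(names):
        if name in rules or ".".join(["*"] + labels[i + 1:]) in rules:
            return name
    return labels[-1]  # implicit default rule "*"

def site_of(domain, rules, exceptions):
    """Registrable domain (public suffix plus one label); None for a bare suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules, exceptions).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def same_site(a, b, rules, exceptions):
    """Two names are related when they share the same registrable domain."""
    site_a, site_b = site_of(a, rules, exceptions), site_of(b, rules, exceptions)
    return site_a is not None and site_a == site_b

RULES, EXCEPTIONS = parse_rules(SAMPLE_PSL)
# A stale copy that predates the github.io entry (constructed for the demo).
STALE_RULES = RULES - {"github.io"}
```

With the stale rule set, alice.github.io and bob.github.io collapse into one site, which is the failure mode the article attributes to applications using outdated versions of the list.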


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.