Public Suffix List/Uses: Difference between revisions
Tomfitzhenry (talk | contribs) |
(→To Be Investigated: all workers are origin-bound) |
||
| Line 80: | Line 80: | ||
* It is possible to configure Firefox such that whether a Referer is sent can depend on whether the two sites are in the same registered domain. | * It is possible to configure Firefox such that whether a Referer is sent can depend on whether the two sites are in the same registered domain. | ||
* Providers are distinguished from each other in the Social API via registered domain. | * Providers are distinguished from each other in the Social API via registered domain. | ||
==Standards== | ==Standards== | ||
Revision as of 07:40, 23 May 2014
This page attempts to list all the known uses of the Public Suffix List, to help us work out what problems any replacement for it would need to solve.
The PSL website has a list, on which this one is based, and this data may migrate there later.
In this document, the "registered domain" is the part of a domain consisting of the public suffix plus one additional label. ("Registered" can also be "Registrable" if the domain is not yet registered; we ignore this for linguistic convenience.)
The modern PSL has two sections, the ICANN area and the PRIVATE area, delimited by structured comments. Most applications use both areas without distinction; if an application uses only one or the other, that is noted (where known).
The PRIVATE area exists because some registered domain owners wish to delegate subdomains to mutually-untrusting parties, and therefore wish to have them occupy different origins, as far as web browsers are concerned. Getting added to the PSL is an effective way to accomplish this. Entries in this part of the PSL come from many pseudo-NICs such as CentralNIC (owner of e.g. eu.com and us.org), and companies such as Amazon, Google, GitHub, Heroku, Microsoft and Red Hat, who provide cloud services. They are segregated into a different part of the PSL because some applications need to distinguish between the two types.
Browsers
Many of the uses in browsers boil down to their need to distinguish which sites are controlled by the same entity and which are not, for example to implement the Same Origin Policy, or some equivalent.
Common
Cookies
Browsers restrict the domains for which cookies can be set, to avoid "supercookies" being set for e.g. "co.uk", which would allow sites to track users across multiple domains owned by different entities.
Local Storage Objects
For reasons identical to cookies, browsers restrict the domains for which Local Storage Objects (LSOs) can be set to domains.
document.domain
The document.domain attribute is used to enable pages on different hosts of a domain to access each others' DOMs. Browsers restrict the values to which the document.domain property can be set, to maintain the same origin policy. See the HTML5 spec for the algorithm.
URL Bar
Both Firefox and Chrome highlight the registered domain within the UI when displaying a page address.
General UI
Both Firefox and Chrome make use of the PSL to order entries within their interfaces for managing cookies and local data.
Chrome
URL Bar
Chrome uses a combined search and URL bar. "name-shaped" queries - such as foo.com - query the PSL to determine whether the entered text is likely a search or a domain name. A term of "com" will be treated as a search for the phrase "com", because the term does not resolve to a registered domain (as it is just a public suffix). A term for "foo.com" is treated as a navigation, because it does contain a registered domain ("foo.com")
For this purpose, PRIVATE domains are ignored, permitting navigation to domains like "appspot.com", which are listed within the private section.
Certificates
Chrome will reject wildcard certificates (*.foo.bar) if foo.bar is a Public Suffix.
For this purpose, PRIVATE domains are ignored, permitting certificates for domains like "*.appspot.com"
Safe Browsing
Chrome uses the PSL to restrict Safe Browsing exceptions to registered domains. That is, if a domain is believed to have hosted malware/phishing, and a user chooses to proceed, that exception is remembered at the level of a registered domain.
For this purpose, PRIVATE domains are ignored, although this may change in the future.
Multi-process Architecture
Chrome implements of a multi-process architecture involving a singular "browser" process and multiple "renderer" processes. It uses the PSL to identify pages that cannot script each other, helping to determine when to create a new renderer process.
It does not make a distinction between private domains and ICANN-delegated domains.
SDCH
Chrome implements Shared Dictionary Compression over HTTP (SDCH) [1]. It uses the PSL to determine whether or not a given dictionary may be shared between services.
It does not make a distinction between private domains and ICANN-delegated domains.
Firefox
Downloads
Firefox uses the registered domain to sort entries in the Download Manager.
DOM Storage Manager and Permissions
Firefox sets quotas in the DOM Storage Manager, and sets other site-based permissions, based on registered domain.
Miscellaneous
- In login prompts, the displayed domain name is stripped back to the registered domain.
- It is possible to configure Firefox such that whether a Referer is sent can depend on whether the two sites are in the same registered domain.
- Providers are distinguished from each other in the Social API via registered domain.
Standards
CAB Forum Baseline Requirements
The CAB Forum Baseline Requirements, in section 11.1.3, require that CAs, before issuing a wildcard certificate, make sure that such a certificate is not for *.public.suffix, e.g. *.co.uk. (Or, that the entity actually owns the entirety of the public suffix, which could be true for suffixes in the PRIVATE area).
DMARC
The DMARC draft RFC uses the PSL to determine the "organizational domain". This is where the DMARC algorithm looks for DNS records relating to DMARC. (This usage should probably exclude the PRIVATE area, but the draft does not currently say that it should.)
HTML5
As noted above, the HTML5 standard references the PSL when defining how the document.domain property should be implemented.
Other
Services
- WhoisMind uses the PSL to get the registered domain name out of inputted URLs.
- Certificate Transparency Watch uses the PSL to allow querying for all SSL certificate for domains, but not TLDs. For example, http://api.ct-watch.tom-fitzhenry.me.uk/domain/mozilla.org 200s, but http://api.ct-watch.tom-fitzhenry.me.uk/domain/org 404s .
Programming Languages and Libraries
- The Go Language uses the public suffix to determine whether or not Internet users can register domain names under the given domain.
- Guava provides an interface for Java applications to query the Public Suffix List
- publicsuffix is a Python library based on the PSL.
- tldextract is another Python library.
- libsoup contains a tld-parser.py which appears to consume the PSL. It is apparently based on a tld-parser.c.