Public Suffix List/Uses: Difference between revisions
(Created page with "This page attempts to list all the known uses of the Public Suffix List, to help us work out what problems any replacement for it would need to solve. The PSL website has [ht...") |
No edit summary |
||
| Line 11: | Line 11: | ||
==Browsers== | ==Browsers== | ||
===Cookies=== | ===Common=== | ||
====Cookies==== | |||
Browsers restrict the domains for which cookies can be set, to avoid "supercookies" being set for e.g. "co.uk", which would allow sites to track users across multiple domains owned by different entities. | Browsers restrict the domains for which cookies can be set, to avoid "supercookies" being set for e.g. "co.uk", which would allow sites to track users across multiple domains owned by different entities. | ||
===document.domain=== | ====Local Storage Objects==== | ||
For reasons identical to cookies, browsers restrict the domains for which Local Storage Objects (LSOs) can be set to domains. | |||
====document.domain==== | |||
The document.domain attribute is used to enable pages on different hosts of a domain to access each others' DOMs. Browsers restrict the values to which the document.domain property can be set, to maintain the same origin policy. [http://www.w3.org/TR/html5/browsers.html#dom-document-domain See the HTML5 spec for the algorithm]. | The document.domain attribute is used to enable pages on different hosts of a domain to access each others' DOMs. Browsers restrict the values to which the document.domain property can be set, to maintain the same origin policy. [http://www.w3.org/TR/html5/browsers.html#dom-document-domain See the HTML5 spec for the algorithm]. | ||
===URL Bar=== | ====URL Bar==== | ||
Both Firefox and Chrome highlight the registered domain within the UI when displaying a page address. | |||
====General UI==== | |||
Both Firefox and Chrome make use of the PSL to order entries within their interfaces for managing cookies and local data. | |||
===Chrome=== | |||
=== | ====URL Bar==== | ||
Chrome uses a combined search and URL bar. "name-shaped" queries - such as foo.com - query the PSL to determine whether the entered text is likely a search or a domain name. A term of "com" will be treated as a search for the phrase "com", because the term does not resolve to a registered domain (as it is just a public suffix). A term for "foo.com" is treated as a navigation, because it does contain a registered domain ("foo.com") | |||
For this purpose, PRIVATE domains are ignored, permitting navigation to domains like "appspot.com", which are listed within the private section. | |||
=== | ====Certificates==== | ||
Firefox uses the registered domain to sort entries in the Download Manager | Chrome will reject wildcard certificates (*.foo.bar) if foo.bar is a Public Suffix. | ||
For this purpose, PRIVATE domains are ignored, permitting certificates for domains like "*.appspot.com" | |||
====Safe Browsing==== | |||
Chrome uses the PSL to restrict Safe Browsing exceptions to registered domains. That is, if a domain is believed to have hosted malware/phishing, and a user chooses to proceed, that exception is remembered at the level of a registered domain. | |||
For this purpose, PRIVATE domains are ignored, although this may change in the future. | |||
====Multi-process Security==== | |||
Chrome implements of a multi-process security model involving a singular "browser" process and multiple "renderer" process. It uses the PSL to determine when to create a new renderer process, on the basis that a compromise of a single renderer should not compromise data (eg: cookies, LSOs) from other origins. | |||
It does not make a distinction between private domains and ICANN-delegated domains. | |||
====SDCH==== | |||
Chrome implements Shared Dictionary Compression over HTTP (SDCH) [http://en.wikipedia.org/wiki/Shared_Dictionary_Compression_Over_HTTP]. It uses the PSL to determine whether or not a given dictionary may be shared between services. | |||
It does not make a distinction between private domains and ICANN-delegated domains. | |||
===Firefox=== | |||
====Downloads==== | |||
Firefox uses the registered domain to sort entries in the Download Manager | |||
===To Be Investigated=== | ===To Be Investigated=== | ||
| Line 50: | Line 88: | ||
==Other== | ==Other== | ||
===Services=== | |||
* [http://www.whoismind.com/ WhoisMind] uses the PSL to get the registered domain name out of inputted URLs. | * [http://www.whoismind.com/ WhoisMind] uses the PSL to get the registered domain name out of inputted URLs. | ||
===Programming Languages and Libraries=== | |||
* [http://godoc.org/code.google.com/p/go.net/publicsuffix The Go Language] uses the public suffix to determine whether or not Internet users can register domain names under the given domain. | |||
* [http://docs.guava-libraries.googlecode.com/git/javadoc/com/google/common/net/InternetDomainName.html Guava] provides an interface for Java applications to query the Public Suffix List | |||
Revision as of 21:08, 4 February 2014
This page attempts to list all the known uses of the Public Suffix List, to help us work out what problems any replacement for it would need to solve.
The PSL website has a list, on which this one is based, and this data may migrate there later.
In this document, the "registered domain" is the part of a domain consisting of the public suffix plus one additional label. ("Registered" can also be "Registrable" if the domain is not yet registered; we ignore this for linguistic convenience.)
The modern PSL has two sections, the ICANN area and the PRIVATE area, delimited by structured comments. Most applications use both areas without distinction; if an application uses only one or the other, that is noted (where known).
The PRIVATE area exists because some registered domain owners wish to delegate subdomains to mutually-untrusting parties, and therefore wish to have them occupy different origins, as far as web browsers are concerned. Getting added to the PSL is an effective way to accomplish this. Entries in this part of the PSL come from many pseudo-NICs such as CentralNIC (owner of e.g. eu.com and us.org), and companies such as Amazon, Google, GitHub, Heroku, Microsoft and Red Hat, who provide cloud services. They are segregated into a different part of the PSL because some applications need to distinguish between the two types.
Browsers
Common
Cookies
Browsers restrict the domains for which cookies can be set, to avoid "supercookies" being set for e.g. "co.uk", which would allow sites to track users across multiple domains owned by different entities.
Local Storage Objects
For reasons identical to cookies, browsers restrict the domains for which Local Storage Objects (LSOs) can be set to domains.
document.domain
The document.domain attribute is used to enable pages on different hosts of a domain to access each others' DOMs. Browsers restrict the values to which the document.domain property can be set, to maintain the same origin policy. See the HTML5 spec for the algorithm.
URL Bar
Both Firefox and Chrome highlight the registered domain within the UI when displaying a page address.
General UI
Both Firefox and Chrome make use of the PSL to order entries within their interfaces for managing cookies and local data.
Chrome
URL Bar
Chrome uses a combined search and URL bar. "name-shaped" queries - such as foo.com - query the PSL to determine whether the entered text is likely a search or a domain name. A term of "com" will be treated as a search for the phrase "com", because the term does not resolve to a registered domain (as it is just a public suffix). A term for "foo.com" is treated as a navigation, because it does contain a registered domain ("foo.com")
For this purpose, PRIVATE domains are ignored, permitting navigation to domains like "appspot.com", which are listed within the private section.
Certificates
Chrome will reject wildcard certificates (*.foo.bar) if foo.bar is a Public Suffix.
For this purpose, PRIVATE domains are ignored, permitting certificates for domains like "*.appspot.com"
Safe Browsing
Chrome uses the PSL to restrict Safe Browsing exceptions to registered domains. That is, if a domain is believed to have hosted malware/phishing, and a user chooses to proceed, that exception is remembered at the level of a registered domain.
For this purpose, PRIVATE domains are ignored, although this may change in the future.
Multi-process Security
Chrome implements of a multi-process security model involving a singular "browser" process and multiple "renderer" process. It uses the PSL to determine when to create a new renderer process, on the basis that a compromise of a single renderer should not compromise data (eg: cookies, LSOs) from other origins.
It does not make a distinction between private domains and ICANN-delegated domains.
SDCH
Chrome implements Shared Dictionary Compression over HTTP (SDCH) [1]. It uses the PSL to determine whether or not a given dictionary may be shared between services.
It does not make a distinction between private domains and ICANN-delegated domains.
Firefox
Downloads
Firefox uses the registered domain to sort entries in the Download Manager
To Be Investigated
DOM Storage quotas?
Standards
CAB Forum Baseline Requirements
The CAB Forum Baseline Requirements, in section 11.1.3, require that CAs, before issuing a wildcard certificate, make sure that such a certificate is not for *.public.suffix, e.g. *.co.uk. (Or, that the entity actually owns the entirety of the public suffix, which could be true for suffixes in the PRIVATE area).
DMARC
The DMARC draft RFC uses the PSL to determine the "organizational domain". This is where the DMARC algorithm looks for DNS records relating to DMARC. (This usage should probably exclude the PRIVATE area, but the draft does not currently say that it should.)
HTML5
As noted above, the HTML5 standard references the PSL when defining how the document.domain property should be implemented.
Other
Services
- WhoisMind uses the PSL to get the registered domain name out of inputted URLs.
Programming Languages and Libraries
- The Go Language uses the public suffix to determine whether or not Internet users can register domain names under the given domain.
- Guava provides an interface for Java applications to query the Public Suffix List