SameSite cookies[1] are supported in all major browsers[2], and these browsers have recently changed the default value of the SameSite cookie attribute to enforce more privacy-preserving behaviour[3]. SameSite handling is based on the Public Suffix[4]. What is a public suffix, and how does it differ from a domain name?
A domain’s “public suffix” is the portion of a domain that is controlled by a public registry, such as “com”, “co.uk”, and “pvt.k12.wy.us” [PSL]. A domain’s “registrable domain” is the domain’s public suffix plus the label to its left. That is, for “https://www.site.example”, the public suffix is “example”, and the registrable domain is “site.example”. This concept is defined more rigorously in [PSL], which specifies a formal algorithm to obtain both.
Source: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05
The Public Suffix List, also known as the list of effective top-level domains (eTLDs)[5], is a catalogue of certain Internet domain names. A suffix on the list can be a top-level domain (e.g. .com, .net, .edu), a second-level domain (e.g. .net.au, .edu.hk, .co.uk) or even a third-level domain (e.g. .vic.gov.au). A public suffix is a suffix under which the general public or organisations can register their own domain names. The browser uses the Public Suffix List to decide whether a request is a same-site request or a cross-site request.
Question: I understand same-site and cross-site requests, but why do we need a separate list when the decision could be made from the domain name alone?
Answer: Because some Internet domains require different rules for security or policy reasons. Here are two examples.
Sub-domains under the same domain that should be treated as different “domains”
One well-known example is github.io[6]. .io is the top-level domain, and GitHub registered its brand name as the second-level domain. GitHub.io lets users host their projects as subdomains of github.io, so different project websites under github.io should not treat each other's cookies as first-party cookies. github.io is therefore an effective top-level domain that behaves like .com: all the subdomains under github.io are separate domains owned by different organisations or people.
Different domains that should be treated as part of a “larger organisation”
If you have worked on projects for the Australian government, you may already know this one. The ACT, NSW and NT state government department domains (act.gov.au, nsw.gov.au and nt.gov.au) are not public suffixes, while those of QLD, SA, TAS, VIC and WA (qld.gov.au, sa.gov.au, tas.gov.au, vic.gov.au and wa.gov.au) are[6]. This means that different departments in ACT, NSW or NT will treat each other's cookies as first-party cookies, whereas in QLD, SA, TAS, VIC and WA they will not.
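The matching algorithm published with the Public Suffix List (match every rule right-to-left, prefer an exception rule, otherwise the longest matching rule, fall back to the implicit "*" rule) is short enough to implement directly. The following is an added example, not code from the original post or from publicsuffix.org; it embeds a small constructed subset of rules that reproduces the github.io and Australian-government cases above, plus a wildcard and an exception rule so every branch of the algorithm is exercised. The `same_site` helper compares registrable domains only (host part); it does not model the scheme comparison that later revisions of the cookie draft added.

```python
"""Minimal Public Suffix List lookup and same-site check (added example).

The rule subset below is constructed for this demo. The real list is at
https://publicsuffix.org/list/public_suffix_list.dat and the matching rules
implemented here follow the algorithm described at https://publicsuffix.org/list/.
"""
from typing import List, Optional

# Constructed subset of PSL rules. act.gov.au / nsw.gov.au / nt.gov.au are
# deliberately absent (they were not on the list per the post), while the
# QLD/SA/TAS/VIC/WA suffixes and the private-domain entry github.io are present.
# "*.ck" / "!www.ck" are real PSL rules included to show wildcard and exception
# handling.
PSL_RULES_TEXT = """
// comments and blank lines are ignored
com
io
au
gov.au
qld.gov.au
sa.gov.au
tas.gov.au
vic.gov.au
wa.gov.au
ck
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
github.io
"""


def parse_rules(text: str) -> List[str]:
    """Return the rule lines of a PSL-format file, lower-cased, comments dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.lower())
    return rules


RULES = parse_rules(PSL_RULES_TEXT)


def _rule_matches(rule_labels: List[str], host_labels: List[str]) -> bool:
    """A rule matches when, compared right-to-left, every rule label equals the
    host label or is the wildcard '*' (which matches exactly one label)."""
    if len(rule_labels) > len(host_labels):
        return False
    for r, h in zip(reversed(rule_labels), reversed(host_labels)):
        if r != "*" and r != h:
            return False
    return True


def public_suffix(host: str, rules: Optional[List[str]] = None) -> str:
    """Compute the public suffix (eTLD) of a host name."""
    rules = RULES if rules is None else rules
    labels = host.lower().rstrip(".").split(".")
    exception = None   # labels of a matching exception rule, if any
    best = None        # labels of the longest matching normal rule
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, labels):
            continue
        if is_exception:
            exception = rule_labels
        elif best is None or len(rule_labels) > len(best):
            best = rule_labels
    if exception is not None:
        prevailing = exception[1:]      # exception: drop its leftmost label
    elif best is not None:
        prevailing = best
    else:
        prevailing = ["*"]              # no rule matched: implicit "*" rule
    return ".".join(labels[-len(prevailing):])


def registrable_domain(host: str, rules: Optional[List[str]] = None) -> Optional[str]:
    """Public suffix plus one label (eTLD+1); None if the host *is* a suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(host, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def same_site(host_a: str, host_b: str, rules: Optional[List[str]] = None) -> bool:
    """Two hosts are same-site when they share a registrable domain."""
    a = registrable_domain(host_a, rules)
    b = registrable_domain(host_b, rules)
    return a is not None and a == b


if __name__ == "__main__":
    for pair in [("alice.github.io", "bob.github.io"),
                 ("health.vic.gov.au", "education.vic.gov.au"),
                 ("health.nsw.gov.au", "education.nsw.gov.au")]:
        print(pair, "same-site" if same_site(*pair) else "cross-site")
```

Running the block prints the two github.io project sites and the two VIC departments as cross-site, and the two NSW departments as same-site, which is exactly the behaviour the two examples above describe. Swap `PSL_RULES_TEXT` for the downloaded data file to get the real answers for any host.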
To view the full Public Suffix List, visit https://publicsuffix.org/list/ or download the data file directly.
References:
- [1] SameSite cookies, MDN Web Docs – https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
- [2] ‘SameSite’ cookie attribute, Can I use – https://caniuse.com/#feat=same-site-cookie-attribute
- [3] Incrementally Better Cookies, IETF Internet-Draft – https://tools.ietf.org/html/draft-west-cookie-incrementalism-01
- [4] Public Suffix List – https://publicsuffix.org/
- [5] Public Suffix List, Mozilla Wiki – https://wiki.mozilla.org/Public_Suffix_List
- [6] Based on the information retrieved on 13 June 2020 from https://publicsuffix.org/list/public_suffix_list.dat