Comment by jefftk
5 years ago
Have you considered requesting that your domain be added to the public suffix list? https://publicsuffix.org/
If subdomains of your domain should be treated as independent sites, the public suffix list is (sadly) how you communicate that to browsers.
(Disclosure: I work for Google, speaking only for myself)
Fascinating. I had never heard of this, and cloudfront.net is in there, which might provide a clue as to why Google only blacklisted our subdomain and not the whole thing (imagine that!).
Is there any downside to being on this list?
> Is there any downside to being on this list?
If example.com were on the list then a cookie set on a.example.com couldn't be read on b.example.com. In this case that would probably be a good thing, since the subdomains represent independent sites, but if a site were erroneously added that could be a problem (mail.yahoo.com and groups.yahoo.com should share login cookies, for example).
The list was originally created to handle cookies, but more recently it's been used for other notions of "site", like cache sharding.
This is the first time I've heard about https://publicsuffix.org/. Will definitely check it out. Maybe that will help me solve this problem. Thanks a lot!
> the public suffix list is (sadly) how you communicate that to browsers
Sadly, indeed. Had they never heard of DNS?
How would you propose handling this with DNS? Here are some things it covers:
* a.example.com and b.example.com are the same site
* a.co.uk and b.co.uk are not the same site
* a.cloudfront.net and b.cloudfront.net are not the same site
* a.higashikawa.hokkaido.jp and b.higashikawa.hokkaido.jp are not the same site
* a.example.higashikawa.hokkaido.jp and b.example.higashikawa.hokkaido.jp are the same site
There is a proposal to do something similar using response headers and .well-known urls: https://github.com/privacycg/first-party-sets
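The same-site cases listed in the thread above, run through public-suffix matching (longest rule wins, site = suffix plus one label). This is an added example, not part of the thread: the rule set is a small hand-built subset of the list, the function names are assumptions, and it also handles the list's wildcard and exception rule forms, which goes beyond the cases discussed.

```python
# Constructed subset of rules chosen to match the cases in the thread.
# A real check must load the full list from https://publicsuffix.org/.
RULES = {
    "com", "net", "uk", "co.uk", "jp", "hokkaido.jp",
    "higashikawa.hokkaido.jp", "cloudfront.net",
    "*.ck", "!www.ck",  # wildcard and exception rule forms
}

def public_suffix(host):
    """Return the public suffix of host using the longest matching rule."""
    labels = host.lower().rstrip(".").split(".")
    best = 1  # implicit default rule "*": the last label alone is a suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if "!" + candidate in RULES:
            # Exception rule beats everything: suffix is the rule minus its first label.
            return ".".join(labels[i + 1:])
        wildcard = "*." + ".".join(labels[i + 1:])
        if candidate in RULES or (i + 1 < len(labels) and wildcard in RULES):
            best = max(best, len(labels) - i)
    return ".".join(labels[-best:])

def registrable_domain(host):
    """Public suffix plus one more label, or None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

def same_site(a, b):
    """Two hosts are the same site when they share a registrable domain."""
    ra, rb = registrable_domain(a), registrable_domain(b)
    return ra is not None and ra == rb

if __name__ == "__main__":
    for suffix in ("example.com", "co.uk", "cloudfront.net",
                   "higashikawa.hokkaido.jp", "example.higashikawa.hokkaido.jp"):
        a, b = "a." + suffix, "b." + suffix
        print(f"{a} / {b}: same site = {same_site(a, b)}")
```

A cookie scoped to a host's registrable domain is visible only to hosts for which `same_site` returns True, which is why adding a shared-hosting domain to the list isolates its subdomains from each other.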