Proposal: Public Suffix API #676
Conversation
mckenfra
force-pushed
the
publicsuffix
branch
from
960f99d
to
0f09b4a
Compare
mckenfra
force-pushed
the
publicsuffix
branch
from
638833b
to
3301526
Compare
| by default to be the last domain label of the domain name, or alternatively | ||
| the domain name could be considered invalid. | ||
|
|
||
| **Note:** it may be more performant to allow unknown suffixes and assume a single-label |
There was a problem hiding this comment.
I'm not too concerned about the performance aspect of this; any IPC to handle the API call is likely more expensive than a look up in the PSL.
The proposal does not describe why unknown suffixes should be supported. Could you elaborate when one would want and when one does not want public suffixes? And offer a recommendation on default behavior that is not dependent on (likely not relevant) performance considerations?
It's probably worth pointing out explicitly that there may be web pages displayed in the browser that are not on a registrable domain, e.g. when a local intranet has custom non-public host names.
There was a problem hiding this comment.
I will update this section regarding unknown suffixes as you suggest.
On the performance point: I am concerned about performance of this API, because if it turns out to be slower than extensions' own public suffix implementations, then they may not use this API. In particular, Use Cases 1 (Filter Requests by Organization) and 3 (Detect Third-Party Requests) in this proposal are performance-sensitive, because they obtain the registrable domain for every request (not just top-level pages) as the user browses.
There was a problem hiding this comment.
If it's faster for the extension to use an internal list, wouldn't that imply that we should really improve our implementation?
| | PSL Feature | Requirement | Discussion | | ||
| |------------------------|-------------|------------| | ||
| | Allow Private Suffixes | Yes | including all suffixes in PSL means more information about third-party boundaries | | ||
| | Allow Unknown Suffixes | Yes | provides better performance | |
There was a problem hiding this comment.
Why are Unknown suffixes required in this case? Theoretically better performance does not automatically translate to a functional requirement.
There was a problem hiding this comment.
Assuming there is no performance benefit from allowing unknown suffixes, I will revisit this requirement.
| base?: string, | ||
| // The Private-suffixed registrable domain. | ||
| // Null if an error occurred, or if the domain has no matching Private suffix. | ||
| private?: string, |
There was a problem hiding this comment.
Do we really need all three options (domain, base, private)?
- (input)
domainis redundant, because the extension can keep track of the parameters that it had sent to the API. - Requiring
baseandprivatemay require two lookups in the PSL, even if the extension does not need it. An extension interested in both can call the API twice withexcludePrivateSuffixesset to true and false.
Given this, what do you think of reducing the number of options to just one registrableDomain?
There was a problem hiding this comment.
Calling the API twice with excludePrivateSuffixes set to true and false has the following potential issues:
Duplication of work
- Must parse/canonicalize the same input domain parameter on each API call.
- The PSL lookup involves removing each label in turn from the input domain and testing the remaining suffix until a match is found. Therefore on the second API call, the same unmatching candidate suffixes that have already been tested in the first API call will again be retested. The difference will be that the algorithm keeps going further in terms of removing labels with the
excludePrivateSuffixes=truecall.
Duplication of returned arrays
- If the registrable domains array obtained with
excludePrivateSuffixes=falsehappens to only contain ICANN domains (because no matching private suffixes exist), then the second API call withexcludePrivateSuffixes=truewill return exactly the same registrable domains array again.
Note that my proposal does not require "two lookups". One possible implementation would simply continue removing labels after finding a private suffix until the ICANN suffix is found, i.e. not a full lookup, but a continuation of the current lookup. Even better, a more optimal implementation would have the corresponding ICANN suffix pre-calculated and stored with every private suffix, such that no further work would be needed to determine the ICANN suffix upon matching a private suffix.
I am happy to remove domain in the result, because I agree this can be inferred from the array position.
|
|
||
| If no matching suffix is found in the PSL for a `domain` parameter, then unless it is determined | ||
| to be specifically [invalid](#6-invalid-domain-parameter), it should be assumed the domain has a | ||
| single-label suffix. |
There was a problem hiding this comment.
What is the source for the required assumption of "single-label" suffix?
This proposal does not include an example where known vs unknown matters, but in Firefox specifically, there is at least one example where it matters (https://bugzilla.mozilla.org/show_bug.cgi?id=1621168): In determining whether to issue a search query or whether to try a navigation, a PSL lookup is made:
- If valid, attempt to navigate.
- If invalid, use search engine.
Unknown entries in the PSL should also trigger a search query, but unconditionally making it return a single label would rule out that use.
There was a problem hiding this comment.
I am happy to remove this assumption, and instead add an option to the API allowing users to opt-in to this behaviour of assuming a single-label suffix. I was guided in my analysis by the following:
- Google Chrome's Public Suffix implementation makes this assumption, I believe. See GetDomainAndRegistry: "If no matching rule is found in the effective-TLD data (or in the default data, if the resource failed to load), the last subcomponent of the host is assumed to be the registry."
- tltds also makes this assumption in its implementation. (tltds is a javascript library for obtaining Public Suffixes that is used by popular extensions such as bitwarden password manager and violentmonkey.) However, there is also an open tltds issue caused by this assumption.
- Use Cases 1 (Filter Requests by Organization) and 3 (Detect Third-Party Requests) in this proposal are performance-sensitive, because they obtain the registrable domain for every request (not just top-level pages) as the user browses. I wanted to reduce the chance of making users' browsers feel permanently slower after installing these sorts of extensions. This assumption of a single-label suffix by default may allow a faster implementation due to avoiding an explicit PSL lookup for all single-label TLDs.
- Use Case 2 (Group Domains in UI) in this proposal may benefit from this assumption, because without it all unknown-suffixed domains would be grouped together.
There was a problem hiding this comment.
Hey, I'm the maintainer of tldts and wanted to clarify that the issue linked is about tldts-experimental, a faster but less accurate implementation of tldts. The main tldts package (which most projects are using) is fully accurate, and behaves in a slightly different way by returning a single label in case no rule was found matching the last label (or anything more specific), but will also return two flags: isIcann and isPrivate, which allow to know where the matching rule came from (i.e. the ICANN or PRIVATE section of the public suffix list). If both of these flags are false, then we can assume that the fallback behavior of using the last label as public suffix was triggered. For example:
$ npx tldts https://example.thissuffixdoesnotexist
{
"domain": "example.thissuffixdoesnotexist",
"domainWithoutSuffix": "example",
"hostname": "example.thissuffixdoesnotexist",
"isIcann": false,
"isIp": false,
"isPrivate": false,
"publicSuffix": "thissuffixdoesnotexist",
"subdomain": ""
}I lack context on this spec but this might allow to combine the single-label suffix fallback behavior with the use-cases outlined by @Rob--W above.
There was a problem hiding this comment.
The main use-cases for the PSL are isValidUrl(...) which does not want this behavior (because you want to know if the TLD is known) and isSameSite(...) for which it almost doesn't matter.
It only helps if you have made up TLDs. printer.homenet and backup.homenet would both have an empty eTLD and eTLD+1 would be "homenet". If you assume the last label must be a TLD then you end up with the correct behavior.
However, since most browsers currently do not update their PSL, the "made up TLD" situation can also arise when a new TLD gets introduced.
I think the correct solution here is to make the API isValidURL(...) check the last label and isSameSite(...) to assume that it is a valid TLD. But maybe there are use-cases that I'm not seeing which need a third option.
| or Punycode. | ||
|
|
||
| When settling the promise returned by `getRegistrableDomain()`, the resulting | ||
| domain name should be converted to Unicode from Punycode by default. |
There was a problem hiding this comment.
Why should the API convert the domain to Unicode by default? When the input is the host name from a URL, it would be reasonable to expect a valid hostname. I'd argue that punycode is the more sane default.
Extensions can bundle the custom library/logic to convert punycode to unicode if desired, because the algorithm is well known and fixed.
There was a problem hiding this comment.
I can change this to returning punycode by default, with an API option to convert to unicode. Unicode registrable domains are required by Use Case 2 (Group Domains in UI) in this proposal.
|
|
||
| #### 2. Multiple Suffixes per Domain | ||
|
|
||
| If a domain name ends with a suffix listed in the Private section of the PSL, |
There was a problem hiding this comment.
Maybe stress that in almost all cases you want to use the full PSL. If you're trying to attribute abuse at some point you want to go from "a.foo.com" and "b.foo.com" and "c.foo.com" are all distributing malware to "foo.com" is distributing malware. That's the only reason I can think of, though and maybe that should instead be a generic "attribute to all higher labels".
|
|
||
| ##### Example | ||
|
|
||
| | Domain name | Private suffix | ICANN suffix | |
There was a problem hiding this comment.
It's called a public suffix so calling it a private suffix here might be a bit confusing. Private section suffix?
| "owner" of a suffix is a private organization offering a service for clients | ||
| to take ownership of subdomains underneath its own ICANN-suffixed domain. | ||
|
|
||
| #### 2. Multiple Suffixes per Domain |
There was a problem hiding this comment.
There can be multiple suffixes per domain but the distinction between private section and ICANN section is a bit arbitrary. There could be multiple entities acting as "registrars" in a domain.
|
|
||
| #### 1. ICANN vs Private | ||
|
|
||
| The PSL it is divided into two sections: ICANN suffixes and Private (i.e. non-ICANN) |
| on the use case, when returning the *registrable domain / eTLD+1* for a domain name, | ||
| either Unicode or Punycode may be preferred. | ||
|
|
||
| **Note:** the [PSL algorithm](https://github.com/publicsuffix/list/wiki/Format#formal-algorithm) |
There was a problem hiding this comment.
I think this might be a made up requirement. (That wiki page really needs some work.) The algorithm is pretty trivial and just needs to compare labels for equality so any encoding should be fine.
| * automatically calculate the set of organization names and *registrable domain / eTLD+1*s | ||
| from a user-specified set of domain names, and propose these as filtering rules for | ||
| the user to choose | ||
| * prevent users from mistakenly specifying a *public suffix / eTLD* as a filtering rule, |
There was a problem hiding this comment.
This would probably be a mistake. There are unresolved, lengthy, ancient discussions on this elsewhere but basically, at the moment, public suffixes sometimes have websites.
|
|
||
| | PSL Feature | Requirement | Discussion | | ||
| |------------------------|-------------|------------| | ||
| | Allow Private Suffixes | Yes & No | some filters may require private suffixes, others ICANN-only | |
There was a problem hiding this comment.
The PSL exists because filtering by organization requires the information on the PSL so only using the ICANN section seems just wrong here.
There was a problem hiding this comment.
Another reason why I dislike this is, that the distinction between an ICANN/IANA TLD and an eTLD is - in practice - poorly defined.
The "official" ICANN/IANA TLD is only the last label. There is an IANA list and another list for gTLDs.
However, the PSL is trying to gather information from the official registrars and include that. To maintain the PSL we try to get in touch with the registrars to get them to update their "official" subdomains or to ask questions but we often fail.
Look at the.au section of the list, they cannot agree what their TLDs are but they are in the ICANN section. .bd even has a wildcard *.bd entry in the ICANN section. .co.uk is in the ICANN section but the actual IANA TLD is still only .uk.
| |------------------------|-------------|------------| | ||
| | Allow Private Suffixes | Yes & No | some filters may require private suffixes, others ICANN-only | | ||
| | | | preventing user mistake may require both types of suffix | | ||
| | Allow Unknown Suffixes | Yes | provides better performance | |
There was a problem hiding this comment.
Afaiu this would only make a difference when given a single label. But a single label is either not a valid URL or it is a TLD. If you're trying to look up isValidURL(...) you don't want the optimization because it breaks the use-case. If you're looking up isSameSite(...) then the optimization for a single label is irrelevant because you have to compare them anyway.
| // { domain: "a..b", error: "Invalid domain name", }, | ||
| // ] | ||
| // | ||
| export function getRegistrableDomains( |
There was a problem hiding this comment.
Are callers gaining anything from calling this with an array instead of calling the other function multiple times?
|
|
||
| ### Schema | ||
|
|
||
| A new API `publicSuffix` is added as follows: |
There was a problem hiding this comment.
I've dug into PSL use-cases a couple of time now. I think it might be better to make the API
isValidURL(...) and isSameSite(...). That should be enough for use-cases (1.) and (3.) above. For use case (2.) you're restricted to comparison based sorting algorithms but that's probably okay in practice.
There was a problem hiding this comment.
@remusao, if you have feedback on this I would love to hear it!
There was a problem hiding this comment.
As @Rob--W just pointed out in chat, there are some user-interface use-cases which would still need the getRegistrableDomain function. For example, highlighting in the URL bar or giving a name to a group of same-site URLs.
I still think it would be good to have an explicit API for the two cases mentioned above.
| #### 3. PSL Special Rules | ||
|
|
||
| The lookup performed by `getRegistrableDomain()` should adhere to the | ||
| [PSL algorithm](https://github.com/publicsuffix/list/wiki/Format#formal-algorithm). |
There was a problem hiding this comment.
I support doing it this way but we will have to talk about it because that is not what browsers are currently doing.
That situation has been unresolved for a long time and people have been working around it or ignoring it. I suggest we simply defer to what the browsers are already doing here because that is what we want.
| | punycode = false (default) | example.مليسيا | | ||
| | punycode = true | example.xn--mgbx4cd0ab | | ||
|
|
||
| #### 6. Invalid domain parameter |
There was a problem hiding this comment.
This is important to keep in mind.isSameSite("100.200.30.2", "100.200.31.2") should probably return false so even if the last label is assumed to be a TLD (and thus not checked) there should be an exception that checks for IPv4 addresses.
|
|
||
| | Permission Added | Suggested Warning | | ||
| | ---------------- | ----------------- | | ||
| | publicSuffix | N/A | |
There was a problem hiding this comment.
This seems fine but it should explain why the browser is not more fingerprintable, for example, by arguing that the browser version is already available.
|
|
||
| ### Abuse Mitigations | ||
|
|
||
| This does not expose any new non-public data so there are no new abuse vectors. |
There was a problem hiding this comment.
As stated above, it does expose which version of the PSL is used.
|
|
||
| ### Open Web API | ||
|
|
||
| The purpose of this API is to eliminate the potential for inconsistency between |
There was a problem hiding this comment.
This is a bit at odds with the desire to retrieve version information.
| // | ||
| // Gets the PSL dataset version if available | ||
| // | ||
| export function getVersion(): string?; |
There was a problem hiding this comment.
@simon-friedberger let me know that the PSL has been updated with a VERSION metadata item like this: publicsuffix/list#1808 (comment)
Should we mention that here and agree on using that as the version we return?
There was a problem hiding this comment.
I'd be fine with that.
I am also fine with leaving the version method off altogether if it were to be a blocker to approving the proposal.
After all, there are many existing APIs that are dependent on the result of the public suffix list without exposing versioning information.
There was a problem hiding this comment.
I definitely agree that this shouldn't be a blocker. However, I hope it will be non-controversial. I expect most (likely all) browser vendors don't have easy access to this information today but it should be fairly trivial to get access to.
This formalizes #231 into a concrete proposal.