Define hosts' public suffix and registrable domain, as well as same site
This provides the underpinnings needed for document.domain, cookies, WebAuthn, Token Binding, Cross-Origin-Resource-Policy, etc. For new features, please stick to same origin as it is both safer and likely more future-proof.
mikewest authored and annevk committed Jun 7, 2018
1 parent ac532ae commit 6a9f7ea
Showing 1 changed file with 118 additions and 0 deletions.
118 changes: 118 additions & 0 deletions url.bs
Expand Up @@ -272,6 +272,124 @@ for further processing.
U+0020 SPACE, U+0023 (#), U+0025 (%), U+002F (/), U+003A (:), U+003F (?), U+0040 (@), U+005B ([),
U+005C (\), or U+005D (]).

<p>A <a for=/>host</a>'s <dfn for=host export>public suffix</dfn> is the portion of a
<a for=/>host</a> which is included on the <cite>Public Suffix List</cite>. To obtain
<var>host</var>'s <a for=host>public suffix</a>, run these steps: [[!PSL]]

<ol>
<li><p>If <var>host</var> is not a <a>domain</a>, then return null.

<li><p>Return the <a for=host>public suffix</a> obtained by executing the
<a href="https://publicsuffix.org/list/">algorithm</a> defined by the Public Suffix List on
<var>host</var>. [[!PSL]].
</ol>

<p>A <a for=/>host</a>'s <dfn for=host export>registrable domain</dfn> is a <a>domain</a> formed by
the most specific public suffix, along with the domain label immediately preceeding it, if any. To
obtain <var>host</var>'s <a for=host>registrable domain</a>, run these steps:

<ol>
<li><p>If <var>host</var>'s <a for=host>public suffix</a> is null or <var>host</var>'s
<a for=host>public suffix</a> <a for=host>equals</a> <var>host</var>, then return null.

<li><p>Return the <a for=host>registrable domain</a> obtained by executing the
<a href="https://publicsuffix.org/list/">algorithm</a> defined by the Public Suffix List on
<var>host</var>. [[!PSL]]
</ol>

<div class=example id=example-host-psl>
<table>
<tr>
<th>Host input
<th>Public suffix
<th>Registrable domain
<tr>
<td><code>com</code>
<td><code>com</code>
<td><i>null</i>
<tr>
<td><code>example.com</code>
<td><code>com</code>
<td><code>example.com</code>
<tr>
<td><code>www.example.com</code>
<td><code>com</code>
<td><code>example.com</code>
<tr>
<td><code>sub.www.example.com</code>
<td><code>com</code>
<td><code>example.com</code>
<tr>
<td><code>EXAMPLE.COM</code>
<td><code>com</code>
<td><code>example.com</code>
<tr>
<td><code>github.io</code>
<td><code>github.io</code>
<td><i>null</i>
<tr>
<td><code>whatwg.github.io</code>
<td><code>github.io</code>
<td><code>whatwg.github.io</code>
<tr>
<td><code>إختبار</code>
<td><code>xn-kgbechtv</code>
<td><i>null</i>
<tr>
<td><code>example.إختبار</code>
<td><code>xn-kgbechtv</code>
<td><code>example.xn-kgbechtv</code>
<tr>
<td><code>sub.example.إختبار</code>
<td><code>xn-kgbechtv</code>
<td><code>example.xn-kgbechtv</code>
</table>
</div>

<p>Two <a for=/>hosts</a>, <var>A</var> and <var>B</var> are said to be
<dfn for=host export>same site</dfn> with each other if either of the following statements are true:

<ul class=brief>
<li><p><var>A</var> <a for=host>equals</a> <var>B</var> and <var>A</var>'s
<a for=host>registrable domain</a> is non-null.

<li><p><var>A</var>'s <a for=host>registrable domain</a> is <var>B</var>'s
<a for=host>registrable domain</a> and is non-null.
</ul>

<div class=example id=example-same-site>
<p>Assuming that <code>suffix.example</code> is a <a for=host>public suffix</a> and that
<code>example.com</code> is not:

<ul>
<li><p><code>example.com</code>, <code>sub.example.com</code>, <code>other.example.com</code>,
<code>sub.sub.example.com</code>, and <code>sub.other.example.com</code> are all <a>same site</a>
with each other (and themselves), as their <a for=host>registrable domains</a> are
<code>example.com</code>.

<li><p><code>registrable.suffix.example</code>, <code>sub.registrable.suffix.example</code>,
<code>other.registrable.suffix.example</code>, <code>sub.sub.registrable.suffix.example</code>,
and <code>sub.other.registrable.suffix.example</code> are all <a>same site</a> with each other
(and themselves), as their <a for=host>registrable domains</a> are
<code>registrable.suffix.example</code>.

<li><p><code>example.com</code> and <code>registrable.suffix.example</code> are not
<a>same site</a> with each other, as their <a for=host>registrable domains</a> differ.

<li><p><code>suffix.example</code> is not <a>same site</a> with <code>suffix.example</code>, as
it is a <a for=host>public suffix</a>, and therefore has a null
<a for=host>registrable domain</a>.
</ul>
</div>

<p class=warning>Specifications should avoid depending on "<a for=host>public suffix</a>",
"<a for=host>registrable domain</a>", and "<a>same site</a>". The public suffix list will diverge
from client to client, and cannot be relied-upon to provide a hard security boundary. Specifications
which ignore this advice are encouraged to carefully consider whether URLs' schemes ought to be
incorporated into any decision made based upon whether or not two <a for=/>hosts</a> are
<a>same site</a>. HTML's <a>same origin-domain</a> concept is a reasonable example of this
consideration in practice.


<h3 id=idna>IDNA</h3>
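Review bot: the A-labels in the example-host-psl table are wrong: the IDNA ACE prefix is "xn--" (two hyphens), so the three rows for إختبار should read xn--kgbechtv, example.xn--kgbechtv and example.xn--kgbechtv; as written they are not what domain-to-ASCII produces for that name, and a reader copying them into a test will get a different public suffix. Also in this hunk: "preceeding" in the registrable domain definition should be "preceding", and "relied-upon" in the warning should be "relied upon". The first bullet of the same site definition (A equals B and A's registrable domain is non-null) is implied by the second, since equal hosts have equal registrable domains; either drop it or label it as the trivial case so implementers do not go looking for a difference. Finally, worth one sentence under example-same-site: because public suffix is null for any host that is not a domain, an IPv4 or IPv6 literal (localhost-style development hosts included) is never same site with anything, not even itself, exactly as the suffix.example bullet shows for public suffixes; consumers such as cookies need to decide how to treat that case rather than inherit it by accident.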

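The three definitions this commit adds (public suffix, registrable domain, same site), worked through in JavaScript as an added example; this is not code from the URL Standard, the WHATWG, or the commit author. Rule selection follows the published Public Suffix List algorithm (normal rules, "*." wildcards, "!" exceptions, and the implicit "*" rule when nothing matches). The two list fragments, the host set, and the `isDomain` stand-in for the URL Standard's host parser are all constructed for this example. The point it demonstrates is the caveat in the spec's warning: the same pair of hosts is same site under one client's list and cross-site under another's.

```javascript
// Added example (not code from the URL Standard, the WHATWG or the commit
// author): the "public suffix", "registrable domain" and "same site"
// definitions from this commit, evaluated against an embedded Public Suffix
// List fragment. Rule selection follows the algorithm published at
// https://publicsuffix.org/list/ : normal rules, "*." wildcard rules,
// "!" exception rules, and the implicit "*" rule when nothing matches.

// Constructed PSL fragment for this example only; the real list is far larger.
// "ck" / "*.ck" / "!www.ck" is the classic wildcard-plus-exception pattern.
const PSL_A = [
  'com', 'example', 'suffix.example', 'github.io', 'xn--kgbechtv',
  'ck', '*.ck', '!www.ck',
];
// A second, deliberately divergent fragment without the github.io entry,
// standing in for a client that ships an older or differently curated list.
const PSL_B = ['com', 'example', 'suffix.example', 'xn--kgbechtv', 'ck', '*.ck', '!www.ck'];

// The spec only defines a public suffix for hosts that are domains. This is a
// simplified stand-in for the URL Standard's host parser: reject empty hosts,
// IPv6 literals and dotted-quad IPv4 literals. Real inputs are already
// lowercase ASCII (A-labels) after host parsing; we lowercase defensively.
function isDomain(host) {
  if (typeof host !== 'string' || host.length === 0) return false;
  if (host.startsWith('[')) return false;            // IPv6 literal
  if (/^\d+(\.\d+){3}$/.test(host)) return false;    // IPv4 literal (simplified)
  return true;
}

function labelsOf(host) {
  return host.toLowerCase().split('.');
}

// A rule matches when its labels equal the host's trailing labels,
// with "*" matching exactly one label.
function ruleMatches(ruleLabels, hostLabels) {
  if (ruleLabels.length > hostLabels.length) return false;
  for (let i = 1; i <= ruleLabels.length; i++) {
    const r = ruleLabels[ruleLabels.length - i];
    const h = hostLabels[hostLabels.length - i];
    if (r !== '*' && r !== h) return false;
  }
  return true;
}

function publicSuffix(host, psl) {
  if (!isDomain(host)) return null;
  const hostLabels = labelsOf(host);
  let prevailing = null;
  for (const rule of psl) {
    const exception = rule.startsWith('!');
    const labels = labelsOf(exception ? rule.slice(1) : rule);
    if (!ruleMatches(labels, hostLabels)) continue;
    // An exception rule beats everything; otherwise the longest rule wins.
    if (prevailing === null
        || (exception && !prevailing.exception)
        || (!exception && !prevailing.exception && labels.length > prevailing.labels.length)) {
      prevailing = { labels, exception };
    }
  }
  if (prevailing === null) prevailing = { labels: ['*'], exception: false };
  // An exception rule is applied with its leftmost label removed.
  const n = prevailing.labels.length - (prevailing.exception ? 1 : 0);
  return hostLabels.slice(hostLabels.length - n).join('.');
}

// Public suffix plus the label immediately preceding it; null when the host
// is not a domain or is itself a public suffix.
function registrableDomain(host, psl) {
  const suffix = publicSuffix(host, psl);
  if (suffix === null) return null;
  const hostLabels = labelsOf(host);
  const n = suffix.split('.').length;
  if (n >= hostLabels.length) return null;
  return hostLabels.slice(hostLabels.length - n - 1).join('.');
}

// Same site per this commit: equal, non-null registrable domains. Note the
// consequence for IP literals and bare public suffixes: never same site, even
// with themselves.
function sameSite(a, b, psl) {
  const ra = registrableDomain(a, psl);
  return ra !== null && ra === registrableDomain(b, psl);
}

// The same pair of hosts classified under both lists: this is the
// "diverges from client to client" hazard named in the spec's warning.
function divergence(a, b) {
  return { withA: sameSite(a, b, PSL_A), withB: sameSite(a, b, PSL_B) };
}

console.log(divergence('whatwg.github.io', 'other.github.io')); // { withA: false, withB: true }
```

Under PSL_A the two github.io hosts are distinct sites, so a cookie scoped by site would not leak between them; under PSL_B they share the registrable domain github.io and are the same site. Nothing about the hosts changed, only the list the client happened to ship, which is why the spec tells new features to stick to same origin.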

2 comments on commit 6a9f7ea


@GPHemsley GPHemsley commented on 6a9f7ea Jun 24, 2018


Are there plans to make use of these definitions within the URL spec itself? I don't think there are many other definitions in the URL spec that go unused within it.

@annevk annevk commented on 6a9f7ea Jun 24, 2018


Perhaps by an API at some point. I recommend not commenting directly on commits by the way, those comments tend to get lost.
