From 6a9f7eacaae962b325547f33d6e30134789986a8 Mon Sep 17 00:00:00 2001
From: Mike West
Date: Thu, 7 Jun 2018 11:11:56 +0200
Subject: [PATCH] Define hosts' public suffix and registrable domain, as well as same site

This provides the underpinnings needed for document.domain, cookies, WebAuthn, Token Binding, Cross-Origin-Resource-Policy, etc. For new features, please stick to same origin as it is both safer and likely more future proof.
---
 url.bs | 118 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)

diff --git a/url.bs b/url.bs
index 831a890d..11b0390e 100644
--- a/url.bs
+++ b/url.bs
@@ -272,6 +272,124 @@ for further processing. U+0020 SPACE, U+0023 (#), U+0025 (%), U+002F (/), U+003A (:), U+003F (?), U+0040 (@), U+005B ([), U+005C (\), or U+005D (]). +

A host's public suffix is the portion of a +host which is included on the Public Suffix List. To obtain +host's public suffix, run these steps: [[!PSL]] + +

    +
  1. If host is not a domain, then return null. + +

  2. Return the public suffix obtained by executing the + algorithm defined by the Public Suffix List on + host. [[!PSL]]. +

+ +

A host's registrable domain is a domain formed by +the most specific public suffix, along with the domain label immediately preceeding it, if any. To +obtain host's registrable domain, run these steps: + +

    +
  1. If host's public suffix is null or host's + public suffix equals host, then return null. + +

  2. Return the registrable domain obtained by executing the + algorithm defined by the Public Suffix List on + host. [[!PSL]] +

+ +
+ + + + + + + + + + + + +
Host input + Public suffix + Registrable domain +
com + com + null +
example.com + com + example.com +
www.example.com + com + example.com +
sub.www.example.com + com + example.com +
EXAMPLE.COM + com + example.com +
github.io + github.io + null +
whatwg.github.io + github.io + whatwg.github.io +
إختبار + xn-kgbechtv + null +
example.إختبار + xn-kgbechtv + example.xn-kgbechtv +
sub.example.إختبار + xn-kgbechtv + example.xn-kgbechtv +
+
+ +

Two hosts, A and B are said to be +same site with each other if either of the following statements are true: + +

+ +
+

Assuming that suffix.example is a public suffix and that + example.com is not: + +

+
+ +

Specifications should avoid depending on "public suffix", +"registrable domain", and "same site". The public suffix list will diverge +from client to client, and cannot be relied-upon to provide a hard security boundary. Specifications +which ignore this advice are encouraged to carefully consider whether URLs' schemes ought to be +incorporated into any decision made based upon whether or not two hosts are +same site. HTML's same origin-domain concept is a reasonable example of this +consideration in practice. +

IDNA
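Review bot: The three IDN rows of the example table (إختبار, example.إختبار and sub.example.إختبار) give the public suffix and registrable domain as "xn-kgbechtv" with a single hyphen, but the ACE prefix carried by every Punycode-encoded label is "xn--" (two hyphens), so those cells should read "xn--kgbechtv" and "example.xn--kgbechtv"; as written the table shows a form that no IDNA-aware implementation produces, and since this table is what implementers will copy into test fixtures the mismatch is worth fixing before merge. Smaller points in the same hunk: "the domain label immediately preceeding it" in the registrable domain definition should be "preceding"; step 2 of the public suffix algorithm ends with "host. [[!PSL]]." while the matching step of the registrable domain algorithm ends with "host. [[!PSL]]", so the first has a stray trailing period; "Two hosts, A and B are said to be same site with each other if either of the following statements are true" wants a comma after "B" and "is true"; and "relied-upon" in the closing paragraph needs no hyphen. On substance, the closing paragraph correctly warns that the public suffix list diverges from client to client and is not a hard security boundary; because both step 2s delegate entirely to the PSL algorithm, it would help to say in the definitions themselves that the result depends on the version of the list the client ships, so that the consumers the commit message names (cookies, WebAuthn, Token Binding, Cross-Origin-Resource-Policy) do not treat the table's outputs as stable across implementations.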