Public Suffix List/Uses

From MozillaWiki
Jump to: navigation, search

This page attempts to list all the known uses of the Public Suffix List, to help us work out what problems any replacement for it would need to solve.

The PSL website has a list, on which this one is based, and this data may migrate there later.

In this document, the "registered domain" is the part of a domain consisting of the public suffix plus one additional label. ("Registered" can also be "Registrable" if the domain is not yet registered; we ignore this for linguistic convenience.)

The modern PSL has two sections, the ICANN area and the PRIVATE area, delimited by structured comments. Most applications use both areas without distinction; if an application uses only one or the other, that is noted (where known).

The PRIVATE area exists because some registered domain owners wish to delegate subdomains to mutually-untrusting parties, and therefore wish to have them occupy different origins, as far as web browsers are concerned. Getting added to the PSL is an effective way to accomplish this. Entries in this part of the PSL come from many pseudo-NICs such as CentralNIC (owner of e.g. and, and companies such as Amazon, Google, GitHub, Heroku, Microsoft and Red Hat, who provide cloud services. They are segregated into a different part of the PSL because some applications need to distinguish between the two types.


Many of the uses in browsers boil down to their need to distinguish which sites are controlled by the same entity and which are not, for example to implement the Same Origin Policy, or some equivalent.



Browsers restrict the domains for which cookies can be set, to avoid "supercookies" being set for e.g. "", which would allow sites to track users across multiple domains owned by different entities.


The document.domain attribute is used to enable pages on different hosts of a domain to access each others' DOMs. Browsers restrict the values to which the document.domain property can be set, to maintain the same origin policy.


The IsSearchProviderInstalled() method uses Public Suffix.


Both Firefox and Chrome highlight the registered domain within the UI when displaying a page address.

General UI

Both Firefox and Chrome make use of the PSL to order entries within their interfaces for managing cookies and local data.



Chrome uses a combined search and URL bar. "name-shaped" queries - such as - query the PSL to determine whether the entered text is likely a search or a domain name. A term of "com" will be treated as a search for the phrase "com", because the term does not resolve to a registered domain (as it is just a public suffix). A term for "" is treated as a navigation, because it does contain a registered domain ("")

For this purpose, PRIVATE domains are ignored, permitting navigation to domains like "", which are listed within the private section.


Chrome will reject wildcard certificates (* if is a Public Suffix.

For this purpose, PRIVATE domains are ignored, permitting certificates for domains like "*"

Safe Browsing

Chrome uses the PSL to restrict Safe Browsing exceptions to registered domains. That is, if a domain is believed to have hosted malware/phishing, and a user chooses to proceed, that exception is remembered at the level of a registered domain.

For this purpose, PRIVATE domains are ignored, although this may change in the future.

Multi-process Architecture

Chrome implements of a multi-process architecture involving a singular "browser" process and multiple "renderer" processes. It uses the PSL to identify pages that cannot script each other, helping to determine when to create a new renderer process.

It does not make a distinction between private domains and ICANN-delegated domains.

(annevk remark: This is a direct fallout from document.domain, not sure it should count as a distinct use.)


Chrome implements Shared Dictionary Compression over HTTP (SDCH) [1]. It uses the PSL to determine whether or not a given dictionary may be shared between services.

It does not make a distinction between private domains and ICANN-delegated domains.



Firefox uses the registered domain to sort entries in the Download Manager.

DOM Storage Manager and Permissions

Firefox sets quotas in the DOM Storage Manager, and sets other site-based permissions, based on registered domain.


  • In login prompts, the displayed domain name is stripped back to the registered domain.
  • It is possible to configure Firefox such that whether a Referer is sent can depend on whether the two sites are in the same registered domain.
  • Providers are distinguished from each other in the Social API via registered domain.

Internet Explorer

Integrate somehow.


CAB Forum Baseline Requirements

The CAB Forum Baseline Requirements, in section 11.1.3, require that CAs, before issuing a wildcard certificate, make sure that such a certificate is not for *.public.suffix, e.g. * (Or, that the entity actually owns the entirety of the public suffix, which could be true for suffixes in the PRIVATE area).


The DMARC draft RFC uses the PSL to determine the "organizational domain". This is where the DMARC algorithm looks for DNS records relating to DMARC. (This usage should probably exclude the PRIVATE area, but the draft does not currently say that it should.)


As noted above, the HTML Standard references the PSL for document.domain and IsSearchProviderInstalled().



Programming Languages and Libraries

  • The Go Language uses the public suffix to determine whether or not Internet users can register domain names under the given domain.
  • Guava provides an interface for Java applications to query the Public Suffix List
  • Public Suffix List API is a Java library.
  • publicsuffix is a Python library based on the PSL.
  • tldextract is another Python library.
  • libsoup contains a which appears to consume the PSL. It is apparently based on a tld-parser.c.