Changes

The effective TLD public suffix list is an attempt to build a database of top-level domains and their respective registry's policies on domain registrations at different levels.

CurrentlyPreviously, browsers use used an algorithm which basically only denies denied setting wide-ranging cookies for top-level domains with no dots (e.g. com or org). However, this does did not work for top-level domains where only third-level registrations are allowed (e.g. co.uk). In these cases, websites can could set a cookie for co.uk which will be passed onto every website registered under co.uk.

Clearly, this is was a security risk as it allows allowed websites other than the one setting the cookie to read it, and therefore potentially extract sensitive information.

Maintaining an up-to-date list of all top-level domains and policies is clearly a vast task, and therefore each registry will be has been asked to maintain their own section of the database and email any changes to the effective TLD list maintenance team, who will then merge it with the master database. Registries for all top-level domains will be contacted by email (possibly via an ICANN mailing list) that will inform them of the intentions of the effective TLD list, how to participate and formats for data files. === Email to registries === Dear Sir, The Mozilla Project (http://www.mozilla.org/) is making a list of all "Public Suffixes". A Public Suffixes is a domain label or set of labels under which end users can directly register domains. Examples of Public Suffixes are ".net", ".org.uk" and ".pvt.k12.ca.us". This information is needed by web browsers in order to have secure cookie-setting policies, and for other security and user interface purposes. A more detailed rationale for this work can be found at http://publicsuffix.org/learn/. We have compiled an initial list of Public Suffixes, which includes data for each TLD. However, it is in your interest as a registry to make sure that your entry is correct and complete. Any errors may either cause your customers to not be able to set cookies when they should, or cause cookie information to be leaked between two domains without a trust relationship. Neither of these things is desirable. Therefore, we are writing to ask you to view the current list and, if it is incorrect, to submit updated data. A description of the format of the list, and details for sending updates is at http://publicsuffix.org/submit/; the list itself is http://publicsuffix.org/list/. We would also ask you, for the reasons given above, to institute a policy of sending updated data as soon as possible if your registration policies change in a way which requires a change in the Public Suffix List. Our data is made freely available under a liberal licence, and so can be used by other browser manufacturers and software authors who wish to institute similar security policies. We therefore hope that you will not have to notify any organisation other than us about such changes, thereby keeping the workload to a minimum. Thanking you in advance, The Mozilla Public Suffix List Team == Browser manufacturers == We have to decide how browser manufacturers can implement the effective TLD list in their browsers. There needs to be a licence that allows this applied to the list, and a method for manufacturers to know when the list is updated and update their browsers.