[dns-operations] Monday rant against the uses of the Public Suffix List
Warren Kumari
warren at kumari.net
Mon Jan 21 22:15:36 UTC 2013
On Jan 21, 2013, at 4:24 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Warren Kumari <warren at kumari.net>
>
>>> Continuing the sarcasm is too much effort, so I'll simply ask why not
>>> do DNS MX and A requests? (both because of the fall-back-to-A-if-no-MX
>
>> Please sir, if I run www.images.example.co.uk, can I set a cookie
>> at images.example.co.uk? How about example.co.uk? Fine Now .co.uk?
>
> If you are running www.images.example.co.uk, then you should know
> all there is to know about cookies at www.images.example.co.uk and any
> other domains at which you might legitimately want to set a cookie.
>
> If you are an HTTP client implementor, then I think you should implement
> "disable third party cookies" with the single obvious, fast, simple,
> and--if you like--simplistic comparison without needing to check any
> PSL lists. You should also make "disable third party cookies" on by
> default.
>
Ok, so we seem to be talking past each other / I am doing a crappy job of explaining my point…
The PSL helps prevent the use of third party cookies, by allowing you to tell what a third party is…
Given (RFC 2109):
* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
be accepted.
I'm assuming you agree that this is acceptable? http://www.foo.com should be able to set a cookie for .foo.com?
I'm also assuming that you agree that http://foo.com should NOT be able to set a cookie for .com? Lots of folk have domains in .com, it would (to me) be silly for foo.com to be able to set a cookie for .com…
Luckily 2109 protects against this:
* A Set-Cookie with Domain=.com or Domain=.com., will always be
rejected, because there is no embedded dot.
Great, all makes sense… however….
I'm assuming you agree that x.foo.co.uk should be able to set a cookie for foo.co.uk? No point in discriminating against folk simply because they didn't register in .com (or .net or .coop).
I'm assuming you also agree that http://foo.co.uk should NOT be able to set a cookie for .co.uk? Lots of folk register in .co.uk, it would (to me) be silly for foo.co.uk to be able to set a cookie for all of .co.uk…
But, .co.uk has a dot, so the "no embedded dots" rule doesn't prevent this…
What you actually want to know is where in a domain label you have the bit that is specific to a registrant / entity.
In x.y.z.com it is everything up to the .com, in john.fred.mary.co.uk it is everything up to the .co.uk, in foo.tv.bo it is everything before the .tv.bo….
How did I know the rule of where in the .bo namespace entities may register? PSL…
W
>
> Yes, I am among the many who consider third party cookies at best
> undesirable and generally willful and knowing attempts to sell or
> otherwise violate our privacy.
>
> Yes, I've occasionally encountered web pages that apparently
> legitimately use third party cookies (i.e. without obviously trying
> to violate my privacy). I cannot recall any cases where those web
> pages could not and should not have used other tactics.
>
> Yes, I know all HTTP server operators "values my privacy." However,
> the values that spammers, advertisers, governments, and other snoops
> place on my privacy differ from mine.
>
>
> Vernon Schryver vjs at rhyolite.com
>
--
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.
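The following is an added example, not part of the thread above, that turns Warren's argument into runnable code: it implements the RFC 2109 section 4.3.2 Domain= checks literally (leading dot, embedded dot, request-host domain-match, no dot in the remaining prefix) beside a check driven by a Public Suffix List lookup, and shows that the embedded-dot rule lets foo.co.uk claim .co.uk while the PSL-based check refuses it. The PSL text is a constructed excerpt in the list's own line format (`//` comments, `*.` wildcard rules, `!` exception rules), not the real list; all function names are this example's own.

```python
"""Added example: RFC 2109 "embedded dot" test vs. a Public Suffix List lookup.

Not code from the original thread. The PSL excerpt below is constructed for
the example and only mimics the real list's format and a few of its entries.
"""

# Constructed PSL excerpt (not the real list). Format follows the published
# PSL: one rule per line, "//" comments, "*." wildcards, "!" exceptions.
PSL_EXCERPT = """\
// constructed excerpt for this example
com
uk
co.uk
bo
tv.bo
ck
*.ck
!www.ck
"""


def parse_psl(text):
    """Return the list of rules, comments and blank lines stripped."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip().lower()
        if line:
            rules.append(line)
    return rules


def public_suffix(host, rules):
    """PSL algorithm: an exception rule wins; otherwise the longest matching rule.

    An exception rule's suffix is the rule minus its leftmost label; with no
    matching rule at all the public suffix is the last label of the host."""
    labels = host.lower().rstrip(".").split(".")
    best = None  # (exception?, label count, suffix)
    for rule in rules:
        exception = rule.startswith("!")
        r_labels = (rule[1:] if exception else rule).split(".")
        if len(r_labels) > len(labels):
            continue
        tail = labels[-len(r_labels):]
        if not all(rl in ("*", hl) for rl, hl in zip(r_labels, tail)):
            continue
        cand = (2, len(r_labels) - 1, ".".join(tail[1:])) if exception \
            else (1, len(r_labels), ".".join(tail))
        if best is None or cand[:2] > best[:2]:
            best = cand
    return labels[-1] if best is None else best[2]


def registrable_domain(host, rules):
    """Public suffix plus one label, or None when the host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(host, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def rfc2109_allows(request_host, domain):
    """Literal RFC 2109 section 4.3.2 rejection rules (IP-address cases omitted)."""
    request_host, domain = request_host.lower(), domain.lower()
    if not domain.startswith("."):
        return False
    if "." not in domain[1:-1]:          # "no embedded dots" -> reject .com and .com.
        return False
    if not request_host.endswith(domain):  # request-host must domain-match
        return False
    prefix = request_host[: -len(domain)]
    return bool(prefix) and "." not in prefix  # host is HD with no dot in H


def psl_allows(request_host, domain, rules):
    """Accept Domain= only if it is the registrable domain of the host or below it."""
    d = domain.lower().strip(".")
    h = request_host.lower().rstrip(".")
    if not d or not (h == d or h.endswith("." + d)):
        return False
    return public_suffix(d, rules) != d  # a public suffix is never a cookie domain


def compare(cases, rules):
    """Evaluate (request_host, Domain=) pairs under both policies."""
    return [(h, d, rfc2109_allows(h, d), psl_allows(h, d, rules)) for h, d in cases]


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    cases = [("www.foo.com", ".foo.com"), ("foo.com", ".com"),
             ("x.foo.co.uk", ".foo.co.uk"), ("foo.co.uk", ".co.uk"),
             ("foo.tv.bo", ".tv.bo")]
    for host, domain, rfc, psl in compare(cases, rules):
        print(f"{host:14} Domain={domain:12} RFC2109={rfc!s:5} PSL={psl!s:5}")
```

Running it shows the two policies agreeing on the .com cases and disagreeing on .co.uk and .tv.bo: the embedded-dot test only encodes "the registrable part ends one label above the TLD", and the PSL is what tells a client that for .co.uk or .tv.bo that boundary sits one label further down.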