<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Learn more about the Public Suffix List</title> <link rel="stylesheet" href="/styles.css"> <!--[if lt IE 9]><script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]--> </head> <body> <div id="page"> <header> <h1 class="site-title"> <a href="/" title="Return to the Public Suffix List homepage">Public Suffix List</a> </h1> </header> <nav> <ul> <li> <a href="/learn/">Learn More</a> </li> <li> <a href="/list/">The List</a> </li> <li> <a href="/submit/">Submit Amendments</a> </li> </ul> </nav> <section> <h2> Learn more about the Public Suffix List </h2> <p> The Public Suffix List is a cross-vendor initiative to provide an accurate list of domain name suffixes, maintained by the hard work of Mozilla volunteers and by submissions from registries, to whom we are very grateful. </p> <p> The usefulness of this can be seen if we take the example of cookies. In the past, browsers used an algorithm which only denied setting wide-ranging cookies for top-level domains with no dots (e.g. <samp>com</samp> or <samp>org</samp>). However, this did not work for top-level domains where only third-level registrations are allowed (e.g. <samp>co.uk</samp>). In these cases, websites could set a cookie for <samp>.co.uk</samp> which would be passed onto every website registered under <samp>co.uk</samp>. </p> <p> Since there was and remains no algorithmic method of finding the highest level at which a domain may be registered for a particular top-level domain (the policies differ with each registry), the only method is to create a list. This is the aim of the Public Suffix List. </p> <p> Software using the Public Suffix List will be able to determine where cookies may and may not be set, protecting the user from being tracked across sites. </p> <p> As well as this, the Public Suffix List can also be used to support features such as site grouping in browsers. By knowing where the user-controlled section of the domain name begins and ends, browsers can group cookies and history entries by site in a way that couldn't easily be done before. </p> <p> Some use the PSL to determine what is a valid domain name and what isn't. <b>This is dangerous</b>. gTLDs and ccTLDs are constantly updating, coming and going - and certainly not static. If the PSL is incorporated in a static manner, and your software does not regularly receive PSL updates, it will erroneously think that valid TLDs are not valid, or conversely treat decommissioned TLDs that should be invalid as valid. The DNS should be the proper source for this information, despite the performance benefits of some local source to pre-empt network latency. If you must use the PSL for this purpose, please do not bake static copies of the PSL into your software without update mechanisms that are frequently checking for its frequent updates and incorporating them. </p> <h3> Uses </h3> <p> These are some of the uses of the list we know about. If you are using it for something else, you are encouraged to tell us, because it helps us to assess the potential impact of changes. For that, you can use the <a href="https://groups.google.com/forum/#!forum/publicsuffix-discuss">psl-discuss</a> mailing list, where we consider issues related to the maintenance, format and semantics of the list. Note: please <em>*do not*</em> use this mailing list to <a href="/submit/">request additions</a> to the PSL's data. </p> <h4> Firefox </h4> <ul> <li> Restricting cookie setting </li> <li> Restricting the setting of the document.domain property </li> <li> Sorting in the download manager </li> <li> Sorting in the cookie manager </li> <li> Searching in history </li> <li> Domain highlighting in the URL bar </li> </ul> <p> In the future it may be used for, for example, restricting DOM Storage allowances on a per-domain basis. </p> <h4> Chromium/Google Chrome (<a href="https://chromium.googlesource.com/chromium/src/+/master/net/tools/tld_cleanup/tld_cleanup.cc">pre-processing</a>, <a href="https://chromium.googlesource.com/chromium/src/+/master/net/tools/dafsa/make_dafsa.py">DAFSA builder</a>, <a href="https://chromium.googlesource.com/chromium/src/+/master/net/base/registry_controlled_domains/registry_controlled_domain.cc">parser</a>) </h4> <ul> <li> Restricting cookie setting </li> <li> Determining whether entered text is a search or a website URL </li> <li> Determining whether wildcard subdomains are allowed in <a href="https://github.com/GoogleChrome/OriginTrials">Origin Trial</a> tokens </li> </ul> <h4> Opera </h4> <ul> <li> Restricting cookie setting </li> <li> Restricting the setting of the document.domain property </li> </ul> <h4> Internet Explorer </h4> <ul> <li>Restricting cookie setting</li> <li>Domain highlighting in the URL bar</li> <li>Zone determination </li> <li>ActiveX opt-in list security restriction</li> </ul> <h4> Other Apps </h4> <p> <a href="https://www.qt.io/">Qt</a> uses it to restrict cookie setting from version 4.7.2 onwards. </p> <p> <a href="https://github.com/crawler-commons/crawler-commons">Crawler-Commons</a> is a suite of tools for building a web crawler, and it uses the PSL. </p> <h4> Libraries </h4> <p> C, Perl and PHP: <a href="https://github.com/usrflo/registered-domain-libs/">regdom-libs</a> includes libraries for working with the Public Suffix List. </p> <p> C: <a href="https://github.com/rockdaboot/libpsl">libpsl</a>, a fast offline PSL lookup library in C </p> <p> C: <a href="http://www.github.com/stricaud/faup">Faup</a>, a command line tool with a C library and Python bindings </p> <p> C#: <a href="https://github.com/tinohager/Nager.PublicSuffix">Nager.PublicSuffix</a> </p> <p> Elixir: <a href="https://github.com/seomoz/publicsuffix-elixir">publicsuffix-elixir</a> </p> <p> Erlang: <a href="https://github.com/sinkovsky/publicsuffix_erlang">publicsuffix_erlang</a> </p> <p> Go: <a href="https://godoc.org/golang.org/x/net/publicsuffix">x/net/publicsuffix</a> </p> <p> Go: <a href="https://github.com/joeguo/tldextract">tldextract</a> </p> <p> Go: <a href="https://simonecarletti.com/code/publicsuffix-go/">publicsuffix-go</a> </p> <p> Haskell: <a href="https://github.com/wereHamster/publicsuffix-haskell">publicsuffix-haskell</a> </p> <p> Java: <a href="https://github.com/hamano/regdom4j/">regdom-libs</a> has a Java port too </p> <p> Java: <a href="https://github.com/google/guava">Guava</a> - Google's core Java libraries - has a <a href="https://google.github.io/guava/releases/snapshot/api/docs/com/google/common/net/InternetDomainName.html">PSL-using class</a> </p> <p> Java: <a href="https://github.com/whois-server-list/public-suffix-list">Java API for the Public Suffix List</a> </p> <p> JavaScript: <a href="https://github.com/gorhill/publicsuffixlist.js">publicsuffixlist.js</a> </p> <p> JavaScript: <a href="https://github.com/oncletom/tld.js">tld.js</a> </p> <p> TypeScript: <a href="https://github.com/remusao/tldts">tldts</a> </p> <p> Lua: <a href="https://github.com/daurnimator/lua-psl">lua-psl</a> </p> <p> .NET: <a href="https://github.com/louislouw/Louw.PublicSuffix">Louw.PublicSuffix</a>. </p> <p> Objective-C: <a href="https://github.com/kejinlu/KKDomain">KKDomain</a> </p> <p> Perl: <a href="https://metacpan.org/pod/Domain::PublicSuffix">Domain::PublicSuffix</a> </p> <p> PHP: <a href="https://github.com/jeremykendall/php-domain-parser">php-domain-parser</a> </p> <p> Python: <a href="https://pypi.python.org/pypi/publicsuffix2/">publicsuffix2</a> </p> <p> Python: <a href="https://pypi.python.org/pypi/publicsuffixlist">publicsuffixlist</a> </p> <p> Python: <a href="https://pypi.python.org/pypi/tldextract/">tldextract</a> </p> <p> Raku: <a href="https://raku.land/zef:jjatria/PublicSuffix">PublicSuffix</a> - a static automatically updated interface </p> <p> Ruby: <a href="https://github.com/weppos/publicsuffix-ruby">publicsuffix-ruby</a> gem </p> <p> Rust: <a href="https://github.com/rushmorem/publicsuffix">publicsuffix</a> - a super-fast dynamic implementation that can be updated at runtime </p> <p> Rust: <a href="https://github.com/addr-rs/psl">psl</a> - an even faster static implementation, compiled down to native Rust code </p> <p> Rust: <a href="https://github.com/addr-rs/addr">addr</a> - a public suffix list based domain name and email address parser </p> <p> Rust: <a href="https://github.com/addr-rs/psl-types">psl-types</a> - common types for the public suffix implementation crates </p> <p> Swift: <a href="https://github.com/Dashlane/SwiftDomainParser">Dashlane/SwiftDomainParser</a> </p> <p> There's also a list of libraries in various languages in the comments on this <a href="http://stackoverflow.com/questions/288810/get-the-subdomain-from-a-url">Stack Overflow question</a>. </p> <h4> Standards </h4> <ul> <li> <a href="http://dmarc.org/">DMARC</a> </li> <li> <a href="http://cabforum.org/">CAB Forum Baseline Requirements</a>. The Baseline Requirements ban the issuance of wildcard certs where the wildcard is the next label immediately after a registry-controlled label, and suggests using the "ICANN DOMAINS" section of the Public Suffix List for determining what's registry-controlled. </li> <li> <a href="http://www.w3.org/TR/html5/">HTML 5</a> (document.domain) </li> </ul> <h4> Other </h4> <ul> <li> Let's Encrypt uses it for <a href="https://letsencrypt.org/docs/rate-limits/">rate limiting</a> applications to their CA. If you just need an exception from their rate limits, please do not request a change to the PSL, but instead use their form, linked from <a href="https://letsencrypt.org/docs/rate-limits/">their documentation</a>. This is a faster way to achieve what you want, and the PSL is really not intended as a means to work around third party limits. </li> <li> <a href="https://cloudflare.com/">Cloudflare</a> uses the PSL in a number of ways, but most notably limits a domain to be available in only one account unless present in the PSL. Again, third party limits are not something the PSL was designed for, so addressing account splitting with Cloudflare directly is the appropriate solution. </li> <li> The <a href="https://tranco-list.eu/">Tranco</a> service that is widely used by security researchers uses the PSL as a means to aggregate domain listings sourced from Alexa, Majestic and Cisco Umbrella. </li> </ul> </section> </div> <footer> <div> <p> Copyright &#169; 2007&#8211;21 <a href="https://www.mozilla.org/">Mozilla Foundation</a>. </p> </div> </footer> </body> </html>