Decide what to do about




Networking: Domain Lists
4 years ago
4 years ago


(Reporter: gerv, Unassigned)


Firefox Tracking Flags

(Not tracked)


The UK entry is, or will soon be (bug 1015214):


The question is whether the PSL needs "" on the list as well as "*".

UK schools register as - e.g. or So the correct PSL entry is * However, the UK registry points out that if someone manages to spoof a site for "", e.g. by DNS manipulation, it will not be seen as a public suffix and so cookies could be set for it, which would then be sent across the entire *.* subspace.

The reason it would not be seen as a public suffix is that it wouldn't match the "*" rule, or any other long rule. It would only match the "uk" rule, so would be treated like "", and so cookies could be set.

The scenario above relies on DNS spoofing, and it's not clear at all why someone with that power would want to attack in this way, as opposed to straightforwardly spoofing the site they cared about. But there may be other vulnerabilities than cookies caused by this. 

This "loophole" or issue is caused when we have * in the PSL but not 

We could:
a) ignore the issue; it's unlikely to be a problem in practice 
b) update the algorithm which interprets the PSL to handle this case
c) add (or, more generally, any sub-parts of a more complex part) to the PSL - we'd also need to make changes in .jp.

Further investigation in bug 1015214 suggests that our Firefox C++ code can't cope with two rules which differ only in their not-ness or wildcard-ness, because it stores them in a hash keyed on the domain name only (without ! or *). Which is a bit sucky... but perhaps others have made the same mistake.

Given that, I think we should go for option a). Anyone disagree?

Option a) it is.

Last Resolved: 4 years ago
Resolution: --- → FIXED
Resolution: FIXED → WONTFIX
You need to log in before you can comment on or make changes to this bug.