Closed Bug 797147 Opened 7 years ago Closed 6 years ago

Update PSL for .UK

Categories: Core :: Networking: Domain Lists, defect

Status: RESOLVED FIXED
Target Milestone: mozilla19

Reporter: weppos, Assigned: weppos

Attachments: 1 file

Email received today at submission@... from registry.

> Please accept this change request for .uk related domains (see the attached unified diff).
>  
> Thank you,
> Nominet NOC Team
> Nominet UK

Patch

--- effective_tld_names.dat	2012-10-02 16:08:02.000000000 +0100
+++ effective_tld_names.dat_uk_changes_121002	2012-10-02 16:13:16.000000000 +0100
@@ -6001,18 +6001,17 @@
 // uk : http://en.wikipedia.org/wiki/.uk
 *.uk
 *.sch.uk
+*.nhs.uk
+*.police.uk
 !bl.uk
 !british-library.uk
-!icnet.uk
 !jet.uk
 !mod.uk
 !nel.uk
-!nhs.uk
 !nic.uk
 !nls.uk
 !national-library-scotland.uk
 !parliament.uk
-!police.uk
 
 // us : http://en.wikipedia.org/wiki/.us
 us
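Review bot: The added `*.nhs.uk` and `*.police.uk` lines make every label directly under nhs.uk and police.uk a public suffix, so any name of the form x.nhs.uk becomes a suffix rather than a registrable domain; please confirm this is intended. If the aim is only to stop those subdomains sharing cookies, deleting `!nhs.uk` and `!police.uk` and letting the existing `*.uk` line apply achieves that without the wildcards. The hunk also drops `!icnet.uk` with no stated reason, and it places the two new wildcard lines ahead of the `!` exceptions rather than in sorted order.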
Attached patch: Patch for .UK
Patch for the UK entry, based on the submitted patch. It includes the changes, the comment and the items are now sorted alphabetically.
Attachment #667181 - Flags: review?(gerv)
Attachment #667181 - Flags: review?(gerv) → review+
Hi Gerv,

the patch passed review but hasn't been committed yet.
Is there any issue with it?

-- Simone
https://hg.mozilla.org/mozilla-central/rev/0d4a69564d17
Assignee: nobody → weppos
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
I'm pretty sure that these 2 new rules are both incorrect!
  *.nhs.uk
  *.police.uk

*.sch.uk is correct, because the domain names all seem to consist of...
  <school>.<local_authority>.sch.uk
Examples:
  http://www.crossleyheath.calderdale.sch.uk/
  http://www.ags.bucks.sch.uk/

But a quick Google search for nhs.uk only finds domain names that don't appear to match the new *.nhs.uk rule.
Examples:
  http://www.nhs.uk/
  http://www.nhsdirect.nhs.uk/
  http://www.jobs.nhs.uk/
  http://www.fitfortravel.nhs.uk/

Likewise, a quick Google search for police.uk only finds domain names that don't appear to match the new *.police.uk rule.
Examples:
  http://www.police.uk/
  http://www.sussex.police.uk/
  http://www.warwickshire.police.uk/

I think that the *.nhs.uk and *.police.uk rules should be removed, so that the *.uk rule applies instead.
In the case of nhs.uk, I was contacted by someone from their DNS service (see <www.addressing.nhs.uk>) to make sure that they don't have "cookie leakage" across all their subdomains. They're all independent units (various hospitals and research labs etc ...), and not 1 single large domain. That happened during bug 669792 (with gov.uk), and they wanted to avoid the same problem. Sharing cookies would be a big organizational problem, and potentially a privacy problem too.

The rule is now *.nhs.uk, which is not an error. The star is pointing to the subdomain, not to a host ! All hosts inside jobs.nhs.uk can share a cookie, but there would be no cookie leakage to fitfortravel.nhs.uk for instance. Every instance can nest additional levels inside their own subdomain if they like, but for the PSL file, it's all one large subdomain. calderdale.sch.uk is an example for this.

www.nhs.uk is a bit of a problem (and the same is happening with every TLD apparently). "www" is not the name of the host, but is actually the name of the subdomain, as far as the PSL file is concerned. That would be similar to a host called www.com for instance. The problem is that cookies can not be shared to any other servers (for example image.www.nhs.uk), unless an exception is added to the PSL file.
(In reply to Jo Hermans from comment #6)
> That happened during bug 669792 (with gov.uk), and they wanted to avoid the same
> problem.

I appreciate the "cookie leakage" concern, but please note that the fix for bug 669792 only involved removing the exception rule.  It did not involve adding a *.gov.uk rule!

http://hg.mozilla.org/mozilla-central/rev/9411dffc948b

> The rule is now *.nhs.uk, which is not an error. The star is pointing to the
> subdomain, not to a host !

Disagree.  Consider Example 4 on http://publicsuffix.org/list :
 4. *.tokyo.jp
 4. Cookies may be set for foo.bar.tokyo.jp.
    Cookies may not be set for bar.tokyo.jp.

> All hosts inside jobs.nhs.uk can share a cookie,

IIUC, you are (incorrectly) implying that cookies _can_ be set for bar.tokyo.jp !

> but there would be no cookie leakage to fitfortravel.nhs.uk for instance.

Let's look at another example - co.uk.  How does the PSL prevent cookie leakage between, say, comodo.co.uk and google.co.uk?  Answer: the *.uk rule.

There is no *.co.uk rule.  If there was, it would prevent www1.google.co.uk and www2.google.co.uk from sharing cookies.

<snip>
> www.nhs.uk is a bit of a problem (and the same is happening with every TLD
> apparently). "www" is not the name of the host, but is actually the name of
> the subdomain, as far as the PSL file is concerned. That would be similar to
> a host called www.com for instance. The problem is that cookies can not be
> shared to any other servers (for example image.www.nhs.uk), unless an
> exception is added to the PSL file.

http://publicsuffix.org/list/ says:
6. The public suffix is the set of labels from the domain which directly match the labels of the prevailing rule (joined by dots).
7. The registered or registrable domain is the public suffix plus one additional label.

So, given the *.nhs.uk rule, this means that...
  www.nhs.uk is a public suffix
  jobs.nhs.uk is a public suffix
  anything.www.nhs.uk is a registrable domain
  www.jobs.nhs.uk is a registrable domain
  subdomain.anything.www.nhs.uk is a registrable domain plus 1 subdomain
  subdomain.www.jobs.nhs.uk is a registrable domain plus 1 subdomain

Surely this can't be right?
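The rule evaluation debated in the comments above, as an added example that is not part of the original bug thread or of any PSL consumer's code. It implements the matching steps published at publicsuffix.org/list. The three rule sets are constructed subsets of the .uk section (before the patch, with the patch, and with only `*.uk` applying), and the function names are illustrative.

```python
# Added illustration: PSL matching per the algorithm at publicsuffix.org/list.
# Rule sets are constructed subsets of the .uk section discussed in this bug.
BEFORE = ["*.uk", "*.sch.uk", "!nhs.uk", "!police.uk"]      # pre-patch
PATCHED = ["*.uk", "*.sch.uk", "*.nhs.uk", "*.police.uk"]   # submitted patch
REVERTED = ["*.uk", "*.sch.uk"]                             # only *.uk applies


def rule_matches(rule_labels, host_labels):
    """Compare labels right to left; '*' matches exactly one label."""
    if len(rule_labels) > len(host_labels):
        return False
    tail = host_labels[len(host_labels) - len(rule_labels):]
    return all(r in ("*", h) for r, h in zip(rule_labels, tail))


def split_host(host, rules):
    """Return (public_suffix, registrable_domain); the latter is None when
    the host itself is a public suffix and so cannot hold cookies."""
    labels = host.lower().rstrip(".").split(".")
    exceptions, normal = [], []
    for rule in rules:
        rule_labels = rule.lstrip("!").split(".")
        if rule_matches(rule_labels, labels):
            (exceptions if rule.startswith("!") else normal).append(rule_labels)
    if exceptions:                      # an exception rule always prevails,
        prevailing = max(exceptions, key=len)[1:]  # minus its leftmost label
    elif normal:                        # otherwise the longest matching rule
        prevailing = max(normal, key=len)
    else:                               # no match: implicit "*" rule
        prevailing = ["*"]
    cut = len(labels) - len(prevailing)
    suffix = ".".join(labels[cut:])
    registrable = ".".join(labels[cut - 1:]) if cut > 0 else None
    return suffix, registrable


def same_site(host_a, host_b, rules):
    """True when both hosts share a registrable domain (can share cookies)."""
    reg_a, reg_b = split_host(host_a, rules)[1], split_host(host_b, rules)[1]
    return reg_a is not None and reg_a == reg_b


if __name__ == "__main__":
    sets = (("before", BEFORE), ("patched", PATCHED), ("reverted", REVERTED))
    for name, rules in sets:
        for host in ("www.nhs.uk", "www.jobs.nhs.uk", "www.sussex.police.uk"):
            print(name, host, split_host(host, rules))
```

Under `BEFORE` every NHS host collapses to the registrable domain nhs.uk, under `PATCHED` www.nhs.uk has no registrable domain at all, and under `REVERTED` each x.nhs.uk is its own registrable domain.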
It looks like *.nhs.uk sometimes makes sense, so I can understand why it was proposed.  Examples:
  https://jobs.scot.nhs.uk/
  http://www.show.scot.nhs.uk/
  http://www.knowledge.scot.nhs.uk/
  http://www.sehd.scot.nhs.uk/
  http://www.nhsdirect.wales.nhs.uk/

However, since there are plenty of cases where *.nhs.uk doesn't make sense, surely these should be treated as exceptions to the general case *.uk rule...

-*.nhs.uk
+scot.nhs.uk
+wales.nhs.uk

?
Rob: this patch came from the .uk registry, so we have to start from the position that they know what they are doing.

However, I agree that this does seem a bit odd. Simone: can you reply to the submitter, pointing at this bug, and asking them to read it and confirm that this is, in fact, definitely what they want?

Gerv
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: FIXED → ---
(In reply to Gervase Markham [:gerv] from comment #9)
> Rob: this patch came from the .uk registry, so we have to start from the
> position that they know what they are doing.

Sure.

> However, I agree that this does seem a bit odd. Simone: can you reply to the
> submitter, pointing at this bug, and asking them to read it and confirm that
> this is, in fact, definitely what they want?

Any update?
Note that Firefox is not the only consumer of the PSL.

A rule like *.nhs.uk means that www.nhs.uk _is not a hostname_.  Chrome, for example, will therefore refuse to allow users to navigate to it by default.

It's clear from actual usage however that www.nhs.uk is a hostname that works perfectly well.  (And probably sees reasonable real-world usage.)

Therefore, IMO it's inappropriate to have a rule like *.nhs.uk, regardless of whether a registry submitted it, because it clearly conflicts with the real world.  The consequences of this for Chrome are bad enough that we would have to fork the PSL were this to stick (because non-navigable real websites are much worse than theoretical cookie leakage), which we very much do not want.

(In fact, it's actually even worse than this; nhs.uk (sans www) is itself directly navigable, and redirects to www.nhs.uk.  See also bug 743725, which covers the same problem for gov.uk.)

I think comment 8 is correct here: the best we can do is to add individual xyz.nhs.uk rules.
Simone: were you able to get back in touch with the registry? I would rather have them in this conversation than take unilateral steps, but I agree with pkasting that this is reasonably important to resolve quickly.

Gerv
Gerv, didn't have the time to check the progress of the issue yet. I'll do it today or tomorrow.

-- Simone
Jo Hermans' comments in comment #6 suggest that the correct rule for the NHS is "nhs.uk" - i.e. allow them to be covered by the "*.uk" rule and say nothing about them specifically in the PSL. This would permit www.nhs.uk to work fine and be navigable in Chrome, albeit without being able to share cookies with anyone else. But that's what they say they want.

It could be that we also want individual <something>.nhs.uk rules, e.g. wales.nhs.uk, but we can add those later at our leisure.

Same for the police, as Rob points out. 

"nhs.uk" and "gov.uk" are both directly navigable, it is true, but they aren't advertised here in the UK as far as I've seen, so I wouldn't worry about that.

I am conscious of time here because I want to do a PSL uplift before ESR 17 ships (bug 802658). So I think that unless we manage to establish communications with Nominet in the next day or two, we should change to removing all references to nhs.uk and police.uk and let them be covered by the *.uk rule (as comment 2 suggests). This is the best option in absence of a clear confirmation from Nominet that the relevant stakeholders want this odd behaviour and they have understood all the consequences.

Gerv
I'm fine with that.  I would prefer a world where "*.uk" itself got replaced with the complete list of 2LDs, but that's not really pertinent to this bug.
I'm sorry for the late response. I'm travelling and I had very busy weeks.

I sent an email to Nominet and I asked them to join the conversation.
Hopefully, they will let us know about their point of view.

-- Simone
We've not heard back, and ESR 17 is approaching. I have made the change outlined in comment 14 as a temporary measure until we can confirm what Nominet want.

https://hg.mozilla.org/integration/mozilla-inbound/rev/05b11a8d1ace

Gerv
https://hg.mozilla.org/mozilla-central/rev/05b11a8d1ace
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
Sorry, I should have said to leave this open.

weppos: any news from Nominet?

Gerv
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I resent another email to Nominet.
Nominet say:

Hi Simone,

We have discussed this internally, and we believe that the list, as it currently stands, is correct, and is doing the right thing.

We will go back to our colleagues at the nhs and the police and will raise another change if it is required.

Apologies for the delay in sorting this out.

Regards

Michael Daly

Michael A Daly
SA Team Lead
Nominet
Status: REOPENED → RESOLVED
Closed: 7 years ago → 6 years ago
Resolution: --- → FIXED