Re: [http-state] HTTP cookie processing wrt "public suffixes"

Zhong Yu <> Thu, 21 May 2015 23:30 UTC

List-Id: Discuss HTTP State Management Mechanism <>

After more thoughts on the matter, it seems not uncommon that a parent
of a public suffix is not a public suffix. Besides the domains listed
in my previous email, all "*" rules in PSL imply a public suffix with
a non-public-suffix parent. For example, rule "*.bd" means that any
"" is a public suffix, but the parent, "bd", is not a public
suffix (because the public cannot directly register child domains of

With this clarified, we'll have to fix RFC6265. Currently it allows
"" to set a cookie for domain "bd". That is incorrect; and
it is not how browsers behave. I'll see if I can find a simple
algorithm to address the problem.

Zhong Yu
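
The gap described in this message, as an added Python example that is not part of the original post or of any browser's code. It matches only explicit PSL rules (an assumption following the message's reading: the PSL's implicit default "*" rule and "!" exception rules are left out), and the host names, function names and the stricter check are constructed for illustration.

```python
# Constructed rule set: only the wildcard rule quoted in the message.
RULES = {"*.bd"}

# All names are assumed already canonicalized: lowercase, no leading dot.

def is_public_suffix(domain, rules=RULES):
    """True if an explicit rule covers every label of `domain`.
    Assumption: the implicit default "*" rule and "!" exceptions are omitted."""
    labels = domain.split(".")
    if domain in rules:
        return True
    wildcard = ".".join(["*"] + labels[1:])
    return len(labels) > 1 and wildcard in rules

def public_suffix_of(host, rules=RULES):
    """Longest suffix of `host` that is a public suffix, or None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if is_public_suffix(candidate, rules):
            return candidate
    return None

def domain_match(host, domain):
    """RFC 6265 section 5.1.3, host names only (IP addresses not handled)."""
    return host == domain or host.endswith("." + domain)

def rfc6265_allows_domain_cookie(host, domain_attr, rules=RULES):
    """Section 5.3 steps 5 and 6, reduced to: is a Domain=... cookie stored?"""
    if is_public_suffix(domain_attr, rules):
        return False  # rejected, or at best turned into a host-only cookie
    return domain_match(host, domain_attr)

def strict_allows_domain_cookie(host, domain_attr, rules=RULES):
    """Hypothetical stricter check: Domain must sit strictly below the
    public suffix of the request host, so ancestors of a suffix are refused."""
    if not domain_match(host, domain_attr):
        return False
    suffix = public_suffix_of(host, rules)
    return suffix is None or domain_attr.endswith("." + suffix)

if __name__ == "__main__":
    host = "www.shop.example.bd"  # constructed host name
    for attr in ("bd", "example.bd", "shop.example.bd"):
        print(attr, rfc6265_allows_domain_cookie(host, attr),
              strict_allows_domain_cookie(host, attr))
```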