


So they achieved a 25% performance increase all from better parsing and a better algorithm for this[1] list? That's unexpected indeed. I would love to see a blog post with details on that.

[1] https://publicsuffix.org/list/public_suffix_list.dat


They changed the implementation from always iterating over this 6000 length array: https://github.com/fduraffourg/servo/blob/8bb853f64354b2cc1b... to a HashSet which is only filled once based on a text file. The domain list is also more easily updated now with a Python script.


Given that they know the list at compile time I wonder if they could do faster e.g. by using https://github.com/sfackler/rust-phf to generate a perfect hash function over the set.


Why are there actual services in that list? I see all the variations of blogspot.com for example, which is definitely not an eTLD. Are services providing subdomain registration supposed to talk to Mozilla and get themselves added to it? I don't see deviantart in there.


Services which allow their users to post custom HTML and JavaScript to their own subdomains (without filtering to exclude scripts) need to go on that list to prevent e.g. evil.blogspot.com from stealing cookies that were set on innocent.blogspot.com.


Why is that the responsibility of the browser and not the website's owner?


Nothing profound, just historical reasons.

To really show the problem, you have to do something like contrast how "blogspot.com" is a top-level site, one level below a TLD, but so is bbc.co.uk, one level below "co.uk". The naive "count one element" doesn't work, or all of "co.uk" would share cookies. And it turns out that now there just isn't much you can do other than have a huge table. Sure, we'd probably do it differently if we had it to do all over again, but, we don't.


You misunderstood. I fully understand why a count based approach cannot work. I don't understand why, should I want to create a service like blogspot, I would have to have my URL added in there.


You don't have to add it there. You can make it secure anyway. The public suffix list will mean that should your security get messed up, the browser prevents this anyway.


I don't understand either, with user generated subdomains I thought it was common practice to use a completely different domain for all trusted activity.
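
An added example, not part of the thread and not Servo's code: a HashSet-based public suffix lookup of the kind discussed above, next to the naive "last two labels" rule, showing why the table is needed to keep evil.blogspot.com and innocent.blogspot.com in separate cookie scopes. The rule excerpt is constructed, the function names are hypothetical, and the host is assumed to be an already validated ASCII hostname (no IDN handling).

```rust
use std::collections::HashSet;

// Constructed excerpt in public_suffix_list.dat syntax (not the real list).
const SAMPLE: &str = "// constructed sample\ncom\nuk\nco.uk\nblogspot.com\n*.ck\n!www.ck\n";

/// Parse the list once into a HashSet; rules are kept as written ("*." and "!" included).
pub fn parse_rules(text: &str) -> HashSet<String> {
    text.lines()
        .filter_map(|line| line.split_whitespace().next()) // rule ends at first whitespace
        .filter(|rule| !rule.starts_with("//"))            // skip comment lines
        .map(str::to_lowercase)
        .collect()
}

/// Registrable domain = public suffix plus one label; None if `host` is itself a suffix.
pub fn registrable_domain(rules: &HashSet<String>, host: &str) -> Option<String> {
    let host = host.trim_end_matches('.').to_lowercase();
    let labels: Vec<&str> = host.split('.').collect();
    let mut suffix_len = 1; // default rule "*": an unlisted last label is a suffix
    // Try candidate suffixes from longest to shortest; the first rule hit decides.
    for i in 0..labels.len() {
        let candidate = labels[i..].join(".");
        let wildcard = format!("*.{}", labels[i + 1..].join("."));
        if rules.contains(&format!("!{}", candidate)) {
            suffix_len = labels.len() - i - 1; // exception: drop its leftmost label
            break;
        } else if rules.contains(&candidate) || rules.contains(&wildcard) {
            suffix_len = labels.len() - i;
            break;
        }
    }
    if labels.len() <= suffix_len {
        return None;
    }
    Some(labels[labels.len() - suffix_len - 1..].join("."))
}

/// The naive "count one element" rule from the thread: always keep the last two labels.
pub fn naive_site(host: &str) -> String {
    let labels: Vec<&str> = host.split('.').collect();
    labels[labels.len().saturating_sub(2)..].join(".")
}

fn main() {
    let rules = parse_rules(SAMPLE);
    for host in ["innocent.blogspot.com", "evil.blogspot.com", "www.bbc.co.uk", "co.uk"] {
        println!("{}: naive={} psl={:?}", host, naive_site(host), registrable_domain(&rules, host));
    }
}
```

A cookie whose Domain attribute equals a public suffix (here `blogspot.com` or `co.uk`) is what the browser refuses; the `None` result marks exactly those hosts.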



