The Boundary That Broke: How a Public Suffix List Bug Led to Cross-Site Cookie Confusion
- by Staff
In the complex architecture of the internet, few components are as obscure yet foundational as the public suffix list, a critical resource that governs how browsers determine cookie boundaries between websites. Maintained as a public project overseen by Mozilla and supported by contributions from internet stakeholders, the list defines domains that should not be treated as privately owned—essentially, the top-level boundaries under which sites cannot set cookies for each other. Entries like “.com”, “.co.uk”, or “.gov” are well understood. But in July 2023, a subtle but damaging bug involving ICANN’s newly delegated top-level domains caused a breakdown in cookie isolation across some websites, allowing unexpected sharing of session data, user preferences, and potentially authentication tokens between unrelated domains. What should have been airtight domain-level separation became porous, and the bug exposed just how brittle this foundational trust mechanism can be.
The problem stemmed from the inclusion—and more critically, the improper handling—of a small number of new generic top-level domains (gTLDs) that had been added under ICANN’s gTLD expansion program. Domains such as “.foo”, “.zip”, and “.mov” entered the DNS root in 2022 and 2023 with the intention of serving new naming ecosystems for creative, branded, or technical purposes. While their use was debated within the browser and security communities, their delegation proceeded. What developers did not anticipate, however, was that the absence—or misclassification—of these new gTLDs in the public suffix list would cause browsers to treat full second-level domains under them as if they were private domains. This created the condition for cookie leakage between what were, in fact, entirely unrelated sites.
To understand the bug, one must grasp how browsers use the public suffix list. If “.co.uk” is on the list, then “example.co.uk” and “other.co.uk” are treated as isolated zones. Neither can set a cookie for “.co.uk” that would be shared across both sites. But if a new TLD like “.zip” is missing from the list—or not recognized as a public suffix—then a domain like “malicious.zip” could potentially set cookies for the entire “.zip” namespace. A user visiting “docs.zip” or “downloads.zip” afterward might unknowingly carry over that cookie, enabling subtle tracking or even session hijacking in specific conditions. The bug manifested in exactly this way: browser behavior defaulted to trusting new TLDs as if they were single-site islands, rather than multi-tenant environments.
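As an added example that is not part of the article: a minimal implementation of the publicsuffix.org matching rules (plain, wildcard and exception entries) over a constructed rule list, followed by the RFC 6265 Domain-attribute check through which that list keeps "example.co.uk" and "other.co.uk" from sharing a cookie scoped to ".co.uk". The rule list, the hostnames and the function names are constructed for illustration; a browser loads the full list from publicsuffix.org.

```python
# Added example (not the article's or any browser's code): publicsuffix.org
# matching rules on a constructed list, plus the cookie Domain-attribute check.
CONSTRUCTED_PSL = """// constructed rule list in PSL syntax; browsers load the real one
com
uk
co.uk
zip
*.ck
!www.ck
"""

def parse_rules(text):
    """Rules as (labels in right-to-left order, is_exception)."""
    rules = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("//"):
            rules.append((line.lstrip("!").split(".")[::-1], line.startswith("!")))
    return rules

def _matches(rule, host):
    # Labels compare right to left; "*" matches any single label.
    return len(rule) <= len(host) and all(r in ("*", h) for r, h in zip(rule, host))

def public_suffix(host, rules):
    labels = host.lower().rstrip(".").split(".")[::-1]
    matching = [r for r in rules if _matches(r[0], labels)]
    exceptions = [r for r in matching if r[1]]
    if exceptions:   # an exception rule wins, minus its leftmost label
        n = len(exceptions[0][0]) - 1
    elif matching:   # else the matching rule with the most labels
        n = max(len(r[0]) for r in matching)
    else:            # no match: the spec's implicit "*" rule (the TLD alone)
        n = 1
    return ".".join(labels[:n][::-1])

def registrable_domain(host, rules):
    """Public suffix plus one label, or None if the host is itself a suffix."""
    labels = host.lower().split(".")
    n = len(public_suffix(host, rules).split(".")) + 1
    return ".".join(labels[-n:]) if len(labels) >= n else None

def cookie_domain_allowed(request_host, domain_attr, rules):
    """RFC 6265 s5.3: a Domain attribute must domain-match the host and must
    not be a public suffix (if it equals the host the cookie becomes host-only)."""
    host, dom = request_host.lower(), domain_attr.lower().lstrip(".")
    if host != dom and not host.endswith("." + dom):
        return False
    if dom == public_suffix(host, rules):
        return host == dom
    return True
```

The same check, run against a site's own Set-Cookie headers before deployment, is the manual cookie scoping the article describes developers falling back on.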
The issue was first publicly noticed by a security researcher who observed that navigating between two seemingly unrelated “.mov” domains resulted in shared cookies. His initial suspicion pointed to misconfigured HTTP headers or third-party JavaScript, but deeper inspection revealed that the browser’s internal cookie partitioning logic was at fault. The public suffix list, a plaintext file updated through Git-based commits, had not yet classified some of the newest TLDs as public suffixes. As a result, browsers using a stale or incomplete version of the list permitted domain-wide cookies across the entire TLD.
The implications were serious. While not a direct remote code execution vulnerability or password leak, the bug undermined the Same-Origin Policy—one of the cornerstones of web security. It allowed for subtle but dangerous cross-site tracking and behavior manipulation, particularly in environments where the same users accessed multiple domains under the same new TLD. Advertisers, analytics providers, or even attackers could use one “.zip” site to set persistent tracking cookies that would be read by other “.zip” sites visited later. If authentication tokens were mistakenly scoped too broadly, session takeover became theoretically possible.
The cross-site cookie confusion was further exacerbated by browser inconsistencies. While Chromium-based browsers such as Chrome and Edge were most affected due to their reliance on local copies of the public suffix list, Firefox and Safari had varying update cadences and patch mechanisms. Mobile browsers lagged even further behind. Developers attempting to mitigate the issue were forced to use manual cookie scoping, adding domain attributes and expiration constraints to reduce exposure. But the burden shifted unfairly onto developers, many of whom were unaware of the internal list’s existence, let alone its fragility.
ICANN itself was not directly at fault in maintaining the public suffix list—it delegates domain zones but does not operate the PSL project. However, its aggressive rollout of TLDs with ambiguous utility triggered the flaw. Critics pointed to the ill-defined boundaries between what constituted a brand, a namespace, and a potential attack surface. Should “.zip” have ever been granted TLD status, given its strong association with file formats? Should more rigid public suffix registration policies have been in place before delegation? These questions, once academic, became immediate concerns.
Mozilla responded by fast-tracking updates to the public suffix list and issuing guidance for TLD onboarding. Google patched Chrome’s behavior within a week, adding the affected TLDs to its internal list and adjusting how broadly cookies could be scoped by default. Emergency advisories went out to enterprise IT departments, content management platforms, and web security vendors. Still, the damage—primarily reputational and architectural—had already spread.
The public suffix list bug of 2023–2024 was not a breach in the traditional sense. No servers were hacked. No encryption was broken. But the misbehavior cut to the heart of how trust is negotiated between websites in a global namespace. It reminded the internet community that the infrastructure of the web is not static; it is constantly evolving, and sometimes dangerously so. The lines that define “same site” are not drawn in DNS alone—they are inferred through tools like the PSL, maintained by volunteers and silently relied upon by billions of users.
Today, the public suffix list continues to evolve with tighter controls and improved testing infrastructure. New TLDs must now pass security reviews for cookie scope risks. Browser vendors cross-check suffix updates with automated regression testing. But the incident lives on as a critical chapter in the annals of domain name failures—not because of a typo or a branding oversight, but because a deeply technical assumption failed quietly and globally. In a networked world where even the tiniest boundary matters, the smallest list can break the biggest trust.