Browsers use the concept of a "site" to determine the authorization and security boundary between different resources on the internet. Many technologists have a reasonable intuitive understanding of how to distinguish one site from another. However, there are details around schemes a and the concept of the "effective top level domain" that come to play.

An excellent brief is at

 E. Kitamura, “Understanding ‘same-site’ and ‘same-origin,’web.dev, 10-Jun-2020, updated 25-Jan-2023.

Schemes

Originally sites were considered the same, even if they had different schemes: eg http or https. However, confidence in the identity of the site is substantially different when secured by TLS. Adding the scheme as part of the consideration of whether a site was the same or different helps strengthen security boundaries.  The prior understanding of site is considered "schemeless same-site."

Effective top level domain (eTLD)

Kitamura explains the effective top level domain (eTLD) but it's useful to understand the fragility, construction, and management of the list of public domains, that is, the part of the fully qualified domain name (FQDN) that is controlled by a registrar. These fragments act like the literal top level domain in that the part of the FQDN to the left of the effective top level domain identifies the authoritative party. For example, .com is a classic TLD but .co.uk functions in the same way.

To understand the governance model, see this blog post and the referenced report.

M3AAWG. “The Present and Future of the Public Suffix List.Messaging, Malware and Mobile Anti-Abuse Working Group, May 23, 2023.

  • No labels