Mozilla volunteers have recently been flooded with online merchants and marketers’ requests for their domains to be added to what’s called a Public Suffix List (PSL).
The Public Suffix List (PSL) is an initiative of Mozilla community volunteers to maintain a list of top-level domains (TLDs), and of domains that should be treated like TLDs, to prevent the mixing of cookies between distinct domains.
Although maintained by Mozilla’s open-source community volunteers, the list is honored by various apps and projects and helps them distinguish between a separate TLD/suffix and a subdomain.
However, recent privacy enhancements brought forth by Apple have led to online marketers flooding Mozilla with requests for their domains to be added to the list after Facebook suggested this as a remedy for the newer privacy enhancements.
Apple’s iOS 14.5 hits online ads, merchants, and analytics
Recently, Apple introduced a new privacy feature in version 14.5 of iOS, iPadOS, and tvOS, which asks users to grant permissions to apps or websites that track them.
Apps and websites tracking users by collecting specific data also need to comply with Apple’s App Tracking Transparency (ATT) framework.
iOS 14.5 users prompted to grant permission to an app or website tracking them via cookies
The policies introduced by Apple’s ATT framework forbid data collection and sharing unless users explicitly opt in to tracking (cookies) on devices running iOS 14.5.
But as more and more users opt out of tracking on Apple devices, online ad networks and stores will be limited in serving ads or collecting personalization and analytics data from users, impacting businesses.
Since Facebook Pixel, Facebook’s analytics platform, was also impacted by these changes introduced by Apple, Facebook proposed some workarounds that online businesses could use.
For businesses interested in delivering ads optimized for conversion events, Facebook’s advice was for businesses to verify their domains.
But the company added that it would also respect domains included in Mozilla’s Public Suffix List (PSL).
“This would enable businesses to verify their eTLD+1 domains if the hosting domain (eTLD) is registered in the Public Suffix List.”
“For example, if ‘myplatform.com’ is a registered domain to the Public Suffix List, then an advertiser ‘jasper’ with the subdomain ‘jasper.myplatform.com’ would be able to verify ‘jasper.myplatform.com’,” explained Facebook.
However, according to Mozilla, an earlier version of the page had Facebook mistakenly imply PSL as a potential remedy.
In simple words, PSL exists so that cookies from different domains are not mixed up or become accessible by domains they shouldn’t be accessible to.
This is because there is no authoritative way on the internet of knowing what is a proper top-level domain (TLD) and what is a subdomain.
An example is the .uk and .co.uk TLD extensions: co.uk is not a (sub)domain of “.uk” but a separate TLD.
As such, cookies set for *.uk domains should not be accessible by *.co.uk domains.
And, that is the original purpose of PSL—it helps apps, web browsers, and services parsing PSL make the distinction between what qualifies as a separate TLD and what is a mere subdomain.
For example, web browsers will not accept cookies being set by a server for any domain present on the PSL, since the “domain” is now treated as a public suffix (or TLD).
A snippet from the latest copy of PSL is shown below:
A snippet from the Mozilla Public Suffix List (PSL), as of today
Mozilla’s PSL volunteers swamped with requests
Soon after Facebook stated that domains in the PSL would be honored as a part of their domain verification process, online store owners rushed to flood the maintainers of the grand old PSL with requests to have their domains added.
Multiple issue threads spun up on GitHub have PSL maintainers raising their concerns and even rejecting requests [1, 2, 3, 4].
As a result of Apple’s ATT framework, online advertisers, such as those using Facebook’s pixel-based tracking mechanism for measuring conversions, might find their cookies blocked.
This could greatly impact (reduce) the efficacy of ad targeting and performance measurement in some cases, mainly for eCommerce platforms that allow a lot of distinct subdomains for every storefront.
For example, booksforcheap.shopnow.com, familypizza.shopnow.com, midnightcookies.shopnow.com, and so on.
Benjamin Savage, a Facebook engineer, explained that Facebook could not support Private Click Measurement (PCM) at this time, taking Etsy and its merchants as an example:
“We can’t support these merchants using ‘Private Click Measurement’ right now. The way the spec is currently written, ALL ads that run on facebook.com and direct to ANY part of etsy.com would be eligible to take credit for ANY conversion fired from ANY part of etsy.com.”
“Unfortunately, this is not a particularly useful statistic for the individual merchants who sell their wares on etsy.com,” explained Savage.
The addition of etsy.com to PSL, in this example, will ensure the subdomains are treated as separate properties (origins) and allow different store owners to individually collect metrics, such as Private Click Measurement (PCM) specific to their store.
But, this was never the original purpose of the PSL.
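An added example, not code from the article or from the PSL project: a minimal Python version of the PSL matching rules (longest match, `*` wildcards, `!` exceptions) and of the browser cookie check described earlier, run on a small constructed rule set. It shows what changes when a platform domain such as the article's shopnow.com is listed: each storefront becomes its own eTLD+1, and a cookie scoped to the parent domain is no longer accepted from a subdomain.

```python
# Constructed sample rules in PSL syntax; the real list is far longer.
SAMPLE_RULES = ["com", "uk", "co.uk", "jp", "tokyo.jp", "*.ck", "!www.ck"]


def public_suffix(host, rules):
    """Return the public suffix of host using the PSL matching rules."""
    labels = host.lower().rstrip(".").split(".")
    best = ["*"]  # default when no rule matches: the last label alone
    for rule in rules:
        parts = rule.lstrip("!").split(".")
        if len(parts) > len(labels):
            continue
        tail = labels[-len(parts):]
        if all(p in ("*", label) for p, label in zip(parts, tail)):
            if rule.startswith("!"):
                # An exception rule wins outright, minus its leftmost label.
                return ".".join(tail[1:])
            if len(parts) > len(best):
                best = parts
    return ".".join(labels[-len(best):])


def registrable_domain(host, rules):
    """Return the eTLD+1 of host, or None if host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def cookie_domain_allowed(request_host, cookie_domain, rules):
    """Browser-style check of a Set-Cookie Domain= value against the PSL."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host != domain and not host.endswith("." + domain):
        return False  # Domain= must cover the host that sets the cookie
    # A public suffix is acceptable only as a host-only cookie for itself.
    return public_suffix(domain, rules) != domain or host == domain


if __name__ == "__main__":
    shop = "booksforcheap.shopnow.com"  # storefront name from the article
    for label, rules in (("before", SAMPLE_RULES),
                         ("after", SAMPLE_RULES + ["shopnow.com"])):
        print(label, registrable_domain(shop, rules),
              cookie_domain_allowed(shop, "shopnow.com", rules))
```

The second row is the side effect a platform operator has to plan for: once the parent domain is a public suffix, any session or login cookie that storefronts previously shared through `Domain=shopnow.com` stops being set.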
A Mozilla representative told BleepingComputer:
“The Public Suffix List was started by Mozilla many years ago to identify domains that are actually not standalone domains but suffixes like co.uk or tokyo.jp.”
“Today, the maintainers are simply volunteers from the Web community. Naturally, more volunteers are always welcome!”
“But the best thing that companies can do to support this project is understand whether or not it’s appropriate for them to request additions to the list.”
“A surprising number of people and projects depend on this dataset, and mistakenly adding a domain to the list can quite often lead to unexpected issues down the road,” a Mozilla spokesperson told BleepingComputer.
PSL volunteer and gTLD industry expert Jothan Frakes told BleepingComputer that PSL is a group of volunteers who are helping maintain a widely used resource, and don’t want to get swamped by a thundering herd of requests that may or may not have been appropriate to begin with:
“We at PSL often get a first request from a new submitter, followed by getting questions, then refinements once they see a change is needed, so each request can take a cumulative amount of time.”
“The validation process takes some time as well. Someone can break their expected cookie behavior in the first request unintentionally if they don’t understand what they are asking for – and there’s no SLAs or other things involved, other than to ensure that a person is in fact [the] operator of a domain that they submit by checking in DNS for a specific record tied to the pull request,” Frakes explained to BleepingComputer in an email interview.
All of this can put a considerable burden on the PSL community of volunteers.
Frakes stated that he is a big fan of what Apple is striving to achieve with these newly introduced privacy enhancements but hoped that this issue could be worked out in the near future.
BleepingComputer contacted Apple and Facebook for comment well in advance of publishing this article, but we have not heard back.