Public Suffix List
The Public Suffix List (PSL) is a community-maintained, cross-vendor catalog of all known public suffixes in domain names, which are the portions of a domain under which internet users can directly register names, such as .com, .co.uk, or pvt.k12.ma.us.[1][2] Initiated by Mozilla in 2007 as a resource for browser manufacturers to handle domain boundaries accurately, the PSL has evolved into a broader community effort involving domain registries and volunteers to ensure it remains current and comprehensive.[1][2] Its primary purpose is to enable software, particularly web browsers like Firefox, Chrome, Safari, Opera, and Internet Explorer, to distinguish between registrable domains and their subdomains, thereby preventing privacy vulnerabilities such as supercookies that could track users across unrelated sites.[2]
The list addresses the challenge that no universal algorithm can reliably identify public suffixes due to varying policies among top-level domain (TLD) registries, so it provides an explicit, updatable set of rules in a simple text format.[2] Maintained through submissions from TLD operators and hosted on GitHub, the PSL is updated frequently—often multiple times per month—to reflect new TLDs, policy changes, and exceptions, with software developers encouraged to integrate dynamic update mechanisms rather than static copies.[3][4][2]
Beyond cookie scoping, the PSL supports key web functionalities including domain name highlighting in address bars for better user interface clarity, intelligent sorting of browser history by site rather than individual pages, and validation in standards like DMARC for email authentication and the CA/Browser Forum guidelines for certificate issuance.[2] Libraries such as libpsl in C and regdom-libs for multiple languages facilitate its integration into diverse applications, underscoring its role as a foundational tool for secure and user-friendly internet navigation.[2] Discussions and amendments are coordinated via a public Google Group, ensuring transparency and collaboration across the ecosystem.[1]
Background
Definition and Purpose
The Public Suffix List (PSL) is a community-maintained, machine-readable catalog of rules that identifies known public suffixes—such as .com, .co.uk, and github.io—which delineate the boundaries for domain name registration managed by independent organizations like domain registries.[2] These public suffixes represent the portions of domain names that are not under the direct control of individual registrants but are instead governed by policies from top-level domain (TLD) operators or other authorities.[5] The list serves as a standardized reference to parse domain hierarchies accurately, addressing the absence of a universal algorithm for determining registrable boundaries in the Domain Name System (DNS).[5]
The primary purpose of the PSL is to enhance web security and privacy by defining the scope of user-controlled domains, thereby preventing issues like overly broad cookie scoping that could allow malicious sites to set cookies across unrelated domains.[2] For instance, it ensures that cookies set on example.co.uk cannot be scoped to the entire .co.uk suffix, limiting potential tracking or cross-site scripting risks, unlike simpler TLDs like .com where second-level domains are the registrable unit.[5] Beyond cookies, the PSL supports features such as accurate site grouping in browser address bars, URL highlighting to distinguish domain parts, and subdomain restrictions in security policies.[2]
A key distinction in the PSL framework is between public suffixes, which any entity can register under according to registry rules (e.g., registering example.com under the .com suffix), and registrable domains, which are the specific, user-controlled portions like example.com that sit atop a public suffix.[2] This separation helps applications identify the "eTLD+1" (effective top-level domain plus one level), enabling precise handling of domain ownership.[5] Initiated by Mozilla in the mid-2000s as a cross-vendor resource to standardize domain parsing in Firefox, the PSL is distributed under the Mozilla Public License version 2.0 to facilitate broad adoption.[6]
History and Development
The Public Suffix List originated in 2007 as an initiative by the Mozilla Foundation to enhance Firefox's cookie handling mechanisms and mitigate security risks associated with domain spoofing, particularly for top-level domains with multi-level registration policies.[7] This effort addressed inconsistencies in earlier heuristic-based approaches to determining registrable domain boundaries, replacing them with an explicit, maintainable list.[5] The first public version of the list was released in March 2007, marking the beginning of its evolution from a browser-specific tool to a broader community resource.[8] Key milestones in the PSL's development include its integration into other major web browsers, such as Google Chrome and Opera, by 2010, which expanded its adoption beyond Firefox for consistent domain boundary enforcement.[2] In 2011, the list was formally split into public and private sections to accommodate non-registry-controlled suffixes like blogspot.com, following the addition of the first private entry (operaunite.com) in 2009 and aligning with RFC 6265's recommendation for standardized use in cookie scoping.[9] This expansion reflected growing recognition of private operators' needs in domain management. 
By 2014, the project transitioned to daily automated updates incorporating ICANN's TLD data, improving timeliness amid the proliferation of new generic top-level domains (gTLDs).[10]
The PSL's maintenance has been volunteer-driven since its inception, hosted on GitHub at github.com/publicsuffix/list, where community contributions are coordinated through the publicsuffix-discuss Google Group.[11] Primary contributors include Mozilla volunteers, with significant collaboration from ICANN's Office of the Chief Technology Officer (OCTO) and the Security and Stability Advisory Committee (SSAC), as evidenced by outreach efforts starting in 2011 and the 2015 SSAC advisory SAC070 on suffix list usage.[5] Registries submit amendments for review, ensuring the list remains accurate without centralized control.
In recent years, the PSL faced a notable surge in submission requests in 2021, triggered by Apple's iOS 14.5 privacy updates, which prompted marketers and platforms like Facebook to seek additions for platform-specific domains to navigate new tracking restrictions.[12] This led to temporary freezes on certain approvals to maintain the list's integrity. As of November 2025, development continues without major overhauls, focusing on regular incorporations of new gTLDs and ongoing community vetting, with the list updated as recently as May 2025 to reflect evolving DNS structures.[11] In May 2025, an update addressed concerns regarding subdomain setups on platforms like Cloudflare, reinforcing the PSL's guidelines for submissions.[11]
Structure and Maintenance
Format and Rules
The Public Suffix List (PSL) is distributed as a plain-text file named public_suffix_list.dat, consisting of a series of lines each representing a single rule, with comments prefixed by // for metadata such as source URLs or section delimiters.[13][6] The file is divided into two main sections: the ICANN section, which covers official top-level domains (TLDs) managed by the Internet Corporation for Assigned Names and Numbers (ICANN), such as .com and country-code TLDs like .uk; and the private section, which includes suffixes controlled by private entities or registrars, such as *.github.io for GitHub-hosted sites.[13][6]
Rules follow a simple syntax where each line specifies a domain suffix without a leading dot, using exact matches for precise suffixes (e.g., com for the .com TLD), wildcards denoted by an asterisk (*) at the beginning to cover all subdomains of a multi-level suffix (e.g., *.ck for any subdomain under the Cook Islands TLD), and exceptions prefixed by an exclamation mark (!) to exclude specific subdomains from wildcard rules (e.g., !www.ck to treat www.ck as a registrable domain rather than part of the public suffix).[13] The list supports internationalized domain names (IDNs) by including Punycode representations (e.g., xn--11b4c3d for .कॉम) alongside Unicode labels in comments for clarity.[6] As of November 2025, the PSL contains over 10,000 rules, reflecting the growing number of TLDs and private suffixes, and it lacks built-in static validation mechanisms, necessitating dynamic updates for accuracy in applications.[6][7]
To determine the public suffix for a given domain, the parsing algorithm traverses the domain components from right to left, splitting the domain by dots (e.g., www.example.co.uk becomes ["www", "example", "co", "uk"]), and matches against the PSL to find the longest applicable rule, prioritizing exceptions over wildcards and wildcards over exact matches.[13][2] If a wildcard like *.co.uk matches, the algorithm identifies the preceding label to define the registrable domain; for an exact match like co.uk, the suffix ends there, excluding any further leftward extension.[2] This process ensures the registrable (or effective) domain is isolated, such as identifying example.co.uk as the boundary for domain-specific operations like cookie scoping.[2]
For instance, in the domain sub.example.co.uk, the algorithm matches the rule co.uk as the public suffix, resulting in example.co.uk as the registrable domain, which permits cookies set on example.co.uk to apply to sub.example.co.uk but not to unrelated sites under .uk.[2]
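The rule syntax and matching procedure described above, as an added example that is not part of the original article or of any PSL library: a minimal Python matcher run over a constructed excerpt of rules, covering exact, wildcard and exception rules, followed by a simplified cookie Domain check. The function names, the sample rules and the cookie check are assumptions made for illustration; production code should use a maintained library and the current list.

```python
# Constructed excerpt in public_suffix_list.dat syntax (not the real list).
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""

def load_rules(text):
    """Collect rules, skipping blank lines and // comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln.split()[0].lower() for ln in lines if ln and not ln.startswith("//")}

def public_suffix(host, rules):
    """An exception rule wins; otherwise the matching rule with most labels."""
    labels = host.lower().rstrip(".").split(".")
    best = 1  # nothing matched: implicit "*" rule, i.e. the last label
    for i in range(len(labels)):
        exact = ".".join(labels[i:])
        wildcard = ".".join(["*"] + labels[i + 1:])
        if "!" + exact in rules:
            return ".".join(labels[i + 1:])  # exception: drop its leftmost label
        if exact in rules or wildcard in rules:
            best = max(best, len(labels) - i)
    return ".".join(labels[-best:])

def registrable_domain(host, rules):
    """Public suffix plus one label, or None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def cookie_domain_allowed(request_host, domain_attr, rules):
    """Simplified scoping check: Domain must not be a public suffix and must
    equal or be a parent of the request host."""
    d = domain_attr.lower().lstrip(".")
    h = request_host.lower().rstrip(".")
    if registrable_domain(d, rules) is None:
        return False  # e.g. Domain=co.uk would span unrelated sites
    return h == d or h.endswith("." + d)

RULES = load_rules(SAMPLE_PSL)
```

With these rules, sub.example.co.uk resolves to the registrable domain example.co.uk, www.ck is registrable because of the exception rule, and a cookie with Domain=co.uk is refused.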