The Public Suffix List (by publicsuffix)

List Alternatives

Similar projects and alternatives to list

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better list alternative or higher similarity.

Suggest an alternative to list

Reviews and mentions

Posts with mentions or reviews of list. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-07-14.
  • Let's Encrypt certificate limit
    1 project | | 15 Jan 2022
  • Show HN: Beta – The first domain name provider for self-hosters
    1 project | | 6 Jan 2022
    This is really neat! There's growing number of self-hosters that I'm sure will find this useful.

    May I suggest using a separate domain for tunnels, and adding it to the [public suffix list](

    From what I can tell, subdomains are able to access the auth cookie. Having a separate domain would mitigate this.

  • URLs are not hyperlinked properly
    1 project | | 29 Dec 2021
    Sure that might work for those 2 in particular, but really he should be using something like, a Mozilla project meant to do exactly this.
  • URLs with two top-level domains don’t include the main domain name
    1 project | | 21 Nov 2021
  • Spook: Side channel attack which targets Chrome
    1 project | | 22 Sep 2021
    You might be thinking of the Public Suffix List?

    Though, that one doesn't include tumblr.

  • This link doesn’t show the actual domain name in the present just the
    1 project | | 4 Sep 2021
    This is a use case where the PSL should be applied.
  • How to set cookies between Heroku domains?
    1 project | | 6 Aug 2021
    Browsers us a thing called Public Suffix List ( to limit what domains a cookie can be assigned to in order to prevent just what you are trying to do. As it happens, is on that list, so you won’t be able to set any cookies for the shared domain, only the individual subdomains.
  • Public Suffix List
    1 project | | 16 Jul 2021
    4 projects | | 14 Jul 2021
    > Getting a domain listed is pretty hard.

    I disagree. I've made two PRs [1] to that list to add domains where we assign subdomains to mutually untrusted parties to ensure proper cookie security for these.

    Both times the turn-around times were less than a week. In my first PR I even made a small mistake, because I did not read the instructions correctly. I promptly corrected it (< 5 minutes later) and the maintainer then merged my PR like 2 minutes later.

    However I properly researched what the PSL does for us and what it does not before filing the PR. Also the domains do not hold anything other than customer data (similar to


    4 projects | | 14 Jul 2021
  • 2021.06.08 Certificate Lifetime Incident
    1 project | | 9 Jun 2021
    They're not really free: "This feature is available for customers on an App Service Plan of Basic and above (free and shared tiers are not supported)." They're GoDaddy certificates, and their price is charged back through the App Service pricing.

    Similarly, Azure Front Door also has "free" certificates, but they just integrate it into the relatively high cost of the service.

    If you want certificates for some other unrelated IaaS or PaaS service... Microsoft says no. They want their margin.

    Back to GoDaddy: their attitude is very 1990s, so they sometime use manual approval for certificates. This makes ARM Templates that normally take minutes to deploy just hang and take hours, or even fail.

    Worse, they don't use the DNS address you requested for your certificate for validation. They use the "TLD", but there is no such concept in the Domain Name System, so this is unreliable at best. Validation is 100% broken by design and cannot be made to work for many domains. For example, in Australia, App Service Certificates cannot ever be used for subdomains of,, and!

    PS: For people who are unaware, the concept of the TLD is at best a fuzzy one, and is decided by the informally maintained Public Suffix list, which is currently managed by Mozilla. It's not an RFC, it's not a standard, and isn't suitable for certificate validation. See:

    This is one of the key philosophical differences between Let's Encrypt and GoDaddy. When issuing automated, free certificates, manual labour for validation is not a viable approach and hence Let's Encrypt eliminated all such sources of informal, error-prone, manually verified sources. GoDaddy hasn't changed their validation approach in decades, because for $70/year, this kind of inefficiency is acceptable.

    To put things in perspective: GoDaddy has a support phone number. For certificates! They're literally 1KB files with two numbers and some text in them. Why do they need support!?

  • Non-technical security best-practices for open source projects
    1 project | | 5 Jun 2021
    I wonder if the right approach here is for HN to just use the public suffix list [0], and then sites like SourceHut should be added to it.


  • Site Isolation in Firefox
    2 projects | | 18 May 2021
    This provides more technical details: <>, which should be more interesting to HN than a marketing announcement.

    In particular, it seems that "site" isn't precisely defined. It seems to be based on domains, but backed by a human-curated list of "sites": <>.

    So it's different than Chrome's "every webpage gets a separate process".

  • Cookie not getting sent back for subdomain
    1 project | | 5 May 2021
    (1) I looked at the public suffix list to see if that was an issue, but is present in the list
  • W3C slaps down Google's proposal to treat multiple domains as same origin
    3 projects | | 9 Apr 2021 is definitely hosted by Shopify but it's content is a totally isolated entity. You can trust but this trust should not automatically transfer to In the same way if you have a valid account on, the browser shouldn't allow to emit a request and buy something on with your valid session on your behalf, even though they're on the base domain.

    You have also the parallel problem of how do you transfer the trust you have on to only based on the domain info you have.

    This all to say that using only domain names to resolve ownership is a hard problem, since ages browsers use a crowdsourced list [1] to get around this issue but recently it proved not to scale very well, specially after Apple's move to use this list as part of their "Limit Ad Tracking" solution.



Basic list repo stats
5 days ago

publicsuffix/list is an open source project licensed under Mozilla Public License 2.0 which is an OSI approved license.

Deliver Cleaner and Safer Code - Right in Your IDE of Choice!
SonarLint is a free and open source IDE extension that identifies and catches bugs and vulnerabilities as you code, directly in the IDE. Install from your favorite IDE marketplace today.
Find remote Go jobs at our new job board There are 5 new remote jobs listed recently.
Are you hiring? Post a new remote job listing for free.