Similar projects and alternatives to list
OPS - Build and Run Open Source Unikernels. Quickly and easily build and deploy open source unikernels in tens of seconds. Deploy in any language to any cloud.
Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.
Reviews and mentions
Let's Encrypt certificate limit
1 project | reddit.com/r/selfhosted | 15 Jan 2022
Show HN: Takingnames.io Beta – The first domain name provider for self-hosters
1 project | news.ycombinator.com | 6 Jan 2022
This is really neat! There's growing number of self-hosters that I'm sure will find this useful.
May I suggest using a separate domain for tunnels, and adding it to the [public suffix list](https://github.com/publicsuffix/list)?
From what I can tell, takingnames.io subdomains are able to access the takingnames.io auth cookie. Having a separate domain would mitigate this.
URLs are not hyperlinked properly
1 project | reddit.com/r/apolloapp | 29 Dec 2021
Sure that might work for those 2 in particular, but really he should be using something like https://publicsuffix.org, a Mozilla project meant to do exactly this.
URLs with two top-level domains don’t include the main domain name
1 project | reddit.com/r/apolloapp | 21 Nov 2021
Spook: Side channel attack which targets Chrome
1 project | news.ycombinator.com | 22 Sep 2021
You might be thinking of the Public Suffix List? https://publicsuffix.org/
Though, that one doesn't include tumblr.
This link doesn’t show the actual domain name in the present just the edu.au
1 project | reddit.com/r/apolloapp | 4 Sep 2021
This is a use case where the PSL should be applied.
How to set cookies between Heroku domains?
1 project | reddit.com/r/webdev | 6 Aug 2021
Browsers us a thing called Public Suffix List (https://publicsuffix.org) to limit what domains a cookie can be assigned to in order to prevent just what you are trying to do. As it happens, herokuapp.com is on that list, so you won’t be able to set any cookies for the shared domain, only the individual subdomains.
Public Suffix List
1 project | reddit.com/r/hackernews | 16 Jul 20214 projects | news.ycombinator.com | 14 Jul 2021
> Getting a domain listed is pretty hard.
I disagree. I've made two PRs  to that list to add domains where we assign subdomains to mutually untrusted parties to ensure proper cookie security for these.
Both times the turn-around times were less than a week. In my first PR I even made a small mistake, because I did not read the instructions correctly. I promptly corrected it (< 5 minutes later) and the maintainer then merged my PR like 2 minutes later.
However I properly researched what the PSL does for us and what it does not before filing the PR. Also the domains do not hold anything other than customer data (similar to github.io).4 projects | news.ycombinator.com | 14 Jul 2021
2021.06.08 Certificate Lifetime Incident
1 project | news.ycombinator.com | 9 Jun 2021
They're not really free: "This feature is available for customers on an App Service Plan of Basic and above (free and shared tiers are not supported)." They're GoDaddy certificates, and their price is charged back through the App Service pricing.
Similarly, Azure Front Door also has "free" certificates, but they just integrate it into the relatively high cost of the service.
If you want certificates for some other unrelated IaaS or PaaS service... Microsoft says no. They want their margin.
Back to GoDaddy: their attitude is very 1990s, so they sometime use manual approval for certificates. This makes ARM Templates that normally take minutes to deploy just hang and take hours, or even fail.
Worse, they don't use the DNS address you requested for your certificate for validation. They use the "TLD", but there is no such concept in the Domain Name System, so this is unreliable at best. Validation is 100% broken by design and cannot be made to work for many domains. For example, in Australia, App Service Certificates cannot ever be used for subdomains of act.gov.au, nsw.gov.au, and nt.gov.au!
PS: For people who are unaware, the concept of the TLD is at best a fuzzy one, and is decided by the informally maintained Public Suffix list, which is currently managed by Mozilla. It's not an RFC, it's not a standard, and isn't suitable for certificate validation. See: https://publicsuffix.org/
This is one of the key philosophical differences between Let's Encrypt and GoDaddy. When issuing automated, free certificates, manual labour for validation is not a viable approach and hence Let's Encrypt eliminated all such sources of informal, error-prone, manually verified sources. GoDaddy hasn't changed their validation approach in decades, because for $70/year, this kind of inefficiency is acceptable.
To put things in perspective: GoDaddy has a support phone number. For certificates! They're literally 1KB files with two numbers and some text in them. Why do they need support!?
Non-technical security best-practices for open source projects
1 project | news.ycombinator.com | 5 Jun 2021
I wonder if the right approach here is for HN to just use the public suffix list , and then sites like SourceHut should be added to it.
Site Isolation in Firefox
2 projects | news.ycombinator.com | 18 May 2021
This provides more technical details: <https://hacks.mozilla.org/2021/05/introducing-firefox-new-si...>, which should be more interesting to HN than a marketing announcement.
In particular, it seems that "site" isn't precisely defined. It seems to be based on domains, but backed by a human-curated list of "sites": <https://github.com/publicsuffix/list>.
So it's different than Chrome's "every webpage gets a separate process".
Cookie not getting sent back for com.au subdomain
1 project | reddit.com/r/webdev | 5 May 2021
(1) I looked at the public suffix list to see if that was an issue, but com.au is present in the list
W3C slaps down Google's proposal to treat multiple domains as same origin
3 projects | news.ycombinator.com | 9 Apr 2021
mystore.shopify.com is definitely hosted by Shopify but it's content is a totally isolated entity. You can trust laptops.shopify.com but this trust should not automatically transfer to fakestore.shopify.com. In the same way if you have a valid account on laptops.shopify.com, the browser shouldn't allow fakestore.shopify.com to emit a request and buy something on laptops.shopify.com with your valid session on your behalf, even though they're on the base domain.
You have also the parallel problem of how do you transfer the trust you have on google.co.uk to youtube.co.jp only based on the domain info you have.
This all to say that using only domain names to resolve ownership is a hard problem, since ages browsers use a crowdsourced list  to get around this issue but recently it proved not to scale very well, specially after Apple's move to use this list as part of their "Limit Ad Tracking" solution.
publicsuffix/list is an open source project licensed under Mozilla Public License 2.0 which is an OSI approved license.
Are you hiring? Post a new remote job listing for free.