How to know when unrelated domains are actually part of the same site is a hard problem. The Public-suffix List approach works okay-ish for cookies, but no one's really happy enough with it to trust for riskier features, and it doesn't help organizations with multiple names (apple.com and icloud.com, google.com and youtube.com, facebook.com and fb.com, etc.). As that example list shows, at least two major browser vendors have a vested interest in making this work while preserving security. One conversation-starter folks are discussing is https://github.com/mikewest/first-party-sets