Following Apple's iOS 14, Online Merchants And Marketers Flooded Mozilla's PSL

12/04/2021

The Public Suffix List (PSL) is a catalog of certain internet domain names. Maintained by Mozilla community volunteers, it lists top-level domains (TLDs) and domains that should be treated as one, to prevent the mixing of cookies between distinct domains.

This is to set a cookie at a domain level so it could be used on all of its subdomains, even if the subdomains are not related to each other or owned by the same organization.

The initiative, maintained by Mozilla's open-source community volunteers, helps various apps and projects distinguish between a separate TLD/suffix and a subdomain.

Following Apple's privacy enhancements in iOS 14, and Facebook's suggestion that the PSL is a remedy for Apple's App Tracking Transparency (ATT) framework, online merchants and marketers are flooding the Mozilla volunteers with requests.

Soon after Facebook stated that domains in the PSL would be honored as a part of their domain verification process, online store owners rushed to the volunteers of the PSL, asking for their domains to be added to the PSL.

A snippet from the Mozilla Public Suffix List (PSL), taken on April 12, 2021. (Source: https://publicsuffix.org/list/public_suffix_list.dat)

This, however, was taken the wrong way.

With many users opting out of tracking on their Apple devices, merchants and marketers are having a hard time, as their ad serving will be limited and their campaigns are unable to collect data for personalization and analysis.

With Apple's privacy approach hurting businesses, Facebook, the social giant whose Pixel tracking feature many online merchants and marketers use, suggested that people add their domains to Mozilla's PSL for optimized ad delivery.

"This would enable businesses to verify their eTLD+1 domains if the hosting domain (eTLD) is registered in the Public Suffix List," Facebook said.

"For example, if 'myplatform.com' is a registered domain to the Public Suffix List, then an advertiser 'jasper' with the subdomain 'jasper.myplatform.com' would be able to verify 'jasper.myplatform.com'."

However, according to Mozilla, in an earlier version of the page Facebook mistakenly implied that the PSL was a potential remedy.

And this isn't what PSL is supposed to do.

How Apple's iOS 14 release may affect your ads and reporting

In an interview with BleepingComputer, a Mozilla spokesperson said that:

"The Public Suffix List was started by Mozilla many years ago to identify domains that are actually not standalone domains but suffixes like or tokyo.jp."

"Today, the maintainers are simply volunteers from the Web community. Naturally, more volunteers are always welcome!"

"But the best thing that companies can do to support this project is understand whether or not it's appropriate for them to request additions to the list."

"A surprising number of people and projects depend on this dataset, and mistakenly adding a domain to the list can quite often lead to unexpected issues down the road."

PSL exists so that cookies from different domains are not mixed up or become accessible by domains they shouldn't be accessible to.

The original purpose of the PSL is to help apps, web browsers, and services that parse it make the distinction between what qualifies as a separate TLD and what is a mere subdomain.

The PSL initiative is run by a number of volunteers, and people flooding them with requests is the last thing they may want to experience.

"We at PSL often get a first request from a new submitter, followed by getting questions, then refinements once they see a change is needed, so each request can take a cumulative amount of time," explained PSL volunteer and gTLD industry expert Jothan Frakes.
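To make the suffix-versus-subdomain distinction concrete, the following is an added example (not code from Mozilla, Facebook or the PSL project) that applies the PSL matching rules to a small constructed rule set and shows what changes when 'myplatform.com' from Facebook's example is listed. The rule set, the hostnames other than 'jasper.myplatform.com', and the function names are assumptions made for illustration.

```python
# Constructed sample rules in PSL syntax; this is not a copy of the real list.
BASE_RULES = ["com", "jp", "tokyo.jp", "*.ck", "!www.ck"]

def _matches(rule_labels, labels):
    # A rule matches when its labels equal the name's rightmost labels ("*" = any one label).
    if len(rule_labels) > len(labels):
        return False
    tail = labels[len(labels) - len(rule_labels):]
    return all(r == "*" or r == l for r, l in zip(rule_labels, tail))

def public_suffix(domain, rules):
    labels = domain.lower().rstrip(".").split(".")
    best, is_exception = ["*"], False          # implicit default rule "*"
    for rule in rules:
        rl = rule.lstrip("!").split(".")
        if not _matches(rl, labels):
            continue
        if rule.startswith("!"):               # an exception rule always prevails
            best, is_exception = rl, True
            break
        if len(rl) > len(best):                # otherwise the longest match wins
            best = rl
    n = len(best) - 1 if is_exception else len(best)
    return ".".join(labels[-n:])

def registrable_domain(domain, rules):
    """eTLD+1: the public suffix plus one more label, or None for a bare suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

def may_share_cookie(host, cookie_domain, rules):
    """Simplified browser check for a Domain= attribute meant to span subdomains.
    (RFC 6265 falls back to a host-only cookie when host equals the suffix.)"""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host != cookie_domain and not host.endswith("." + cookie_domain):
        return False
    return public_suffix(cookie_domain, rules) != cookie_domain

if __name__ == "__main__":
    listed = BASE_RULES + ["myplatform.com"]   # hypothetical PSL addition
    for name, rules in (("before", BASE_RULES), ("after", listed)):
        print(name,
              registrable_domain("jasper.myplatform.com", rules),
              may_share_cookie("shop.myplatform.com", "myplatform.com", rules))
```

After the addition each tenant subdomain becomes its own eTLD+1, and a cookie scoped to 'myplatform.com' is no longer accepted for sharing across its subdomains, which is the kind of unintended cookie breakage a mistaken listing causes.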

"The validation process takes some time as well. Someone can break their expected cookie behavior in the first request unintentionally if they don't understand what they are asking for - and there's no SLAs or other things involved, other than to ensure that a person is in fact [the] operator of a domain that they submit by checking in DNS for a specific record tied to the pull request."