samesite cookies; public suffix
Hi dev team!
Quick question. I couldn't find railway.app (and up.railway.app) on the public suffix list. Maybe I'm missing something (not a security expert), but does this mean that a custom domain is necessary to enforce samesite cookies?
Best,
Kasper
Luckily the web is a little more secure than I feared, as cookies by default seem to be set for the request domain.
I am still curious why railway is not (I think) on the public suffix list. Is this intentional for some feature?
Not sure what the public suffix list is, but usually a load balancer goes in between your user and infra so all traffic goes to the same domain. So maybe you need to set up a reverse proxy using something like nginx.
The public suffix list is how browsers know at which level of a domain new domains can be registered. It's how it knows that me.com and you.com are not the same domain. If services allow people to register new domains within their domain (like me.up.railway.app and you.up.railway.app), they can register themselves on the public suffix list so that the browser sees these as different domains.
This is among other things relevant for cookies. It's not as dangerous as I feared because cookies are by default set on the most specific domain. But I think it might be possible for me to set cookies at *.up.railway.app that every (non custom) domain would receive. Not super dangerous, but could be used maliciously. Another benefit of the public suffix list is that it can be used by browsers to improve the user experience, by knowing which urls to treat as different domains.
Anyway, my problem was already 'solved', but it might be useful for railway to register their suffix. I think most hosting platforms (heroku, netlify, etc) are on there as well.
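Added example (not from the thread, and not Railway's code): a minimal model of how a browser uses Public Suffix List (PSL) rules to decide whether two hosts are the same site and whether a `Set-Cookie` `Domain=` attribute is honoured. The PSL rules are a constructed subset; `herokuapp.com` is on the real list, while the two `railway.app` entries are hypothetical and are only there to show what changes once a suffix is registered.

```python
from typing import List, Optional

# Constructed subset of PSL rules (real list: https://publicsuffix.org, one
# rule per line). The railway.app entries are hypothetical, NOT on the real list.
PSL_WITHOUT_RAILWAY = ["com", "app", "herokuapp.com"]
PSL_WITH_RAILWAY = PSL_WITHOUT_RAILWAY + ["railway.app", "up.railway.app"]


def public_suffix(host: str, rules: List[str]) -> str:
    """Longest matching rule wins; with no matching rule the last label is the
    suffix. Wildcard ("*.") and exception ("!") rules are omitted for brevity."""
    labels = host.lower().rstrip(".").split(".")
    best = 1
    for rule in rules:
        r = rule.split(".")
        if len(r) <= len(labels) and r == labels[-len(r):]:
            best = max(best, len(r))
    return ".".join(labels[-best:])


def registrable_domain(host: str, rules: List[str]) -> Optional[str]:
    """eTLD+1: the public suffix plus one label; None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def same_site(host_a: str, host_b: str, rules: List[str]) -> bool:
    """Browsers treat two hosts as the same site (what SameSite cookies key on)
    when their registrable domains are equal."""
    a, b = registrable_domain(host_a, rules), registrable_domain(host_b, rules)
    return a is not None and a == b


def cookie_domain_allowed(request_host: str, domain_attr: str, rules: List[str]) -> bool:
    """A Domain= attribute is honoured only if it domain-matches the request host
    (RFC 6265) and is not a public suffix (the PSL check browsers add). A cookie
    without Domain= is host-only, which is the safe default noted in the thread."""
    host = request_host.lower()
    domain = domain_attr.lower().lstrip(".")
    if not (host == domain or host.endswith("." + domain)):
        return False
    return domain != public_suffix(domain, rules)


if __name__ == "__main__":
    me, you = "me.up.railway.app", "you.up.railway.app"
    for name, rules in (("no PSL entry", PSL_WITHOUT_RAILWAY), ("PSL entry", PSL_WITH_RAILWAY)):
        print(name, "| same site:", same_site(me, you, rules),
              "| Domain=up.railway.app allowed:", cookie_domain_allowed(me, "up.railway.app", rules))
```

Without the entry, `me.up.railway.app` and `you.up.railway.app` share the registrable domain `railway.app`, so a cookie with `Domain=up.railway.app` is accepted and would be sent to every sibling app; with the entry, that attribute is rejected and the two hosts are no longer the same site.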
cc @gschier and @char8 so they get visibility into possible domain/networking improvements
Cheers for raising this @Kasper
You're welcome!