
You can use Firefox. Firefox actually implements a reasonable storage limit policy for this: 10MB for an entire domain (all subdomains included).


How does Firefox determine if something is a domain or a subdomain? Obviously the term subdomain is relative, so domain.com is already a subdomain of .com. But what about countries like the UK or South Africa where domains are commonly subdomains of .co.uk and .co.za?

Is there some generic way to know when a domain should be treated as a subdomain or do they basically hardcode the exceptions?

Example: do domain1.co.uk and domain2.co.uk share the same limit in Firefox? Probably not, but how does it know to treat them as separate?


I see there's a list online: http://publicsuffix.org/


There are already hardcoded lists for this that are used to limit the scope of cookies (so nobody can try to read all the cookies on *.uk).

I imagine these lists will become a real headache when the recent TLD auction is over. Is there any work being done on a more dynamic system (DNS TXT fields?)


There's a hardcoded list of TLDs in the browser's source code. They update it from time to time whenever there's a new .co.uk style TLD to add.
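To make concrete how a browser decides that domain1.co.uk and domain2.co.uk are separate "domains" while a.example.com and b.example.com are not, here is an added example (not code from the thread or from Firefox) that implements the matching rules of the publicsuffix.org list format over a constructed excerpt of that list: the longest matching rule wins, `*.` rules match one label, and `!` exception rules override a wildcard. The storage-scope helper and the sample hostnames are assumptions for illustration.

```python
# Added example: public-suffix matching and the "registrable domain" (eTLD+1)
# that a per-domain quota or cookie scope is keyed on. Not the browser's code.
from __future__ import annotations

# Constructed excerpt in the publicsuffix.org file format; the real list is far longer.
SAMPLE_PSL = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
appspot.com
blogspot.com
"""


def parse_psl(text: str) -> list[str]:
    """Return the rules from a PSL-format text, skipping blanks and // comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _rule_matches(rule: str, labels: list[str]) -> bool:
    """A rule matches when its labels equal the hostname's rightmost labels; '*' matches any one label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    for r, l in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != l:
            return False
    return True


def public_suffix(hostname: str, rules: list[str]) -> str:
    """Apply the PSL algorithm: exception beats wildcard, otherwise longest match, else the bare TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    matching = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:
        # The public suffix of an exception rule is the rule with its leftmost label removed.
        return ".".join(exceptions[0].lstrip("!").split(".")[1:])
    if not matching:
        # No rule matched: the implicit "*" rule makes the TLD alone the public suffix.
        return labels[-1]
    longest = max(matching, key=lambda r: len(r.split(".")))
    n = len(longest.split("."))
    return ".".join(labels[-n:])


def registrable_domain(hostname: str, rules: list[str]) -> str | None:
    """Public suffix plus one label; None when the hostname is itself a public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(hostname, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def same_storage_scope(host_a: str, host_b: str, rules: list[str]) -> bool:
    """Hypothetical check: would a quota keyed on the registrable domain lump these two hosts together?"""
    a = registrable_domain(host_a, rules)
    b = registrable_domain(host_b, rules)
    return a is not None and a == b


if __name__ == "__main__":
    rules = parse_psl(SAMPLE_PSL)
    for host in ("domain1.co.uk", "a.example.com", "user1.appspot.com", "www.ck", "foo.bar.ck", "co.uk"):
        print(host, "->", public_suffix(host, rules), "/", registrable_domain(host, rules))
```

With this excerpt, domain1.co.uk and domain2.co.uk get distinct registrable domains (so separate quotas), a.example.com and b.example.com collapse to example.com, and every appspot.com customer is its own scope because the private-section entry makes appspot.com itself a public suffix. The example is only as good as the list it is given, which is exactly the maintenance burden the thread is describing.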


I bet it would still work in Firefox but it would be more expensive, because you'd need to purchase a lot of top-level domains to pull it off.


You don't need to purchase any top-level domain, just a bunch of regular domains: dearleader000001.kp, dearleader000002.kp, ....

If you are, say, the North Korean government, or have a close relationship with some small island registrar, you can register any number of domains you like for peanuts.


If you're willing to spend tens of thousands of dollars, there are better ways to mess with somebody's computer.


But at $185,000 a piece, who will be doing that?


Actually, you'd only need to buy one TLD!

Or, you could buy one regular domain and then ask to be put on the public suffix list. I'm guessing that would have the same effect for less money.


Wow, being put on the public suffix list is an interesting idea. How would one go about doing that?


Interesting question. I wonder if you could get into this list (without nefarious purpose) if you provided some major hosting service? E.g.: I see k12 schools in the US are on that list; it would make sense to allow someone providing shared hosting to get on the list (to avoid users setting cross-domain cookies). E.g.: appspot.com and blogspot.* are on the list[1].

More information:

  http://publicsuffix.org/submit/ (and the rest of the site, obviously)

[1] http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/ef...


For those interested in changing the amount of storage per domain in Firefox: about:config -> dom.storage.default_quota. Also, dom.storage.enabled to change whether you use local storage at all or not. I don't know if Chrome or iexplore also give those options.

It's nice that this exploit is presented openly as a proof of concept, and includes a button to undo the damage. Many people, upon finding this, would try to use it for shadier ends.


I was wondering why it wasn't working, lol. Got stuck at 5MB for me.



