Adding Akamai Shared Domains to the Public Suffix List
Akamai plans to submit a number of our shared domains to the “PRIVATE” section of the Public Suffix List (PSL) at some point on or after March 31, 2022. The PSL contains multi-party domain suffixes and is used by a wide range of client software (for example, web browsers) to implement policy decisions, such as to prevent cookies from being set on public or multi-party domains.
For example, we plan to put the domain “akamaized.net” onto the PSL. Clients with the new version of the PSL will then prevent cookies from being set directly onto the cross-customer “akamaized.net” domain, but the hostname “example.akamaized.net” would still be allowed to set cookies onto “example.akamaized.net,” subject to other client policies such as “third-party cookie” restrictions.
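The cookie behavior described above can be sketched as follows. This is an added example, not Akamai's or any browser's code: the two suffix sets are constructed stand-ins for a client's PSL before and after the change, evaluateCookie is a hypothetical helper, and only exact-match suffix rules are modelled, following the public-suffix step of RFC 6265 section 5.3.

```javascript
// Constructed suffix lists for illustration only, not the real PSL.
// Only exact-match rules are modelled (no wildcard or exception rules).
const PSL_BEFORE = new Set(["net", "com"]);
const PSL_AFTER = new Set(["net", "com", "akamaized.net"]);

// RFC 6265 domain-match: host equals the domain or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide what a PSL-aware client does with a Set-Cookie response from `host`
// carrying the given Domain attribute (null when the attribute is absent).
function evaluateCookie(host, domainAttr, psl) {
  host = host.toLowerCase();
  if (!domainAttr) {
    // No Domain attribute: the cookie is bound to the exact host.
    return { accepted: true, hostOnly: true, domain: host };
  }
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (psl.has(domain)) {
    // A public-suffix Domain is tolerated only when it equals the request
    // host, and the cookie is then downgraded to host-only.
    if (domain === host) {
      return { accepted: true, hostOnly: true, domain: host };
    }
    return { accepted: false, reason: "Domain attribute is a public suffix" };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: "Domain attribute does not match host" };
  }
  // Domain cookie: sent to `domain` and every hostname beneath it.
  return { accepted: true, hostOnly: false, domain };
}

// The same Set-Cookie attempts, evaluated by a client with the older list
// and by a client that has picked up the updated list.
function demo() {
  const attempts = [
    ["example.akamaized.net", "akamaized.net"],
    ["example.akamaized.net", "example.akamaized.net"],
    ["example.akamaized.net", null],
  ];
  return attempts.map(([host, attr]) => ({
    host,
    attr,
    before: evaluateCookie(host, attr, PSL_BEFORE),
    after: evaluateCookie(host, attr, PSL_AFTER),
  }));
}
console.log(JSON.stringify(demo(), null, 2));
```

Only the first attempt changes between the two lists, which is why the effect reaches users gradually as clients pick up the updated PSL.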
We are in the process of analyzing customer configurations to identify cases where this change may have an impact and will be reaching out to the very small number of customers who may be affected. We believe that there will be minimal negative impact from this change, which should improve the security posture of Akamai’s customers.
Given the many uses of the PSL, it is impossible to anticipate all potential ramifications. However, many other content delivery networks (CDNs) and hosting providers include their shared domains in the PRIVATE section of the PSL and have done so for years.
Changes rolling out over time
Updates to the PSL are often incorporated directly into browser and operating system releases, so the change to incorporate these new Akamai domains will typically take effect as new versions of software incorporate the updated list and as users upgrade to new versions of software.
This means that the change will roll out over the course of months and years. For example, some major browsers incorporate PSL updates every few months but then depend on users or automated updates to upgrade to new browser versions. Because third parties control the timing of these rollouts, Akamai also has no ability to halt or roll back additions if they do end up causing an impact.
Akamai’s CDN software has almost always prevented origins from passing Set-Cookie headers on these domains, but some product features and configuration options have allowed setting cookies on specific hostnames. Cookies set directly on these shared domains (rather than specific per-customer hostnames underneath them) present a security and privacy risk to other customers. Not only is setting cookies on shared Akamai domains not supported, but it is also a violation of Akamai’s acceptable use policy (AUP) from a security perspective.
Closing potential security loopholes
Some of the shared Akamai domains being added to the PSL long predate the existence of the PSL and its PRIVATE section. We are adding them now to close potential security and privacy loopholes, and to address issues that could potentially arise from the domains not being present on the PSL.
We have also seen cases where the entire shared domain is being labeled as a “Tracker” due to individual customer hostnames on the domain, so making this change will hopefully reduce the cross-customer impact due to the behavior of individual customer hostnames.
Domains being added
The set of domains that Akamai plans to add to the Public Suffix List is:
For more details and updates, see our Knowledge Base article.
While precautions have been taken in the preparation of this document, Akamai Technologies, Inc. assumes no responsibility for errors, omissions, or for damages resulting from the use of the information herein. The information herein is subject to change without notice.