Firefox PSL Override (network.psl.override_file) Not Enforcing Rules – Seeking Guidance
Jonathan Boice
Dear PSL Community,
I’m testing Firefox’s PSL override (network.psl.override_file) for local and staging environments by adding domains to effective_tld_names.dat. While Firefox recognizes the override (Services.eTLD.hasRootDomain() returns true), it does not enforce PSL restrictions on cookies or document.domain.
Issue Summary- Custom PSL file is loaded successfully
- Cookies can still be set for square.site (expected to fail)
- document.domain modifications are still allowed (expected to fail)
- No PSL enforcement logs appear in MOZ_LOG=nsEffectiveTLDService:5,PSL:5
- Does Firefox fully enforce PSL override rules, or does it only recognize them for lookups?
- Are there additional settings required for PSL enforcement?
- What is the recommended way to test and validate PSL rule enforcement before committing to a PR?
- Are there alternative ways to confirm a PSL change works correctly before submitting it?
I’d appreciate any guidance or confirmation on how Firefox handles custom PSL overrides. I want to be confident that the change is correctly applied before preparing a PR. Let me know if more details would help.
Thanks,
Jonathan
Daniel Veditz
I’m testing Firefox’s PSL override (network.psl.override_file)
While Firefox recognizes the override (Services.eTLD.hasRootDomain() returns true)
Daniel Veditz
What you really wanted to use as a test was Services.eTLD.getKnownPublicSuffixFromHost()
Ian Williams
Jonathan,
We've also encountered similar painpoints with testing PSL changes prior to submission. The general practice for the PSL is that it's incorporated at build-time, by Firefox and others.
I'm not personally able to find reference to that pref in the Firefox GitHub mirror, and the only other network.psl preference that I could find in my local Firefox installation (network.psl.onUpdate_notify) seems questionable if it's actively used or not.
How we do this: in-line with the "incorporated at build-time" mentology, we've been locally patching the $browser build process to incorporate our suggested changes to the PSL, and using that patched build to check if the PSL changes work as-expected. It's not ideal, but it gives us the most-accurate picture on how the browser will interpret the suggested changes.
We actually ended up automating a process to build PSL test environments for our internal teams. This mechanism ingests to-be-proposed PSL changes, and outputs a batteries-included virtual machine with a PSL-patched copy of a browser. This currently is designed for Firefox (their build process is simpler), but could be extended to Chrome/other browsers if needed.
This uses some paid AWS products, including CloudFormation, S3, and EC2; if there's community interest in using this, we could look at sharing this tooling more-broadly.
Regards,
--Ian
Daniel Veditz
the only other network.psl preference that I could find in my local Firefox installation (network.psl.onUpdate_notify) seems questionable if it's actively used or not.