[simonw]

Services which allow their users to post custom HTML and JavaScript to their own subdomains (without filtering to exclude scripts) need to go on that list to prevent eg evil.blogspot.com from stealing cookies that were set on innocent.blogspot.com

[scrollaway]

Why is that the responsibility of the browser and not the website's owner?

[jerf]

Nothing profound, just historical reasons.

To really show the problem, you have to do something like contrast how "blogspot.com" is a top-level site, one level below a TLD, but so is bbc.co.uk, one level below what "co.uk". The naive "count one element" doesn't work, or all of "co.uk" would share cookies. And it turns out that now there just isn't much you can do other than have a huge table. Sure, we'd probably do it differently if we had it to do all over again, but, we don't.

[scrollaway]

You misunderstood. I fully understand why a count based approach cannot work. I don't understand why, should I want to create a service like blogspot, I would have to have my URL added in there.

[Manishearth]

You don't have to add it there. You can make it secure anyway. Public suffix list will mean that should your security get messed up, the browser prevents this anyway.

[spiderfarmer]

I don't understand either, with user generated subdomains I thought it was common practice to use a completely different domain for all trusted activity.