Define hosts' public suffix and registrable domain.

url.bs

@@ -272,6 +272,124 @@ for further processing.
 U+0020 SPACE, U+0023 (#), U+0025 (%), U+002F (/), U+003A (:), U+003F (?), U+0040 (@), U+005B ([),
 U+005C (\), or U+005D (]).
 
+<p>A <a for=/>host</a>'s <dfn for=host export>public suffix</dfn> is the portion of a
+<a for=/>host</a> which is included on the <cite>Public Suffix List</cite>. To obtain
+<var>host</var>'s <a for=host>public suffix</a>, run these steps: [[!PSL]]
+
+<ol>
+ <li><p>If <var>host</var> is not a <a>domain</a>, then return null.
+
+ <li><p>Return the <a for=host>public suffix</a> obtained by executing the
+ <a href="https://publicsuffix.org/list/">algorithm</a> defined by the Public Suffix List on
+ <var>host</var>. [[!PSL]].
+</ol>
+
+<p>A <a for=/>host</a>'s <dfn for=host export>registrable domain</dfn> is a <a>domain</a> formed by
+the most specific public suffix, along with the domain label immediately preceeding it, if any. To
+obtain <var>host</var>'s <a for=host>registrable domain</a>, run these steps:
+
+<ol>
+ <li><p>If <var>host</var>'s <a for=host>public suffix</a> is null or <var>host</var>'s
+ <a for=host>public suffix</a> <a for=host>equals</a> <var>host</var>, then return null.
+
+ <li><p>Return the <a for=host>registrable domain</a> obtained by executing the
+ <a href="https://publicsuffix.org/list/">algorithm</a> defined by the Public Suffix List on
+ <var>host</var>. [[!PSL]]
+</ol>
+
+<div class=example id=example-host-psl>
+ <table>
+  <tr>
+   <th>Host input
+   <th>Public suffix
+   <th>Registrable domain
+  <tr>
+   <td><code>com</code>
+   <td><code>com</code>
+   <td><i>null</i>
+  <tr>
+   <td><code>example.com</code>
+   <td><code>com</code>
+   <td><code>example.com</code>
+  <tr>
+   <td><code>www.example.com</code>
+   <td><code>com</code>
+   <td><code>example.com</code>
+  <tr>
+   <td><code>sub.www.example.com</code>
+   <td><code>com</code>
+   <td><code>example.com</code>
+  <tr>
+   <td><code>EXAMPLE.COM</code>
+   <td><code>com</code>
+   <td><code>example.com</code>
+  <tr>
+   <td><code>github.io</code>
+   <td><code>github.io</code>
+   <td><i>null</i>
+  <tr>
+   <td><code>whatwg.github.io</code>
+   <td><code>github.io</code>
+   <td><code>whatwg.github.io</code>
+  <tr>
+   <td><code>إختبار</code>
+   <td><code>xn-kgbechtv</code>
+   <td><i>null</i>
+  <tr>
+   <td><code>example.إختبار</code>
+   <td><code>xn-kgbechtv</code>
+   <td><code>example.xn-kgbechtv</code>
+  <tr>
+   <td><code>sub.example.إختبار</code>
+   <td><code>xn-kgbechtv</code>
+   <td><code>example.xn-kgbechtv</code>
+ </table>
+</div>
+
+<p>Two <a for=/>hosts</a>, <var>A</var> and <var>B</var> are said to be
+<dfn for=host export>same site</dfn> with each other if either of the following statements are true:
+
+<ul class=brief>
+ <li><p><var>A</var> <a for=host>equals</a> <var>B</var> and <var>A</var>'s
+ <a for=host>registrable domain</a> is non-null.
+
+ <li><p><var>A</var>'s <a for=host>registrable domain</a> is <var>B</var>'s
+ <a for=host>registrable domain</a> and is non-null.
+</ul>
+
+<div class=example id=example-same-site>
+ <p>Assuming that <code>suffix.example</code> is a <a for=host>public suffix</a> and that
+ <code>example.com</code> is not:
+
+ <ul>
+  <li><p><code>example.com</code>, <code>sub.example.com</code>, <code>other.example.com</code>,
+  <code>sub.sub.example.com</code>, and <code>sub.other.example.com</code> are all <a>same site</a>
+  with each other (and themselves), as their <a for=host>registrable domains</a> are
+  <code>example.com</code>.
+
+  <li><p><code>registrable.suffix.example</code>, <code>sub.registrable.suffix.example</code>,
+  <code>other.registrable.suffix.example</code>, <code>sub.sub.registrable.suffix.example</code>,
+  and <code>sub.other.registrable.suffix.example</code> are all <a>same site</a> with each other
+  (and themselves), as their <a for=host>registrable domains</a> are
+  <code>registrable.suffix.example</code>.
+
+  <li><p><code>example.com</code> and <code>registrable.suffix.example</code> are not
+  <a>same site</a> with each other, as their <a for=host>registrable domains</a> differ.
+
+  <li><p><code>suffix.example</code> is not <a>same site</a> with <code>suffix.example</code>, as
+  it is a <a for=host>public suffix</a>, and therefore has a null
+  <a for=host>registrable domain</a>.
+ </ul>
+</div>
+
+<p class=warning>Specifications should avoid depending on "<a for=host>public suffix</a>",
+"<a for=host>registrable domain</a>", and "<a>same site</a>". The public suffix list will diverge
+from client to client, and cannot be relied-upon to provide a hard security boundary. Specifications
+which ignore this advice are encouraged to carefully consider whether URLs' schemes ought to be
+incorporated into any decision made based upon whether or not two <a for=/>hosts</a> are
+<a>same site</a>. HTML's <a>same origin-domain</a> concept is a reasonable example of this
+consideration in practice.
+
 
 <h3 id=idna>IDNA</h3>