Implement the tldts package for identifying first and third-party domains.

[mohdsayed]

Description

Since we consider subdomains as first-party, it crucial to accurately determine whether a URL is a subdomain of the provided URL

Subdomains can have various formats and can be nested to multiple levels. Additionally, different domain name patterns and top-level domains (TLDs) can introduce further complexity.
While a basic regular expression pattern could capture subdomains in simple cases, it may not cover all possible scenarios. It would not account for variations such as internationalized domain names (IDNs), complex TLDs, subdomains with hyphens, or subdomains with different levels.

Example:

Internationalized Domain Names (IDNs):

URL: https://日本.example.com
Subdomain: 日本

Complex TLDs:

URL: https://example.co.uk
Subdomain: Empty (no subdomain)
Subdomains with Hyphens:

URL: https://demo.sub-domain.example.com
Subdomain: demo.sub-domain
Subdomains with Different Levels:

URL: https://sub1.sub2.example.com
Subdomain: sub1.sub2

Therefore it is important to use a library that can handle all of these cases.

Relevant Technical Choices

• Use tldts package
• Add unit tests.
• Add missing meta tag for devtools.html

Testing Instructions

Go to any website (for example https://indianexpress.com/ ) and check if the first-party and third-party classification is correct.

[mohdsayed]

@ayushnirwal

third-party-cookie-phaseout says that

"SameSite=None; Secure;" from the blocked cookies in the “Cookies” tab. These are third-party cookies.

I am thinking if we use SameSite=None; Secure; to designate a cookie as third-party in the response header, we will still have to depend on URL comparison to identify a third-party cookie in request header.

[mohdsayed]

I think developer.mozilla.org gives a good definition

If the cookie domain and scheme match the current page, the cookie is considered to be from the same site as the page, and is referred to as a first-party cookie.

If the domain and scheme are different, the cookie is not considered to be from the same site, and is referred to as a third-party cookie.

[ayushnirwal]

I am thinking if we use SameSite=None; Secure; to designate a cookie as third-party in the response header, we will still have to depend on URL comparison to identify a third-party cookie in request header.

We can just store the name of the cookie from the request headers and query the SameSite and secure attribute from chrome.cookies.get

But that would not be enough for example take the cookie '1P_JAR' for example. I have seen this cookie used on docs.google.com and edition.cnn.com. This cookie has the SameSite=None; Secure; has its attribute, but on one site its first party and on the other its third party. To actually on for a site if a cookie is 3p comparison to the site's top level domain is needed.

[ayushnirwal]

LGTM. Just needs one more test case as mentioned above.