When github used to host "pages" under github.com I remember registering "blog.github.com" (and reporting obviously). If you take the social-engineering into account the list should be made long: login, support, status, help, ...
Just to say, the list could be made much longer (eg: login)
I wonder how the pull requests for the public suffix domains are being checked. Can somebody use it as an attack surface by adding the victim's domain in that list and effectively blocking their website from setting cookies?
I would suggest adding "autodiscover" to the list of disallowed hosts.
It is used by Microsoft Outlook and Exchange ActiveSync clients (e.g. in smartphones) to automatically detect the correct server settings.
Well, that would have been helpful when I announced http://www.browser-details.com on HN - it allows you to reserve a subdomain and it never even occurred to me that I'd have to restrict them (apart from the obvious regex).
So a thoughtful HNer taught me a lesson and reserved "www". Took me a second to figure out why the site didn't behave as expected...
Email addresses and domain names are case-ignoring so you should never allow usernames that differ only in case. Allowing only lower case is an easy way to do this.
So instead of converting to lowercase, store them with case preserved but do a case insensitive uniqueness check (and probably allow any case for login).
Or just force all lowercase and keep the support burden lower and save yourself a ton of trouble when dealing with foreign systems. Add a rule on incoming e-mail to convert all addresses for the local domain to lowercase to complete the package.
It probably depends on whether we're talking about making your own users, like the original link, or allowing users to interface with other systems, like entering an email address.
Yes, this seems to be the right behavior for case-insensitive things like DNS names as well. If a user inputs one, preserve the case when you store it, but do case-insensitive comparisons.
Yes, and it's a pain in the butt error to track down. I was helping a friend with an old postfix / cyrus server with some custom software and case sensitivity was the final cause of bad mail delivery. Gotta love the combo of a bad config and an old mainframe app sending in all uppercase.
The local part of an email address is not required to be case-insensitive, except for the Postmaster address. RFC 822: "The domain-dependent string is uninterpreted, except by the final sub-domain; the rest of the mail service merely transmits it as a literal string."
However, there are too many services smashing the case of the local part to either lower or upper case that case-sensitive names have become nigh impossible to use.
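Pulling the thread's advice together as an added example (not code from any commenter): a reserved-label check for user-chosen subdomains, a registry that stores names case-preserved but enforces case-insensitive uniqueness, and an email normalizer that lowercases only the domain part. The reserved list, class and function names are assumptions for illustration.

```python
import re

# Labels a user must not be allowed to claim as a subdomain; compared
# case-insensitively. Built from the names raised in this thread (assumed list).
RESERVED_LABELS = {"www", "blog", "login", "support", "status", "help", "autodiscover"}

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class NameRegistry:
    """Keeps each name as the user typed it, but treats names differing only in case as the same."""

    def __init__(self):
        self._by_key = {}  # lowercase key -> case-preserved name

    def register(self, name):
        if not LABEL_RE.match(name):
            raise ValueError(f"invalid label: {name!r}")
        key = name.lower()
        if key in RESERVED_LABELS:
            raise ValueError(f"reserved name: {name!r}")
        if key in self._by_key:
            raise ValueError(f"name already taken (case-insensitive): {name!r}")
        self._by_key[key] = name
        return name

    def try_register(self, name):
        """True on success; False (and nothing stored) when the name is rejected."""
        try:
            self.register(name)
            return True
        except ValueError:
            return False

    def lookup(self, name):
        """Case-insensitive lookup returning the stored, case-preserved form (or None)."""
        return self._by_key.get(name.lower())


def normalize_email(address):
    """Lowercase only the domain; the local part is left exactly as typed (RFC 822)."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return f"{local}@{domain.lower()}"
```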