While researching security and how it’s done on github.io as an example, I ran into the 
Public Suffix List today. It’s actually fascinating to skim through the list itself.
It’s wild that such a low-tech approach is the solution to a security feature in browsers. Even more so when you realize that it takes some time to update the PSL in your browser. For example, chatgpt.site was added to the list on June 9th but is not yet in the list for Google Chrome (blob: 5eabc92d51226369bf800473de55787951809886) . And cookies are still set for the top-level domain in my version (148.0.7778.181):
Firefox also accepts these cookies, even though their version of the list is more recent and they should have an auto update mechanism in place.
Daniel Stenberg, creator of curl, describes the PSL as follows:
If you ask me, this is one of the ugliest parts of cookie functionality.
Daniel Stenberg, creator of curl
I am inclined to agree with that.