When github used to host "pages" under github.com I remember registering "blog.github.com" (and reporting obviously). If you take the social-engineering into account the list should be made long: login, support, status, help, ...<p>Just to say, the list could be made much longer (eg: login)
Thanks, this was very informative.<p>I wonder how the pull requests for the public suffix domains are being checked. Can somebody use it as an attack surface by adding the victim's domain in that list and effectively blocking their website from setting cookies?
Faced with similar issues, I maintain a python library called python-usernames[1] with a list of close to 400 reserved words[2].<p>Publishing this as a library helps a lot with collecting the wordlist over time and being able to use the same list in all my projects.<p>[1] <a href="https://github.com/theskumar/python-usernames" rel="nofollow">https://github.com/theskumar/python-usernames</a><p>[2] <a href="https://github.com/theskumar/python-usernames/blob/master/usernames/reserved_words.py#L4" rel="nofollow">https://github.com/theskumar/python-usernames/blob/master/us...</a>
See also <a href="https://www.ietf.org/rfc/rfc2142.txt" rel="nofollow">https://www.ietf.org/rfc/rfc2142.txt</a>
I would suggest adding "autodiscover" to the list of disallowed hosts.
It is used by Microsoft Outlook and Exchange ActiveSync clients (e.g. in smartphones) to automatically detect the correct server settings.
Also, you should include the name of your service itself, especially if users can produce content.<p>Edit: for similar reasons to blog./login./support. etc. (just read other comments)
Well, that would have been helpful when I announced <a href="http://www.browser-details.com" rel="nofollow">http://www.browser-details.com</a> on HN - it allows you to reserve a subdomain and it never even occurred to me that I'd have to restrict them (apart from the obvious regex).<p>So a thoughtful HNer taught me a lesson and reserved "www". Took me a second to figure out why the site didn't behave as expected...
A popular MS Exchange cloud provider is <a href="http://webmail.domainlocalhost.com" rel="nofollow">http://webmail.domainlocalhost.com</a><p>Seriously. domainlocalhost.com.
Just compiled the list and added a few others:<p><a href="https://zimbatm.github.io/hostnames-and-usernames-to-reserve/" rel="nofollow">https://zimbatm.github.io/hostnames-and-usernames-to-reserve...</a><p>Feel free to use it for your next PaaS!
I have handled this by only allowing more-than-one-word names to be used as subdomains, and made a slug out of it, like so:<p>My Name => my-name.site.com<p>Are there any gotchas here for me?
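As an added illustration of the gotchas in the slug approach (example code written for this thread, not the commenter's site's code): the reserved-word check has to run on the canonical slug rather than the raw input, otherwise case, surrounding whitespace and Unicode compatibility characters slip past it. The reserved set below is a constructed sample built from names mentioned in this thread; a real deployment would use a full list such as the ones linked above.

```python
import re
import unicodedata

# Constructed sample of reserved labels, taken from names mentioned in this
# thread (RFC 2142 and the linked python-usernames list are far longer).
RESERVED = {
    "www", "blog", "login", "support", "status", "help",
    "autodiscover", "webmail", "mail", "api", "admin",
}


def slugify(name: str) -> str:
    """Canonicalise a display name into a candidate DNS label.

    Text is NFKC-folded and lower-cased first, so fullwidth or other
    compatibility forms (e.g. 'ｗｗｗ') collapse to plain ASCII before the
    reserved-word check; every run of non-[a-z0-9] becomes a single hyphen.
    """
    folded = unicodedata.normalize("NFKC", name).lower()
    slug = re.sub(r"[^a-z0-9]+", "-", folded)
    return slug.strip("-")


def validate_subdomain(name: str) -> tuple[bool, str]:
    """Return (ok, slug_or_reason).

    The reserved check is applied to the slug, never to the raw input, so
    'Www', ' www ' and 'ｗｗｗ' are all rejected the same way as 'www'.
    """
    slug = slugify(name)
    if not slug:
        return False, "empty after normalisation"
    if len(slug) > 63:  # RFC 1035 limit on a single DNS label
        return False, "label longer than 63 octets"
    if slug in RESERVED:
        return False, f"'{slug}' is reserved"
    # The multi-word rule from the comment above: a single-word slug is
    # refused outright, which also blocks reserved names not yet on the list.
    if "-" not in slug:
        return False, "single-word names are not allowed"
    return True, slug
```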