The document currently talks about bypassing resource limits by having malicious (or just clueless) sites register themselves as a public suffix, and hence receiving a full resource allocation for each of their cheap-to-set-up subdomains. However, such sites would go into the private section of the PSL. Applying resource limits based on only the ICANN section isn't, to my eyes, obviously flawed in the same way - it fails closed as nodded to already in the document, but at least it doesn't fail open and allow resource exhaustion attacks (as, e.g., same-origin-only resource limits would).
I think that PSL-based resource limits need a bit more discussion. My suggestion is either a demonstration of how even only using the ICANN section of the PSL is vulnerable to abuse, or explicit acknowledgement in the FAQ that this is a use-case that the PSL is actually suited to and that PSL alternatives do not (currently) have an answer for.
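As an added illustration of the point above (example code, not from the original comment or the PSL project): a minimal PSL matcher that can be restricted to the ICANN section, showing which key a per-site resource budget would be grouped under in each mode. The list excerpt is constructed and abbreviated; the real PSL has many more rules.

```python
# Added example: minimal Public Suffix List matching, optionally restricted to the
# ICANN section, to show how a per-site resource budget would be keyed. The list is a constructed excerpt.
PSL_SAMPLE = """\
// ===BEGIN ICANN DOMAINS===
com
io
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""

def parse_psl(text, icann_only=False):
    """Return the set of rules, skipping the private section if icann_only."""
    rules, in_private = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("// ===BEGIN PRIVATE"):
            in_private = True
        elif line.startswith("// ===END PRIVATE"):
            in_private = False
        if not line or line.startswith("//") or (icann_only and in_private):
            continue
        rules.add(line.lower())
    return rules

def public_suffix(host, rules):
    """PSL algorithm: an exception rule wins outright; otherwise the longest match."""
    labels = host.lower().split(".")
    match_len = 1  # no rule matches -> the last label is the public suffix
    for i in range(len(labels)):
        tail = labels[i:]
        if "!" + ".".join(tail) in rules:
            return ".".join(tail[1:])
        if ".".join(tail) in rules or ".".join(["*"] + tail[1:]) in rules:
            match_len = max(match_len, len(tail))
    return ".".join(labels[-match_len:])

def budget_key(host, rules):
    """eTLD+1 a per-site budget would be keyed on; None if host is itself a public suffix."""
    labels = host.lower().split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

FULL, ICANN = parse_psl(PSL_SAMPLE), parse_psl(PSL_SAMPLE, icann_only=True)
for host in ("alice.github.io", "bob.github.io", "foo.co.uk"):
    # Full list: each *.github.io site gets its own budget; ICANN-only: they share one.
    print(host, budget_key(host, FULL), budget_key(host, ICANN))
```

With the full list the two github.io tenants get separate budgets; restricted to the ICANN section they collapse onto one shared budget for github.io, which is the fail-closed behaviour the comment describes.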