You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _psl TXT record in place in the respective zone(s).
Submitter affirms the following:
We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
NONE
This request was not submitted with the objective of working around other third-party limits.
The submitter acknowledges that it is their responsibility to maintain the domains within their section. This includes removing names which are no longer used, retaining the _psl DNS entry, and responding to e-mails to the supplied address. Failure to maintain entries may result in removal of individual entries or the entire section.
The Guidelines were carefully read and understood, and this request conforms to them.
The submission follows the guidelines on formatting and sorting.
A role-based email address has been used and this inbox is actively monitored with a response time of no more than 30 days.
Abuse Contact:
Abuse contact information (email or web form) is available and easily accessible.
URL where abuse contact or abuse reporting form can be found:
Please report directly to [email protected]
For PRIVATE section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.
To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.
PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.
Yes, I understand. I could break my organization's website cookies and cause other issues, and the rollback timing is acceptable. Proceed anyways.
Description of Organization
Bubble.io is a no-code platform for building web applications using a visual editor, workflow automation, and a built-in database. It supports API integrations, user authentication, and plugins for extended functionality. Applications are hosted and scaled on Bubble's infrastructure. It is used for developing web apps, marketplaces, business tools, etc without writing traditional code.
I am a software engineer on Bubble's platform team.
Adding bubble.io and bubbleapps.io to the Public Suffix List would ensure that subdomains like app1.bubbleapps.io and app2.bubbleapps.io are treated as separate entities, ensuring cookies separation and cross-app security risks such as session hijacking. This is crucial for Bubble.io as a multi-tenant platform, where different users create apps under the same domain.
Number of users this request is being made to serve:
Estimated 4.7 million
merlinzhao
changed the title
add bubbleapps.io and cdn.bubble.io to suffix list
add bubbleapps.io and cdn.bubble.io to public_suffix_list.dat
Feb 6, 2025
Adding bubble.io and bubbleapps.io to the Public Suffix List would ensure that subdomains like app1.bubbleapps.io and app2.bubbleapps.io are treated as separate entities, ensuring cookies separation and cross-app security risks such as session hijacking. This is crucial for Bubble.io as a multi-tenant platform, where different users create apps under the same domain.
Have you considered implementing __Host- prefixed cookies as an initial security measure for your subdomain isolation needs, while also exploring other application-level controls that could provide boundaries between apps without relying on the Public Suffix List?
Adding bubble.io and bubbleapps.io to the Public Suffix List would ensure that subdomains like app1.bubbleapps.io and app2.bubbleapps.io are treated as separate entities, ensuring cookies separation and cross-app security risks such as session hijacking. This is crucial for Bubble.io as a multi-tenant platform, where different users create apps under the same domain.
Have you considered implementing __Host- prefixed cookies as an initial security measure for your subdomain isolation needs, while also exploring other application-level controls that could provide boundaries between apps without relying on the Public Suffix List?
We are currently exploring _Host as well. The team has decided that we would also want to add our domains to PSL as an additional security measure.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
merlinzhao
changed the title
Public Suffix List (PSL) Submission
Checklist of required steps
Description of Organization
Robust Reason for PSL Inclusion
DNS verification via dig
Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the
_pslTXT record in place in the respective zone(s).Submitter affirms the following:
Abuse Contact:
Abuse contact information (email or web form) is available and easily accessible.
URL where abuse contact or abuse reporting form can be found:
Please report directly to [email protected]
For PRIVATE section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.
To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.
PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.
(Link: about propagation/expectations)
Description of Organization
Bubble.io is a no-code platform for building web applications using a visual editor, workflow automation, and a built-in database. It supports API integrations, user authentication, and plugins for extended functionality. Applications are hosted and scaled on Bubble's infrastructure. It is used for developing web apps, marketplaces, business tools, etc without writing traditional code.
I am a software engineer on Bubble's platform team.
Organization Website:
https://bubble.io/
Reason for PSL Inclusion
Adding bubble.io and bubbleapps.io to the Public Suffix List would ensure that subdomains like app1.bubbleapps.io and app2.bubbleapps.io are treated as separate entities, ensuring cookies separation and cross-app security risks such as session hijacking. This is crucial for Bubble.io as a multi-tenant platform, where different users create apps under the same domain.
Number of users this request is being made to serve:
Estimated 4.7 million
DNS Verification