Add webflow.io and webflowtest.io

[wf-ankit]

Public Suffix List (PSL) Pull Request (PR) Template

Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.

Checklist of required steps

• Description of Organization

• Robust Reason for PSL Inclusion

• DNS verification via dig

• Run Syntax Checker (make test)

• Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place in the respective zone(s) in the affected section

Submitter affirms the following:

• We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)

• This request was not submitted with the objective of working around other third-party limits

• The Guidelines were carefully read and understood, and this request conforms
• The submission follows the guidelines on formatting and sorting

---

For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

• Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.

---

Description of Organization

Webflow provides software as a service for visually creating responsive website, publishing, hosting, SEO, ecommerce capabilities. It is used by 1.5+ million designers and enterprise companies across the globe.

I am a Security Engineer at Webflow and work on the application security side of things

Organization Website: https://webflow.com

Reason for PSL Inclusion

Webflow customers are able to host their sites as a subdomain under webflow.io while webflowtest.io subdomains are used for internal testing. These domains should be listed for following reasons

• Domain abuse - while we actively find and shut down spam/phishing subdomains, some spam check sites flag the entire domain
• Cookie security - site cookies can be set at the domain level exposing the cookie to other sites
• Analytics pollution - Google Analytics and FB pixel cookie integrations result in analytics cookies getting set at domain level
• Site Settings - without PSL, site settings changes in the browser apply for all customer sites at the same time

Number of users this request is being made to serve: Estimate is 2 million+ subdomains served on webflow.io and a few hundred for the test domain webflowtest.io

DNS Verification via dig

dig +short TXT _psl.webflow.io
"https://github.com/publicsuffix/list/pull/1722"

dig +short TXT _psl.webflowtest.io
"https://github.com/publicsuffix/list/pull/1722"

Results of Syntax Checker (make test)

All tests pass

[dnsguru]

Experiencing high volume of questions, generally, so please be patient as this project is volunteer resourced.

[wf-ankit]

Experiencing high volume of questions, generally, so please be patient as this project is volunteer resourced.

@dnsguru I totally understand that volunteer contributions are based on personal time and availability. If there anything pending on my side to help move forward on this? Webflow team is really looking forward to enable PSL for their domains.

[simon-friedberger]

If webflowtest.io is only used for internal testing, why should it be added to the PSL?

[wf-ankit]

If webflowtest.io is only used for internal testing, why should it be added to the PSL?

@simon-friedberger Webflow as well as our trusted partners use webflowtest.io subdomains for acceptance testing. Having an environment that closely resembles the production environment is the goal, so that we are able to simulate the same cookie behavior that is seen with the addition of PSL, on both prod and acceptance. This will help us reduce production issues while they can be caught in acceptance.

[simon-friedberger]

• Expiration (Note: Must STAY >2y at all times)
  • webflow.io expires 2028-05-08
  • webflowtest.io expires 2028-04-03
• DNS _psl entries
• Tests pass
• Sorting
• Reasoning/Organization description

[simon-friedberger]

Please provide an e-mail address which isn't tied to a particular employee.

[wf-ankit]

@simon-friedberger sorry for the delay. We can use [email protected]. Let me know if this email change needs to be reflected in the PR. I see that you already approved the PR.

[simon-friedberger]

Yes, please update!

[wf-ankit]

Done!

[dnsguru]

Simon has approved. I am running tests, and will merge if they pass.