Add notion.site as private eTLD #1958

Merged

jesscodez (Contributor) commented Apr 8, 2024

Public Suffix List (PSL) Pull Request (PR) Template

Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.

Checklist of required steps

  • Description of Organization

  • Robust Reason for PSL Inclusion

  • DNS verification via dig

  • Run Syntax Checker (make test)

  • Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place in the respective zone(s) in the affected section (yes, until 12/08/27)

Submitter affirms the following:

  • We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
  • This request was not submitted with the objective of working around other third-party limits
  • The Guidelines were carefully read and understood, and this request conforms
  • The submission follows the guidelines on formatting and sorting

For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

  • Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.

Description of Organization

Notion is a connected workspace that provides consumer and business (SaaS) users with tools for documentation, task management, project tracking, etc. In the most typical use case, users create and edit page content, which can be private or easily shared with other users in their organization.

Notion Sites is a product that allows users to "publish" their pages to the broader web, essentially creating a website without any coding required. (Comparable products include GitHub Pages and Squarespace.) Each user can publish pages under their own unique *.notion.site domain, e.g. user A might publish delightful-strawberry-123.notion.site and user B might publish lucky-stone-567.notion.site.

I am an engineer on the Trust Engineering team at Notion, which is a subteam of Security, and have been collaborating with the Notion Sites product team to de-risk our features and prevent abuse.

Organization Website: https://www.notion.so/

Reason for PSL Inclusion

We'd like notion.site to be on the PSL in order to:

  • Restrict these apps' use of cookies to their own personal subdomain. Even though Notion itself serves the pages for each subdomain (less custom code/JavaScript), this isolation guarantees security to each of our customers (e.g. in the case of some iframe exploit).
  • Avoid domain reputation from a.notion.site affecting that of b.notion.site, given that a and b are distinct content creators. This also seems to be best practice, given that similar site hosting platforms have entries in the PSL.

Our domain ownership of notion.site was recently renewed and extends until Dec 8, 2027 (> 2 years from now).

Number of users this request is being made to serve: There are ~5 million distinct "workspaces" that have published pages with their own *.notion.site domain, and we expect this to grow.

DNS Verification via dig

> dig TXT +short _psl.notion.site
"https://github.com/publicsuffix/list/pull/1958"

Results of Syntax Checker (make test)

Yes, tests passed:

Click for full output
jyao@Jessicas-MacBook-Pro ~/list  (jyao/add-notion-site-to-etld) $ make test
cd linter;                                \
	  ./pslint_selftest.sh;                     \
	  ./pslint.py ../public_suffix_list.dat;
-n test_NFKC:
OK
-n test_allowedchars:
OK
-n test_dots:
OK
-n test_duplicate:
OK
-n test_exception:
OK
-n test_punycode:
OK
-n test_section1:
OK
-n test_section2:
OK
-n test_section3:
OK
-n test_section4:
OK
-n test_spaces:
OK
-n test_wildcard:
OK
test -d libpsl || git clone --depth=1 https://github.com/rockdaboot/libpsl;   \
	  cd libpsl;                                                                    \
	  git pull;                                                                     \
	  echo "EXTRA_DIST =" >  gtk-doc.make;                                          \
	  echo "CLEANFILES =" >> gtk-doc.make;                                          \
	  autoreconf --install --force --symlink;
Already up to date.
autopoint: using AM_GNU_GETTEXT_REQUIRE_VERSION instead of AM_GNU_GETTEXT_VERSION
glibtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
glibtoolize: linking file 'build-aux/ltmain.sh'
glibtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
glibtoolize: linking file 'm4/libtool.m4'
glibtoolize: linking file 'm4/ltoptions.m4'
glibtoolize: linking file 'm4/ltsugar.m4'
glibtoolize: linking file 'm4/ltversion.m4'
glibtoolize: linking file 'm4/lt~obsolete.m4'
configure.ac:1: warning: file `version.txt' included several times
configure.ac:4: warning: file `version.txt' included several times
aclocal.m4:765: AM_INIT_AUTOMAKE is expanded from...
configure.ac:4: the top level
configure.ac:369: warning: file `version.txt' included several times
configure.ac:10: installing 'build-aux/compile'
configure.ac:4: installing 'build-aux/missing'
fuzz/Makefile.am: installing 'build-aux/depcomp'
cd libpsl && ./configure -q -C --enable-runtime=libicu --enable-builtin=libicu --with-psl-file=/Users/jyao/list/public_suffix_list.dat --with-psl-testfile=/Users/jyao/list/tests/tests.txt && make -s clean && make -s check -j4
configure: WARNING: --enable-builtin=libicu is deprecated, use --enable-builtin (enabled by default)
config.status: creating po/POTFILES
config.status: creating po/Makefile
Making clean in po
Making clean in include
Making clean in src
rm -f ./so_locations
Making clean in tools
 rm -f psl
Making clean in fuzz
 rm -f libpsl_icu_fuzzer libpsl_icu_load_fuzzer libpsl_icu_load_dafsa_fuzzer
Making clean in tests
 rm -f test-is-public test-is-public-all test-is-cookie-domain-acceptable test-is-public-builtin test-registrable-domain
Making clean in msvc
Making check in po
Making check in include
Making check in src
  CC       libpsl_la-psl.lo
  CC       libpsl_la-lookup_string_in_fixed_set.lo
  CCLD     libpsl.la
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
Making check in tools
  CC       psl.o
  CCLD     psl
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
Making check in fuzz
  CC       main.o
  CC       libpsl_load_dafsa_fuzzer.o
  CC       libpsl_fuzzer.o
  CC       libpsl_load_fuzzer.o
  CCLD     libpsl_icu_fuzzer
  CCLD     libpsl_icu_load_fuzzer
  CCLD     libpsl_icu_load_dafsa_fuzzer
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
PASS: libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_fuzzer
PASS: libpsl_icu_load_fuzzer
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 3
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in tests
  CC       common.o
  CC       test-is-cookie-domain-acceptable.o
  CC       test-is-public.o
  CC       test-is-public-all.o
  CC       test-is-public-builtin.o
  CC       test-registrable-domain.o
  CCLD     test-is-public
  CCLD     test-is-cookie-domain-acceptable
  CCLD     test-is-public-all
  CCLD     test-is-public-builtin
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.3.0
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.3.0
libtool: warning: assuming '-no-fast-install' instead
libtool: warning: assuming '-no-fast-install' instead
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.3.0
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.3.0
libtool: warning: assuming '-no-fast-install' instead
libtool: warning: assuming '-no-fast-install' instead
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
  CCLD     test-registrable-domain
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
libtool: warning: '-no-install' is ignored for aarch64-apple-darwin23.3.0
libtool: warning: assuming '-no-fast-install' instead
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicuuc.dylib) was built for newer macOS version (14.0) than being linked (13.3)
ld: warning: dylib (/opt/homebrew/Cellar/icu4c/74.2/lib/libicudata.dylib) was built for newer macOS version (14.0) than being linked (13.3)
PASS: test-is-public-builtin
PASS: test-is-cookie-domain-acceptable
PASS: test-is-public
PASS: test-is-public-all
PASS: test-registrable-domain
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 5
# PASS:  5
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in msvc
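
How the cookie isolation requested in the rationale above follows from a PSL entry, as an added example (not part of this PR or the PSL project's own code): a simplified PSL matcher and an RFC 6265-style cookie Domain check, run against constructed rule sets before and after adding notion.site. The function names and the two rule sets are assumptions made for illustration.

```python
# Added example: simplified Public Suffix List matching and the cookie
# Domain check that depends on it. Both rule sets are constructed samples,
# not the real public_suffix_list.dat.
BEFORE = {"com", "site", "github.io"}
AFTER = BEFORE | {"notion.site"}        # the entry this PR adds

def public_suffix(host, rules):
    """Longest matching rule wins; '!' exception rules override; default is the TLD."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]                   # implicit '*' rule
    for i in range(len(labels)):
        cand = labels[i:]
        name = ".".join(cand)
        wild = ".".join(["*"] + cand[1:])
        if "!" + name in rules:          # exception: suffix is one label shorter
            return ".".join(cand[1:])
        if (name in rules or wild in rules) and len(cand) > len(best):
            best = cand
    return ".".join(best)

def registrable_domain(host, rules):
    """Public suffix plus one label, or None when host is itself a suffix."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host, rules)
    if host == suffix:
        return None
    return host[: -len(suffix) - 1].split(".")[-1] + "." + suffix

def cookie_domain_allowed(request_host, domain_attr, rules):
    """May request_host set a cookie with this Domain attribute?"""
    host = request_host.lower()
    dom = domain_attr.lower().lstrip(".")
    if dom == host:
        return True                      # treated as a host-only cookie
    if public_suffix(dom, rules) == dom:
        return False                     # Domain is a public suffix: rejected
    return host.endswith("." + dom)

def same_site(a, b, rules):
    """Two hosts are same-site when they share a registrable domain."""
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb

if __name__ == "__main__":
    a = "delightful-strawberry-123.notion.site"
    b = "lucky-stone-567.notion.site"
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, registrable_domain(a, rules),
              cookie_domain_allowed(a, "notion.site", rules),
              same_site(a, b, rules))
```

Clients apply whichever PSL snapshot they ship, so the "after" behaviour only holds once a given browser or library has picked up the new entry.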

yahesh (Contributor) commented Apr 17, 2024

The new block for Notion Labs, Inc is properly located below the existing block for Noticeable.

jesscodez marked this pull request as ready for review May 2, 2024 18:32

jesscodez (Contributor Author) commented:

FYI this is ready for review! Lmk if there's anything else needed in order to merge

simon-friedberger (Contributor) commented:

  • Expiration (Note: Must STAY >2y at all times)
    • notion.site expires 2027-12-08
  • DNS _psl entries (Note: Must STAY in place)
  • Tests pass
  • Sorting (see above)
  • Reasoning/Organization description

simon-friedberger added labels on May 3, 2024:

  • ✔️DNS _psl Validated (RFC 8553 entries were present, matching PR#)
  • ✔️Sorting Validated (https://github.com/publicsuffix/list/wiki/Guidelines#sort-your-submission-correctly-important)
  • r=simon-friedberger (marked as approved and ready to merge by @simon-friedberger)

jesscodez (Contributor Author) commented:

@simon-friedberger thanks for the review! Is there anything else I need to do to help this merge and/or does it auto-merge on a cadence?

simon-friedberger (Contributor) commented:

Nothing to do, just wait for it to get merged. :)

simon-friedberger merged commit c7b648b into publicsuffix:master May 10, 2024
1 check passed
groundcat mentioned this pull request Jun 27, 2024