Add choreoapps.dev to private section

[ayomawdb]

Public Suffix List (PSL) Submission

Checklist of required steps

• Description of Organization

• Robust Reason for PSL Inclusion

• DNS verification via dig

• Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _psl TXT record in place in the respective zone(s).

Submitter affirms the following:

• We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)

• Cloudflare
• Let's Encrypt
• MAKE SURE UPDATE THE FOLLOWING LIST WITH YOUR LIMITATIONS! REMOVE ENTRIES WHICH DO NOT APPLY AS WELL AS REMOVING THIS LINE!

• This request was not submitted with the objective of working around other third-party limits.

• The submitter acknowledges that it is their responsibility to maintain the domains within their section. This includes removing names which are no longer used, retaining the _psl DNS entry, and responding to e-mails to the supplied address. Failure to maintain entries may result in removal of individual entries or the entire section.

• The Guidelines were carefully read and understood, and this request conforms to them.
• The submission follows the guidelines on formatting and sorting.

• A role-based email address has been used and this inbox is actively monitored with a response time of no more than 30 days.

Abuse Contact:

• Abuse contact information (email or web form) is available and easily accessible.

  URL where abuse contact or abuse reporting form can be found:

https://wso2.com/security/
https://security.docs.wso2.com/en/latest/security-reporting/abuse-report/

---

For PRIVATE section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

• Yes, I understand. I could break my organization's website cookies and cause other issues, and the rollback timing is acceptable. Proceed anyways.

---

Description of Organization

Choreo is a Developer Platform designed to streamline the process of building cloud-native applications. It offers developers a platform equipped with tools and services essential for the entire application lifecycle, from design and development to deployment and governance. Choreo's primary focus is to simplify and accelerate the cloud-native application development process.

Choreo is engineered by WSO2 LLC. I am Ayoma Wijethunga, serving as an Associate Director/Architect at WSO2. I lead the Security & Compliance Team, ensuring that our products and services meet the security standards. I am submitting this request on behalf of WSO2 to ensure that Choreo is accurately represented in the public-suffix-list. Our objective with this submission is to enhance domain handling and security measures for our platform users.

Organization Website:

https://console.choreo.dev
https://wso2.com/choreo/

Reason for PSL Inclusion

Web services and applications facilitated by Choreo are hosted on a unique subdomain structure, as illustrated by URLs such as https://###.e1-us-east-azure.choreoapps.dev. This subdomain configuration poses challenges when implementing standard cookie security protection mechanisms available in today's browsers, like the SameSite attribute.

Given the intricacies of our subdomain setup, these default protections are not effective as intended. Each subdomain is hosting an independent service owned and operated by different users of Choreo. To improve our security measures and safe user experience, we propose adding *.choreoapps.dev to the public suffix list. By doing so, we aim to fully utilize the inherent security capabilities of modern browsers, thereby enhancing the safety and reliability of web applications deployed through Choreo.

We commit to maintaining a term of more than 2 years to remain listed in the PSL.

There have been no past Issues or PRs related to this submission or section.

Number of users this request is being made to serve:

Choreo has about 23,000 organizations registered on the platform, and close to 51,300 individual users registered under the 23,000 organizations. Number of end users this request would serve is much larger number, and depends on the number of consumers for each application/service hosted on Choreo platform.

DNS Verification

% dig +short TXT _psl.choreoapps.dev
"https://github.com/publicsuffix/list/pull/2680"

[simon-friedberger]

Can you please put redirects in place such that the public suffixes redirect to your company website for people to find the abuse information more easily?

[groundcat]

• Expiration (Must STAY >2y)
  • BLOCKER: choreoapps.dev expires 2026-04-16 (~1.3 years from today) Fails minimum 2-year requirement - domain must be renewed
• Organization description
  • Choreo (by WSO2) is established platform for cloud-native apps
  • Submitter is Associate Director/Architect at WSO2
  • Serves 23,000 organizations and 51,300+ users
• Reasoning/PSL Inclusion
  • Clear explanation of multi-tenant subdomain isolation needs
  • Valid security use case (SameSite cookies, cross-origin isolation)
• Email address
  • Uses role-based email: choreo-security+publicsuffixlist@wso2.com
• Abuse contact
  • Abuse reporting available at wso2.com/security
  • Per simon-friedberger: choreoapps.dev should redirect to company site for easier abuse contact discovery

[ayomawdb]

Thanks @groundcat for the update, and apologies about missing this one. I'll get the two remaining requirements sorted within next week. Thanks @simon-friedberger for your feedback!

[Hardanish-Singh]

LGTM!

[simon-friedberger]

LGTM!

Please don't positively review your own PRs. Especially when you haven't even fixed the issues we pointed out.