Skip to content

Add canva-code.cn to the Public Suffix List#2980

Draft
richard-canva wants to merge 1 commit into
publicsuffix:mainfrom
richard-canva:add-canva-code-cn
Draft

Add canva-code.cn to the Public Suffix List#2980
richard-canva wants to merge 1 commit into
publicsuffix:mainfrom
richard-canva:add-canva-code-cn

Conversation

@richard-canva

@richard-canva richard-canva commented Jun 22, 2026

Copy link
Copy Markdown

Public Suffix List (PSL) Submission

Checklist of required steps

  • Description of Organization
  • Robust Reason for PSL Inclusion
  • DNS verification via dig
  • Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registr
    ation, and we shall keep the _psl TXT record in place in the respective zone(s).

Submitter affirms the following:

  • We are listing any third-party limits that we seek to work around in our rationale. (We are not workin
    g around any third-party limits — see rationale.)
  • This request was not submitted with the objective of working around other third-party limits.
  • The submitter acknowledges that it is their responsibility to maintain the domains within their section.This includes removing names which are no longer used, retaining the _psl DNS entry, and responding to e-mails to the supplied address.
  • The Guidelines were carefully read and understood, and this request conforms to them.
  • The submission follows the Guidelines on formatting and sorting.
  • A role-based email address has been used and this inbox is actively monitored with a response time of no more than 30 days.

Abuse Contact:

  • Abuse contact information (email or web form) is available and easily accessible.

    URL where abuse contact or abuse reporting form can be found: https://www.canva.com/en_au/help/report-content/
    Email: abuse@canva.com (monitored)

    Abuse reporting is reachable directly from the subdomains in question, not only from the Canva homepage:

    • Every published Canva Code artefact served on *.canva-code.cn carries a footer (injected by our hosting platform) linking to the report form above.
    • canva-code.cn serves a /.well-known/security.txt pointing to our abuse/security contact.

Role email: publicsuffixlist@canva.com

  • Yes, I understand. I could break my organization's website cookies and cause other issues, and the rollback timing is acceptable. Proceed anyway.

Description of Organization

Canva is an online graphic design platform supporting presentations, graphics, videos and similar features, used by ~260 million monthly active people.

Canva Code is a production platform-as-a-service offering within Canva that hosts LLM-generated and user-created Canva Code (HTML/JS/CSS bundled into a single file, embeddable via iframe in Canva designs and websites). It is already live globally on canvacode.com and canva-hosted-embed.com, which were added to the PSL in #2617. This PR extends that same production product to Canva's users in China, where it is served from canva-code.cn.

I am a backend engineer at Canva working on the Canva Code China launch, and I am submitting this on behalf of Canva.

Organization Website:

Previous Addition PRs: #2617, #2898, #2605, #1739, #1627

Reason for PSL Inclusion

Canva Code provisions each user-created application on its own subdomain so that artefacts are isolated from one another and cookies cannot be set on the parent registrable domain. Each published artefact is served from its own subdomain, for example artefact-a.canva-code.cn. Adding canva-code.cn to the PRIVATE section makes each <id>.canva-code.cn a registrable domain, which keeps one artefact from reading or setting cookies for another and prevents a single bad-actor artefact from affecting the reputation of the parent domain.

This is the same isolation model already accepted for our global Canva Code domains canvacode.com and canva-hosted-embed.com (#2617). canva-code.cn is the China counterpart of that production offering. It is a separate registrable domain (rather than a subdomain of an existing Canva zone) for two reasons: serving user-generated content to users in China requires a China-registered domain with its own ICP filing, so it cannot be served from the global .com domains; and we deliberately keep user-generated Canva Code off Canva's primary canva.cn domain to isolate its reputation from the apex brand.

We are not using the PSL to work around any third-party limits.

The domain in this section holds well over two years of registration and we will keep the _psl TXT record in place for as long as the entry remains listed.

Number of THOUSANDS of distinct users this request is being made to serve:

DNS Verification

$ dig +short TXT _psl.canva-code.cn
"https://github.com/publicsuffix/list/pull/2980"

$ dig +short TXT _psl.canva.cn
"https://github.com/publicsuffix/list/pull/2980"
"https://github.com/publicsuffix/list/pull/1627"
"https://github.com/publicsuffix/list/pull/1739"
"https://github.com/publicsuffix/list/pull/2617"
"https://github.com/publicsuffix/list/pull/2477"
"https://github.com/publicsuffix/list/pull/2605"
"https://github.com/publicsuffix/list/pull/2898"

Registration (≥ 2 years remaining):

$ whois canva-code.cn | grep -i expir
Expiration Time: 2031-05-21

@richard-canva richard-canva marked this pull request as ready for review June 26, 2026 04:14
@richard-canva

Copy link
Copy Markdown
Author

cc @lextoumbourou

@pencilnav

Copy link
Copy Markdown
Contributor

@richard-canva Please discuss internally and build a domain structure that can be covered with a few lines of wildcard entry.

This was discussed before in #2898

@pencilnav

Copy link
Copy Markdown
Contributor

@richard-canva You are using an outdated version of the PR template. Please refill the PR message using our latest template, and without any AI assist.

https://github.com/publicsuffix/list/blob/main/.github/pull_request_template.md

@richard-canva

Copy link
Copy Markdown
Author

Hi @pencilnav, Sorry for the late reply here, and apologies for the outdated template earlier — I've refilled the PR description using the current template.

On the wildcard suggestion: this PR adds a single registrable domain, canva-code.cn, so it's already one line. A PRIVATE-section entry like this already behaves as a wildcard over its subdomains — listing canva-code.cn makes every <id>.canva-code.cn a registrable domain in one line, which is the compact form you're after, and there are no sibling entries here to collapse. A literal *.canva-code.cn rule would actually break the isolation we're asking for: Canva Code artefacts are served directly at <id>.canva-code.cn (no intermediate label), so a wildcard would treat each artefact subdomain as a public suffix and push the registrable boundary one level deeper than intended. This is the same point raised for canva.link / khsj.cn in #2898. canva-code.cn is the China counterpart of our already-listed production entries canvacode.com / canva-hosted-embed.com (#2617), and can't be folded under them since serving user-generated content in China requires a separate China-registered domain with its own ICP filing.

On usage / working example: to be upfront, Canva Code in China hasn't rolled out yet, so I don't currently have active-subdomain usage figures or a verifiable working example to share — and I know from #2898 that both are expected. We're requesting inclusion ahead of rollout because the content is user-generated and we want the per-artefact isolation in place before we scale, so that a single bad-actor artefact can't affect the parent domain's reputation (recovery from such incidents has taken weeks on other Canva products).

Given that, I'll move this back to draft for now. Once canva-code.cn is serving, I'll come back with a working example and the active-subdomain usage as it stands at that point, then flip it back to ready. Thanks for your patience!

@richard-canva richard-canva marked this pull request as draft July 1, 2026 09:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants