Add canva-code.cn to the Public Suffix List#2980
Conversation
dd90211 to
ca1c413
Compare
|
@richard-canva Please discuss internally and build a domain structure that can be covered with a few lines of wildcard entry. This was discussed before in #2898 |
|
@richard-canva You are using an outdated version of the PR template. Please refill the PR message using our latest template, and without any AI assist. https://github.com/publicsuffix/list/blob/main/.github/pull_request_template.md |
|
Hi @pencilnav, Sorry for the late reply here, and apologies for the outdated template earlier — I've refilled the PR description using the current template. On the wildcard suggestion: this PR adds a single registrable domain, On usage / working example: to be upfront, Canva Code in China hasn't rolled out yet, so I don't currently have active-subdomain usage figures or a verifiable working example to share — and I know from #2898 that both are expected. We're requesting inclusion ahead of rollout because the content is user-generated and we want the per-artefact isolation in place before we scale, so that a single bad-actor artefact can't affect the parent domain's reputation (recovery from such incidents has taken weeks on other Canva products). Given that, I'll move this back to draft for now. Once |
Public Suffix List (PSL) Submission
Checklist of required steps
ation, and we shall keep the
_pslTXT record in place in the respective zone(s).Submitter affirms the following:
g around any third-party limits — see rationale.)
Abuse Contact:
Abuse contact information (email or web form) is available and easily accessible.
URL where abuse contact or abuse reporting form can be found: https://www.canva.com/en_au/help/report-content/
Email: abuse@canva.com (monitored)
Abuse reporting is reachable directly from the subdomains in question, not only from the Canva homepage:
*.canva-code.cncarries a footer (injected by our hosting platform) linking to the report form above.canva-code.cnserves a/.well-known/security.txtpointing to our abuse/security contact.Role email: publicsuffixlist@canva.com
Description of Organization
Canva is an online graphic design platform supporting presentations, graphics, videos and similar features, used by ~260 million monthly active people.
Canva Code is a production platform-as-a-service offering within Canva that hosts LLM-generated and user-created Canva Code (HTML/JS/CSS bundled into a single file, embeddable via iframe in Canva designs and websites). It is already live globally on
canvacode.comandcanva-hosted-embed.com, which were added to the PSL in #2617. This PR extends that same production product to Canva's users in China, where it is served fromcanva-code.cn.I am a backend engineer at Canva working on the Canva Code China launch, and I am submitting this on behalf of Canva.
Organization Website:
Previous Addition PRs: #2617, #2898, #2605, #1739, #1627
Reason for PSL Inclusion
Canva Code provisions each user-created application on its own subdomain so that artefacts are isolated from one another and cookies cannot be set on the parent registrable domain. Each published artefact is served from its own subdomain, for example
artefact-a.canva-code.cn. Addingcanva-code.cnto the PRIVATE section makes each<id>.canva-code.cna registrable domain, which keeps one artefact from reading or setting cookies for another and prevents a single bad-actor artefact from affecting the reputation of the parent domain.This is the same isolation model already accepted for our global Canva Code domains
canvacode.comandcanva-hosted-embed.com(#2617).canva-code.cnis the China counterpart of that production offering. It is a separate registrable domain (rather than a subdomain of an existing Canva zone) for two reasons: serving user-generated content to users in China requires a China-registered domain with its own ICP filing, so it cannot be served from the global.comdomains; and we deliberately keep user-generated Canva Code off Canva's primarycanva.cndomain to isolate its reputation from the apex brand.We are not using the PSL to work around any third-party limits.
The domain in this section holds well over two years of registration and we will keep the
_pslTXT record in place for as long as the entry remains listed.Number of THOUSANDS of distinct users this request is being made to serve:
DNS Verification
Registration (≥ 2 years remaining):