This update introduces the optional networkAccess
key to the widget manifest.
Add the networkAccess
to your widget's manifest.json
file to limit the domains that your widget is permitted to access. When networkAccess
is applied, if your widget makes a network request to a domain that is not specified in the list of permitted domains, that request is blocked.
For example:
{
"name": "MyWidget",
"id": "737805260747778093",
"api": "1.0.0",
"widgetApi": "1.0.0",
"editorType": ["figma", "figjam"],
"containsWidget": true,
"main": "code.js",
"ui": "ui.html",
"networkAccess": {
"allowedDomains": ["https://my-app.cdn.com", "wss://socket.io", "*.example.com", "example.com/api/", "exact-path.com/content"]
}
}
When you publish your widget, the list of domains that you specify for networkAccess
is displayed on your widget's Community page. This information is also visible for org admins when widgets are reviewed for approval.
To try this out:
- In the
manifest.json
file for your widget, add the following:"networkAccess": {
"allowedDomains": ["none"]
}none
is a special keyword forallowedDomains
that prevents any network access from your widget. - In Figma, create a new Figma or FigJam file and add your widget. Try to use the widget as normal.
- Check the developer console. If your widget makes network requests, such as calls to an API or fetching images, Figma blocks the requests and throws content-security policy (CSP) errors.
- To fix the CSP errors, in your widget manifest, replace
["none"]
with the domains that your widget needs to access.
For more information about network access, see: