Version 1, Update 66

This update introduces the optional networkAccess key to the plugin manifest.

Add the networkAccess to your plugin's manifest.json file to specify the domains that your plugin is permitted to access. When networkAccess is applied, if your plugin makes a network request to a domain that is not specified in the list of permitted domains, that request is blocked.

For example:

{
  "name": "MyPlugin",
  "id": "737805260747778092",
  "api": "1.0.0",
  "main": "code.js",
  "ui": "ui.html",
  "networkAccess": {
    "allowedDomains": ["https://my-app.cdn.com", "wss://socket.io", "*.example.com", "example.com/api/",  "exact-path.com/content"]
  }
}

When you publish your plugin, the list of domains that you specify for networkAccess is displayed on your plugin's Community page. This information is also visible for org admins when plugins are reviewed for approval.

To try this out:

1. In the manifest.json file for your plugin, add the following:

   "networkAccess": {
     "allowedDomains": ["none"]
   }

none is a special keyword for allowedDomains that prevents any network access from your plugin. 2. In Figma, create a new Figma or FigJam file and add your plugin. Try to use the plugin as normal. 3. Check the developer console. If your plugin makes network requests, such as calls to an API or fetching images, Figma blocks the requests and throws content-security policy (CSP) errors. 4. To fix the CSP errors, in your plugin manifest, replace ["none"] with the domains that your plugin needs to access.

For more information about network access, see:

• How Plugins Run
• Making Network Requests
• Plugin Manifest