Version 1, Update 7

This update introduces the optional networkAccess key to the widget manifest.

Add the networkAccess to your widget's manifest.json file to limit the domains that your widget is permitted to access. When networkAccess is applied, if your widget makes a network request to a domain that is not specified in the list of permitted domains, that request is blocked.

For example:

{
  "name": "MyWidget",
  "id": "737805260747778093",
  "api": "1.0.0",
  "widgetApi": "1.0.0",
  "editorType": ["figma", "figjam"],
  "containsWidget": true,
  "main": "code.js",
  "ui": "ui.html",
  "networkAccess": {
    "allowedDomains": ["https://my-app.cdn.com", "wss://socket.io", "*.example.com", "example.com/api/",  "exact-path.com/content"]
  }
}

When you publish your widget, the list of domains that you specify for networkAccess is displayed on your widget's Community page. This information is also visible for org admins when widgets are reviewed for approval.

To try this out:

1. In the manifest.json file for your widget, add the following:

   "networkAccess": {
     "allowedDomains": ["none"]
   }

none is a special keyword for allowedDomains that prevents any network access from your widget. 2. In Figma, create a new Figma or FigJam file and add your widget. Try to use the widget as normal. 3. Check the developer console. If your widget makes network requests, such as calls to an API or fetching images, Figma blocks the requests and throws content-security policy (CSP) errors. 4. To fix the CSP errors, in your widget manifest, replace ["none"] with the domains that your widget needs to access.

For more information about network access, see:

• How Widgets Run
• Making Network Requests
• Widget Manifest