
Hi,


I’m new to Figma plugins. From reading the Figma API documentation, I understand that during development my plugin runs in the sandbox provided by Figma (it’s compiled to Wasm at runtime).


But my concern is: if my plugin is not public, is it automatically uploaded to the Figma cloud or not? (In fact, I don’t want that to happen.) Currently, I assume that the sandbox is located in the local browser; is that correct?


Thank you so much!


Hi Mr. Tank,


Thank you so much for spending your time on this matter.


I think the same as you, and I have already carefully read the two links above today. But I can’t find a detailed description of whether figma.com is in the accepted domain list by default or not. That’s why I have this concern.


As for the sandbox, using the console window, I see Figma load the compiler from the static resources shimxxx-cpp.js.br and shimxxx.js.asm (I’m on mobile, so I cannot see the exact file names) when it launches. My assumption is that when running a plugin in development, the compilation is performed by the local browser. But I’m not confident about this. What is your opinion?


Thank you again for your support!


Regards,



It’s not entirely clear which list you’re talking about.



Could you clarify what you mean by “compile” here?


Hi Tank,



It’s not entirely clear which list you’re talking about.



I mean networkAccess/allowedDomains in manifest.json, because Figma describes: If your plugin renders a website in an iframe, network access limits only apply directly to the website's domain on

https://www.figma.com/plugin-docs/how-plugins-run/

Now I have an idea: I will try connecting to figma.com from my plugin, and that will clear up my concern. I’ll share my result later.



Could you clarify what you mean by “compile” here



As I understand it, in the first version (since 2019) Figma used Realms to create a sandbox with restricted rights for plugin source code (according to the link: https://www.figma.com/blog/how-we-built-the-figma-plugin-system/). But later, when the Realms shim had a security issue (Oct 2, 2019), they changed to QuickJS (An update on plugin security | Figma Blog). It will compile the plugin source to WebAssembly (that’s the “compile” I mention here).



Thank you so much for your help.



network requests to any domains (equivalent to "allowedDomains": ["*"] )



Just sharing: I tried it, but when this block is not defined, all requests are blocked by default.




But this, I think, has nothing to do with uploading to the Figma server.



I also think so. I am just curious because I don’t have any documentation from Figma for that.



But Realm seems to still be used for the developer’s VM



It uses the developer VM when we have the “Use developer VM” option enabled.



And here you can see which open source libraries Figma uses:



Thank you for your information.



Please note the error: blocked by CORS policy.



Try for this resource:


https://static.figma.com/api/figma-extension-api-0.0.1.css

When:

  1. The manifest is missing the networkAccess property;

  2. "networkAccess": {
       "allowedDomains": ["*"],
       "reasoning": "Test"
     }

  3. "networkAccess": {
       "allowedDomains": ["https://*.figma.com"]
     }

  4. "networkAccess": {
       "allowedDomains": ["none"]
     }

And this manifest property will not affect the upload to the server during publishing, because it only affects the plugin itself.


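As an added example (not code from this thread or from Figma), the sketch below classifies the networkAccess block of a manifest for the four variants tested above, so that an over-broad allow-list is noticed before publishing. The function name, the scope labels and the check for a reasoning string next to "*" are assumptions of this example; the sample manifests are constructed.

```javascript
// Added example: classify the networkAccess block of a Figma plugin manifest.
// The scope names and findings are this sketch's own labels, not Figma's.
function auditNetworkAccess(manifest) {
  const na = manifest.networkAccess;
  if (na === undefined) {
    return { scope: "unspecified", findings: ["networkAccess block is missing"] };
  }
  const domains = na.allowedDomains;
  if (!Array.isArray(domains) || domains.length === 0) {
    return { scope: "invalid", findings: ["allowedDomains must be a non-empty array"] };
  }
  const findings = [];
  const hasNone = domains.includes("none");
  const hasAny = domains.includes("*");
  if (hasNone && domains.length > 1) {
    findings.push('"none" is combined with other entries');
  }
  const hasReason = typeof na.reasoning === "string" && na.reasoning.trim() !== "";
  if (hasAny && !hasReason) {
    findings.push('"*" is listed without a reasoning string');
  }
  // Entries such as https://*.figma.com cover every subdomain of a host.
  const broad = domains.filter((d) => d !== "*" && d.includes("*"));
  for (const d of broad) findings.push(`wildcard subdomain pattern: ${d}`);

  let scope = "listed";
  if (hasAny) scope = "any";
  else if (hasNone && domains.length === 1) scope = "none";
  else if (broad.length > 0) scope = "wildcard-subdomain";
  return { scope, findings };
}

// Constructed manifests mirroring the four cases tested in the thread.
const cases = {
  missing: { name: "demo" },
  any: { networkAccess: { allowedDomains: ["*"], reasoning: "Test" } },
  figma: { networkAccess: { allowedDomains: ["https://*.figma.com"] } },
  none: { networkAccess: { allowedDomains: ["none"] } },
};
for (const [label, m] of Object.entries(cases)) {
  console.log(label, JSON.stringify(auditNetworkAccess(m)));
}
```

The audit only inspects the manifest; whether a given request then succeeds also depends on the target server's CORS headers, which is the error reported above.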