Figma removed `window.figma` on view-only pages today

Let’s start with some background.

Our team of designers began using Figma for design and delivery last year, for which we have purchased over 200 enterprise seats. Initially, the delivery process was quite pleasant, up until Figma started charging for Dev Mode. Before the existence of Dev Mode, engineers’ use of the Inspect Panel’s viewing functionality was sufficient for us. We did not anticipate Figma making “minor adjustments” to the Inspect Panel for view-only users to make Dev Mode more appealing. Engineers have been complaining that they can no longer efficiently view design drafts or copy CSS code as before (not referring to Dev Mode beta, but the original Inspect Panel before Dev Mode). Some engineering teams have even asked if the designers could switch back to Sketch, as the delivery efficiency in view-only mode has severely deteriorated. However, with many designers in our team and significant effort invested in building component libraries on Figma, and all business design drafts being produced with it, as written in this article, our design assets have now become hostages forcing users to purchase Dev Mode seats.

I’ve always believed that selling Dev Mode in this manner would not work well with teams like ours: engineers are spread across various teams, making it hard to convince all engineering teams why switching to a better design tool means they have to pay extra to maintain their efficiency (previously, tools like Sketch + Sketch Measure were sufficient).

It’s not that Dev Mode is useless; it offers many useful features. However, compared to the original Inspect panel, it doesn’t offer significant advantages for our scenario. Instead, functionalities like viewing/copying CSS are critical for delivery, which were available when we first tried Figma. And some features we really wanted, like running our own Figma plugins. Figma only provides a runtime environment for our extensively developed plugins, which are used 95%+ of the time in design mode (for which we paid quite a lot), yet requires all engineers to pay, which is absurd.

Of course, Figma “kindly” recorded tutorial videos guiding users on how to use functionalities like copying CSS in read-only mode, knowing well that what users need is to have this functionality back in the Inspect Panel, not hidden behind several layers of context menus. These barriers are deliberately designed, and the Figma team knows better than anyone which features are essential and which are just nice-to-haves.

Switching to Figma has been a great improvement for designers, which we all acknowledge. However, crippling free users (engineers) to semi-forcefully sell Dev Mode has already harmed your paying users.

Back to the post title.

After encountering the issues mentioned above, and having experience developing Figma plugins, we knew from Figma’s documentation that every page has a global window.figma object, and the community had made some attempts to optimize engineers’ experience in view-only mode based on this loophole. So, we developed a browser extension that makes the hidden copy CSS functionality directly accessible through the browser extension panel, and made outputs from our own Figma plugins more user-friendly. After providing the plugin to engineers, they found these functionalities very useful (actually just shortening the operation path of functionalities that should have been readily available but were hidden), and were able to coexist peacefully with Figma again. Of course, we considered that if Figma one day removes this global object, the plugin would become unusable. However, we thought Figma wouldn’t be so petty. If they were confident in the value provided by Dev Mode, why would they block a browser extension that was developed in just a few days? Is merely providing output/copy CSS functionalities, which were free for every user before Dev Mode, enough to make Dev Mode unsellable? If so, the Figma team should reflect on the actual value of Dev Mode.

But it turns out we were too optimistic. Whether Figma noticed this or other similar plugins, starting today, Figma has removed window.figma from all pages in view-only mode, making it impossible for us to use this API to obtain current selected node information, rendering a browser extension that was only born a few days ago practically unusable. I can’t help but ask the Figma team: we can currently use “Duplicate to your drafts” in our own editing mode to use the browser plugin to get CSS codes, are you planning to block this as well?

18 Likes

I am deeply disappointed and dissatisfied with Figma’s recent decision to remove window.figma. This change has disrupted our workflows and reduced the flexibility and autonomy of users on the platform. As a long-time user, I hope Figma will take our feedback into consideration and find a way to balance user needs with software development. :confused:

1 Like

Figma has changed so much, and not always for the better.
I know designers might take some time to adapt, but I have moved my own design prototypes to https://penpot.app/.

3 Likes

Hi everyone,
Thanks for sharing your feedback and reporting this!

We made this change to address an issue in our permission system, but the change had a broader impact than we intended. In the coming weeks, we’ll re-introduce access to the Plugin API (the window.Figma object) for users who are viewing a file in design mode.
We will keep you posted, thanks for your patience in the meantime!

5 Likes

I’m glad Figma has solved this previous “dangerous vulnerability”.

Because “view-only pages” means that for general designer users, Plugins cannot be used.

The “dangerous vulnerability” of “window.Figma” allows a small number of users to bypass this restriction and use the Plugins function. This is definitely a security issue.

Designers who share view-only pages do not consider that their pages can be used to extract arbitrary information using plug-ins, which can cause deception.

Please do not revert this vulnerability, as it will invalidate Figma’s permission mechanism and expose general users to “dangerous vulnerabilities.” Unless Figma opens the “view-only pages” Plugins entrance to everyone.

:warning:
Forgive my frankness,
this is a permission vulnerability, as for most users View-only pages mean no access to Plugins.

However, a minority of hackers can gain this access, leading to deception and data leakage.

Your work team is in the same company and trust each other, so permissions are not important to you.

But many designers will face their clients, and the “View-page” page will be shared with people who do not have an absolute trust relationship.

For designers who face customers directly, they don’t expect that “View-page” pages will be used by tools like fubukicss, because they see that their own “View-page” pages have no plugins entry, and they think that others can’t either.

Please note that I’m not complaining about tools like “fubukicss”, they are great.

What I mean is that if “View-only” pages do not have a plugins entry, window.Figma will be a vulnerability. If you want to open window.Figma, please open the plugins entry to everyone.

I have asked multiple times on Twitter, but you have avoided the same question at least 3 times. I’m gonna ask you here again: what kind of data was unexpectedly leaked? Can you give an example?

I’ve already given an example:

For designers who face customers directly, they don’t expect that “View-page” pages will be used by tools like fubukicss, because they see that their own “View-page” pages have no plugins entry, and they think that others can’t either.

Tell me why there is no Plugins entry for view-only pages?

If you are dissatisfied with Figma’s permission design, please call on Figma to officially open the plugins entry for view-only pages to everyone.

Rather than opening up a security hole that only a few people know and exploit.

This is not an example. You are claiming the API exposes things that shouldn’t be exposed. I’m asking for an example. The extension you mentioned merely put things view-only users already have access to from Figma’s own UI inside a panel. What is the real part that causes damage to your expectation?

Figma claims that there is a window.figma in every Figma window. “only a few people know” is maybe because many people like you didn’t read the docs.

1 Like

This is Figma’s product design. Of course I also want plugins to be loaded in view-only pages, which I already suggested to the Figma team a few times. And again, Chrome extensions are not Figma plugins.

And I’m done here until you provide a substantively valid example.

With all due respect, you are only thinking about yourself.

Ordinary users don’t know technical terms like “window.Figma” at all. They only know that plugins cannot be used on “only-view” pages.

Development documentation should be no more descriptive than what is promised to the average user. This is why this is a security vulnerability.

I don’t know why you ignored the example I gave. I just want to say, please consider most users, not just yourself.

Is the Figma Team aware that re-introducing access to the Plugin API is a controversial decision?

Hi, what is the update on this? When is it gonna be available?

Hi, do you have any plans for this product? Everyone hopes for a result.

@Celine_Figma Any updates?

Hi everyone! Thank you for all your feedback.
Here is an update from the product team:

We’re working to create a more nuanced fix that will bring back access to the Plugin API for users viewing files. We expect this fix to land sometime in the next few months.

We’ll update this thread when it’s available. Thanks for your patience in the meantime!