Hi,
I’m new to the Figma plugin. When reading the Figma API document, I understand that my plugin during development ran on the sandbox provided by Figma (It’s compiled to Wasm at runtime).
But, my concern is: If my plugin is not public, is this automatically uploaded to Figma cloud or not? (In fact, I don’t want it to happen). Currently, I assume that the sandbox locates on a local Browser, is that correct?
Thank you so much!
The code for your plugin in development is not uploaded to the Figma server until you publish it.
Regarding the sandbox, you can find out more here:
Hi Mr.Tank,
Thank you so much for spend your time for this matter.
I also think as you and already carefully read two link above in today. But, I can’t find details description that figma.com is in accepted domain list by default or not. That why I have this concern.
For sandbox, by using console windows, I see Figma load compiler from static resource shimxxx-cpp.js.br and shimxxx.js.asm (I’m on mobile, so I cannot see details file name) when it launch. I have assumption that when run plugin in development, the compile is perform by local browser. But I not confidence for this. How about your opinions?
Thank you again for your support!
Regard,
It’s not entirely clear which list you’re talking about.
Could you clarify what you mean by “compile” here?
Hi Tank,
It’s not entirely clear which list you’re talking about.
I mean networkAccess/allowedDomains on manifest.json. Because I Figma describe: . If your plugin renders a website in an iframe, network access limits only apply directly to the website's domain on
https://www.figma.com/plugin-docs/how-plugins-run/ Now, I have ideas that, I will try connecting to figma.com on my Plugin, it’ll clear my concern. I’ll share my result later.
Could you clarify what you mean by “compile” here
As my understanding, in the first version (since 2019) Figma use Realms to create sandbox with restricted rights for Plugin source code (according to the link:https://www.figma.com/blog/how-we-built-the-figma-plugin-system/) . But, later in when Realms Shim had a security issue (Oct 2, 2019), they change to use QuickJS (An update on plugin security | Figma Blog) It’s will compiled the plugin source to WebAssembly (That’s compile I mention here).
You control this list of allowed domains yourself. In addition, this property is optional. If you do not add this property to your manifest, then by default you will be able to make network requests to any domains (equivalent to "allowedDomains": ["*"]). If your plugin does not make any network requests, then you can specify ["none"]. But this, I think, has nothing to do with uploading to the Figma server.
Yes, compilation is performed by the JavaScript engine on the client side. But Realm seems to still be used for the developer’s VM. Here’s a recent thread on the forum: "Failed to load realm" error when reopened Figma Widget.
And here you can see which open source libraries Figma uses:
Thank you so much for your help.
network requests to any domains (equivalent to
"allowedDomains": ["*"])
Just for sharing: I was trying, but when not defining this block all requests are blocked by default.
But this, I think, has nothing to do with uploading to the Figma server.
I also think so. I am just curious because don’t have any documentation from Figma for that.
But Realm seems to still be used for the developer’s VM
It uses developer VM, in case we had the “Use developer VM” option enabled.
And here you can see which open source libraries Figma uses:
Thank you for your information.
Please note the error: blocked by CORS policy.
Try for this resource:
https://static.figma.com/api/figma-extension-api-0.0.1.css
When:
networkAccess property;"networkAccess": {
"allowedDomains": ["*"],
"reasoning": "Test"
}
"networkAccess": {
"allowedDomains": ["https://*.figma.com"]
}
"networkAccess": {
"allowedDomains": ["none"]
}
And this manifest property will not affect the upload to the server during publishing, because it only affects the plugin itself.