Networking
Board web apps are first-class network clients. Server-backed, multiplayer, and realtime use cases are all supported. The packaged browser that runs your app allows outbound HTTPS and WebSocket connections, with no domain allowlist and no connect-src content-security policy, so you can reach your own API, a realtime provider, an analytics endpoint, a CDN, or anything else your app needs.
Restrictions
- TLS is required. Use
https://andwss://. Plainhttp://andws://are blocked as mixed content. - Top-level navigation is pinned to your bundle. Your app cannot navigate the top frame to another site.
- Cross-origin iframes are blocked.
Declaring origins (after beta)
There is nothing to configure today. After beta, we plan to add a per-app capability declaration in your bundle’s harness config, where you list the external origins your app talks to (your API, your realtime provider, analytics, any CDNs) so publishing channels can audit what an app reaches. It will be additive and announced ahead of time, so nothing you ship today breaks.
What is worth doing now: keep a running list of the external origins your app depends on, so filling in that declaration later is quick.