Sandbox security

This page is for platform developers who want to understand the security model of the YAP widget before embedding it.


Isolation model

The YAP widget runs inside an <iframe> from a separate origin (widget.yaphub.xyz). This means:

  • The widget cannot access your DOM

  • The widget cannot read your cookies or localStorage

  • The widget cannot call your APIs

  • The widget cannot read user input outside the iframe

  • The widget cannot navigate your top-level page

This isolation is enforced by the browser, not by policy: no code running in the widget can perform these actions, even if it tried.


sandbox="allow-scripts allow-same-origin allow-popups"
| Permission | Included | Reason |
| --- | --- | --- |
| allow-scripts | Yes | Required: widget is JavaScript |
| allow-same-origin | Yes | Required: widget uses localStorage for anonymous identity |
| allow-popups | Yes | Required: external links (payment, Axiom) open in new tab |
| allow-top-navigation | No | Not needed: widget cannot redirect your page |
| allow-forms | No | Not needed: all submissions go via fetch, not form POST |
| allow-same-origin alone | No | Pointless without scripts |


What data does the widget send to YAP?

When a user sends a message, the following is transmitted to yaphub.xyz:

Nothing about your platform is included. The widget does not transmit:

  • The URL of the page it is embedded on

  • Any user data from your platform

  • Any cookies from your domain

  • The identity of the parent window


Network requests made by the widget

The widget only communicates with:

| Destination | Purpose |
| --- | --- |
| https://yaphub.xyz | REST API (messages, token data, leaderboard) |
| wss://yaphub.xyz | WebSocket (real-time messages) |
| https://cdnjs.cloudflare.com | Font Awesome icons |
| https://fonts.googleapis.com | Google Fonts |
| https://fonts.gstatic.com | Font files |
| https://app.hel.io | Token upgrade payment (only when user initiates) |

No other external connections are made.


CSP frame-ancestors

YAP uses Content-Security-Policy: frame-ancestors to restrict which domains can embed the widget. Only whitelisted domains can load it — if your domain is not on the list, the browser will refuse to display the iframe.

This means a rogue copy of your platform on a different domain cannot load the widget.


referrerpolicy

We recommend adding referrerpolicy="no-referrer" to the iframe element:

This prevents your platform's URL from being sent in the Referer header to YAP's server when the iframe loads.
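To check an embed against the sandbox tokens and referrerpolicy value described on this page, a host platform can audit its iframe attributes. This is an added example, not YAP's own code; the `auditEmbed` helper, the `/embed` path and the `platform.example` host are assumptions made for illustration.

```javascript
// Added example: audit an embed's attributes against the values this page documents.
const WIDGET_ORIGIN = "https://widget.yaphub.xyz"; // widget origin named on this page
const EXPECTED_TOKENS = ["allow-scripts", "allow-same-origin", "allow-popups"];

// embed: { src, sandbox, referrerpolicy }; sandbox is null when the attribute is absent.
// hostOrigin: origin of the embedding page (location.origin in a browser).
function auditEmbed(embed, hostOrigin) {
  const findings = [];
  let srcOrigin = null;
  try {
    srcOrigin = new URL(embed.src).origin;
  } catch {
    findings.push("src is not an absolute URL");
  }
  if (srcOrigin && srcOrigin !== WIDGET_ORIGIN) {
    findings.push(`unexpected src origin ${srcOrigin}`);
  }
  if (embed.sandbox == null) {
    findings.push("sandbox attribute missing: iframe is not sandboxed");
  } else {
    // Sandbox tokens are whitespace-separated and ASCII case-insensitive.
    const tokens = new Set(embed.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    for (const t of tokens) {
      if (!EXPECTED_TOKENS.includes(t)) findings.push(`extra sandbox token ${t}`);
    }
    for (const t of EXPECTED_TOKENS) {
      if (!tokens.has(t)) findings.push(`missing sandbox token ${t}`);
    }
    // allow-scripts + allow-same-origin is only safe for a cross-origin frame:
    // a same-origin framed document could reach the parent and remove its own sandbox.
    if (tokens.has("allow-scripts") && tokens.has("allow-same-origin") &&
        srcOrigin === hostOrigin) {
      findings.push("allow-scripts with allow-same-origin on a same-origin frame");
    }
  }
  if ((embed.referrerpolicy || "").toLowerCase() !== "no-referrer") {
    findings.push("referrerpolicy is not no-referrer");
  }
  return findings;
}

// Constructed sample embeds (path and host origin are placeholders).
const good = { src: "https://widget.yaphub.xyz/embed",
  sandbox: "allow-scripts allow-same-origin allow-popups", referrerpolicy: "no-referrer" };
const bad = { src: "https://widget.yaphub.xyz/embed",
  sandbox: "allow-scripts allow-same-origin allow-popups allow-top-navigation", referrerpolicy: null };

console.log(auditEmbed(good, "https://platform.example"));
console.log(auditEmbed(bad, "https://platform.example"));
```

In a browser, build the `embed` argument from the iframe element's `src`, `getAttribute("sandbox")` and `getAttribute("referrerpolicy")`, and pass `location.origin` as `hostOrigin`.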
