About Frontend Security

Wix enforces security restrictions in the frontend rendering environment to protect site visitors and ensure that apps and custom code operate in their granted permissions. These restrictions prevent unauthorized access to sensitive data such as access tokens and cookies, and block code from manipulating the browser environment in ways that could compromise site security.

These measures apply to all code running on the frontend of a Wix site, including custom code, site code written with the Wix JavaScript SDK, and code from installed apps.

How it works

Wix's frontend security model builds on 2 core principles: isolation and immutability.

  • Isolation: Each app installed on a site receives its own scoped access token. This ensures that an app can only access the resources and permissions it was granted during installation. Apps can't access each other's tokens or escalate their own permissions.
  • Immutability: Critical browser APIs and global objects are protected from being overwritten or manipulated. This prevents code from intercepting authentication flows, stealing sensitive data, or altering core JavaScript behavior.

When these protections detect an unauthorized operation, they either silently block it or throw an error with a specific error code.

Restricted browser APIs

Wix restricts or modifies the following browser APIs in the frontend rendering environment.

Network requests

Wix actively prevents code from accessing or interfering with sensitive operations like authentication tokens and internal network requests. To do this, Wix replaces the built-in browser fetch and XMLHttpRequest implementations with secured versions. These secured versions:

  • Can't be replaced or reassigned. If your code attempts to redefine window.fetch or XMLHttpRequest with a custom implementation, the reassignment has no effect.
  • Block requests to internal access token URLs. Direct calls to Wix's internal authentication services fail.

This means techniques that involve replacing or wrapping built-in browser methods to intercept network traffic don't work on Wix sites.

Cookie access

Wix restricts the document.cookie API. Code that attempts to read or write Wix internal cookies or security cookies fails silently. The operation has no effect, and no error is thrown.

Window and document operations

When code calls window.open or document.open to open a new window on the same domain as the site, the returned object is empty instead of a reference to the new window. This prevents code from using the opened window to rewrite global objects or access cookies.

iframe restrictions

Wix applies the following restrictions to iframes created by frontend code:

  • iframes opened on the same domain as the site, or without a specified domain, are automatically sandboxed. This prevents them from accessing parent window globals or making same-origin API calls.
  • The srcdoc attribute is blocked. Attempts to set srcdoc on an iframe result in an error.

Locked global objects

Wix locks the following objects and their prototypes to prevent overwriting, extending, or manipulating their methods:

  • URL, JSON
  • String, Number, Object, Reflect
  • TextEncoder, TextDecoder
  • encodeURIComponent, decodeURIComponent
  • addEventListener, removeEventListener
  • XMLHttpRequestEventTarget, EventTarget
  • Service Worker APIs

Code that attempts to modify these objects, or override their methods or prototypes will generally fail and throw errors.

Timer restrictions

setTimeout and setInterval don't accept a string as their first argument. This prevents dynamic code evaluation through timers.

Pass a callback instead of a string:

Copy

Troubleshooting

If your code isn't working as expected, it may be affected by frontend security restrictions. Check the browser console for errors and review the following common symptoms:

  • Network requests fail or behave unexpectedly: Your code may be attempting to replace or wrap the built-in fetch or XMLHttpRequest implementations, or trying to call restricted internal URLs. Use the standard browser APIs as-is without replacing them.
  • Cookie operations have no effect: Reading or writing Wix internal cookies fails silently. Use the Wix JavaScript SDK for data storage instead.
  • window.open returns an empty object: This happens when opening a window on the same domain as the site. Cross-domain windows aren't affected.
  • iframe is sandboxed unexpectedly: Same-domain iframes are automatically sandboxed. Use a cross-origin iframe with postMessage for parent-child communication.
  • Global object modifications don't take effect: Locked objects like URL, JSON, String, and Object can't be extended or modified.
  • setTimeout/setInterval fails: Pass a callback instead of a string as the first argument.

See also

Did this help?