> Portal Navigation:
>
> - Append `.md` to any URL under `https://dev.wix.com/docs/` to get its markdown version.
> - Pages are either content pages (article or reference text) or menu pages (a list of links to child pages).
> - To get a menu page, truncate any URL to a parent path and append `.md` (e.g. `https://dev.wix.com/docs/sdk.md`, `https://dev.wix.com/docs/sdk/core-modules.md`).
> - Top-level index of all portals: https://dev.wix.com/docs/llms.txt
> - Full concatenated docs: https://dev.wix.com/docs/llms-full.txt

## Resource: About Frontend Security

## Article: About Frontend Security

## Article Link: https://dev.wix.com/docs/develop-websites-sdk/code-your-site/best-practices/about-frontend-security.md

## Article Content:

# About Frontend Security

Wix enforces security restrictions in the frontend rendering environment to protect site visitors and to ensure that apps and custom code operate within the permissions they were granted. These restrictions prevent unauthorized access to sensitive data such as access tokens and cookies, and block code from manipulating the browser environment in ways that could compromise site security.

These measures apply to all code running on the frontend of a Wix site, including [custom code](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/build-a-custom-frontend/custom-code/about-custom-code.md), site code written with the Wix JavaScript SDK, and code from installed apps.

## How it works

Wix's frontend security model builds on two core principles: isolation and immutability.

- **Isolation**: Each app installed on a site receives its own scoped access token. This ensures that an app can only access the resources and permissions it was granted during installation. Apps can't access each other's tokens or escalate their own permissions.
- **Immutability**: Critical browser APIs and global objects are protected from being overwritten or manipulated.
This prevents code from intercepting authentication flows, stealing sensitive data, or altering core JavaScript behavior.

When these protections detect an unauthorized operation, they either silently block it or throw an error with a specific [error code](#error-codes).

## Restricted browser APIs

Wix restricts or modifies the following browser APIs in the frontend rendering environment.

### Network requests

Wix actively prevents code from accessing or interfering with sensitive assets and operations such as access tokens and internal network requests. To do this, Wix replaces the built-in browser `fetch` and `XMLHttpRequest` implementations with secured versions. These secured versions:

- Can't be replaced or reassigned. If your code attempts to redefine `window.fetch` or `XMLHttpRequest` with a custom implementation, the reassignment has no effect.
- Block requests to internal access token URLs. Direct calls to Wix's internal authentication services fail.

This means that techniques that replace or wrap built-in browser methods to intercept network traffic don't work on Wix sites.

### Cookie access

Wix restricts the `document.cookie` API. Code that attempts to read or write Wix internal cookies or security cookies fails silently: the operation has no effect, and no error is thrown.

### Window and document operations

When code calls `window.open` or `document.open` to open a new window on the same domain as the site, the returned object is empty instead of a reference to the new window. This prevents code from using the opened window to rewrite global objects or access cookies.

### iframe restrictions

Wix applies the following restrictions to iframes created by frontend code:

- iframes opened on the same domain as the site, or without a specified domain, are automatically sandboxed. This prevents them from accessing parent window globals or making same-origin API calls.
- The `srcdoc` attribute is blocked. Attempts to set `srcdoc` on an iframe result in an error.
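To make the "Network requests" behavior above concrete, here is an added example (not Wix's own code) that models a secured `fetch`: it refuses requests to an internal token URL and is installed as a property that cannot be reassigned. The blocked path prefix, the site origin and the window-like object are constructed placeholders; the page does not document Wix's real token URLs.

```javascript
// Added example (not Wix's own code): a model of the secured fetch described
// above, installed on a constructed stand-in for `window`. The blocked path
// prefix is a placeholder; the page does not document Wix's real token URLs.
const BLOCKED_PATH_PREFIXES = ['/placeholder-internal/access-token'];
const SITE_ORIGIN = 'https://example-site.invalid'; // constructed site origin

// True when a request targets an internal access-token URL on the site's own
// origin; relative URLs are resolved against SITE_ORIGIN first.
function isBlockedUrl(input) {
  const url = new URL(String(input), SITE_ORIGIN);
  return url.origin === SITE_ORIGIN &&
    BLOCKED_PATH_PREFIXES.some((prefix) => url.pathname.startsWith(prefix));
}

// Wraps a base fetch: blocked requests reject like a failed network request
// and never reach the base implementation; everything else passes through.
function createSecuredFetch(baseFetch) {
  return function securedFetch(input, init) {
    if (isBlockedUrl(input)) {
      return Promise.reject(new TypeError('request to internal token URL blocked'));
    }
    return baseFetch(input, init);
  };
}

// Installs `value` as a non-writable, non-configurable property, so neither
// assignment nor a later defineProperty call can swap in a custom version.
function lockProperty(target, name, value) {
  Object.defineProperty(target, name, {
    value, writable: false, configurable: false, enumerable: true,
  });
  return target;
}

// Attempts an assignment without throwing (Reflect.set returns false instead
// of raising a TypeError in strict mode) and reports whether it took effect.
function tryReassign(target, name, value) {
  const before = target[name];
  Reflect.set(target, name, value);
  return target[name] !== before;
}

// Constructed browser stand-in: a base fetch that only records its calls,
// and a window-like object carrying the locked secured fetch.
const fetchCalls = [];
const baseFetch = (input) => { fetchCalls.push(String(input)); return Promise.resolve({ ok: true }); };
const win = lockProperty({}, 'fetch', createSecuredFetch(baseFetch));
```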
### Locked global objects

Wix locks the following objects and their prototypes to prevent overwriting, extending, or manipulating their methods:

- `URL`, `JSON`
- `String`, `Number`, `Object`, `Reflect`
- `TextEncoder`, `TextDecoder`
- `encodeURIComponent`, `decodeURIComponent`
- `addEventListener`, `removeEventListener`
- `XMLHttpRequestEventTarget`, `EventTarget`
- Service Worker APIs

Code that attempts to modify these objects, or to override their methods or prototypes, will generally fail and throw errors.

### Timer restrictions

`setTimeout` and `setInterval` don't accept a string as their first argument. This prevents dynamic code evaluation through timers. Pass a callback instead of a string:

```javascript
// This works
setTimeout(() => {
  console.log('Hello');
}, 1000);

// This doesn't work
setTimeout('console.log("Hello")', 1000);
```

## Troubleshooting

If your code isn't working as expected, it may be affected by frontend security restrictions. Check the browser console for errors and review the following common symptoms:

- **Network requests fail or behave unexpectedly**: Your code may be attempting to replace or wrap the built-in `fetch` or `XMLHttpRequest` implementations, or trying to call restricted internal URLs. Use the standard browser APIs as-is without replacing them.
- **Cookie operations have no effect**: Reading or writing Wix internal cookies fails silently. Use the Wix JavaScript SDK for data storage instead.
- **`window.open` returns an empty object**: This happens when opening a window on the same domain as the site. Cross-domain windows aren't affected.
- **iframe is sandboxed unexpectedly**: Same-domain iframes are automatically sandboxed. Use a cross-origin iframe with `postMessage` for parent-child communication.
- **Global object modifications don't take effect**: Locked objects like `URL`, `JSON`, `String`, and `Object` can't be extended or modified.
- **`setTimeout`/`setInterval` fails**: Pass a callback instead of a string as the first argument.

## See also

- [About Identities](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/authorization/about-identities.md)
- [About Elevation](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/authorization/about-elevation.md)
- [About Custom Code](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/build-a-custom-frontend/custom-code/about-custom-code.md)
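The "Locked global objects", "Timer restrictions" and "Troubleshooting" sections above describe protections you can model and probe yourself. The following is an added example (not Wix's own code): it freezes `JSON` and `TextEncoder` together with their prototypes, wraps a timer so that only function callbacks are accepted, and reports which protections an environment object (a constructed stand-in for `window`) actually enforces. `lockObject`, `createSecuredTimer`, `isLocked` and `probeRestrictions` are names chosen for this example; locking changes the real `JSON` and `TextEncoder` objects of the process it runs in.

```javascript
// Added example (not Wix's own code): a model of the locked global objects
// and function-only timers described above, plus a probe that reports which
// protections are active. Locking affects this process's real globals.

// Freezes a global and the prototype its instances inherit from, so methods
// can neither be added, removed nor overridden. Object.prototype is left
// alone because freezing it would break ordinary object code.
function lockObject(obj) {
  Object.freeze(obj);
  if (obj.prototype && obj.prototype !== Object.prototype) {
    Object.freeze(obj.prototype);
  }
  return obj;
}

// Timer that only accepts a function: a string first argument would be
// evaluated as code, which is the dynamic evaluation the restriction blocks.
function createSecuredTimer(baseTimer) {
  return function securedTimer(callback, delay, ...args) {
    if (typeof callback !== 'function') {
      throw new TypeError('timer callback must be a function, not a string');
    }
    return baseTimer(callback, delay, ...args);
  };
}

// Non-destructive check: re-assigning a property to its current value returns
// false only when the property is non-writable, and changes nothing either way.
function isLocked(obj, name) {
  return !Reflect.set(obj, name, obj[name]);
}

// Reports each protection's state for an object carrying JSON, TextEncoder
// and setTimeout (a constructed stand-in for `window`).
function probeRestrictions(env) {
  let stringTimersRejected = false;
  try { env.setTimeout('1 + 1', 0); } catch (e) { stringTimersRejected = e instanceof TypeError; }
  return {
    jsonLocked: isLocked(env.JSON, 'parse'),
    encoderPrototypeLocked: isLocked(env.TextEncoder.prototype, 'encode'),
    stringTimersRejected,
  };
}

// Constructed environment with all three protections applied.
const securedEnv = {
  JSON: lockObject(JSON),
  TextEncoder: lockObject(TextEncoder),
  setTimeout: createSecuredTimer(setTimeout),
};
```

Running `probeRestrictions` against a plain, unlocked environment object returns `false` for every field, which is the contrast a developer diagnosing the troubleshooting symptoms above would look for.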