Runtime asset policy
Approved CDNs
Approved CDN policy keeps runtime imports predictable and safe. The goal is to preserve broad creator flexibility without opening dangerous host lanes.
Host allowlist policy for reliable and safe runtime asset loading.
Implementation focus
Consult this page whenever you add third-party scripts, assets, or external package delivery sources.
Expected outcomes
- Validate external asset hosts against runtime safety policy.
- Avoid brittle imports that fail under sandbox enforcement.
- Maintain consistent behavior across web, player, and embed contexts.
Published runtime script CDNs
Used by `<script src="...">` in shipped HTML vibes.
- https://cdn.jsdelivr.net
- https://cdnjs.cloudflare.com
- https://unpkg.com
- https://esm.sh
- https://ga.jspm.io
- https://jspm.dev
Studio-only compatibility
These are allowed for Studio preview compatibility, not as part of the published runtime script trust boundary.
- https://cdn.tailwindcss.com
Auth and identity connect origins
These hosts are the documented first-class providers for app-network integrations. They are not the browser runtime's full egress boundary: in allow-https mode, vibes still keep connect-src open to https and wss.
- https://clerk.accounts.dev
- https://*.clerk.com
- https://*.clerk.services
- https://*.clerkstage.dev
- https://identitytoolkit.googleapis.com
- https://securetoken.googleapis.com
Backend platform connect origins
- https://*.appwrite.global
- https://*.appwrite.network
- https://*.convex.cloud
- https://*.convex.site
- https://*.firebaseio.com
- https://firestore.googleapis.com
- https://*.hasura.app
- https://*.nhost.run
- https://*.supabase.co
- https://*.supabase.in
Data service connect origins
- https://*.algolia.net
- https://*.algolianet.com
- https://*.typesense.net
- https://*.upstash.io
- https://*.redis.cloud
Common public API origins
- https://api.github.com
- https://api.openai.com
Font stylesheet origins
- https://fonts.googleapis.com
- https://fonts.bunny.net
- https://rsms.me
Font file origins
- https://fonts.gstatic.com
- https://fonts.bunny.net
- https://rsms.me
- https://cdnjs.cloudflare.com
- https://r2cdn.perplexity.ai
Known image compatibility origins
These are common, tested passive image hosts. They are not the full runtime passive-image boundary: in allow-https mode, ordinary HTTPS image hosts are permitted while executable script trust stays curated separately.
- https://images.unsplash.com
- https://images.pexels.com
- https://cdn.pixabay.com
- https://i.imgur.com
- https://res.cloudinary.com
- https://images.ctfassets.net
- https://img.clerk.com
- https://images.clerk.dev
- https://*.vercel.app
Known media compatibility origins
These are common, tested passive media hosts. They are not the full runtime passive-media boundary: in allow-https mode, ordinary HTTPS media hosts are permitted while script trust remains narrow.
- https://videos.pexels.com
- https://media.giphy.com
- https://res.cloudinary.com
- https://*.vercel.app
- https://*.public.blob.vercel-storage.com
Passive storage-backed asset origins
These hosts are passive-only. They should not be treated as general script or connect trust.
- https://*.s3.amazonaws.com
- https://storage.googleapis.com
- https://*.storage.googleapis.com
- https://*.blob.core.windows.net
- https://*.blob.storage.azure.net
- https://*.public.blob.vercel-storage.com
- https://*.r2.cloudflarestorage.com
- https://*.backblazeb2.com
- https://*.digitaloceanspaces.com
- https://*.wasabisys.com
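The tiers above (curated script CDNs, first-class connect providers, passive-only storage origins, and the allow-https relaxation that widens passive and connect traffic but never script trust) can be checked mechanically. The following is an added example, not Vibecodr's own code: the host lists are copied from this page (the connect and passive lists are subsets), while the function names, the directive labels and the `allowHttps` option are assumptions made for the illustration. It shows how a `*.` pattern should be anchored so that a bare apex or a look-alike host does not match, and it audits the `<script src>` tags of a constructed HTML snippet against the published script tier.

```javascript
// Added example, not Vibecodr's own code. Host lists are copied from the
// page (connect and passive lists are subsets); function names, directive
// labels and the `allowHttps` option are assumptions for this illustration.

// Published runtime script CDNs: exact hosts, no wildcards. Executable trust
// stays curated even when allow-https mode opens passive and connect traffic.
const SCRIPT_HOSTS = [
  "cdn.jsdelivr.net", "cdnjs.cloudflare.com", "unpkg.com",
  "esm.sh", "ga.jspm.io", "jspm.dev",
];

// First-class connect providers (subset of the page's auth, backend, data and
// public API origins). Assumed to be the curated list when allow-https is off.
const CONNECT_HOSTS = [
  "clerk.accounts.dev", "*.clerk.com", "*.clerk.services",
  "*.convex.cloud", "*.convex.site", "*.supabase.co",
  "api.github.com", "api.openai.com",
];

// Known passive image hosts plus the passive-only storage-backed origins.
// Assumed to be the curated passive list when allow-https is off.
const PASSIVE_HOSTS = [
  "images.unsplash.com", "images.pexels.com", "res.cloudinary.com",
  "*.s3.amazonaws.com", "storage.googleapis.com", "*.storage.googleapis.com",
  "*.blob.core.windows.net", "*.public.blob.vercel-storage.com",
  "*.r2.cloudflarestorage.com", "*.backblazeb2.com",
  "*.digitaloceanspaces.com", "*.wasabisys.com",
];

// "*.example.com" matches one or more subdomain labels of example.com. The
// leading dot of the retained suffix anchors the match, so "evil-example.com"
// and the bare apex "example.com" are both rejected.
function hostMatches(pattern, host) {
  if (!pattern.startsWith("*.")) return pattern === host;
  const suffix = pattern.slice(1); // ".example.com"
  return host.length > suffix.length && host.endsWith(suffix);
}

function inList(list, host) {
  return list.some((pattern) => hostMatches(pattern, host));
}

// Decide whether `rawUrl` may be loaded under a directive ("script",
// "connect", "img" or "media"). Returns { allowed, reason }.
function checkAsset(rawUrl, directive, { allowHttps = false } = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  // https everywhere; connect additionally accepts wss. URL lowercases the host.
  const schemeOk =
    url.protocol === "https:" || (directive === "connect" && url.protocol === "wss:");
  if (!schemeOk) return { allowed: false, reason: `scheme ${url.protocol} not permitted` };
  const host = url.hostname;

  switch (directive) {
    case "script":
      // Passive-only storage and unlisted hosts never earn script trust,
      // and allow-https mode does not widen this tier.
      return inList(SCRIPT_HOSTS, host)
        ? { allowed: true, reason: "published runtime script CDN" }
        : { allowed: false, reason: "not an approved runtime script CDN" };
    case "connect":
      if (inList(CONNECT_HOSTS, host)) return { allowed: true, reason: "first-class connect provider" };
      return allowHttps
        ? { allowed: true, reason: "connect-src open to https/wss in allow-https mode" }
        : { allowed: false, reason: "connect host not in curated list" };
    case "img":
    case "media":
      if (inList(PASSIVE_HOSTS, host)) return { allowed: true, reason: "known passive host" };
      return allowHttps
        ? { allowed: true, reason: "ordinary HTTPS passive host permitted in allow-https mode" }
        : { allowed: false, reason: "passive host not in curated list" };
    default:
      return { allowed: false, reason: `unknown directive ${directive}` };
  }
}

// Audit the <script src> tags of shipped HTML against the published script
// tier and return the URLs that would be refused. The regex is enough for
// this constructed input; an HTML parser is the right tool for real markup.
function auditScriptTags(html) {
  const refused = [];
  const tag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const match of html.matchAll(tag)) {
    if (!checkAsset(match[1], "script").allowed) refused.push(match[1]);
  }
  return refused;
}

// Constructed sample: one approved CDN, the Studio-only Tailwind host, and a
// passive storage bucket pressed into service as a script host.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/preact@10/dist/preact.min.js"></script>
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://storage.googleapis.com/my-bucket/app.js"></script>
`;

console.log(auditScriptTags(SAMPLE_HTML));
```

Running the block prints the two refused sources: the Tailwind CDN, which this page admits for Studio preview only, and the storage bucket, which is passive-only and therefore never script trust. Note that `allowHttps` changes the answer only for the `img`, `media` and `connect` directives; the script tier is the same in both modes.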
Practical guidance
- For frontend dependencies, prefer npm imports in JSX/TSX and let Vibecodr manage mirroring and pinning.
- For HTML demos that need CDN scripts, stay on this approved host list for consistent runtime behavior.
- API and storage integrations should use HTTPS endpoints and avoid embedding secrets in client-side code or query strings.
- If you need a provider that is not listed here, request it so we can evaluate security, reliability, and long-term compatibility.