We built an architecture to securely serve applications that provide all the latest and greatest designer APIs out of the box at launch. Here's how it works:
Build:, bringing the technology of their choice (React, Vue, JavaScript, etc.)
Bundling: We released a CLI tool that allows developers to run a single command to bundle their applications and upload them to Webflow. A command can also be used when developing applications on the local host.
Launch: The application in the designer is injected into the iframe. Before rendering their entry point ( ), we first inject our own suite of Designer API JavaScript into the HTML that heads them. This exposes all designer APIs to the application and allows the latest version of each API to be available immediately upon launch.
Security: The application is hosted on a paraguay phone numbers different domain than Webflow Designer to help mitigate cross-site scripting (XSS) attacks. Additionally, we have a content security policy in place to ensure that apps only load where we expect them.
Applications ⇔ Webflow Communication
Once the application is launched and the JavaScript suite is injected into it, we need a way to communicate between the iframe (the application) and the host (the Webflow designer). To do this, we use (MDN files) as well as the internal JSON-RPC library to transfer JSON between the two sources. We need to ensure that the payload sent from the application is valid, so we have a middle layer that validates the JSON payload. Here is an example of what happens when you set the page title using
Handle request
The central logic of the Designer API resides in the Webflow Designer code library, called the "host". Internally, we use the Flux architecture to manage state across the entire application. Therefore, many Designer APIs are enhancing state or dispatching Flux operations. A high-level example of how we handle a request is shown below for updating the page title:
We set up a "responder" to listen to the API to be executed by setPageTitle.
Once the API is executed (and we have verified the payload) we can retrieve the id from PagesStore
If we can't find the page, we'll pass back an error response handled by the client.
We then merge the updated state into PagesStore
Internally, we are listening for status updates and syncing the data to the server when a change is detected.
Finally, we pass back a tuple (an array containing two items).
The first item in the array is the response we want to send back to the client. In the above example, we return null to this API.
The second item is the updated status. We have a Flux reducer that takes the second array item and merges it with the main state of Webflow Designer.