Canvas limitations

Client only

Canvas apps are single-file HTML applications. They cannot run server-side code. Apart from loading resources from CDNs (see Fetching external resources), they generally cannot connect to external servers.

No included database

Canvas apps do not have an included way to persist data. This will change in the future. If you have your own server that can persist data, a canvas app can connect to it after disabling the CSP (see Fetching external resources). Alternatively, you can read/write data by sending messages to a server bot that you control.

File drag-and-drop

Dragging a file from outside the canvas app into it does not work reliably on Chromium-based browsers.

Drag-and-drop within the canvas app is possible across all browsers.

Local storage

Browser local storage APIs are disabled for canvas apps.

Webcam

The webcam is disabled for canvas apps.

Clipboard

Canvas apps can write to the clipboard, but cannot read from the clipboard.

History API

Canvas apps cannot use the History API.

Links/navigation

Same-origin links (such as <a href="/about">) are not possible in canvas apps.

Cross-origin links (such as <a href="https://quora.com/about" target="_blank">) are supported; however, they require that the user elect to allow untrusted resources (example). When a user clicks a link with target="_blank", the following occurs:

  1. The Allow untrusted resources confirmation is displayed
  2. If the user clicks Allow all, the canvas bot will reload
  3. If the user clicks the link again, the link opens in a new tab

alert() / confirm()

The alert and confirm APIs do not work in canvas apps. Calling these methods will log an error message to the browser console.

File downloads

File downloads are not supported.

For image/video downloads, we recommend rendering the image so the user can right-click and select Save as to save the file.

Fetching external resources

Canvas apps can load libraries/resources from a set of trusted origins such as cdnjs.cloudflare.com and cdn.jsdelivr.net.

Canvas apps have strict security restrictions that prevent them from connecting with untrusted origins. If the canvas app tries to load an untrusted resource, the Allow untrusted external resources confirmation will show. If the user clicks Allow all, the canvas app will reload without the security restrictions, and will then be allowed to load any resource.

To avoid triggering the Allow untrusted external resources confirmation, we recommend only loading JavaScript libraries or CSS frameworks from a trusted origin.

Example: https://poe.com/CSPBannerExample
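
A pre-publish check for the recommendation above, as an added example that is not the platform's own code: it scans a canvas app's HTML for script and stylesheet URLs and lists any whose origin is outside the trusted set. The set holds only the two origins named on this page (the full list is not reproduced here), and findUntrustedResources, the placeholder base URL and the sample HTML are constructed for illustration.

```javascript
// Only the two trusted origins named on this page; the platform's full list
// is not reproduced here, so treat this set as an assumption and extend it.
const TRUSTED_ORIGINS = new Set([
  "https://cdnjs.cloudflare.com",
  "https://cdn.jsdelivr.net",
]);

// Constructed sample input (not from a real canvas app).
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/example-css@1/dist/example.min.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/example-lib/1.0.0/example.min.js"></script>
<script src="https://cdn.jsdelivr.net.lookalike.example/lib.js"></script>
<script src="//static.example.org/widget.js"></script>
`;

// Matches <script ... src="..."> and <link ... href="..."> with quoted values.
const RESOURCE_TAG = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*(["'])(.*?)\2/gi;

// Hypothetical helper: return the external script/stylesheet URLs whose
// origin is not in the trusted set.
function findUntrustedResources(html, trusted = TRUSTED_ORIGINS) {
  const findings = [];
  for (const [, tag, , raw] of html.matchAll(RESOURCE_TAG)) {
    let url;
    try {
      // The placeholder base resolves relative and protocol-relative URLs.
      url = new URL(raw.trim(), "https://canvas.invalid/");
    } catch {
      findings.push({ tag: tag.toLowerCase(), url: raw, reason: "unparseable URL" });
      continue;
    }
    if (url.origin === "https://canvas.invalid") continue; // relative, not external
    if (url.protocol === "data:" || url.protocol === "blob:") continue; // inline data
    // Compare the whole origin (scheme + host + port), never a substring:
    // a lookalike host that merely starts with a trusted name must not pass.
    if (!trusted.has(url.origin)) {
      findings.push({ tag: tag.toLowerCase(), url: url.href, reason: "untrusted origin" });
    }
  }
  return findings;
}

console.log(findUntrustedResources(SAMPLE_HTML));
```

Any URL this reports would, per the behaviour described above, show the Allow untrusted external resources confirmation; the regex scan is a lint-level check and does not see resources injected by scripts at runtime.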