Guide
Security and Sandbox
Use the right isolation boundary for trusted demos, user code, and AI-generated code.
Security model
Groundpack can execute code in different places. The right mode depends on whether that code is trusted.
| Mode | Use for | Boundary |
|---|---|---|
| Same-origin main thread | Trusted demos and examples | Can access the host page. |
| Same-origin worker | Trusted code that should avoid blocking UI | Worker isolation, same origin. |
| Cross-origin sandbox | Untrusted user or AI-generated code | Different origin and sandboxed iframe. |
Service worker setup
Virtual HTTP servers need a service worker so browser requests can be intercepted and forwarded to the registered virtual server.
- The demo app serves website/public/__sw__.js.
- Groundpack.boot() initializes preview routing in browsers when service workers are available.
- Public apps should drive preview iframes from server-ready or port event URLs.