Web Runtime
The Vifu Web Runtime loads deployed games as static browser assets inside a managed iframe. The game owns rendering and gameplay. Vifu owns hosting, isolation, the SDK bridge, platform service access, and runtime asset delivery.
Public project pages live on vifu.ai. Vifu-hosted game runtime entry pages and executable bundle assets live on runtime.vifu.ai in production and runtime-dev.vifu.ai in development. Backend APIs remain on api.consenger.com and api-dev.consenger.com.
Runtime Contract
| Area | Requirement |
|---|---|
| Entry | main.url points to an HTML file in build.output, usually index.html. |
| Build output | Static browser files only. No server process is run for the game. |
| Assets | Prefer relative paths from the build output. Use vifu.resources for declared data/media. |
| JavaScript | Executable code must be bundled into the artifact. Remote JS is blocked. |
| Network | Game code should not call arbitrary external APIs. Use the Vifu SDK. |
| Storage | Local browser storage is fine for temporary state. Use vifu.gameState for platform save/restore. |
| Host bridge | Use @vifu/sdk or window.vifu, not raw window.parent.postMessage(...). |
iframe Behavior
Design games to tolerate iframe constraints:
- no top-level navigation
- no required popups
- no required direct parent-window access
- responsive layout inside the frame
- pause/resume cleanly when hidden
- use
vifu.runtime.openExternal(...)for declared external links
Community and uploaded games run in a strict sandboxed iframe. The public game page does not grant allow-same-origin, so games must not depend on stable origin storage for durable player state. Use vifu.gameState for platform save/restore. Trusted first-party runtimes may receive broader iframe permissions only through an explicit platform allowlist.
Security Boundary
The runtime enforces the same boundary as vifu deploy:
- CDN JavaScript is not allowed.
- Direct external AI/backend calls are not allowed.
- Static fonts, CSS, images, and media may be allowed by category.
- Camera, microphone, workers, and eval are host-reviewed runtime rules, not public manifest switches.
The browser security layers have separate jobs:
runtime.vifu.aiisolates untrusted runtime code from the trusted web shell and API origins- iframe sandboxing limits browser capabilities
- runtime CSP limits executable scripts, resource categories, and network origins
- the host bridge is default-deny and grants only declared platform capabilities
- backend authorization still decides access to private projects, runtime sessions, credits, AI, plugins, and game state
Today, executable bundle assets are served from the runtime origin. Runtime data and media remain on Vifu API origins while those endpoints are still owned by the API layer; future runtime gateway proxying can tighten community runtime connect-src to the runtime origin.
Read Deploy Policy for the full artifact rules.
Boot Checklist
- Build the game.
- Serve the built directory locally.
- Open the entry file directly.
- Confirm the game renders before Vifu host connection.
- Confirm all local assets use relative paths or SDK resource URLs.
- Confirm
vifu.status().hostConnectedbecomes true inside Vifu.