dist/ folder and run inside a sandboxed iframe. The sandbox is strict (allow-scripts only — no allow-same-origin), so a small set of browser APIs behave differently than they would in a normal page.
This page is an opinionated list of what we’ve tested. If a library you want isn’t here, it likely works — try it and tell us how it went. If we move a library to Blocked, it’s because we’ve seen it fail.
Runtime
Sandbox + CSP
Blocks render withsandbox="allow-scripts" (no allow-same-origin). The document has an opaque origin, so any API that depends on a real origin (cookies, storage, top-frame access) is unavailable.
The CSP defaults to 'none' for everything except:
To fetch from a third-party API, declare it in
chatblocks.json:UI + styling
Supported.tailwindcss (via the Vite plugin), lucide-react (icons — import individually for tree-shaking), clsx + tailwind-merge.
Conditional. @fontsource/* to self-host Google Fonts (inlines as data: URLs).
Animation
Supported.framer-motion (~100 kB gz, declarative + gesture), @react-spring/web (~25 kB, spring physics), gsap (~70 kB, imperative timelines), lottie-web (~50 kB, After Effects JSON). CSS animations + the Web Animations API need no dependency and are often enough for hover/transition/keyframe work.
Charts + data viz
Supported.recharts (~95 kB), chart.js + react-chartjs-2 (~70 kB), @visx/* (~30 kB low-level d3 primitives), d3 (import sub-packages like d3-scale and d3-shape for ~20 kB).
3D + canvas
Supported.three (~150 kB) and @react-three/fiber + @react-three/drei (~60 kB).
State + data
Supported.zustand (~3 kB), jotai (~5 kB), @tanstack/react-query (~35 kB), swr (~10 kB).
Tables + lists
Supported.@tanstack/react-table (~15 kB headless), @tanstack/react-virtual (~5 kB virtualization).
Utilities
Supported.date-fns (import named functions), zod, embla-carousel-react.
Network
Supported.fetch, Request, Response — subject to the CSP connect-src allowlist above.
Conditional. WebSocket and EventSource — both gated by the same connect-src rules (use wss:// for WebSockets).