Default posture
External domains are block-by-default for uploaded games. Domains are reviewed because game code runs in a public iframe and can affect player privacy, safety, and trust.
Approval is scoped to the disclosed purpose and does not create a global permission for all games.
External domains are not remote scripts
Domain approval is for network calls such as APIs, multiplayer services, analytics, storage, or CDN asset hosts.
Approved domains are added only to the game runtime connect-src policy, including HTTPS and secure WebSocket access for the exact approved hostname.
It does not allow remote JavaScript execution. Bundle engine and library scripts into the uploaded ZIP instead of loading them from cdnjs, unpkg, jsDelivr, or similar CDNs.
Usually acceptable reasons
- A developer-owned multiplayer backend.
- A leaderboard, save, or account API required by the game.
- An approved analytics endpoint.
- An approved storage or CDN endpoint required by the game export.
- Some platform-trusted bundled multiplayer SDKs may be recognized automatically for connect-only access. Custom backends, data APIs, analytics, auth, storage, and CDN asset hosts still require review.
What to disclose
- Domain name or host:port endpoint.
- Why the game calls it.
- What data is sent or received.
- Whether the call is required for the game to start.
- Whether the domain belongs to you, your engine, or a third-party service.
Usually prohibited
- External ad scripts or ad networks.
- Remote engine or library scripts loaded from third-party CDNs.
- External payment scripts or checkout flows.
- Phishing, suspicious scripts, fingerprinting, crypto, NFT, or gambling APIs.