What pages can and can't do
The isolated environment pages run in — which browser features are available and which are intentionally restricted.
Pages run in the viewer's browser inside a dedicated sandbox, isolated from the TrayPage app itself. This protects the login session and data of everyone you share with from scripts inside the page.
As a self-contained, single HTML document, a page has close to full expressive power. What is intentionally restricted: talking to the outside world, persisting data, and embedding other services.
Note that Markdown pages are converted to HTML server-side by TrayPage, so these restrictions rarely matter for them. The following applies mainly to HTML pages.
What works
- JavaScript / CSS — All inline scripts and styles run. eval and WebAssembly are available.
- CDN libraries — Load from external CDNs with <script src="https://..."> / <link href="https://...">. Chart.js, Tailwind CSS (Play CDN), Mermaid, D3, and similar work as-is.
- Fonts, images, video, audio — Web fonts such as Google Fonts, any https-served images/video/audio, and data: / blob: URLs.
- Graphics and interaction — Canvas / SVG / WebGL, animations, Web Workers (via blob URLs).
- Links — Links inside a page open in a new tab.
- Dialogs and downloads — alert / confirm / prompt, plus file saving via <a download> or blob URLs (e.g. a "Download as CSV" button).
- Form UI — Inputs, selects, and validation work. Handle submission in JavaScript (native submission is blocked, see below).
What doesn't work
| Feature | Why, and what to do instead |
|---|---|
| External API access via fetch / XHR / WebSocket | Two-way communication with the outside is blocked. Embed all data the page needs directly in the HTML |
| Embedding other services with <iframe> (YouTube, Google Maps, etc.) | Embeds are blocked. Add a link instead — it opens in a new tab |
| localStorage / sessionStorage / IndexedDB / cookies | Unavailable due to isolation; accessing them throws. Keep state in JavaScript variables (it resets on reload) |
| Native <form> submission (posting to an action) | Blocked as an outbound channel. Handle the submit event in JavaScript |
| Camera, microphone, geolocation, notifications | Not available in the isolated viewing environment |
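
The substitutes listed in the table, combined in one inline script, as an added example that is not TrayPage's own code: data embedded in the page, state kept in memory, the submit event handled in JavaScript, and a CSV download through a blob URL. The element ids (add-form, status, download), the field names (item, qty) and the sample rows are assumptions made for the example.

```javascript
// Added example: element ids, field names and sample rows are constructed.
// Data is embedded in the page instead of being fetched.
const ROWS = [
  { name: "Widget, large", qty: 3 },
  { name: 'Bolt "M4"', qty: 12 },
];

// State lives in memory only, so it resets on reload.
const state = { rows: ROWS.slice() };

// Quote a field when it contains a comma, quote or line break (RFC 4180).
function csvField(value) {
  const s = String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

function toCsv(rows) {
  const lines = [["name", "qty"], ...rows.map((r) => [r.name, r.qty])];
  return lines.map((cols) => cols.map(csvField).join(",")).join("\r\n");
}

// Validate and store one row; returns an error message or null.
function addRow(name, qtyText) {
  if (!name.trim()) return "name required";
  if (!/^\d+$/.test(qtyText.trim())) return "qty must be a whole number";
  state.rows.push({ name: name.trim(), qty: Number(qtyText) });
  return null;
}

// Browser wiring: no fetch, no storage, no native form post.
function mount(doc) {
  const form = doc.getElementById("add-form");
  form.addEventListener("submit", (e) => {
    e.preventDefault(); // native submission is blocked, handle it here
    const data = new FormData(form);
    const err = addRow(String(data.get("item")), String(data.get("qty")));
    doc.getElementById("status").textContent = err || `${state.rows.length} rows`;
  });
  doc.getElementById("download").addEventListener("click", () => {
    const blob = new Blob([toCsv(state.rows)], { type: "text/csv" });
    const url = URL.createObjectURL(blob);
    const a = Object.assign(doc.createElement("a"), { href: url, download: "rows.csv" });
    a.click();
    setTimeout(() => URL.revokeObjectURL(url), 0);
  });
}

if (typeof document !== "undefined") mount(document);
```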
Tips for instructing the AI that generates pages
Adding instructions like the following helps the AI produce HTML that respects these restrictions:
Output a single self-contained HTML file. Embed all data directly in the HTML; do not use fetch or external APIs. localStorage is unavailable, so keep state in in-memory variables. CDN libraries (script / link tags) are fine.