Security notes for Orivo.

This page explains how Orivo handles account security, preview isolation, third-party libraries, and public-site protections.

Account-Based Workspace

Orivo uses an account-based model for editor access and project storage. Authentication is handled with secure sessions, and project data is tied to the signed-in account rather than relying on anonymous browser-only use.

Preview Isolation

User code runs inside an isolated preview iframe. The preview sandbox is restricted, external resources are filtered through an allowlist, and exported previews open without exposing the parent window.
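
One way to build the kind of preview isolation described above, as an added example that is not Orivo's own code. The CDN hostnames, function names, and the exact sandbox and CSP values are assumptions chosen for illustration.

```javascript
// Added example with hypothetical names; not Orivo's implementation.
const ALLOWED_HOSTS = ["cdn.jsdelivr.net", "unpkg.com"]; // constructed allowlist

// Accept only absolute https URLs whose hostname is exactly on the allowlist.
function isAllowedResource(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // relative, protocol-relative or malformed: reject
  }
  // Compare the parsed hostname, never a substring of the raw string, and
  // refuse userinfo so "allowed-host@other-host" cannot pass as allowed.
  return url.protocol === "https:" && url.username === "" &&
    url.password === "" && allowedHosts.includes(url.hostname);
}

// CSP for the preview document. Inline script and style stay enabled because
// user-authored code is meant to run; only the network origins are restricted.
function buildPreviewCsp(allowedHosts = ALLOWED_HOSTS) {
  const sources = allowedHosts.map((host) => `https://${host}`).join(" ");
  return [
    "default-src 'none'",
    `script-src 'unsafe-inline' ${sources}`,
    `style-src 'unsafe-inline' ${sources}`,
    `font-src ${sources}`,
    "img-src data:",
  ].join("; ");
}

function escapeAttr(text) {
  return text.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// sandbox="allow-scripts" without allow-same-origin gives the preview an
// opaque origin: scripts run, but cannot read the editor's cookies, storage
// or DOM.
function buildPreviewFrame(userHtml, allowedHosts = ALLOWED_HOSTS) {
  const csp = buildPreviewCsp(allowedHosts);
  const doc = `<meta http-equiv="Content-Security-Policy" content="${csp}">${userHtml}`;
  return `<iframe sandbox="allow-scripts" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Exported previews open in a new tab with no window.opener reference.
function buildExportLink(href) {
  return `<a href="${escapeAttr(href)}" target="_blank" rel="noopener noreferrer">Open preview</a>`;
}
```

The URL check is useful when the editor validates a library the user tries to enable; the CSP is what enforces the same allowlist inside the running preview.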

External Libraries

Optional CDN libraries can be enabled by the user inside the workspace. Those third-party libraries remain subject to their own licenses, terms and update policies.

Marketing Site

The marketing site uses stricter security policies than the prototype preview and avoids runtime Google Fonts loading on the static version. It is intended to behave like a normal public website.

Support Handling

Support requests sent while signed in are attached to the current account context. That keeps follow-up safer, reduces mismatched billing/support conversations, and ensures replies are handled against the profile email used for the request.

Orivo is a frontend coding environment, so user-authored HTML, CSS, and JavaScript are intentionally executable inside the preview. Security hardening reduces risk, but it does not replace careful use of third-party code.