Widget Security Boundary
Per-widget security boundary and data inventory
Districts and reviewers asked for a single page that answers: "What does each DrawSplatTM widget actually do with student data?" This page lists every widget and game served from the DrawSplatTM static site, what it stores, what external requests it makes, and what student data (if any) it collects.
Widget Security Boundary — the short version
- Same origin, same project. Every standalone widget under `/solutions/` and every game under `/games/` is served from the same origin as the DrawSplatTM static site. They are not iframed third parties.
- No third-party advertising, analytics, or trackers. Visit counts come from Cloudflare Pages’ server-side metrics on the static-host CDN; no beacon, no tracking pixel, no third-party JS is loaded on widget pages.
- Strict Content Security Policy. Pages declare `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; object-src 'none'; frame-ancestors 'none'`. Widgets that need an outbound request (e.g. Apps Script) extend `connect-src` with the specific host.
- No student data leaves the browser unless a backend is configured. Standalone widgets run entirely in the visitor’s browser. Only the whiteboard at `/app/whiteboard.html` talks to a backend, and only if the district has set up the Google Apps Script or MySQL backend.
- Local storage is per-widget and disclosed. Some widgets save the user’s last setup in `localStorage` for convenience. None store student-identifying data.
- Permissions Policy default-off. No widget requests `camera`, `microphone`, `geolocation`, or `payment`. The whiteboard’s audio-note feature is the single exception: it requests microphone access only when the user explicitly clicks Record.
- Image uploads. Until the Phase 1.3 / 1.4 image-upload approval queue ships, student image uploads on the whiteboard are disabled by default in the supported Apps Script deployment. Teachers and admins can still attach images; student-side uploads stay off until the moderation queue lands.
Per-widget data inventory
Every widget and game served from this site is listed below. Columns: what the widget keeps in `localStorage` or `sessionStorage`, what external network requests it makes during normal play, and whether it touches student-identifying data.
Classroom widgets (/solutions/)
| Widget | localStorage / sessionStorage | External requests | Student-identifying data |
|---|---|---|---|
| Bingo Card Generator | None | None | None |
| Bingo Caller | None | None | None — player names typed at runtime stay in memory |
| Coin Flipper | None | None | None |
| Dice Roller | None | None | None — optional player names typed at runtime stay in memory |
| Dicebreaker Creator | None | None | None |
| Draw & Sketch | None | None | None |
| Fortune Wheel (teacher) | Saved setup blobs (no student data) | None | None |
| Fortune Wheel (student) | None | None | None |
| Markdown Studio | Auto-save of the current document only | None | None unless the user pastes such data into their own document |
| Meme Puzzle | None | None | None |
| Rubric Builder | Saved rubrics drafted by the user | None | Only if the user types student names into a rubric; stays in their browser |
| Story Wheel | Saved prompt sets | None | None |
| Wheel Spinner | None | None | None — entries typed at runtime stay in memory |
| Word Search Maker | None | None | None |
DrawSplatTM Games (/games/ and /solutions/dotsboxes/)
| Game | localStorage / sessionStorage | External requests | Student-identifying data |
|---|---|---|---|
| Castles & Catapults | None | None | None — optional player names typed at runtime stay in memory |
| Dots and Boxes | None | None | None — optional player names typed at runtime stay in memory |
| Flood Fill | None | None | None |
| Flow Free | None | None | None |
| Fun Quiz | None | None | None |
| Lights Out | None | None | None |
| Tangram Packing | None | None | None |
| Untangle | None | None | None |
Whiteboard and admin pages
| Page | Storage | External requests | Student-identifying data |
|---|---|---|---|
| `/app/whiteboard.html` | Local `.drawsplat.json` save format; optional `localStorage` for preferences | Only the configured Apps Script `/exec` URL (if a teacher has set one) or the self-hosted MySQL backend URL | Only the data the school or district explicitly entered, e.g. a student name on a turn-in. No data leaves the browser unless a backend is configured. |
| `/admin/admin.html` (Teacher Admin) | Local admin preferences; the admin passcode entered at the prompt is held in memory only | Configured Apps Script `/exec` URL only | Admin reads / writes age band, parent requests, audit log, etc., only when explicitly invoked by the admin. |
| `/parents/index.html` (Family Access Tools) | None | Configured Apps Script `/exec` URL only, when a parent submits a request | The parent submits their own name/email plus the student name they request data for. Used only to route the ticket to the school admin. |
| `/community/` (Community Board) | Sign-in token (HMAC bearer) and "last visited" timestamp | The Community Apps Script `/exec` URL configured by the site operator, plus the Google or Microsoft identity hosts listed under Network egress declaration when the user signs in | Author name + email on posts that the user voluntarily submitted to the board. Used for moderation routing. |
Network egress declaration
By default a fresh install of DrawSplatTM makes zero outbound network requests from a widget page. Outbound requests happen only when:
- A teacher has pasted an Apps Script `/exec` URL into Teacher Admin. The whiteboard, Family Access Tools, and Community pages then call that URL only (`connect-src 'self' https://script.google.com https://*.googleusercontent.com` on the relevant pages).
- A district has stood up the self-hosted Node + MySQL backend and pointed the whiteboard at it. In that case the whiteboard calls `https://<district-domain>/api/drawsplat/mysql`.
- The visitor signs in with Google or Microsoft on the Community Board. The browser then talks to `accounts.google.com` (Google Identity Services) or, for the Microsoft path, the lazy-loaded MSAL CDN script and Microsoft Graph. Loading MSAL from a CDN is a cross-origin script load, so the Community Board page cannot run under the `script-src 'self'` baseline above; a reviewer should expect its CSP to list that CDN host (and the Microsoft sign-in and Graph hosts in `connect-src`) and verify that nothing beyond those is added.
No widget calls advertising, analytics, third-party-tracker, or social-network domains. The repository commit history and the inline <meta http-equiv="Content-Security-Policy"> on every page are the verifiable record.
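The CSP and egress claims above are presented as verifiable from each page's `<meta>` tag. The following is an added example of how a reviewer could check that claim mechanically; it is my code, not DrawSplatTM project code. It extracts the meta CSP from a page's HTML, parses it, compares it with the baseline policy declared on this page (allowing `connect-src` to be extended only with the two Apps Script hosts named above), and scans for cross-origin `<script>`/`<img>` loads. The three sample pages at the bottom are constructed for the example and are not the site's real markup. Note that browsers ignore `frame-ancestors` in a meta-delivered policy, so the check confirms the declaration is present but cannot confirm it is enforced.

```javascript
// Added example, not DrawSplatTM project code: extract the <meta http-equiv="Content-Security-Policy">
// tag from a page's HTML and check it against the baseline policy declared on this page.
// Runs under Node with no dependencies; the sample pages at the bottom are constructed here.

const BASELINE = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'", "'unsafe-inline'"],
  "img-src": ["'self'", "data:"],
  "connect-src": ["'self'"],
  "object-src": ["'none'"],
  // Browsers ignore frame-ancestors in a <meta> policy; this only confirms the declaration
  // is present. Enforcement needs the same directive in the HTTP response header.
  "frame-ancestors": ["'none'"],
};

// The only hosts a page may add to connect-src, taken from the network egress declaration.
const ALLOWED_EXTRA_CONNECT = new Set([
  "https://script.google.com",
  "https://*.googleusercontent.com",
]);

// Return the policy string from the first CSP meta tag, or null if there is none.
function extractMetaCsp(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']?content-security-policy["']?/i.test(tag)) continue;
    const m = tag.match(/\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    if (m) return m[1] !== undefined ? m[1] : m[2];
  }
  return null;
}

// Parse "default-src 'self'; img-src 'self' data:" into { "default-src": ["'self'"], ... }.
// Directive names are case-insensitive and, per the CSP spec, a repeated directive is ignored.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function sameSources(actual, expected) {
  const a = new Set(actual), b = new Set(expected);
  return a.size === b.size && [...a].every((s) => b.has(s));
}

// Compare a page's CSP against the baseline. Returns a list of findings; empty means compliant.
function checkWidgetCsp(html) {
  const policy = extractMetaCsp(html);
  if (policy === null) return ['no <meta http-equiv="Content-Security-Policy"> tag'];
  const csp = parseCsp(policy);
  const findings = [];
  for (const [name, expected] of Object.entries(BASELINE)) {
    const actual = csp[name];
    if (!actual) { findings.push(`missing ${name}`); continue; }
    if (name === "connect-src") {
      // connect-src may be extended, but only with the documented backend hosts.
      if (!actual.includes("'self'")) findings.push("connect-src lacks 'self'");
      for (const src of actual) {
        if (src !== "'self'" && !ALLOWED_EXTRA_CONNECT.has(src)) {
          findings.push(`connect-src allows undocumented host ${src}`);
        }
      }
    } else if (!sameSources(actual, expected)) {
      findings.push(`${name} is "${actual.join(" ")}", expected "${expected.join(" ")}"`);
    }
  }
  return findings;
}

// Cross-origin <script src> / <img src> loads, which widget pages promise not to have.
function externalLoads(html) {
  const out = [];
  for (const tag of html.match(/<(?:script|img)\b[^>]*>/gi) || []) {
    const m = tag.match(/\bsrc\s*=\s*["']?((?:https?:)?\/\/[^"'\s>]+)/i);
    if (m) out.push(m[1]);
  }
  return out;
}

// Constructed sample pages (not real DrawSplatTM markup).
const WIDGET_PAGE = `<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; object-src 'none'; frame-ancestors 'none'">
</head><body><script src="/solutions/dice/dice.js"></script></body></html>`;

const WHITEBOARD_PAGE = WIDGET_PAGE.replace(
  "connect-src 'self';",
  "connect-src 'self' https://script.google.com https://*.googleusercontent.com;");

const DRIFTED_PAGE = WIDGET_PAGE
  .replace("script-src 'self';", "script-src 'self' https://cdn.example.com;")
  .replace("connect-src 'self';", "connect-src 'self' https://analytics.example.com;")
  .replace("</body>", '<script src="https://cdn.example.com/x.js"></script></body>');

for (const [name, page] of [["widget", WIDGET_PAGE], ["whiteboard", WHITEBOARD_PAGE], ["drifted", DRIFTED_PAGE]]) {
  console.log(name, checkWidgetCsp(page), externalLoads(page));
}
```

To use it against the live site, fetch each page under `/solutions/`, `/games/`, `/app/` and `/admin/` and feed the HTML to `checkWidgetCsp` and `externalLoads`; the widget and whiteboard samples produce no findings, the drifted sample reports the extra `script-src` host, the undocumented `connect-src` host, and the cross-origin script.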
iframe / embed posture
DrawSplatTM pages declare `frame-ancestors 'none'` in their CSP. Two caveats for anyone checking that claim: browsers ignore `frame-ancestors` when the policy arrives in a `<meta>` tag, so the directive only blocks framing where it is also sent as an HTTP `Content-Security-Policy` response header (on Cloudflare Pages, a `_headers` file is the usual way to add one); and where it is enforced, the page cannot be framed by any portal at all. A school portal that does embed a DrawSplatTM widget should run the embed in an `<iframe sandbox="allow-scripts">`, adding `allow-same-origin` only for widgets whose inventory row shows `localStorage` in use (a sandboxed frame without it has an opaque origin and cannot read or write storage). Never enable `allow-modals`, `allow-popups`, or `allow-top-navigation` unless the specific widget documents that it requires them. The portal should also deny `camera`, `microphone`, `geolocation`, `payment`, and `usb` on the embed through the iframe's `allow` attribute (or its own Permissions-Policy header) unless the specific widget needs them; of the pages listed above, only the whiteboard's audio note needs `microphone`.
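As an added example of the embed posture just described (my code, not DrawSplatTM's), the script below derives the least-privilege `sandbox` and `allow` attributes for a portal's `<iframe>` from a widget's inventory row and refuses to emit an embed whose URL resolves to any origin other than the site's. The site origin `https://drawsplat.example`, the widget paths, and the descriptor shape are assumptions for illustration.

```javascript
// Added example, not DrawSplatTM project code: build the least-privilege <iframe> for a portal
// that embeds a widget, deriving sandbox and Permissions-Policy grants from the widget's
// inventory row. The site origin and the widget descriptors below are assumptions.
const DRAWSPLAT_ORIGIN = "https://drawsplat.example"; // assumed; substitute the real site origin

// Features the portal denies on every embed unless the widget's row says it needs them.
const DENIED_FEATURES = ["camera", "microphone", "geolocation", "payment", "usb"];

function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// widget = { name, path, usesStorage, needs: [feature, ...] }
function embedAttributes(widget) {
  // A sandboxed frame without allow-same-origin has an opaque origin and cannot touch
  // localStorage, so grant it only where the inventory shows storage in use. allow-modals,
  // allow-popups and allow-top-navigation are never added here.
  const sandbox = ["allow-scripts"];
  if (widget.usesStorage) sandbox.push("allow-same-origin");
  // Permissions Policy: deny every feature by default; 'src' grants only the frame's own origin.
  const needs = new Set(widget.needs || []);
  const allow = DENIED_FEATURES.map((f) => (needs.has(f) ? `${f} 'src'` : `${f} 'none'`));
  return { sandbox: sandbox.join(" "), allow: allow.join("; ") };
}

// Resolve the widget path against the site origin and refuse anything that lands elsewhere
// (an absolute or protocol-relative URL to another host would otherwise be embedded as-is).
function embedMarkup(widget) {
  const url = new URL(widget.path, DRAWSPLAT_ORIGIN);
  if (url.origin !== DRAWSPLAT_ORIGIN) {
    throw new Error(`refusing to embed off-origin URL ${url.href}`);
  }
  const { sandbox, allow } = embedAttributes(widget);
  return `<iframe src="${escapeAttr(url.href)}" sandbox="${sandbox}" allow="${allow}" ` +
         `referrerpolicy="no-referrer" title="${escapeAttr(widget.name)}"></iframe>`;
}

// Constructed descriptors mirroring two rows of the inventory above (paths assumed).
const DICE_ROLLER = { name: "Dice Roller", path: "/solutions/dice/", usesStorage: false };
const WHITEBOARD = {
  name: "Whiteboard", path: "/app/whiteboard.html", usesStorage: true, needs: ["microphone"],
};

console.log(embedMarkup(DICE_ROLLER));
console.log(embedMarkup(WHITEBOARD));
```

The Dice Roller, which stores nothing, gets `sandbox="allow-scripts"` and every feature denied; the whiteboard gets `allow-same-origin` for its preferences and `microphone 'src'` so the audio note can prompt for access, with everything else still denied.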
Where this fits in the privacy story
- Terms & Privacy — the overall policy and the legal commitments.
- District Data Privacy Addendum — signature-ready template for school / district contracting.
- Texas Compliance — plain-language SCOPE / FERPA / COPPA / CIPA explainer.
- NDPA / DPA Review Packet — the bundle every reviewer typically asks for.
- Privacy Notice Builder — generate a local privacy notice for your school.