Public Boundary

Security

XCON Viewer is viewer-only. It renders declarative UI documents without executing application behavior.

Allowed

Structured screen data, public component properties, safe inline styles, local resource URLs, and metadata needed for viewer rendering.

Blocked

JavaScript execution, event handlers, action references, backend/database sections, unsafe URLs, raw HTML injection by default, and runtime business logic.

Security References

Security model specification
Invalid example with blocked properties
JSON Schema restrictions

Public XCON is a document format and renderer surface, not an application runtime.