This page explains how the Offline iFrame viewer bundle is delivered and how to host it securely.
The Offline iFrame bundle is provided by Resistant AI during enablement.
Documentation uses placeholders for the bundle URL to prevent uncoordinated deployments.

Delivery models

Option 1 — Self-hosted

Resistant AI provides you with a versioned Offline iFrame bundle. You host the bundle inside your own infrastructure and load it in an <iframe>.
Pros
  • Works in restricted / controlled networks
  • No dependency on external asset hosting
  • Easier to meet internal security requirements
Cons
  • You are responsible for deployment and version updates
Operational guidance
  • Pin to a specific version of the bundle in production.
  • Roll out updates in a controlled manner (staging → production).
Self-hosting gives you maximum control, but you are responsible for tracking bundle updates and rolling them out.

Option 2 — Resistant AI–hosted static bundle

Resistant AI can provide a hosted static bundle URL after enablement. This is asset hosting only (the viewer still renders from the data you provide via postMessage()).
Implications
If your security posture allows it, we recommend using the Resistant AI–hosted static bundle. It reduces maintenance overhead because updates are managed as part of our release process (you still control when to adopt changes by pinning to an approved version where available).

iFrame source placeholder

Use a placeholder variable for the iframe src (bundle URL is provided during enablement):
<iframe
  id="rai-offline-iframe"
  src="<OFFLINE_IFRAME_URL_PROVIDED_BY_RESISTANT_AI>"
  allow="clipboard-read; clipboard-write"
  referrerpolicy="no-referrer"
  style="width: 100%; height: 100%; border: 0;"
></iframe>
If you self-host the bundle, treat it like any internal web asset:
  • Serve over HTTPS
  • Restrict embedding with Content-Security-Policy: frame-ancestors ...
  • Ensure your app allows framing the bundle via frame-src / child-src
  • Limit who can access the bundle URL (internal only)
  • Keep versions controlled (avoid unreviewed updates in production)
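
One way to verify the HTTPS, frame-ancestors and frame-src / child-src items of this checklist before a rollout. This is an added example, not Resistant AI's code; the origins, function names and finding messages are assumptions made for illustration.

```javascript
// Added example; origins are constructed placeholders, not Resistant AI URLs.
// Simplification: sources match only as exact origins, 'self', 'none' or '*'.
const BUNDLE_URL = "https://viewer.example.internal/offline-iframe/index.html";
const APP_ORIGIN = "https://app.example.internal";

// Parse a Content-Security-Policy value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of (header || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Audit the response serving the bundle: HTTPS plus frame-ancestors, which
// does not fall back to default-src and so must be set explicitly.
function auditBundleResponse(bundleUrl, cspHeader, allowedParents) {
  const findings = [];
  const url = new URL(bundleUrl);
  if (url.protocol !== "https:") findings.push("bundle is not served over HTTPS");
  const ancestors = parseCsp(cspHeader)["frame-ancestors"];
  if (!ancestors) return [...findings, "frame-ancestors missing: embedding is not restricted by CSP"];
  const broad = ancestors.filter((s) => s === "*" || /^https?:$/.test(s));
  for (const s of broad) findings.push(`frame-ancestors source ${s} is too broad`);
  const origins = ancestors.map((s) => (s === "'self'" ? url.origin : s));
  for (const s of origins) {
    const known = s === "'none'" || s === url.origin || allowedParents.includes(s);
    if (!broad.includes(s) && !known) findings.push(`unexpected ancestor ${s}`);
  }
  for (const parent of allowedParents) {
    if (broad.length === 0 && !origins.includes(parent))
      findings.push(`${parent} is not allowed to embed the bundle`);
  }
  return findings;
}

// Check the embedding page's CSP: framing is governed by frame-src, which
// falls back to child-src and then default-src.
function pageAllowsBundle(pageOrigin, cspHeader, bundleUrl) {
  const p = parseCsp(cspHeader);
  const sources = p["frame-src"] || p["child-src"] || p["default-src"];
  if (!sources) return true; // no governing directive: framing is unrestricted
  const bundleOrigin = new URL(bundleUrl).origin;
  return sources.some((s) => s === "*" || s === bundleOrigin ||
    (s === "'self'" && pageOrigin === bundleOrigin));
}
```

Feed it the header values returned by your bundle host and by the page that embeds the iframe. A page that sets only default-src 'self' blocks the bundle unless frame-src or child-src lists the bundle origin.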