Figma Stuck Loading? Route Figma and Static CDN Domains in Clash: Proven Steps 2026

1. Symptoms: Spinners, Empty Canvas, or Broken Fonts

The most frustrating Figma breakages behind proxies are partial loads. The left sidebar might render, account menus respond, and even real-time cursors can appear, yet the main canvas area stays a blank rectangle or shows an endless “Loading” strip. A related failure mode is typography that reverts to system stacks because static resource fetches to font and icon packs time out. Sometimes embedded prototypes or FigJam boards load while design files do not, which usually points to a different subdomain or third-party CDN missing from your rule set rather than a bad datacenter. Users often blame the exit node; mihomo logs more frequently show a handful of hostnames still mapped to a default DIRECT path or a catch-all that disagrees with the exit you expect for the product skin.

Desktop and browser differences matter. The desktop app, Electron shells, and multiple browser profiles can all maintain separate connection pools and their own DoH or secure DNS settings. Toggling a policy mid-session can leave long-lived TLS sessions on the wrong interface until a full process restart. On Windows, TUN interplays with UWP and store apps; if only one surface misbehaves, read our TUN, UWP, and loopback article in parallel. On any OS, the debugging rhythm stays the same: read what hostnames the core actually classifies before swapping upstreams.

2. Why Figma Is Not “One Domain” in the Browser

Like most modern single-page applications, the Figma experience stitches together many origins. Application logic, file metadata, and collaboration websockets often concentrate on figma.com and www.figma.com family names. Minified JavaScript, worker bundles, and cacheable static resources may be served from clearly separated subdomains or edge caches so the HTML shell can version independently from the asset pipeline. Prototype embeds, help links, and marketing pages add subdomains you might not notice until a rule misses them. Community resources and plugin marketplaces can introduce additional first-party and partner hostnames, which is why “I added figma.com to my rule file” is necessary but not sufficient for a stable build.

Clash routing is literal. If your GEOIP block sits above a new DOMAIN-SUFFIX,figma.com row in your mind but not in the file, the file order wins—and it will not. Promote the exact suffixes and names that appear in mihomo connection logs or your browser’s network tab during the failure, then place those lines above catch-alls. This mental model is the same as we describe for Sora and video CDN splits: a coherent exit across the whole asset graph, not a lucky match on the apex only.

3. Clash, Mihomo, and Rule Order (First Match Wins)

Meta-class cores such as mihomo walk the rules list from top to bottom. A broad match early in the file—DOMAIN-KEYWORD noise, a premature GEOIP,CN shortcut, or an aggressive MATCH—can eat Figma traffic before your explicit rows ever execute. The practical habit is to reserve the top of the policy stack for narrow exceptions: banking, LAN printers, and now your collaboration design bundle—then keep continent-scale shortcuts below, where they cannot override product-specific intent.

For long-term maintainability, consider folding recurring suffix lists into a RULE-SET you version in Git, and keep a small “overrides” snippet for the hostnames a client update just introduced. The discipline is identical to the merge strategy we discuss for rule providers in rule-providers and GEOIP maintenance—upstream lists help, but your own traces are authoritative when a release ships a new static hostname.

4. DOMAIN Rules: Figma, Embeds, and Common Asset Hosts

The YAML below is a starting point, not a talisman. Always reconcile suffixes with live mihomo logs in 2026, because Figma can add regional endpoints, experimental hosts, and partner edges. Place these rows above GEOIP and generic MATCH catch-alls. The placeholder PROXY-FIGMA means whichever policy group you intend for a stable, low-churn exit for the design product—often a select to a specific region, not a flapping url-test that changes countries on every auto refresh.

# DOMAIN-SUFFIX,figma.com covers static.figma.com, www.figma.com, api.figma.com, etc.
# Add fonts.googleapis.com / fonts.gstatic.com if your file uses webfonts and your logs show splits
rules:
  - DOMAIN-SUFFIX,figma.com,PROXY-FIGMA

After the baseline, reproduce the error with logging enabled, open browser devtools on the network tab, and promote any additional subdomains you see—static, embed, www variants, help or product education hosts—to explicit DOMAIN or DOMAIN-SUFFIX lines. Avoid the lazy KEYWORD,figma hammer unless you accept collateral hits on unrelated sites that include the same substring. For IPv6 dual-stack homes, also confirm AAAA behavior matches your intent; our IPv6 and TUN calibration note explains why one browser can look “more broken” than another when only half the stack is classified consistently.

When you are ready to formalize the surrounding architecture—exception ordering, rule-providers, and merge hygiene—our advanced routing and rules reference stays the companion piece to a domain snippet like the one above.

5. Google Fonts, Typefaces, and Third-Party Packs

Design files frequently pull webfonts and iconography from well-known public CDN planes such as fonts.googleapis.com and fonts.gstatic.com, in addition to any first-party Figma static resource path. If your profile sends figma.com to a high-quality exit but classifies those font domains under a different Clash path—or leaves them on DIRECT while the document shell is tunneled—rendering can stall waiting on CSS and font bytes that never arrive in time, which looks like “Figma is frozen” when it is really a font waterfall timeout.

You can either route those shared font CDNs in the same PROXY-FIGMA group for simplicity while you are actively debugging, or create a small adjacent group that tracks your chosen exit but stays consistent across sessions. The wrong trade is mixing regions between the file shell and the font pipeline during the same design session, because cache validators and CORS expectations start to look like intermittent bugs. The Gemini and Google services guide on this site also discusses Google property routing at scale if you need a broader map than a two-line font exception.

6. Policy Groups: One Coherent Exit for the Whole Session

Pick a policy group you can explain to a teammate: for example, select to a US or EU node you trust for SaaS, or a fallback list with a conservative interval. Design tools are sensitive to rapid IP churn; an url-test that flips every few seconds is a poor fit for a heavy WebGL or canvas client even if the synthetic ping looks “faster” on paper. The tunables for url-test and fallback are covered in url-test and failover—favor stable membership over bragging rights on a speedtest widget.

If you share one outbound with unrelated traffic, document that pairing. Tuning a group for 4K streaming and then wondering why a canvas client disconnects is a self-inflicted support ticket. The YAML remains the product contract, regardless of which GUI you use—migrating readers can cross-check with our CFW alternative overview so the mental model stays anchored in the file, not a retired window layout.

7. DNS, Fake-IP, and “My Rules Never Fire”

Under fake-ip, DOMAIN-based Clash routing only behaves predictably if clients query through the core’s DNS pipeline first. Operating system resolvers, browser “secure DNS” toggles, mobile Private DNS, and corporate forwarders that bypass the listener are all common reasons your carefully written DOMAIN-SUFFIX,figma.com line never appears in a decision trace—the hostname never reaches the engine in a form the rule layer can see. The pattern-level explanation is the same as in our Claude region and DNS article: fix resolver alignment first, then argue about nodes.

Concrete mitigations: define an explicit dns block with defensible default and fallback servers, avoid mixing resolvers that return radically different answers for the same Figma subdomains, and after changes, read mihomo logs to confirm the names you care about are queried where the profile expects. If you prefer redir-host or similar modes, you still need a single coherent resolver story; random per-app DoH endpoints will keep producing “it worked until I opened a second profile” illusions.

8. Sniffer, TLS SNI, and Stale IP Caches

Some sessions arrive as raw IPs first, especially when caches or long-lived keep-alives outlive a policy change, or when an earlier lookup bypassed the core. The HTTPS sniffer can recover TLS SNI to rescue classification, but it is a safety net, not a replacement for DNS hygiene. Follow the workflow in Clash Meta sniffer and SNI and verify filters still include the edge names your file actually hits.

Figma sessions open a fan-out of parallel connections: file sync, WebSockets, static packs, and analytics-style beacons. If any subset still lands on a default outbound, you can see a white canvas with a “connected” account icon—the worst kind of bug because every isolated speed test still looks fine. Log lines that show hostnames, policy decisions, and chains for each connection turn that ambiguity into a finite checklist; trust that evidence.

9. FigJam, Plugins, and Embeds

FigJam generally rides the same first-party Figma hostname family as the design product, so the same suffix bundle usually applies. The wildcards are community plugins, embedded prototypes, and partner integrations. When a board pulls in a third-party preview or script, you may need additional DOMAIN rows for that vendor after you read the name from the network log. Treat those as one-off adds rather than bloating a global keyword; precision keeps surprises predictable when the marketing site or help center updates independently from the editor.

10. Compared with Video Streaming or AI API Traffic

Unlike Netflix, the goal is not a licensed catalog in a specific country—it is a coherent SaaS static resource path with stable TLS behavior. Unlike long-video YouTube throughput tuning, the bottleneck is more often dozens of small HTTPS objects and CDN fan-out, similar to Reddit thumbnails, not sustained megabits. Compared with Cursor or DeepSeek style API-heavy IDE flows, the editor is more asset-graph than chat endpoint—so your suffix list and font exceptions matter more than raw API latency to a single host.

Stay within the laws and terms that apply in your region and the services you use. This article addresses engineering problems—misrouted split tunneling, DNS misalignment, and catch-all rules—that break legitimate work; it is not a guide to bypassing corporate policy or abusing another network’s terms.

11. Verification Checklist

When Figma misbehaves, work through the list before swapping upstreams:

If the checklist is green and the product still errors, consider account-level throttling, extension conflicts, or a genuine Figma incident—but you will have ruled out the usual Clash footguns.

12. Closing Thoughts

In 2026, a collaborative Figma or FigJam session still punishes split tunneling mistakes that leave static assets and font CDNs on a different Clash path than the editor shell. Compared with one-click VPN apps that hide their routing table, a transparent mihomo core rewards you with logs that name the exact hostnames that evaded your policy—once you learn to read them, most “infinite loading” cases collapse into rule ordering, incomplete suffix lists, or DNS and fake-ip misalignment, not a cosmic mystery.

Keep overrides in version control, diff when the desktop or web client updates, and treat every major Figma release as a reminder to re-check hostnames in traces. A carefully separated design-tool bundle in your config pairs naturally with a single trusted place to fetch clients—visit our download center for up-to-date installers, apply the checklist above, and treat the next file open as a validation drill, not a blind hop through a random node. → Download Clash for free and experience the difference