This page details the security requirements third-party add-ons have to fulfill.
Origin restrictions
An origin is a URL with a scheme (protocol), host (domain), and port. Two URLs have the same origin when they share the same scheme, host, and port. Sub-origins are permitted. For more information, see RFC 6454.
These resources share the same origin as they have the same scheme, host, and port components:
https://www.example.comhttps://www.example.com:443https://www.example.com/sidePanel.html
The following constraints are enforced when working with origins:
All origins used in the operation of your add-on must use
httpsas the protocol.The
addOnOriginsfield in the add-on manifest must be populated with the origins that your add-on is using.The entries in the
addOnOriginsfield must be a list of CSP host source compatible values. For examplehttps://*.addon.example.comorhttps://main-stage-addon.example.com:443. Resource paths are not allowed.This list is used to:
Set the
frame-srcvalue of the iframes containing your application.Validate the URLs that your add-on is using. The origin used in the following locales must be part of the origins listed in the
addOnOriginsfield in the manifest:The
sidePanelUrifield in the add-on manifest. For more information, see Build a Meet Add-on.The
sidePanelUrlandmainStageUrlin theAddonScreenshareInfoobject. For more information, see Promote an add-on to users through screen sharing.The
sidePanelUrlandmainStageUrlin theCollaborationStartingState. For more information, see Use the collaboration starting state.
Validate the origin of the site that's calling the
MeetAddonScreenshare.exposeToMeetWhenScreensharingmethod.
If your application uses URL navigation inside the iframe, all origins that are being navigated to must be listed in the
addOnOriginsfield. Note that wildcard subdomains are permitted. For example,https://*.example.com. However, we strongly advise against using wildcard subdomains with a domain you don't own, such asweb.appwhich is owned by Firebase.