This page details the security requirements third-party add-ons have to fulfill.
Origin restrictions
An origin is a URL with a scheme (protocol), host (domain), and port. Two URLs have the same origin when they share the same scheme, host, and port. Sub-origins are permitted. For more information, see RFC 6454.
These resources share the same origin as they have the same scheme, host, and port components:
https://www.example.comhttps://www.example.com:443https://www.example.com/sidePanel.html
The following constraints are enforced when working with origins:
All origins used in the operation of your add-on must use
httpsas the protocol.The
addOnOriginsfield in the add-on manifest must be populated with the origins that your add-on is using.The entries in the
addOnOriginsfield must be a list of CSP host source compatible values. For examplehttps://*.addon.example.comorhttps://main-stage-addon.example.com:443. Resource paths are not allowed.This list is used to:
Set the
frame-srcvalue of the iframes containing your application.Validate the URLs that your add-on is using. The origin used in the following locales must be part of the origins listed in the
addOnOriginsfield in the manifest:The
sidePanelUrifield in the add-on manifest. For more information, see Deploy a Meet add-on.The
sidePanelUrlandmainStageUrlproperties in theAddonScreenshareInfoobject. For more information, see Promote an add-on to users through screen sharing.The
sidePanelUrlandmainStageUrlproperties in theActivityStartingState. For more information on activity starting state, see Collaborate using a Meet add-on.
Validate the origin of the site that's calling the
exposeToMeetWhenScreensharing()method.
If your application uses URL navigation inside the iframe, all origins that are being navigated to must be listed in the
addOnOriginsfield. Note that wildcard subdomains are permitted. For example,https://*.example.com. However, we strongly advise against using wildcard subdomains with a domain you don't own, such asweb.appwhich is owned by Firebase.