Add-on security

This page details the security requirements third-party add-ons have to fulfill.

Origin restrictions

An origin is a URL with a scheme (protocol), host (domain), and port. Two URLs have the same origin when they share the same scheme, host, and port. Sub-origins are permitted. For more information, see RFC 6454.

These resources share the same origin as they have the same scheme, host, and port components:

  • https://www.example.com
  • https://www.example.com:443
  • https://www.example.com/sidePanel.html

The following constraints are enforced when working with origins:

  1. All origins used in the operation of your add-on must use https as the protocol.

  2. The addOnOrigins field in the add-on manifest must be populated with the origins that your add-on is using.

    The entries in the addOnOrigins field must be a list of CSP host source compatible values. For example https://*.addon.example.com or https://main-stage-addon.example.com:443. Resource paths are not allowed.

    This list is used to:

  3. If your application uses URL navigation inside the iframe, all origins that are being navigated to must be listed in the addOnOrigins field. Note that wildcard subdomains are permitted. For example, https://*.example.com. However, we strongly advise against using wildcard subdomains with a domain you don't own, such as web.app which is owned by Firebase.