Add-on security

This page details the security requirements third-party add-ons have to fulfill.

Origin restrictions

An origin is a URL with a scheme (protocol), host (domain), and port. Two URLs have the same origin when they share the same scheme, host, and port. Sub-origins are permitted. For more information, see RFC 6454.

These resources share the same origin as they have the same scheme, host, and port components:

  • https://*

The following constraints are enforced when working with origins:

  1. All origins used in the operation of your add-on must use https as the protocol.

  2. The addOnOrigins field in the add-on manifest must be populated with the origins that your add-on is using.

    The entries in the addOnOrigins field must be a list of CSP host source compatible values. For example https://* or

    This list is used to:

  3. If your application uses URL navigation inside the iframe, all origins that are being navigated to must be listed in the addOnOrigins field.