This page details the security requirements third-party add-ons have to fulfill.
Origin restrictions
An origin is a URL with a scheme (protocol), host (domain), and port. Two URLs have the same origin when they share the same scheme, host, and port. Sub-origins are permitted. For more information, see RFC 6454.
These resources share the same origin as they have the same scheme, host, and port components:
https://example.comhttps://example.com:80https://*.example.com
The following constraints are enforced when working with origins:
All origins used in the operation of your add-on must use
httpsas the protocol.The
addOnOriginsfield in the add-on manifest must be populated with the origins that your add-on is using.The entries in the
addOnOriginsfield must be a list of CSP host source compatible values. For examplehttps://*.addon.example.comorhttps://main-stage-addon.example.com:443.This list is used to:
Set the
frame-srcvalue of the iframes containing your application.Validate the URLs that your add-on is using. The origin used in the following locales must be part of the origins listed in the
addOnOriginsfield in the manifest:The
sidePanelUrifield in the add-on manifest. For more information, see Build a Meet Add-on.The
sidePanelUrlandmainStageUrlin theAddonScreenshareInfoobject. For more information, see Promote an add-on to users through screen sharing.The
sidePanelUrlandmainStageUrlin theCollaborationStartingState. For more information, see Use the collaboration starting state.
Validate the origin of the site that's calling the
MeetAddonScreenshare.exposeToMeetWhenScreensharingmethod.
If your application uses URL navigation inside the iframe, all origins that are being navigated to must be listed in the
addOnOriginsfield.