Add-on security
Stay organized with collections
Save and categorize content based on your preferences.
This page details the security requirements third-party add-ons
have to fulfill.
Origin restrictions
An origin is a URL with a scheme (protocol), host (domain), and port. Two URLs
have the same origin when they share the same scheme, host, and port.
Sub-origins are permitted. For more information, see RFC
6454.
These resources share the same origin as they have the same scheme, host, and
port components:
https://www.example.comhttps://www.example.com:443https://www.example.com/sidePanel.html
The following constraints are enforced when working with origins:
All origins used in the operation of
your add-on must use https as the protocol.
The addOnOrigins field in the add-on
manifest must be
populated with the origins that your add-on is
using.
The entries in the addOnOrigins field must be a list of CSP host
source
compatible values. For example https://*.addon.example.com or
https://main-stage-addon.example.com:443. Resource
paths
are not allowed.
This list is used to:
Set the
frame-src
value of the iframes containing your application.
Validate the URLs that your add-on is using.
The origin used in the following locales must be part of the origins
listed in the addOnOrigins field in the manifest:
Validate the origin of the site that's calling the
exposeToMeetWhenScreensharing()
method.
If your application uses URL navigation inside the iframe, all origins that
are being navigated to must be listed in the addOnOrigins field. Note that
wildcard subdomains are permitted. For example,
https://*.example.com. However, we strongly advise against using wildcard
subdomains with a domain you don't own, such as web.app which is owned by
Firebase.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-28 UTC.
[null,null,["Last updated 2025-08-28 UTC."],[],[],null,["# Add-on security\n\nThis page details the security requirements third-party add-ons\nhave to fulfill.\n\nOrigin restrictions\n-------------------\n\nAn origin is a URL with a scheme (protocol), host (domain), and port. Two URLs\nhave the same origin when they share the same scheme, host, and port.\nSub-origins are permitted. For more information, see [RFC\n6454](https://www.ietf.org/rfc/rfc6454.txt).\n\nThese resources share the same origin as they have the same scheme, host, and\nport components:\n\n- `https://www.example.com`\n- `https://www.example.com:443`\n- `https://www.example.com/sidePanel.html`\n\nThe following constraints are enforced when working with origins:\n\n1. All [origins](/workspace/meet/add-ons/guides/overview#origin) used in the operation of\n your add-on must use `https` as the protocol.\n\n2. The `addOnOrigins` field in the [add-on\n manifest](/workspace/meet/add-ons/guides/deploy-add-on#create-deployment) must be\n populated with the origins that your add-on is\n using.\n\n The entries in the `addOnOrigins` field must be a list of [CSP host\n source](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#host-source)\n compatible values. For example `https://*.addon.example.com` or\n `https://main-stage-addon.example.com:443`. [Resource\n paths](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/Web_mechanics/What_is_a_URL#path_to_resource)\n are not allowed.\n\n This list is used to:\n - Set the\n [`frame-src`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src)\n value of the iframes containing your application.\n\n - Validate the URLs that your add-on is using.\n The origin used in the following locales must be part of the origins\n listed in the `addOnOrigins` field in the manifest:\n\n - The `sidePanelUri` field in the add-on\n manifest. For more information, see\n [Deploy a Meet add-on](/workspace/meet/add-ons/guides/deploy-add-on#create-deployment).\n\n - The `sidePanelUrl` and `mainStageUrl` properties in the\n [`AddonScreenshareInfo`](/workspace/meet/add-ons/reference/websdk/screenshare_api.addonscreenshareinfo)\n object. For more information, see\n [Promote an add-on to users through screen\n sharing](/workspace/meet/add-ons/guides/promote#screen_sharing).\n\n - The `sidePanelUrl` and `mainStageUrl` properties in the\n [`ActivityStartingState`](/workspace/meet/add-ons/reference/websdk/addon_sdk.activitystartingstate).\n For more information on activity starting state, see [Collaborate using a Meet add-on](/workspace/meet/add-ons/guides/collaborate-in-the-add-on).\n\n - Validate the origin of the site that's calling the\n [`exposeToMeetWhenScreensharing()`](/workspace/meet/add-ons/reference/websdk/screenshare_api.meetaddonscreenshare.exposetomeetwhenscreensharing)\n method.\n\n3. If your application uses URL navigation inside the iframe, all origins that\n are being navigated to must be listed in the `addOnOrigins` field. Note that\n wildcard subdomains are permitted. For example,\n `https://*.example.com`. However, we strongly advise against using wildcard\n subdomains with a domain you don't own, such as `web.app` which is owned by\n Firebase."]]
