Skip to content

Plugin Security

Plugins run third-party code inside the Livespace interface, so every plugin passes through several security boundaries before — and while — it is embedded. This page describes what your application must comply with.

HTTPS requirement

All plugin URLs must use HTTPS. Plain HTTP addresses are rejected during registration.

Domain allowlist

Livespace maintains an allowlist of approved domains. A plugin URL is only accepted if its domain appears on this list.

Plugins hosted on Livespace infrastructure are approved automatically. Plugins hosted on external infrastructure (any domain not owned by Livespace) must go through a manual review and approval process before they can be registered. Without this approval, the system rejects the URL at registration time.

To request approval for an external domain, contact Livespace support with:

  • The domain you intend to host your plugin on.
  • A brief description of the application.
  • The name of the Livespace account it will be used in.

Approval is typically completed within a few business days.

Important

This allowlist is the primary security boundary between Livespace and third-party applications. It ensures that only vetted, known origins can be embedded in customer accounts.

Iframe sandbox

Livespace embeds every plugin in an HTML sandboxed iframe. The sandbox grants a fixed set of capabilities and blocks everything else, so the embedded application cannot perform sensitive browser actions (such as top-level navigation of the host page or opening modal dialogs) that an ordinary web page could.

The following capabilities are enabled. Any capability not listed here is blocked.

Sandbox permission What it allows your application to do
allow-scripts Run JavaScript.
allow-same-origin Keep its own origin — read and write its own cookies and localStorage, and make same-origin requests.
allow-forms Submit HTML forms.
allow-popups Open new windows or tabs (for example window.open() or target="_blank" links).
allow-downloads Trigger file downloads.

Note

This capability set is managed by Livespace and is the same for every plugin. It is not configurable per plugin.

Origin validation

Livespace validates the origin of every postMessage it receives from the plugin iframe against the domain allowlist. Messages from non-allowlisted origins are silently ignored.

Your plugin does not need to implement its own outbound origin check, but it must always validate event.data.type on every incoming message before acting on it. See Context Messages for the recommended defensive handler.