Plugin Security
Plugins run third-party code inside the Livespace interface, so every plugin passes through several security boundaries before — and while — it is embedded. This page describes what your application must comply with.
HTTPS requirement
All plugin URLs must use HTTPS. Plain HTTP addresses are rejected during registration.
Domain allowlist
Livespace maintains an allowlist of approved domains. A plugin URL is only accepted if its domain appears on this list.
Plugins hosted on Livespace infrastructure are approved automatically. Plugins hosted on external infrastructure (any domain not owned by Livespace) must go through a manual review and approval process before they can be registered. Without this approval, the system rejects the URL at registration time.
To request approval for an external domain, contact Livespace support with:
- The domain you intend to host your plugin on.
- A brief description of the application.
- The name of the Livespace account it will be used in.
Approval is typically completed within a few business days.
Important
This allowlist is the primary security boundary between Livespace and third-party applications. It ensures that only vetted, known origins can be embedded in customer accounts.
Iframe sandbox
Livespace embeds every plugin in an HTML sandboxed iframe. The sandbox grants a fixed set of capabilities and blocks everything else, so the embedded application cannot perform sensitive browser actions (such as top-level navigation of the host page or opening modal dialogs) that an ordinary web page could.
The following capabilities are enabled. Any capability not listed here is blocked.
| Sandbox permission | What it allows your application to do |
|---|---|
allow-scripts |
Run JavaScript. |
allow-same-origin |
Keep its own origin — read and write its own cookies and localStorage, and make same-origin requests. |
allow-forms |
Submit HTML forms. |
allow-popups |
Open new windows or tabs (for example window.open() or target="_blank" links). |
allow-downloads |
Trigger file downloads. |
Note
This capability set is managed by Livespace and is the same for every plugin. It is not configurable per plugin.
Origin validation
Livespace validates the origin of every postMessage it receives from the plugin iframe against the domain allowlist. Messages from non-allowlisted origins are silently ignored.
Your plugin does not need to implement its own outbound origin check, but it must always validate event.data.type on every incoming message before acting on it. See Context Messages for the recommended defensive handler.