Iframe limitations

As stated, plug-ins run in iframes. These iframes are subject to security policies and are therefore limited in their abilities.


Haiilo iframes are sandboxed and will only allow scripts, forms, popups and downloads.

The referrer policy is set to "strict-origin".

Permission policy

Some permission policies can be requested via the manifest. Currently the manifest allows to request

  • camera
  • geolocation
  • fullscreen

Browser privacy policy

The browser's privacy policy can strongly affect a plug-in's capabilities. This policy however is controlled by the user or by a company enforcing privacy policies on their employee's computers. Also browser manufacturers have already started to restrict iframes to improve security and privacy.


Strict privacy policies can prevent third-party cookies and therefore also the use of the localStorage. We strongly advise plug-in developers to assume the worst case when developing and not use the localStorage.

Not being able to store data in cookies or localStorage effectively means that the plug-in needs to store data via its own backend. In case you consider the initialisation model proposed in "JWT token security" you could return some or all data on init and offer backend endpoints for storage handling. Keep in mind that doing so has consequences in regards of GDPR.