As stated, plug-ins run in iframes. These iframes are subject to security policies and are therefore limited in their abilities.
Haiilo iframes are sandboxed and will only allow scripts, forms, popups and downloads.
The referrer policy is set to "strict-origin".
Some permission policies can be requested via the manifest. Currently the manifest allows to request
Strict privacy policies can block third-party cookies and, with them, the use of localStorage. We strongly advise plug-in developers to assume the worst case when developing and not to use localStorage.
Not being able to store data in cookies or localStorage effectively means that the plug-in needs to store data via its own backend. If you use the initialisation model proposed in "JWT token security", you could return some or all data on init and offer backend endpoints for storage handling. Keep in mind that doing so has consequences with regard to GDPR.
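A sketch of the storage approach described above, as an added example that is not Haiilo's or the original page's code: state is seeded from the data returned on init, kept in memory, and written through to the plug-in's own backend. The base URL, the /state/<key> endpoint, the bearer token and the names storageUsable and BackendState are assumptions made for illustration.

```javascript
// Added example. The base URL, the /state/<key> endpoint and the bearer
// token are assumptions, not part of the Haiilo API.

// Diagnostic only: in a restricted iframe even reading window.localStorage
// can throw, so any access has to sit inside try/catch.
function storageUsable(getStorage) {
  try {
    const storage = getStorage();
    storage.setItem('__probe__', '1');
    storage.removeItem('__probe__');
    return true;
  } catch (err) {
    return false;
  }
}

// State lives in memory for the page lifetime and is persisted only through
// the plug-in's own backend; browser storage and cookies are never used.
class BackendState {
  constructor({ baseUrl, token, fetchImpl = globalThis.fetch }) {
    this.baseUrl = baseUrl;
    this.token = token;
    this.fetchImpl = fetchImpl;
    this.cache = new Map();
  }

  // Seed the cache with the data the backend returned on init.
  hydrate(initial) {
    for (const [key, value] of Object.entries(initial)) this.cache.set(key, value);
  }

  get(key) {
    return this.cache.get(key);
  }

  async set(key, value) {
    const res = await this.fetchImpl(`${this.baseUrl}/state/${encodeURIComponent(key)}`, {
      method: 'PUT',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${this.token}` },
      body: JSON.stringify({ value }),
      credentials: 'omit', // authenticate with the token, not third-party cookies
    });
    if (!res.ok) throw new Error(`state write failed: ${res.status}`);
    this.cache.set(key, value); // update only after the backend accepted the write
  }
}
```

In the browser, call storageUsable(() => window.localStorage) if you want to log how often storage is blocked; BackendState works the same either way.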