Iframes in web extension popover?

Add-ons addons.mozilla.org
#1

Hi all,

I am working on a web extension that uses functionality from a remote source (that I own). My plan is to include an iframe in the plugin’s popover screen, and the src attribute would be a URL to a website that I own. For example:

<iframe
  width="430"
  height="410"
  src="https://www.mywebsite.com"
/>

I was wondering if this would be acceptable for the reviewers? I noticed that it’s been discouraged to use remote scripts because the code could be changed without notice. https://extensionworkshop.com/documentation/develop/build-a-secure-extension/

However, if I owned the source of the website, I would know when the changes would occur. Also, since my users expect my extension to have a consistent user experience with the website, users would not be surprised by changes.

Thank you in advance!

Safe insertAdjacentHTML with user input? Or I should avoid it anyway?
#2

Interesting question. I haven’t thought of iframes as being “remote scripts”, since you are not running external script “internally” in your extension. But your question makes me in doubt, so I really like to know too if iframes are (or can be?) regarded as remote scripts?..
Note: I would add the sandbox attribute to your iframe and only give the permissions needed for the iframe to work. Something like:

<iframe sandbox="allow-scripts allow-popups" src="..." ... >