Windows Hello

WebAuthn doesn’t work in iframes, so I want to redirect the user from my extension’s signin page to my website’s signin page and then back to the extension, like this:

  1. Sign in page of my extension
    moz-extension://105c5ced/signin.html

  2. Web page hosted on webauthn.mywebsite.com
    https://webauthn.mywebsite.com/v1/signin.html

  3. Dashboard page of my extension
    moz-extension://105c5ced/pages/dashboard.html

By doing so, do I violate any Add-on Policy defined by Mozilla here:
https://extensionworkshop.com/documentation/publish/add-on-policies/ ?

You mean by executing remote script? I don’t think so. Only if your remote page would be able to control your extension or if you were executing JavaScript hosted outside of your extension inside of your extension.

The whole idea here is that your extension should behave consistently - so not being able to turn malicious simply by changing some remote JavaScript file.

This is essentially what an OAuth flow (even though this is probably a non-standard flow) would look like. So far OAuth flows have been accepted in extensions.

There’s a dedicated API for doing (proper) OAuth from within extensions (since I think you can’t redirect to extension pages from web content directly, due to it being a privilege upgrade): https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/identity
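A sketch of the sign-in round trip through the identity API mentioned above, added here as an example and not code from any poster in this thread. It assumes the page at `webauthn.mywebsite.com` accepts `redirect_uri` and `state` query parameters and redirects back with `state` and `token` (all three parameter names are hypothetical), and that the extension declares the `identity` permission.

```javascript
// Added example. SIGNIN_PAGE is the page from the question; the query
// parameter names (redirect_uri, state, token) are assumptions.
const SIGNIN_PAGE = "https://webauthn.mywebsite.com/v1/signin.html";

// Build the URL the browser opens for the WebAuthn ceremony.
function buildSigninUrl(redirectUrl, state) {
  const url = new URL(SIGNIN_PAGE);
  url.searchParams.set("redirect_uri", redirectUrl);
  url.searchParams.set("state", state);
  return url.toString();
}

// Validate the URL handed back by launchWebAuthFlow and extract the token.
// The remote page's answer is treated as data only; nothing in it is executed.
function parseSigninResult(resultUrl, redirectUrl, expectedState) {
  const result = new URL(resultUrl);
  const expected = new URL(redirectUrl);
  if (result.origin !== expected.origin || result.pathname !== expected.pathname) {
    throw new Error("unexpected redirect target");
  }
  // The state value ties the response to the request this extension started.
  if (result.searchParams.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  const token = result.searchParams.get("token");
  if (!token) throw new Error("no token in response");
  return token;
}

// Full flow inside the extension; `identity` defaults to browser.identity.
async function signIn(identity = browser.identity) {
  const redirectUrl = identity.getRedirectURL();
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
  const resultUrl = await identity.launchWebAuthFlow({
    url: buildSigninUrl(redirectUrl, state),
    interactive: true,
  });
  return parseSigninResult(resultUrl, redirectUrl, state);
}
```

After `signIn()` resolves, the extension itself opens `pages/dashboard.html`, so web content never navigates to a `moz-extension://` URL.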