Configure Freighter to "allow_frames"

[aristidesstaffieri]

What problem does your feature solve?

Some applications, like Unity WebGL apps, could require communication between Freighter's API and an iframe. We currently do not allow frames.

Is this a valid use case?
What are the security implications of this change?

What would you like to see?

Freighter configured to "allow_frames"

What alternatives are there?

Not turning this on.

[towa-hi]

We're building a Unity WebGL app hosted on itch.io. Itch.io serves apps from a separate domain (html-classic.itch.zone) in an iframe, preventing our freighter-sdk from communicating with the Freighter extension unless "allow_frames" is true for contentScript.min.js. Basically all sites that host webGL browser apps work like this.

Directing users to the hosted URL within itch.io's iframe works but is inconvenient. Enabling allow_frames in the manifest would let Unity (and all WebGL) apps in iframes connect to the Freighter extension without requiring self-hosting.

I don't know what the security implications are, but Metamask enables allow_frames in its manifest, and WebGL apps on itch.io connect to the Metamask extension without issue.

I've tested the change and confirmed our issue is specifically due to allow_frames. The attached image shows our app invoking setAllowed() from within an iframe after updating the manifest.