Important Cross-Origin Isolation Update for Adobe Express Add-on Developers | by Kerri Shotts | Nov, 2024
Adobe Express will soon enforce cross-origin isolation for Chromium-based browsers (including Chrome, Microsoft Edge, Opera, and others). This change may negatively impact your add-on’s functionality due to stricter rules enforced by the browser. You’ll want to ensure that any add-ons you’ve developed or are building now work in this new environment.
Note: We expect the enforcement of cross-origin isolation headers to begin around the end of 2024. We’ll provide an update here and in our documentation the moment we have a more certain date.
This change may impact your add-on’s access to external resources, especially if your add-on relies on iframes to display content or support payment flows. This could also impact add-ons that make fetch calls or display images from external sources. If your external source is not properly configured, users may see missing content or may encounter silent failures if your add-on can’t load a remote resource. Since this results in a poor experience, developers must ensure that their add-ons work in this new environment.
Currently, this change only impacts Chromium-based browsers (e.g., Chrome, Edge, Opera, etc.). This change also applies to add-ons running on Android devices if you’ve developed a mobile add-on. Firefox and Safari browsers are not impacted.
Note: This affects all add-ons even if they aren’t published in the add-on marketplace. This includes both private and internally distributed add-ons.
Types of Failures
Some failures will be more obvious than others, but all can negatively impact the user experience of your add-on.
- If a nested iframe fails to load, Chrome and Chromium-based browsers display a very obvious error message inside the iframe indicating that the domain “refused to connect”.
- If an image fails to load, you may notice missing images in your add-on’s user interface. You should also see failures in the Network section of the browser’s developer tools.
- If a network call fails due to JavaScript code, you should see warning and error messages in the browser’s developer tools.
Until Adobe Express enables these headers by default, you can verify that your add-on will function correctly by applying local header overrides. We’ve provided full instructions on simulating these headers in our developer documentation.
What should you test?
While most add-ons are likely to be unaffected by this change, you should double-check any flows that access external content or embed resources from other domains in your add-on’s user interface. This includes purchase flows, loading external content in iframes, displaying assets from external domains, and adding content to the user’s document that originates from an external domain.
Check out the documentation for more detail.
If you do encounter issues in your add-on related to cross-origin isolation, these are generally easy to address. You should check your add-on as soon as possible however—if you rely on a third-party service, you may have to do more work to address any cross-origin isolation issues.
Read our documentation for more detail on fixing issues.
You should review the documentation for complete details about cross-origin isolation which includes steps on setting up your local environment for testing. You should also keep an eye on the changelog as the documentation will be updated over time.
While we expect that the majority of add-ons are not impacted or affected, we are performing smoke tests for currently published add-ons to double-check. If we encounter any add-ons with failures, we’ll reach out to the developers of the affected add-ons. However, it is wise for all add-on developers to test their add-ons since they know their add-on inside and out.
All new add-ons published to the marketplace will be reviewed with these headers in place. If the reviewer finds a problem with your submission related to cross-origin isolation that impacts the usability of your add-on, the reviewer will reject your add-on.
If you have issues testing your add-on or addressing any issues relating to this change, don’t hesitate to let us know.
