Plugin Storage Access

I’m creating a plugin that utilizes a 3rd party service. In order to use that service I was given an API key. While I can hardcode it in my own plugin, I’d like to eventually distribute my plugin to the community. To effectively accomplish, though, I need to be able to allow users to access local storage, set a cookie, etc. None of those things are available to me because the plugin iframe is isolated in a heavily locked-down sandbox.

For the short term, I tried to add to:
frontend/resources/plugins-runtime/index.js

this line:
“allow-same-origin”

to d.sandbox.add, however even after rebuilding, investigating the iframe in plugin-module it still doesn’t have it. Even if this worked, it’s not a long-term solution.

Any ideas from the Penpot dev team?

Yes, this is definitely something we’d like to improve in the future, but it’s something we need to approach carefully to ensure we don’t compromise the security of plugin users. For now, the best workaround I can suggest is using penpot.root.setPluginData('example', 'data') to store data at the root level of a file. It’s not ideal, but it might help in your use case.

We’ll keep looking into better solutions for these use cases! Thank you for bringing this up.