Hey @PhilipGrove, thanks for following up on this.
Unfortunately, customer-managed egress won’t help. We know the domain we want to call and we could declare it in the manifest. Unfortunately, declaring it also alters the behavior of Forge APIs such as Forge router.open in a way that makes a secure OAuth flow implementation tricky.
The core problem is that the Forge platform aims to improve security by disabling certain browser features, but this comes at the cost of blocking industry-standard implementations. Adding the “Allow for popups from frames” permissions reinstates the “standard” browser behavior.
If we are not allowed to use this feature for A4A, we will find workarounds, but it will come at the cost of user experience.
I do not deny that the Forge platform behavior can help to improve security in the common case. But it comes at the cost of disabling other viable scenarios, and I feel there should be room for justified exceptions for these. By using the “Allow for popups from frames” we are opening the door for some attack vectors. But I’d argue that if we try to fit into A4A and work around the Forge platform’s restrictions, we will do as well.