Multi-Tenant Pluggable Widget Framework

Designing a frontend framework that hosts third-party extensions—dynamically loaded at runtime based on tenant configurations. This article covers the architectural decisions behind systems like VS Code extensions, Figma plugins, and Shopify embedded apps: module loading strategies (Webpack Module Federation vs SystemJS), sandboxing techniques (iframe, Shadow DOM, Web Workers, WASM), manifest and registry design, the host SDK API contract, and multi-tenant orchestration that resolves widget implementations per user or organization.

Widget framework architecture: tenant configuration determines which widgets load; registry provides manifests and URLs; loader mounts widgets into contribution points; SDK mediates communication.

Abstract

A pluggable widget framework is a microkernel architecture: minimal core system + dynamically loaded extensions. The core decisions are:

Loading strategy: How does remote code enter the host?
- Module Federation: optimal sharing, webpack-only, trusted code
- SystemJS/import maps: standards-based, flexible, moderate performance
- iframe: complete isolation, highest security, communication overhead
Isolation boundary: How much can widgets affect the host?
- Same-origin (Module Federation): full DOM access, shared memory—trust required
- iframe sandbox: separate browsing context, postMessage only
- Shadow DOM: CSS isolation only, same JS context
- WASM sandbox (Figma model): isolated JS engine, strongest security
Extension points: Where can widgets appear?
- Contribution points: named slots in the UI that widgets register for
- Declarative via manifest: host reads manifest, renders widget in appropriate slot
Multi-tenancy: How do different tenants get different widgets?
- Tenant config service: maps tenant ID → enabled widget IDs
- Registry resolution: widget ID → implementation URL
- Feature flags: toggle widgets per tenant without redeployment

Key numbers:

Aspect	Module Federation	iframe	WASM Sandbox
Load overhead	~50ms (shared deps)	~100-200ms (full context)	~300-500ms (engine init)
Memory per widget	Shared with host	Separate heap (~10-50MB)	Separate (~5-20MB)
Communication latency	Microseconds	~1-5ms (postMessage)	~0.5-2ms (WASM boundary)
Security	Same origin trust	Strong isolation	Strongest isolation

The Challenge

Extensibility without deployments: Third parties add features without modifying host code. VS Code has 40,000+ extensions; the core team didn’t build them.

Multi-tenant customization: Enterprise SaaS customers demand unique workflows. Widget A for Tenant X, Widget B for Tenant Y—without forking the codebase.

Ecosystem growth: A platform with extension capabilities attracts developers who build features you never considered.

Browser Constraints

Main thread budget: Loading and initializing widgets competes with the host application. A poorly designed loader blocks the UI during startup.

Memory limits: Each iframe creates a separate JavaScript heap. Loading 10 widgets as iframes can consume 100-500MB—problematic on mobile devices (50-100MB practical limit).

Network overhead: Fetching widget bundles from different origins means separate HTTP connections, no shared caching of common dependencies.

Security Requirements

Untrusted code execution: Third-party developers may write malicious or buggy code. Without isolation, a widget can:

Access user credentials stored in localStorage
Modify any DOM element, including login forms
Make requests to any origin (CSRF)
Crash the host application

Defense in depth:

Threat	Mitigation
DOM manipulation	iframe sandbox, separate browsing context
CSS pollution	Shadow DOM, iframe
Data exfiltration	CSP, sandbox restrictions
CPU exhaustion	Web Worker isolation, timeout enforcement
Memory leaks	Widget lifecycle management, unload on deactivation

Scale Factors

Factor	Small Scale	Large Scale
Widgets loaded	1-5	50-100
Tenants	1-10	10,000+
Widget registry size	10-20 widgets	1,000+ widgets
Update frequency	Weekly	Continuous
Widget developers	Internal team	Third-party ecosystem

Design Paths

Path 1: Webpack Module Federation

Module Federation: host and remotes share dependencies (React) via singleton negotiation; widgets load as federated modules.

How it works:

Module Federation (Webpack 5+) allows separate webpack builds to share code at runtime. The host declares remotes (external builds to consume) and shared dependencies (libraries to deduplicate).


5 collapsed lines
1
const { ModuleFederationPlugin } = require("webpack").container
2

3
module.exports = {
4
  // ... other config
5
  plugins: [
6
    new ModuleFederationPlugin({
7
      name: "host",
8
      remotes: {
9
        // Static remotes (known at build time)
10
        widgetA: "widgetA@https://cdn.example.com/widget-a/remoteEntry.js",
11
        // Dynamic remotes resolved at runtime
12
        widgetB: `promise new Promise(resolve => {
13
          const remoteUrl = window.__WIDGET_REGISTRY__["widgetB"];
14
          const script = document.createElement("script");
15
          script.src = remoteUrl;
16
          script.onload = () => resolve(window.widgetB);
17
          document.head.appendChild(script);
18
        })`,
19
      },
20
      shared: {
21
        react: { singleton: true, requiredVersion: "^18.0.0" },
22
        "react-dom": { singleton: true, requiredVersion: "^18.0.0" },
23
      },
24
    }),
2 collapsed lines
25
  ],
26
}


5 collapsed lines
1
const { ModuleFederationPlugin } = require("webpack").container
2

3
module.exports = {
4
  plugins: [
5
    new ModuleFederationPlugin({
6
      name: "widgetA",
7
      filename: "remoteEntry.js",
8
      exposes: {
9
        "./Widget": "./src/Widget", // What this remote offers
10
      },
11
      shared: {
12
        react: { singleton: true, requiredVersion: "^18.0.0" },
13
        "react-dom": { singleton: true, requiredVersion: "^18.0.0" },
14
      },
15
    }),
16
  ],
17
}

Runtime loading:


3 collapsed lines
1
import React, { Suspense, lazy } from "react";
2

3
// Dynamic import of federated module
4
const WidgetA = lazy(() => import("widgetA/Widget"));
5

6
export function WidgetSlot({ widgetId }: { widgetId: string }) {
7
  // In production: resolve widget ID to remote dynamically
8
  return (
9
    <Suspense fallback={<WidgetSkeleton />}>
10
      <WidgetA />
11
    </Suspense>
12
  );
13
}

Dependency sharing mechanics:

Host starts, loads remoteEntry.js for each remote
Remote entry registers available modules and shared dependencies
When host imports a remote module, federation checks shared scope
If compatible version exists, reuse; otherwise, load remote’s bundled copy
singleton: true ensures only one instance (critical for React context)

Best for:

Trusted first-party widgets (internal teams)
Micro-frontend architectures with shared design systems
Performance-critical scenarios where bundle size matters

Device/network profile:

Works well on: Desktop, fast networks, trusted widget sources
Struggles on: Untrusted third-party code (no isolation), slow networks (remote entry overhead)

Implementation complexity:

Aspect	Effort
Initial setup	High (webpack config complexity)
Adding new widgets	Low (configure remote URL)
Version management	Medium (shared version negotiation)
Security	Low (same-origin trust model)

Real-world example:

Shopify’s Hydrogen uses Module Federation for composable storefronts. Multiple teams build sections independently; the storefront shell loads them at runtime with shared Remix/React dependencies.

Trade-offs:

Shared dependencies reduce duplicate downloads (30-50% smaller total payload)
Same JavaScript context—widgets can access host globals
Webpack-only (no native Vite support as of 2025; use vite-plugin-federation)
Version mismatches cause runtime errors

Security consideration: Module Federation provides no isolation. Widgets execute in the same origin with full DOM access. Use only for trusted code or combine with additional sandboxing.

Path 2: iframe Sandbox

iframe sandbox: widget runs in isolated browsing context; communication via postMessage only.

How it works:

The <iframe sandbox> attribute creates a separate browsing context with restricted capabilities. By default, a sandboxed iframe:

Cannot execute scripts
Cannot submit forms
Cannot access parent DOM
Cannot navigate the top-level browsing context
Cannot use plugins

Capabilities are granted explicitly:

1
<iframe
2
  src="https://widget.example.com/widget-a"
3
  sandbox="allow-scripts allow-same-origin"
4
  allow="clipboard-read; clipboard-write"
5
  csp="script-src 'self'; style-src 'self' 'unsafe-inline'"
6
></iframe>

Sandbox attribute options:

Attribute	Grants
`allow-scripts`	JavaScript execution
`allow-same-origin`	Treats content as same origin (dangerous with allow-scripts)
`allow-forms`	Form submission
`allow-popups`	Window.open(), target=“_blank”
`allow-modals`	alert(), confirm(), prompt()
`allow-top-navigation`	Navigate parent window

Security warning: Never combine allow-scripts and allow-same-origin for untrusted content. The iframe can remove its own sandbox attribute and escape.

Communication via postMessage:

1
interface WidgetMessage {
2
  type: string
3
  requestId: string
4
  payload: unknown
5
}
6

7
class WidgetBridge {
8
  private iframe: HTMLIFrameElement
9
  private pendingRequests = new Map<string, { resolve: Function; reject: Function }>()
10
  private trustedOrigin: string
11

12
  constructor(iframe: HTMLIFrameElement, trustedOrigin: string) {
13
    this.iframe = iframe
14
    this.trustedOrigin = trustedOrigin
15
    window.addEventListener("message", this.handleMessage)
16
  }
17

18
  private handleMessage = (event: MessageEvent<WidgetMessage>) => {
19
    // CRITICAL: Always validate origin
20
    if (event.origin !== this.trustedOrigin) return
21

22
    const { type, requestId, payload } = event.data
23

24
    if (type === "API_RESPONSE" && this.pendingRequests.has(requestId)) {
25
      const { resolve } = this.pendingRequests.get(requestId)!
26
      this.pendingRequests.delete(requestId)
27
      resolve(payload)
28
    }
29
  }
30

31
  async call(method: string, args: unknown[]): Promise<unknown> {
32
    const requestId = crypto.randomUUID()
33

34
    return new Promise((resolve, reject) => {
35
      this.pendingRequests.set(requestId, { resolve, reject })
36

37
      this.iframe.contentWindow?.postMessage(
38
        { type: "API_CALL", requestId, method, args },
39
        this.trustedOrigin, // CRITICAL: Specify target origin
40
      )
41

42
      // Timeout to prevent hanging requests
43
      setTimeout(() => {
44
        if (this.pendingRequests.has(requestId)) {
45
          this.pendingRequests.delete(requestId)
46
          reject(new Error(`Widget call timed out: ${method}`))
47
        }
48
      }, 5000)
49
    })
50
  }
51
}

1
// Inside the iframe: SDK shim that talks to host
2
const hostSDK = {
3
  async showNotification(message: string): Promise<void> {
4
    return callHost("showNotification", [message])
5
  },
6

7
  async getData(key: string): Promise<unknown> {
8
    return callHost("getData", [key])
9
  },
10
}
11

12
function callHost(method: string, args: unknown[]): Promise<unknown> {
13
  const requestId = crypto.randomUUID()
14

15
  return new Promise((resolve) => {
16
    const handler = (event: MessageEvent) => {
17
      if (event.data.requestId === requestId && event.data.type === "API_RESPONSE") {
18
        window.removeEventListener("message", handler)
19
        resolve(event.data.payload)
20
      }
21
    }
22
    window.addEventListener("message", handler)
23

24
    window.parent.postMessage(
25
      { type: "API_CALL", requestId, method, args },
26
      "*", // Widget doesn't know host origin; host validates on receive
27
    )
28
  })
29
}
30

31
// Expose SDK to widget code
32
;(window as any).hostSDK = hostSDK

Best for:

Untrusted third-party widgets
Payment forms, authentication widgets (PCI/SOC2 compliance)
Widgets that need strong isolation guarantees

Device/network profile:

Works well on: All devices, any network (self-contained)
Struggles on: Mobile (memory overhead), many simultaneous widgets

Implementation complexity:

Aspect	Effort
Initial setup	Medium (iframe + postMessage)
Adding new widgets	Low (point to URL)
Performance tuning	High (message serialization overhead)
Security	Low (browser provides isolation)

Real-world example:

Figma plugins use iframe for UI rendering combined with a WASM sandbox for document manipulation. The iframe displays the plugin UI; a separate QuickJS WASM sandbox runs the logic that reads/writes the Figma document.

Trade-offs:

Strongest browser-native isolation
Each iframe creates separate JS heap (10-50MB overhead)
postMessage serialization adds 1-5ms latency per call
No shared dependencies (duplicate React, etc.)
Cross-origin communication requires careful origin validation

Path 3: Shadow DOM + Web Components

Shadow DOM: CSS isolation via encapsulated DOM tree; JavaScript shares host context.

How it works:

Shadow DOM creates an encapsulated DOM subtree with its own style scope. Styles inside don’t leak out; external styles don’t leak in.

1
class WidgetContainer extends HTMLElement {
2
  private shadow: ShadowRoot
3

4
  constructor() {
5
    super()
6
    // 'closed' prevents external access to shadow root
7
    this.shadow = this.attachShadow({ mode: "closed" })
8
  }
9

10
  async loadWidget(widgetUrl: string) {
11
    // Fetch widget bundle
12
    const response = await fetch(widgetUrl)
13
    const widgetCode = await response.text()
14

15
    // Create isolated style scope
16
    const style = document.createElement("style")
17
    style.textContent = await this.fetchWidgetStyles(widgetUrl)
18

19
    // Create widget container
20
    const container = document.createElement("div")
21
    container.className = "widget-root"
22

23
    this.shadow.appendChild(style)
24
    this.shadow.appendChild(container)
25

26
    // Execute widget code in this context
27
    // WARNING: No JS isolation—widget code runs in host context
28
    const widgetModule = new Function("container", "hostSDK", widgetCode)
29
    widgetModule(container, window.hostSDK)
30
  }
31
}
32

33
customElements.define("widget-container", WidgetContainer)

CSS isolation guarantees:

Widget styles scoped to shadow root
Host styles don’t affect widget (unless using CSS custom properties)
Widget cannot style host elements
::part() and CSS variables allow controlled customization

1
/* Widget internal styles (inside shadow DOM) */
2
.button {
3
  /* This .button won't conflict with host's .button */
4
  background: var(--widget-primary, blue); /* Customizable via CSS var */
5
}

1
/* Host can customize via CSS custom properties */
2
widget-container {
3
  --widget-primary: red; /* Passes through shadow boundary */
4
}

Best for:

Design system components with style encapsulation
Trusted widgets that need CSS isolation but not JS isolation
Web Components-based architectures

Device/network profile:

Works well on: All modern browsers, any device
Struggles on: Scenarios requiring JavaScript isolation

Implementation complexity:

Aspect	Effort
Initial setup	Low (native browser API)
CSS isolation	Low (automatic)
JS isolation	None (same context)
Framework integration	Medium (React/Vue wrappers needed)

Trade-offs:

Lightweight: No separate heap or context
CSS isolation is complete
No JavaScript isolation—widgets can access globals, DOM, etc.
Requires combining with other techniques for untrusted code

Path 4: WASM Sandbox (Figma Model)

WASM sandbox: JavaScript engine (QuickJS) compiled to WebAssembly runs plugin logic; separate iframe renders UI.

How it works:

Figma’s approach: compile a JavaScript engine (QuickJS) to WebAssembly. Plugin code runs inside this embedded JS engine—completely isolated from the host JavaScript context.

Why QuickJS + WASM?

No eval(): Running untrusted JS usually requires eval() or new Function(), which CSP blocks. QuickJS interprets JS without these.
Capability-based security: WASM provides no default I/O. Plugin only accesses what the host explicitly provides via API.
Deterministic execution: Same code, same inputs → same outputs. Useful for collaborative features.


5 collapsed lines
1
import { newQuickJSWASMModule, QuickJSWASMModule, QuickJSContext } from "quickjs-emscripten"
2

3
class PluginSandbox {
4
  private vm: QuickJSWASMModule
5
  private context: QuickJSContext
6

7
  async initialize() {
8
    this.vm = await newQuickJSWASMModule()
9
    this.context = this.vm.newContext()
10

11
    // Expose host API to sandbox
12
    this.exposeHostAPI()
13
  }
14

15
  private exposeHostAPI() {
16
    const hostAPI = this.context.newObject()
17

18
    // Expose showNotification
19
    const showNotification = this.context.newFunction("showNotification", (msgHandle) => {
20
      const message = this.context.getString(msgHandle)
21
      // Call actual host notification system
22
      window.hostNotifications.show(message)
23
      return this.context.undefined
24
    })
25

26
    this.context.setProp(hostAPI, "showNotification", showNotification)
27
    this.context.setProp(this.context.global, "figma", hostAPI)
28

29
    showNotification.dispose()
30
    hostAPI.dispose()
31
  }
32

33
  async executePlugin(code: string): Promise<void> {
34
    const result = this.context.evalCode(code)
11 collapsed lines
35
    if (result.error) {
36
      const error = this.context.dump(result.error)
37
      result.error.dispose()
38
      throw new Error(`Plugin error: ${JSON.stringify(error)}`)
39
    }
40
    result.value.dispose()
41
  }
42

43
  dispose() {
44
    this.context.dispose()
45
    this.vm.dispose()
46
  }
47
}

Two-part plugin architecture (Figma):

UI iframe: Renders plugin UI using HTML/CSS. Communicates with logic via postMessage.
WASM sandbox: Runs plugin logic. Has access to Figma document API. No DOM access.

This separation prevents plugins from both manipulating the document AND accessing arbitrary DOM.

Best for:

Highest security requirements
Platforms where plugins manipulate sensitive documents
When you cannot trust third-party code at all

Device/network profile:

Works well on: Desktop, modern mobile (WASM support universal since 2017)
Struggles on: Low-memory devices (WASM instance overhead), very complex plugins (QuickJS slower than V8)

Implementation complexity:

Aspect	Effort
Initial setup	Very High (custom sandbox)
API surface design	High (every API must be explicitly exposed)
Performance tuning	High (WASM boundary crossing)
Security	Low (isolation is architectural)

Trade-offs:

Strongest isolation (capability-based security)
300-500ms initialization overhead (loading WASM module)
QuickJS performance ~10-30x slower than V8
Complex to implement; consider using existing libraries (quickjs-emscripten)
Plugin capabilities are exactly what you expose—no accidental surface

Decision Matrix

Factor	Module Federation	iframe Sandbox	Shadow DOM	WASM Sandbox
JS Isolation	None	Strong	None	Strongest
CSS Isolation	None	Complete	Complete	N/A (no DOM)
Shared dependencies	Yes	No	Manual	No
Load time	Fast (50ms)	Medium (100-200ms)	Fast (10ms)	Slow (300-500ms)
Memory per widget	Shared	10-50MB	Shared	5-20MB
Communication	Direct	postMessage (1-5ms)	Direct	WASM boundary (~1ms)
Trust model	Same-origin	Untrusted	Same-origin	Untrusted
Browser support	Webpack only	Universal	Universal	Universal

Decision Framework

Decision tree for selecting widget isolation strategy based on trust level and security requirements.

The Registry and Manifest

Manifest Structure

Every widget declares its capabilities, entry points, and requirements via a manifest file. This enables the host to:

Validate widget compatibility before loading
Render UI contributions without loading widget code
Enforce permission boundaries

1
{
2
  "$schema": "https://widgets.example.com/manifest.schema.json",
3
  "id": "com.example.video-player",
4
  "name": "Premium Video Player",
5
  "version": "2.1.0",
6
  "description": "HD video player with adaptive streaming",
7
  "author": {
8
    "name": "Example Corp",
9
    "email": "widgets@example.com",
10
    "url": "https://example.com"
11
  },
12

13
  "host": {
14
    "minVersion": "3.0.0",
15
    "maxVersion": "4.x"
16
  },
17

18
  "main": "./dist/widget.js",
19
  "styles": "./dist/widget.css",
20
  "remoteEntry": "./dist/remoteEntry.js",
21

22
  "contributes": {
23
    "slots": [
24
      {
25
        "id": "content-area",
26
        "component": "VideoPlayer",
27
        "props": {
28
          "defaultQuality": "auto"
29
        }
30
      }
31
    ],
32
    "commands": [
33
      {
34
        "id": "video-player.play",
35
        "title": "Play Video"
36
      },
37
      {
38
        "id": "video-player.pause",
39
        "title": "Pause Video"
40
      }
41
    ],
42
    "settings": [
43
      {
44
        "id": "video-player.autoplay",
45
        "type": "boolean",
46
        "default": false,
47
        "title": "Autoplay videos"
48
      }
49
    ]
50
  },
51

52
  "permissions": ["storage.local", "network.fetch", "ui.notifications"],
53

54
  "dependencies": {
55
    "react": "^18.0.0",
56
    "react-dom": "^18.0.0"
57
  },
58

59
  "activationEvents": ["onSlot:content-area", "onCommand:video-player.play"],
60

61
  "sandbox": {
62
    "type": "iframe",
63
    "allow": ["scripts", "forms"],
64
    "csp": "script-src 'self'; style-src 'self' 'unsafe-inline'"
65
  }
66
}

Key manifest fields:

Field	Purpose
`id`	Globally unique identifier (reverse domain notation)
`host.minVersion`	Minimum host version for compatibility
`main`	Entry point for widget code
`remoteEntry`	Module Federation entry (if applicable)
`contributes.slots`	UI contribution points
`contributes.commands`	Registered commands
`permissions`	Required host capabilities
`activationEvents`	When to load the widget
`sandbox`	Isolation requirements

Contribution Points (Slots)

Contribution points are named locations in the host UI where widgets can render content. The host declares available slots; widgets register for slots they want to fill.

1
interface Slot {
2
  id: string
3
  multiple: boolean // Can multiple widgets contribute?
4
  props: Record<string, unknown> // Props passed to widget
5
}
6

7
interface SlotContribution {
8
  widgetId: string
9
  slotId: string
10
  component: string
11
  priority: number
12
}
13

14
class SlotRegistry {
15
  private slots = new Map<string, Slot>()
16
  private contributions = new Map<string, SlotContribution[]>()
17

18
  registerSlot(slot: Slot) {
19
    this.slots.set(slot.id, slot)
20
  }
21

22
  registerContribution(contribution: SlotContribution) {
23
    const existing = this.contributions.get(contribution.slotId) || []
24
    existing.push(contribution)
25
    existing.sort((a, b) => b.priority - a.priority)
26
    this.contributions.set(contribution.slotId, existing)
27
  }
28

29
  getContributionsForSlot(slotId: string): SlotContribution[] {
30
    const slot = this.slots.get(slotId)
31
    if (!slot) return []
32

33
    const contributions = this.contributions.get(slotId) || []
34
    return slot.multiple ? contributions : contributions.slice(0, 1)
35
  }
36
}

1
function ContributionPoint({ slotId }: { slotId: string }) {
2
  const contributions = useSlotContributions(slotId)
3

4
  return (
5
    <div className="contribution-point" data-slot={slotId}>
6
      {contributions.map((contribution) => (
7
        <WidgetRenderer
8
          key={contribution.widgetId}
9
          widgetId={contribution.widgetId}
10
          component={contribution.component}
11
        />
12
      ))}
13
    </div>
14
  )
15
}

Slot patterns from VS Code:

Slot Type	Example	Behavior
`viewContainer`	Sidebar panels	Multiple widgets, tabbed
`view`	Tree views	Single widget per view
`statusBarItem`	Status bar	Multiple, ordered by priority
`menu`	Context menus	Multiple, grouped

The registry is a service that maps widget IDs to their manifests and entry points. It handles:

Widget discovery and search
Version resolution
Dependency validation
URL resolution for loading

1
interface RegistryEntry {
2
  id: string
3
  manifest: WidgetManifest
4
  versions: {
5
    version: string
6
    url: string
7
    checksum: string
8
    publishedAt: Date
9
  }[]
10
}
11

12
interface ResolvedWidget {
13
  id: string
14
  version: string
15
  manifestUrl: string
16
  entryUrl: string
17
  checksum: string
18
}
19

20
class WidgetRegistry {
21
  private baseUrl: string
22
  private cache = new Map<string, RegistryEntry>()
23

24
  constructor(baseUrl: string) {
25
    this.baseUrl = baseUrl
26
  }
27

28
  async resolve(widgetId: string, versionConstraint: string = "latest"): Promise<ResolvedWidget> {
29
    // Fetch registry entry
30
    const entry = await this.fetchEntry(widgetId)
31

32
    // Resolve version constraint (semver)
33
    const version = this.resolveVersion(entry.versions, versionConstraint)
34
    if (!version) {
35
      throw new Error(`No version matching ${versionConstraint} for ${widgetId}`)
36
    }
37

38
    // Validate host compatibility
39
    const manifest = await this.fetchManifest(version.url)
40
    this.validateHostCompatibility(manifest)
41

42
    return {
43
      id: widgetId,
44
      version: version.version,
45
      manifestUrl: `${version.url}/manifest.json`,
46
      entryUrl: `${version.url}/${manifest.main}`,
47
      checksum: version.checksum,
48
    }
49
  }
50

51
  private async fetchEntry(widgetId: string): Promise<RegistryEntry> {
52
    if (this.cache.has(widgetId)) {
53
      return this.cache.get(widgetId)!
54
    }
55

56
    const response = await fetch(`${this.baseUrl}/widgets/${widgetId}`)
57
    if (!response.ok) {
58
      throw new Error(`Widget not found: ${widgetId}`)
59
    }
60

61
    const entry = await response.json()
62
    this.cache.set(widgetId, entry)
63
    return entry
64
  }
65

66
  private resolveVersion(
67
    versions: RegistryEntry["versions"],
68
    constraint: string,
69
  ): RegistryEntry["versions"][0] | undefined {
70
    if (constraint === "latest") {
71
      return versions[0] // Assumes sorted by version desc
72
    }
73

74
    // Semver matching
75
    return versions.find((v) => satisfies(v.version, constraint))
76
  }
77

78
  private validateHostCompatibility(manifest: WidgetManifest) {
79
    const hostVersion = getHostVersion()
80
    const { minVersion, maxVersion } = manifest.host
81

82
    if (minVersion && !gte(hostVersion, minVersion)) {
83
      throw new Error(`Widget requires host >= ${minVersion}`)
84
    }
85
    if (maxVersion && !satisfies(hostVersion, maxVersion)) {
86
      throw new Error(`Widget incompatible with host ${hostVersion}`)
87
    }
88
  }
89
}

Registry API design:

1
GET /widgets                    # List all widgets (paginated)
2
GET /widgets/{id}               # Get widget metadata
3
GET /widgets/{id}/versions      # List versions
4
GET /widgets/{id}@{version}     # Get specific version
5
POST /widgets                   # Publish new widget (authenticated)
6
DELETE /widgets/{id}@{version}  # Unpublish version (admin)

Host SDK (Extension API)

API Contract

The host exposes a controlled API surface that widgets use to interact with the system. This creates a stable contract and security boundary.

1
interface HostSDK {
2
  // Lifecycle
3
  readonly version: string
4
  onActivate(callback: () => void): Disposable
5
  onDeactivate(callback: () => void): Disposable
6

7
  // UI
8
  showNotification(options: NotificationOptions): Promise<void>
9
  showModal(options: ModalOptions): Promise<ModalResult>
10
  registerCommand(id: string, handler: CommandHandler): Disposable
11

12
  // Data
13
  getData<T>(key: string): Promise<T | undefined>
14
  setData<T>(key: string, value: T): Promise<void>
15
  subscribeToData<T>(key: string, callback: (value: T) => void): Disposable
16

17
  // Storage (widget-scoped)
18
  storage: {
19
    get<T>(key: string): Promise<T | undefined>
20
    set<T>(key: string, value: T): Promise<void>
21
    delete(key: string): Promise<void>
22
  }
23

24
  // Network (proxied through host)
25
  fetch(url: string, options?: RequestInit): Promise<Response>
26

27
  // Events
28
  onEvent(eventType: string, handler: EventHandler): Disposable
29
  emitEvent(eventType: string, payload: unknown): void
30
}
31

32
interface Disposable {
33
  dispose(): void
34
}
35

36
interface NotificationOptions {
37
  type: "info" | "warning" | "error"
38
  message: string
39
  duration?: number
40
  actions?: { label: string; action: () => void }[]
41
}

SDK Implementation for iframe Widgets

1
class IframeSDKHost {
2
  private iframe: HTMLIFrameElement
3
  private widgetId: string
4
  private handlers = new Map<string, Function>()
5

6
  constructor(iframe: HTMLIFrameElement, widgetId: string) {
7
    this.iframe = iframe
8
    this.widgetId = widgetId
9
    window.addEventListener("message", this.handleMessage)
10
  }
11

12
  private handleMessage = async (event: MessageEvent) => {
13
    // Validate origin matches expected widget origin
14
    if (!this.isValidOrigin(event.origin)) return
15

16
    const { type, requestId, method, args } = event.data
17
    if (type !== "SDK_CALL") return
18

19
    try {
20
      const result = await this.executeMethod(method, args)
21
      this.respond(requestId, { success: true, result })
22
    } catch (error) {
23
      this.respond(requestId, { success: false, error: String(error) })
24
    }
25
  }
26

27
  private async executeMethod(method: string, args: unknown[]): Promise<unknown> {
28
    // Permission check
29
    const permission = this.getRequiredPermission(method)
30
    if (permission && !this.hasPermission(permission)) {
31
      throw new Error(`Permission denied: ${permission}`)
32
    }
33

34
    switch (method) {
35
      case "showNotification":
36
        return this.showNotification(args[0] as NotificationOptions)
37

38
      case "getData":
39
        return this.getData(args[0] as string)
40

41
      case "setData":
42
        return this.setData(args[0] as string, args[1])
43

44
      case "storage.get":
45
        return this.widgetStorage.get(this.widgetId, args[0] as string)
46

47
      case "fetch":
48
        // Proxy fetch to enforce CORS and CSP
49
        return this.proxyFetch(args[0] as string, args[1] as RequestInit)
50

51
      default:
52
        throw new Error(`Unknown method: ${method}`)
53
    }
54
  }
55

56
  private respond(requestId: string, response: unknown) {
57
    this.iframe.contentWindow?.postMessage(
58
      { type: "SDK_RESPONSE", requestId, ...response },
59
      "*", // iframe origin already validated on receive
60
    )
61
  }
62

63
  private getRequiredPermission(method: string): string | undefined {
64
    const permissionMap: Record<string, string> = {
65
      showNotification: "ui.notifications",
66
      fetch: "network.fetch",
67
      "storage.get": "storage.local",
68
      "storage.set": "storage.local",
69
    }
70
    return permissionMap[method]
71
  }
72
}

1
class WidgetSDK implements HostSDK {
2
  private pendingRequests = new Map<
3
    string,
4
    {
5
      resolve: (value: unknown) => void
6
      reject: (error: Error) => void
7
    }
8
  >()
9

10
  constructor() {
11
    window.addEventListener("message", this.handleResponse)
12
  }
13

14
  private handleResponse = (event: MessageEvent) => {
15
    const { type, requestId, success, result, error } = event.data
16
    if (type !== "SDK_RESPONSE") return
17

18
    const pending = this.pendingRequests.get(requestId)
19
    if (!pending) return
20

21
    this.pendingRequests.delete(requestId)
22

23
    if (success) {
24
      pending.resolve(result)
25
    } else {
26
      pending.reject(new Error(error))
27
    }
28
  }
29

30
  private call<T>(method: string, args: unknown[] = []): Promise<T> {
31
    return new Promise((resolve, reject) => {
32
      const requestId = crypto.randomUUID()
33
      this.pendingRequests.set(requestId, { resolve: resolve as any, reject })
34

35
      window.parent.postMessage({ type: "SDK_CALL", requestId, method, args }, "*")
36

37
      // Timeout after 10 seconds
38
      setTimeout(() => {
39
        if (this.pendingRequests.has(requestId)) {
40
          this.pendingRequests.delete(requestId)
41
          reject(new Error(`SDK call timeout: ${method}`))
42
        }
43
      }, 10000)
44
    })
45
  }
46

47
  // Public API implementation
48
  get version(): string {
49
    return "1.0.0"
50
  }
51

52
  async showNotification(options: NotificationOptions): Promise<void> {
53
    return this.call("showNotification", [options])
54
  }
55

56
  async getData<T>(key: string): Promise<T | undefined> {
57
    return this.call("getData", [key])
58
  }
59

60
  storage = {
61
    get: <T>(key: string) => this.call<T>("storage.get", [key]),
62
    set: <T>(key: string, value: T) => this.call<void>("storage.set", [key, value]),
63
    delete: (key: string) => this.call<void>("storage.delete", [key]),
64
  }
65

66
  // ... other methods
67
}
68

69
// Export singleton
70
export const hostSDK = new WidgetSDK()

Multi-Tenant Orchestration

Tenant Configuration Resolution

The tenant config service maps tenant identifiers to their widget configurations. This enables per-tenant customization without code changes.

Multi-tenant widget loading flow: tenant config determines widget IDs; registry resolves to URLs; CDN serves bundles.

1
interface TenantWidgetConfig {
2
  widgetId: string
3
  version?: string // Optional: defaults to "latest"
4
  slot: string
5
  config?: Record<string, unknown> // Widget-specific config
6
  enabled: boolean
7
}
8

9
interface TenantConfig {
10
  tenantId: string
11
  widgets: TenantWidgetConfig[]
12
  featureFlags: Record<string, boolean>
13
  theme?: ThemeConfig
14
}
15

16
class TenantConfigService {
17
  private configCache = new Map<string, TenantConfig>()
18
  private baseUrl: string
19

20
  constructor(baseUrl: string) {
21
    this.baseUrl = baseUrl
22
  }
23

24
  async getConfig(tenantId: string): Promise<TenantConfig> {
25
    // Check cache first
26
    if (this.configCache.has(tenantId)) {
27
      return this.configCache.get(tenantId)!
28
    }
29

30
    const response = await fetch(`${this.baseUrl}/tenants/${tenantId}/config`)
31
    if (!response.ok) {
32
      // Fall back to default config
33
      return this.getDefaultConfig(tenantId)
34
    }
35

36
    const config = await response.json()
37
    this.configCache.set(tenantId, config)
38
    return config
39
  }
40

41
  private getDefaultConfig(tenantId: string): TenantConfig {
42
    return {
43
      tenantId,
44
      widgets: [], // No widgets by default
45
      featureFlags: {},
46
    }
47
  }
48

49
  async refreshConfig(tenantId: string): Promise<TenantConfig> {
50
    this.configCache.delete(tenantId)
51
    return this.getConfig(tenantId)
52
  }
53
}

1
interface LoadedWidget {
2
  id: string
3
  version: string
4
  slot: string
5
  instance: WidgetInstance
6
  state: "loading" | "active" | "error" | "inactive"
7
}
8

9
class WidgetOrchestrator {
10
  private tenantConfig: TenantConfigService
11
  private registry: WidgetRegistry
12
  private loadedWidgets = new Map<string, LoadedWidget>()
13
  private slotRegistry: SlotRegistry
14

15
  async initialize(tenantId: string) {
16
    // 1. Fetch tenant configuration
17
    const config = await this.tenantConfig.getConfig(tenantId)
18

19
    // 2. Filter enabled widgets
20
    const enabledWidgets = config.widgets.filter((w) => w.enabled)
21

22
    // 3. Resolve all widgets in parallel
23
    const resolutions = await Promise.allSettled(
24
      enabledWidgets.map((w) => this.registry.resolve(w.widgetId, w.version)),
25
    )
26

27
    // 4. Load successfully resolved widgets
28
    for (let i = 0; i < resolutions.length; i++) {
29
      const resolution = resolutions[i]
30
      const widgetConfig = enabledWidgets[i]
31

32
      if (resolution.status === "fulfilled") {
33
        await this.loadWidget(resolution.value, widgetConfig)
34
      } else {
35
        console.error(`Failed to resolve ${widgetConfig.widgetId}:`, resolution.reason)
36
        // Continue loading other widgets
37
      }
38
    }
39
  }
40

41
  private async loadWidget(resolved: ResolvedWidget, config: TenantWidgetConfig) {
42
    const loadedWidget: LoadedWidget = {
43
      id: resolved.id,
44
      version: resolved.version,
45
      slot: config.slot,
46
      instance: null!,
47
      state: "loading",
48
    }
49

50
    this.loadedWidgets.set(resolved.id, loadedWidget)
51

52
    try {
53
      // Fetch manifest to determine loading strategy
54
      const manifest = await this.fetchManifest(resolved.manifestUrl)
55

56
      // Load based on sandbox type
57
      const instance = await this.createWidgetInstance(manifest, resolved, config)
58

59
      loadedWidget.instance = instance
60
      loadedWidget.state = "active"
61

62
      // Register contribution points
63
      this.registerContributions(manifest, resolved.id)
64
    } catch (error) {
65
      loadedWidget.state = "error"
66
      console.error(`Failed to load widget ${resolved.id}:`, error)
67
    }
68
  }
69

70
  private async createWidgetInstance(
71
    manifest: WidgetManifest,
72
    resolved: ResolvedWidget,
73
    config: TenantWidgetConfig,
74
  ): Promise<WidgetInstance> {
75
    const sandboxType = manifest.sandbox?.type || "none"
76

77
    switch (sandboxType) {
78
      case "iframe":
79
        return this.createIframeWidget(resolved, manifest, config)
80

81
      case "shadow-dom":
82
        return this.createShadowDomWidget(resolved, manifest, config)
83

84
      case "wasm":
85
        return this.createWasmWidget(resolved, manifest, config)
86

87
      case "none":
88
      default:
89
        return this.createFederatedWidget(resolved, manifest, config)
90
    }
91
  }
92

93
  private async createIframeWidget(
94
    resolved: ResolvedWidget,
95
    manifest: WidgetManifest,
96
    config: TenantWidgetConfig,
97
  ): Promise<IframeWidgetInstance> {
98
    const iframe = document.createElement("iframe")
99

100
    // Apply sandbox restrictions
101
    const sandbox = manifest.sandbox!
102
    iframe.sandbox.add(...sandbox.allow.map((a) => `allow-${a}`))
103

104
    // Set CSP via attribute (embedded enforcement)
105
    if (sandbox.csp) {
106
      iframe.setAttribute("csp", sandbox.csp)
107
    }
108

109
    iframe.src = resolved.entryUrl
110

111
    return new IframeWidgetInstance(iframe, resolved.id, config.config)
112
  }
113

114
  async unloadWidget(widgetId: string) {
115
    const widget = this.loadedWidgets.get(widgetId)
116
    if (!widget) return
117

118
    widget.state = "inactive"
119

120
    // Cleanup instance
121
    await widget.instance.dispose()
122

123
    // Remove contributions
124
    this.slotRegistry.removeContributions(widgetId)
125

126
    this.loadedWidgets.delete(widgetId)
127
  }
128
}

Feature Flag Integration

1
interface FeatureFlagService {
2
  isEnabled(flag: string, context: FlagContext): boolean
3
  getVariant<T>(flag: string, context: FlagContext): T | undefined
4
}
5

6
interface FlagContext {
7
  tenantId: string
8
  userId?: string
9
  environment: "production" | "staging" | "development"
10
}
11

12
class WidgetFeatureFlags {
13
  private flags: FeatureFlagService
14

15
  isWidgetEnabled(widgetId: string, tenantConfig: TenantWidgetConfig, context: FlagContext): boolean {
16
    // 1. Check tenant config first
17
    if (!tenantConfig.enabled) return false
18

19
    // 2. Check feature flag override
20
    const flagKey = `widget.${widgetId}.enabled`
21
    if (this.flags.isEnabled(flagKey, context) === false) {
22
      return false
23
    }
24

25
    // 3. Check rollout percentage
26
    const rolloutFlag = `widget.${widgetId}.rollout`
27
    const rollout = this.flags.getVariant<number>(rolloutFlag, context)
28
    if (rollout !== undefined) {
29
      const userHash = this.hashUser(context.userId || context.tenantId)
30
      return userHash < rollout
31
    }
32

33
    return true
34
  }
35

36
  private hashUser(userId: string): number {
37
    // Deterministic hash for consistent experience
38
    let hash = 0
39
    for (let i = 0; i < userId.length; i++) {
40
      hash = (hash << 5) - hash + userId.charCodeAt(i)
41
      hash |= 0
42
    }
43
    return Math.abs(hash) % 100
44
  }
45
}

Browser Constraints

Main Thread Budget

Widget loading competes with the host application for main thread time. Poor loading strategies cause jank.

Loading waterfall (problematic):

1
[Host init]--[Fetch config]--[Fetch widget A]--[Parse A]--[Fetch widget B]--[Parse B]
2
                                                                              |
3
                                                                         [First paint]

Optimized loading:

1
[Host init]--[Fetch config]--[Render host skeleton]
2
                    |
3
                    ├──[Fetch A]──[Parse A]
4
                    └──[Fetch B]──[Parse B]
5
                                      |
6
                              [Progressive paint]

1
async function loadWidgetsOptimized(widgetConfigs: TenantWidgetConfig[]) {
2
  // 1. Render skeleton immediately
3
  renderSkeletons(widgetConfigs)
4

5
  // 2. Start all fetches in parallel
6
  const fetchPromises = widgetConfigs.map((config) => fetchWidgetBundle(config.widgetId))
7

8
  // 3. Process widgets as they complete (not waiting for all)
9
  for await (const result of raceSettled(fetchPromises)) {
10
    if (result.status === "fulfilled") {
11
      // Yield to main thread between widget initializations
12
      await yieldToMain()
13
      await initializeWidget(result.value)
14
    }
15
  }
16
}
17

18
function yieldToMain(): Promise<void> {
19
  return new Promise((resolve) => {
20
    if ("scheduler" in window && "yield" in (window as any).scheduler) {
21
      ;(window as any).scheduler.yield().then(resolve)
22
    } else {
23
      setTimeout(resolve, 0)
24
    }
25
  })
26
}
27

28
async function* raceSettled<T>(promises: Promise<T>[]): AsyncGenerator<PromiseSettledResult<T>> {
29
  const remaining = new Set(promises.map((p, i) => i))
30

31
  while (remaining.size > 0) {
32
    const results = await Promise.race(
33
      Array.from(remaining).map(async (i) => {
34
        try {
35
          const value = await promises[i]
36
          return { index: i, status: "fulfilled" as const, value }
37
        } catch (reason) {
38
          return { index: i, status: "rejected" as const, reason }
39
        }
40
      }),
41
    )
42

43
    remaining.delete(results.index)
44
    yield results.status === "fulfilled"
45
      ? { status: "fulfilled", value: results.value }
46
      : { status: "rejected", reason: results.reason }
47
  }
48
}

Memory Limits

Device Type	Practical JS Heap Limit	Widget Budget
Low-end mobile	50-100MB	5-10MB per widget
Mid-range mobile	200-300MB	20-30MB per widget
Desktop	500MB-1GB	50-100MB per widget

Memory management strategies:

1
class WidgetMemoryManager {
2
  private readonly maxTotalMemory: number
3
  private readonly maxWidgetMemory: number
4
  private activeWidgets = new Map<string, WidgetMemoryStats>()
5

6
  constructor(config: { maxTotalMemory: number; maxWidgetMemory: number }) {
7
    this.maxTotalMemory = config.maxTotalMemory
8
    this.maxWidgetMemory = config.maxWidgetMemory
9

10
    // Monitor memory pressure
11
    if ("memory" in performance) {
12
      this.startMemoryMonitoring()
13
    }
14
  }
15

16
  canLoadWidget(estimatedMemory: number): boolean {
17
    const currentUsage = this.getTotalUsage()
18
    return currentUsage + estimatedMemory <= this.maxTotalMemory
19
  }
20

21
  onWidgetOverMemory(widgetId: string) {
22
    console.warn(`Widget ${widgetId} exceeded memory limit`)
23

24
    // Option 1: Unload widget
25
    // this.unloadWidget(widgetId);
26

27
    // Option 2: Notify widget to reduce memory
28
    this.notifyWidget(widgetId, "MEMORY_PRESSURE")
29
  }
30

31
  private startMemoryMonitoring() {
32
    setInterval(() => {
33
      const memory = (performance as any).memory
34
      const usedRatio = memory.usedJSHeapSize / memory.jsHeapSizeLimit
35

36
      if (usedRatio > 0.9) {
37
        // Critical memory pressure
38
        this.handleMemoryPressure("critical")
39
      } else if (usedRatio > 0.7) {
40
        // Warning level
41
        this.handleMemoryPressure("warning")
42
      }
43
    }, 5000)
44
  }
45

46
  private handleMemoryPressure(level: "warning" | "critical") {
47
    // Unload inactive widgets first
48
    for (const [widgetId, stats] of this.activeWidgets) {
49
      if (!stats.visible && level === "critical") {
50
        this.unloadWidget(widgetId)
51
      }
52
    }
53
  }
54
}

Storage Quotas

Widgets need persistent storage but share quotas with the host:

Storage Type	Quota	Widget Strategy
localStorage	5MB	Avoid; use IndexedDB
IndexedDB	50% of disk (Chrome)	Namespace per widget
Cache API	50% of disk	Careful eviction

1
class WidgetStorageManager {
2
  private db: IDBDatabase | null = null
3
  private readonly storeName = "widget_storage"
4

5
  async initialize() {
6
    this.db = await this.openDatabase()
7
  }
8

9
  private openDatabase(): Promise<IDBDatabase> {
10
    return new Promise((resolve, reject) => {
11
      const request = indexedDB.open("widget_host", 1)
12

13
      request.onerror = () => reject(request.error)
14
      request.onsuccess = () => resolve(request.result)
15

16
      request.onupgradeneeded = (event) => {
17
        const db = (event.target as IDBOpenDBRequest).result
18
        if (!db.objectStoreNames.contains(this.storeName)) {
19
          db.createObjectStore(this.storeName, { keyPath: "key" })
20
        }
21
      }
22
    })
23
  }
24

25
  async get<T>(widgetId: string, key: string): Promise<T | undefined> {
26
    const compositeKey = `${widgetId}:${key}`
27
    return this.dbGet(compositeKey)
28
  }
29

30
  async set<T>(widgetId: string, key: string, value: T): Promise<void> {
31
    const compositeKey = `${widgetId}:${key}`
32

33
    // Check quota before write
34
    const estimate = await navigator.storage.estimate()
35
    const usageRatio = (estimate.usage || 0) / (estimate.quota || 1)
36

37
    if (usageRatio > 0.9) {
38
      // Evict old widget data
39
      await this.evictOldData(widgetId)
40
    }
41

42
    return this.dbSet(compositeKey, value)
43
  }
44

45
  async getWidgetUsage(widgetId: string): Promise<number> {
46
    // Estimate storage used by this widget
47
    const keys = await this.getWidgetKeys(widgetId)
48
    let totalSize = 0
49

50
    for (const key of keys) {
51
      const value = await this.dbGet(key)
52
      totalSize += new Blob([JSON.stringify(value)]).size
53
    }
54

55
    return totalSize
56
  }
57
}

Real-World Implementations

VS Code Extensions

Context: Desktop code editor with 40,000+ extensions.

Architecture:

Extensions run in separate Extension Host process (Node.js)
UI extensions use webview (Chromium iframe with restricted API)
Communication via IPC (Inter-Process Communication)

Key design decisions:

Decision	Rationale
Separate process	Misbehaving extensions can’t crash editor
Activation events	Lazy loading—extensions load only when needed
Contribution points	Declarative UI integration via `contributes` manifest
Sandboxed webviews	HTML panels isolated from VS Code DOM

Manifest example:

1
{
2
  "name": "my-extension",
3
  "activationEvents": ["onLanguage:javascript"],
4
  "contributes": {
5
    "commands": [{ "command": "ext.doThing", "title": "Do Thing" }],
6
    "menus": {
7
      "editor/context": [{ "command": "ext.doThing" }]
8
    }
9
  }
10
}

Outcome: Extensions enhance functionality without affecting editor stability. Process isolation means extension crashes are recoverable.

Figma Plugins

Context: Web-based design tool; plugins manipulate design documents.

Architecture:

UI layer: Standard iframe for plugin UI
Logic layer: QuickJS JavaScript engine compiled to WASM
Document access only through controlled API

Why WASM sandbox?

Cannot use eval() (security)
Plugins must not access Figma’s DOM
Need deterministic execution for collaborative editing

Two-process model:

1
Plugin UI (iframe) ←→ postMessage ←→ Plugin Logic (WASM) ←→ Figma API ←→ Document

Security properties:

Plugin cannot access browser APIs directly
Plugin cannot manipulate Figma’s UI
All document operations go through audited API
Plugin code runs in capability-constrained sandbox

Trade-off accepted: QuickJS is ~10-30x slower than V8. Acceptable because document operations are the bottleneck, not JavaScript execution.

Source: How Figma Built the Plugin System

Shopify Embedded Apps

Context: E-commerce platform; apps extend merchant admin functionality.

Architecture:

Apps run in iframe embedded in Shopify admin
Communication via App Bridge SDK (postMessage abstraction)
OAuth for authentication; session tokens for API access

App Bridge SDK:

1
import { createApp } from "@shopify/app-bridge"
2
import { Redirect, Toast } from "@shopify/app-bridge/actions"
3

4
const app = createApp({
5
  apiKey: "api-key",
6
  shopOrigin: "myshop.myshopify.com",
7
})
8

9
// Show toast notification (rendered by Shopify, not iframe)
10
const toast = Toast.create(app, { message: "Order updated", duration: 5000 })
11
toast.dispatch(Toast.Action.SHOW)
12

13
// Navigate within Shopify admin
14
const redirect = Redirect.create(app)
15
redirect.dispatch(Redirect.Action.ADMIN_PATH, "/orders")

Multi-tenancy model:

Each Shopify store is a tenant
Apps install per-store with store-specific credentials
App Bridge passes shop context on every request

Security properties:

Apps cannot access other stores’ data
OAuth scopes limit API access per app
iframe sandbox prevents DOM manipulation

Source: Shopify App Bridge Documentation

Salesforce Lightning Web Components

Context: Enterprise CRM with third-party components from multiple ISVs.

Architecture:

Components run in Lightning Web Security (LWS) virtual environment
Namespace isolation: c-myComponent vs partner-theirComponent
Shadow DOM for style encapsulation

Lightning Web Security:

1
┌─────────────────────────────────────────┐
2
│            Salesforce Page              │
3
├─────────────────────────────────────────┤
4
│  ┌──────────────┐  ┌──────────────┐     │
5
│  │ Namespace A  │  │ Namespace B  │     │
6
│  │ (Virtual Env)│  │ (Virtual Env)│     │
7
│  │  Component1  │  │  Component2  │     │
8
│  └──────────────┘  └──────────────┘     │
9
└─────────────────────────────────────────┘

Security properties:

Components in different namespaces cannot access each other’s resources
Distorted global objects prevent prototype pollution
API calls go through Salesforce proxy with permission checks

Trade-off: Slightly different JavaScript semantics (global object distortion). Most code works unchanged; edge cases require adaptation.

Source: Lightning Web Security Architecture

Common Pitfalls

1. Loading All Widgets Eagerly

The mistake: Fetching and initializing all widgets on page load regardless of visibility.

Example: Dashboard with 20 widgets; user only sees 4 above the fold. Loading all 20 blocks main thread for 2+ seconds.

Why it happens: Simpler implementation; deferred loading requires tracking visibility.

Solution:

1
class LazyWidgetLoader {
2
  private observer: IntersectionObserver
3
  private pendingWidgets = new Map<Element, string>()
4

5
  constructor() {
6
    this.observer = new IntersectionObserver(
7
      this.handleIntersection,
8
      { rootMargin: "100px" }, // Preload slightly before visible
9
    )
10
  }
11

12
  registerSlot(element: Element, widgetId: string) {
13
    this.pendingWidgets.set(element, widgetId)
14
    this.observer.observe(element)
15
  }
16

17
  private handleIntersection: IntersectionObserverCallback = (entries) => {
18
    for (const entry of entries) {
19
      if (entry.isIntersecting) {
20
        const widgetId = this.pendingWidgets.get(entry.target)
21
        if (widgetId) {
22
          this.loadWidget(widgetId, entry.target)
23
          this.pendingWidgets.delete(entry.target)
24
          this.observer.unobserve(entry.target)
25
        }
26
      }
27
    }
28
  }
29
}

2. Missing Origin Validation in postMessage

The mistake: Handling all messages without checking origin.

1
// DANGEROUS: No origin check
2
window.addEventListener("message", (event) => {
3
  if (event.data.type === "WIDGET_REQUEST") {
4
    handleWidgetRequest(event.data) // Attacker can send messages too
5
  }
6
})

Impact: Attacker opens your site in iframe, sends malicious messages, triggers actions with user’s credentials.

Solution:

1
const TRUSTED_ORIGINS = new Set(["https://widget1.example.com", "https://widget2.example.com"])
2

3
window.addEventListener("message", (event) => {
4
  // CRITICAL: Always validate origin
5
  if (!TRUSTED_ORIGINS.has(event.origin)) {
6
    console.warn("Rejected message from untrusted origin:", event.origin)
7
    return
8
  }
9

10
  handleWidgetRequest(event.data)
11
})

3. Shared Dependency Version Conflicts

The mistake: Host uses React 18, widget bunled with React 17, both load.

Impact: Two React instances cause context mismatches, hooks fail mysteriously.

Solution:

1
// webpack.config.js (host)
2
new ModuleFederationPlugin({
3
  shared: {
4
    react: {
5
      singleton: true,
6
      requiredVersion: "^18.0.0",
7
      strictVersion: true, // Fail if incompatible
8
    },
9
  },
10
})

Also validate in registry:

1
function validateWidgetCompatibility(manifest: WidgetManifest) {
2
  const hostReact = "18.2.0"
3
  const widgetReact = manifest.dependencies?.react
4

5
  if (widgetReact && !satisfies(hostReact, widgetReact)) {
6
    throw new Error(`Widget requires React ${widgetReact}, host has ${hostReact}`)
7
  }
8
}

The mistake: Loading widgets but never unloading them when no longer needed.

Impact: Memory grows unbounded; 50 widgets loaded over time, only 5 visible.

Solution:

1
interface WidgetInstance {
2
  activate(): Promise<void>
3
  deactivate(): Promise<void>
4
  dispose(): Promise<void>
5
}
6

7
class WidgetLifecycleManager {
8
  private activeWidgets = new Map<string, WidgetInstance>()
9
  private visibleWidgets = new Set<string>()
10

11
  async handleVisibilityChange(widgetId: string, visible: boolean) {
12
    const widget = this.activeWidgets.get(widgetId)
13
    if (!widget) return
14

15
    if (visible) {
16
      this.visibleWidgets.add(widgetId)
17
      await widget.activate()
18
    } else {
19
      this.visibleWidgets.delete(widgetId)
20
      await widget.deactivate()
21

22
      // Unload after period of invisibility
23
      setTimeout(() => {
24
        if (!this.visibleWidgets.has(widgetId)) {
25
          this.unloadWidget(widgetId)
26
        }
27
      }, 60000) // 1 minute
28
    }
29
  }
30

31
  private async unloadWidget(widgetId: string) {
32
    const widget = this.activeWidgets.get(widgetId)
33
    if (widget) {
34
      await widget.dispose()
35
      this.activeWidgets.delete(widgetId)
36
    }
37
  }
38
}

The mistake: Synchronously parsing and executing large widget bundles.

Impact: UI freezes during widget load; user sees blank screen.

Solution:

1
async function initializeWidgetAsync(code: string, container: Element) {
2
  // Parse in chunks using requestIdleCallback
3
  const chunks = splitIntoChunks(code, 50000) // 50KB chunks
4

5
  for (const chunk of chunks) {
6
    await new Promise<void>((resolve) => {
7
      requestIdleCallback(
8
        () => {
9
          // Parse chunk
10
          parseChunk(chunk)
11
          resolve()
12
        },
13
        { timeout: 100 },
14
      )
15
    })
16
  }
17

18
  // Initialize widget after parsing
19
  await new Promise<void>((resolve) => {
20
    requestAnimationFrame(() => {
21
      mountWidget(container)
22
      resolve()
23
    })
24
  })
25
}

Conclusion

Building a multi-tenant pluggable widget framework requires navigating three axes:

Security vs Performance: iframe/WASM isolation is safest but has overhead; Module Federation is fast but trusts widgets
Flexibility vs Complexity: More extension points enable richer widgets but increase API surface to maintain
Per-tenant customization vs Operational simplicity: Feature flags add deployment complexity but enable fine-grained control

Recommended starting points by use case:

Scenario	Isolation	Loading	Registry
Internal micro-frontends	Module Federation	Module Federation	npm/internal registry
Third-party app marketplace	iframe + postMessage	Dynamic script	Custom registry + OAuth
High-security (financial)	WASM sandbox	Dynamic fetch	Signed manifests
Design tool plugins	WASM (logic) + iframe (UI)	Controlled loader	Curated store

Key design decisions to make early:

What’s your trust model? Internal-only vs open marketplace changes everything
What API surface will you support? Once published, it’s hard to change
How will you version the host SDK? Widgets depend on stability
How do you handle widget failures? Graceful degradation vs hard failure

The frameworks that succeed (VS Code, Figma, Shopify) share a common pattern: minimal core, maximal extensibility through well-defined contribution points, and strong isolation boundaries. Start with clear boundaries; relaxing them later is easier than adding them.

Appendix

Prerequisites

Understanding of JavaScript module systems (ES modules, CommonJS)
Familiarity with webpack or Vite bundling
Knowledge of browser security model (same-origin policy, CSP)
Basic understanding of iframe and postMessage APIs

Terminology

Term	Definition
Module Federation	Webpack 5 feature allowing multiple builds to share code at runtime
Contribution Point	Named extension point in host UI where widgets can render
Manifest	JSON file declaring widget metadata, capabilities, and requirements
Activation Event	Trigger that causes a widget to load (e.g., slot visible, command invoked)
Sandbox	Restricted execution environment limiting widget capabilities
postMessage	Browser API for cross-origin communication between windows/iframes
Shadow DOM	Browser API for encapsulated DOM subtree with style isolation
WASM	WebAssembly; binary instruction format for sandboxed execution
QuickJS	Lightweight JavaScript engine; can be compiled to WASM for sandboxing
Singleton	Shared dependency constraint ensuring only one instance loads

Summary

Widget frameworks follow the microkernel pattern: minimal core + pluggable extensions
Isolation strategies trade security for performance (iframe > WASM > Shadow DOM > Module Federation)
Manifests declare capabilities declaratively; host renders contributions without loading all code
Multi-tenancy uses config service + feature flags to determine per-tenant widget sets
Registry resolves widget IDs to versioned URLs with compatibility validation
Host SDK provides controlled API surface; widgets cannot access arbitrary host internals
Memory and main thread budgets constrain how many widgets can load simultaneously

References

Module Federation:

Webpack Module Federation Documentation - Official webpack docs
Module Federation Deep Dive - Architecture details

Browser Sandboxing:

iframe sandbox - MDN - Sandbox attribute reference
Content Security Policy - MDN - CSP documentation
Playing Safely in Sandboxed IFrames - web.dev - Security guidance

Shadow DOM:

Using Shadow DOM - MDN - API reference
Shadow DOM Encapsulation - CSS-Tricks - Practical guide

Production Implementations:

VS Code Extension Host - Architecture documentation
How Figma Built the Plugin System - WASM sandbox approach
Shopify App Bridge - iframe + SDK pattern
Salesforce Lightning Web Security - Namespace isolation

Multi-Tenancy:

ConfigCat Multi-Tenant Feature Flags - Feature flag patterns
AWS AppConfig Multi-Tenant Configuration - Config service architecture

Communication Patterns:

Window.postMessage - MDN - API reference
Secure Cross-Window Communication - Security best practices