[FEATURE] Enable media playback in Cowork artifact sandbox (video/audio/HLS)
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Cowork artifacts block all outbound network access from the sandboxed iframe — including <video> elements, fetch(), XHR, and HLS.js streaming. This prevents any media-rich plugin from playing video or audio inline.
Test Results
| Test | Result | Error |
|------|--------|-------|
| MP4 <video src="..."> | Blocked | Media load rejected by URL safety check |
| fetch() to public HTTPS | Blocked | Failed to fetch |
| HLS.js via CORS proxy | Blocked | manifestLoadError (HTTP 0) |
| fetch() to localhost | Blocked | Failed to fetch |
| <iframe src="http://localhost:..."> | Blocked | No request received |
| Cloudflare tunnel (public HTTPS) | Blocked | Failed to fetch |
Note: <script src="https://cdnjs.cloudflare.com/..."> loads fine — HLS.js initializes. But all runtime network access is blocked (fetch, XHR, video src, audio src, WebSocket).
Why This Matters
- No AI platform currently supports inline video playback. This would be a first.
- Unlocks an entire plugin category: video, audio, podcasts, live streams, music.
- Related requests: #22903 (real-time visual pipes), #12676 (native video file support), #29602 (sandbox network allowlist).
Proposed Solution
Any of these would solve it:
- Allowlisted domains per plugin — Plugins declare permitted media origins in their manifest (e.g.,
allowedMediaOrigins: ["*.akamaized.net"]). The sandbox permits<video>/<audio>to those domains only. Scoped, auditable, opt-in.
- Native media artifact type — A first-class video/audio component in the artifact system, like HTML/React artifacts today. The platform handles playback securely outside the sandbox.
- Relaxed sandbox for media elements only — Allow
<video>and<audio>to load external sources while keepingfetch()/XHR restricted. Media elements consume content rather than exfiltrate data, making them lower risk.
Alternative Solutions
Current workaround is handing the HLS stream URL to the OS via vlc:// protocol or direct link, which opens playback in VLC or the default browser. Functional but defeats the purpose of inline playback within Cowork.
Priority
High - Significant impact on productivity
Feature Category
MCP server integration
Use Case Example
- User asks Claude in Cowork: "Show me live news channels"
- MCP plugin returns channel data (name, logo, HLS stream URL)
- Claude generates an HTML artifact with a channel grid
- User clicks a channel → video plays inline in the artifact
- User asks "What else is on?" → Claude updates the artifact
Step 4 currently fails because the artifact sandbox blocks the <video> element from loading the HLS stream. Every other step works today.
Additional Context
Tested on Cowork (Claude Desktop, macOS), April 2026. HTML artifacts only — React artifacts can't load CDN scripts like HLS.js.
Related issues: #22903, #12676, #29602
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗