[FEATURE] Enable media playback in Cowork artifact sandbox (video/audio/HLS)

Resolved 💬 2 comments Opened Apr 10, 2026 by tocarte Closed Apr 10, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Cowork artifacts block all outbound network access from the sandboxed iframe — including <video> elements, fetch(), XHR, and HLS.js streaming. This prevents any media-rich plugin from playing video or audio inline.

Test Results

| Test | Result | Error |
|------|--------|-------|
| MP4 <video src="..."> | Blocked | Media load rejected by URL safety check |
| fetch() to public HTTPS | Blocked | Failed to fetch |
| HLS.js via CORS proxy | Blocked | manifestLoadError (HTTP 0) |
| fetch() to localhost | Blocked | Failed to fetch |
| <iframe src="http://localhost:..."> | Blocked | No request received |
| Cloudflare tunnel (public HTTPS) | Blocked | Failed to fetch |

Note: <script src="https://cdnjs.cloudflare.com/..."> loads fine — HLS.js initializes. But all runtime network access is blocked (fetch, XHR, video src, audio src, WebSocket).

Why This Matters

  • No AI platform currently supports inline video playback. This would be a first.
  • Unlocks an entire plugin category: video, audio, podcasts, live streams, music.
  • Related requests: #22903 (real-time visual pipes), #12676 (native video file support), #29602 (sandbox network allowlist).

Proposed Solution

Any of these would solve it:

  1. Allowlisted domains per plugin — Plugins declare permitted media origins in their manifest (e.g., allowedMediaOrigins: ["*.akamaized.net"]). The sandbox permits <video>/<audio> to those domains only. Scoped, auditable, opt-in.
  1. Native media artifact type — A first-class video/audio component in the artifact system, like HTML/React artifacts today. The platform handles playback securely outside the sandbox.
  1. Relaxed sandbox for media elements only — Allow <video> and <audio> to load external sources while keeping fetch()/XHR restricted. Media elements consume content rather than exfiltrate data, making them lower risk.

Alternative Solutions

Current workaround is handing the HLS stream URL to the OS via vlc:// protocol or direct link, which opens playback in VLC or the default browser. Functional but defeats the purpose of inline playback within Cowork.

Priority

High - Significant impact on productivity

Feature Category

MCP server integration

Use Case Example

  1. User asks Claude in Cowork: "Show me live news channels"
  2. MCP plugin returns channel data (name, logo, HLS stream URL)
  3. Claude generates an HTML artifact with a channel grid
  4. User clicks a channel → video plays inline in the artifact
  5. User asks "What else is on?" → Claude updates the artifact

Step 4 currently fails because the artifact sandbox blocks the <video> element from loading the HLS stream. Every other step works today.

Additional Context

Tested on Cowork (Claude Desktop, macOS), April 2026. HTML artifacts only — React artifacts can't load CDN scripts like HLS.js.

Related issues: #22903, #12676, #29602

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗