[FEATURE] Enable media playback in Cowork artifact sandbox (video/audio/HLS)
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Cowork artifacts block all outbound network access from the sandboxed iframe — including <video> elements, fetch(), XHR, and HLS.js streaming. This prevents any media-rich plugin from playing video or audio inline.
Test Results
| Test | Result | Error |
|------|--------|-------|
| MP4 <video src="..."> | Blocked | Media load rejected by URL safety check |
| fetch() to public HTTPS | Blocked | Failed to fetch |
| HLS.js via CORS proxy | Blocked | manifestLoadError (HTTP 0) |
| fetch() to localhost | Blocked | Failed to fetch |
| <iframe src="http://localhost:..."> | Blocked | No request received |
| Cloudflare tunnel (public HTTPS) | Blocked | Failed to fetch |
Note: <script src="https://cdnjs.cloudflare.com/..."> loads fine — HLS.js initializes. But all runtime network access is blocked (fetch, XHR, video src, audio src, WebSocket).
Why This Matters
- No AI platform currently supports inline video playback. This would be a first.
- Unlocks an entire plugin category: video, audio, podcasts, live streams, music.
- Related requests: #22903 (real-time visual pipes), #12676 (native video file support), #29602 (sandbox network allowlist).
Proposed Solution
Any of these would solve it:
- Allowlisted domains per plugin — Plugins declare permitted media origins in their manifest (e.g.,
allowedMediaOrigins: ["*.akamaized.net"]). The sandbox permits<video>/<audio>to those domains only. Scoped, auditable, opt-in.
- Native media artifact type — A first-class video/audio component in the artifact system, like HTML/React artifacts today. The platform handles playback securely outside the sandbox.
- Relaxed sandbox for media elements only — Allow
<video>and<audio>to load external sources while keepingfetch()/XHR restricted. Media elements consume content rather than exfiltrate data, making them lower risk.
Alternative Solutions
Current workaround is handing the HLS stream URL to the OS via vlc:// protocol or direct link, which opens playback in VLC or the default browser. Functional but defeats the purpose of inline playback within Cowork.
Priority
High - Significant impact on productivity
Feature Category
MCP server integration
Use Case Example
- User asks Claude in Cowork: "Show me live news channels"
- MCP plugin returns channel data (name, logo, HLS stream URL)
- Claude generates an HTML artifact with a channel grid
- User clicks a channel - video plays inline in the artifact
- User asks "What else is on?" - Claude updates the artifact
Step 4 currently fails because the artifact sandbox blocks the video element from loading the HLS stream. Every other step works today.
Additional Context
Tested on Cowork (Claude Desktop, macOS), April 2026. HTML artifacts only — React artifacts can't load CDN scripts like HLS.js.
Related issues: #22903, #12676, #29602
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗