The apps system can be roughly divided into these major components or areas:
The iframe that an app is rendered into is isolated from Deskpro so it acts like a sandbox. App files may even be served from a CDN on a different domain. Same-origin browser policies block any normal communication between frames, which means there's no way for an app to try and steal data from the parent page.
🧐 So the challenge becomes: how do we enable an app to talk to Deskpro?
An app is not useful if it can't actually interact with Deskpro. E.g. how do we "get a ticket" or "get the users email address".
There is an API for establishing a communication channel between an iframe and the parent — this is the postMessage API.
This is an async API, and requries the parent to explicitly listen to messages emitted by a child, and the child explicitly sends messages to the parent, limited to specific target URLs.