There are multiple possibilities when implementing a custom method for Extensibility.
Hexagon recommends that custom client Extensibility code should always be hosted on a server in a different domain. This can mitigate any browser security concerns.