"Blue Argon" violation notice received


dhama...@gmail.com

Sep 6, 2023, 6:18:51 AM
to Chromium Extensions

Hi Chrome Team,

I have recently received a “Blue Argon” violation notice on my production extension from the Chrome Web Store. I would like some more information on what can cause this.

The Blue Argon policy mentions the following potential issues:

Common reasons for rejection

  • Including a <script> tag that points to a resource that is not within the extension's package.
  • Using JavaScript's `eval()` method or other mechanisms to execute a string fetched from a remote source.
  • Building an interpreter to run complex commands fetched from a remote source, even if those commands are fetched as data.


I don’t think I’m doing any of these things, and my extension has been on the web store for years without incident. Here are some potential reasons I can think of:


  1. Is a remote iframe considered an issue? I load my website in an iframe on user request
  2. I do not have any external script tags or eval or function constructors either. Some included libraries do seem to call eval. Is an eval(“2 + 2”) also considered a violation?
  3. “Building an interpreter to run complex commands fetched from a remote source, even if those commands are fetched as data.”
    Can you expand on what this means? Is downloading configuration data considered “building an interpreter”? I fetch some config data remotely like for doing split testing, displaying promo offers to the users, etc., all this is loading JSON not any code.


Can you please shed some light on if any of these above mentioned cases could be considered a Blue Argon violation?


Oliver Dunk

Sep 7, 2023, 7:17:25 AM
to dhama...@gmail.com, Chromium Extensions
Hi,

If you haven't already, I would suggest filling out https://support.google.com/chrome_webstore/contact/one_stop_support as the team there should be able to provide some more guidance on your specific situation.

To answer your general questions:

> Is a remote iframe considered an issue? I load my website in an iframe on user request

This is evaluated on a case-by-case basis but is usually ok. This could change if you are passing sensitive data into the iframe, for example, as there is then a risk that the remote code does something unexpected with that data which we would be unable to review.

> I do not have any external script tags or eval or function constructors either. Some included libraries do seem to call eval. Is an eval(“2 + 2”) also considered a violation?

Eval is blocked by the default CSP, so any calls will fail. That said, I could imagine that the reviewers may flag this. Would you be comfortable sharing what library you were using?

> Can you expand on what this means? Is downloading configuration data considered “building an interpreter”?

Fetching JSON which is purely configuration for features that already exist in your extension is completely fine. It would only be an issue if you were using this configuration to violate another policy (for example, fetching a URL to load remote scripts from). Building an interpreter refers to writing something that takes data from a server and treats it as code, running through it line by line. It doesn't sound like this is what you are doing :)

Hope that helps,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB
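
An added example, not part of the thread and not Chromium or Chrome Web Store code: one way to keep remotely fetched JSON as "purely configuration for features that already exist", per the reply above. It applies only known keys with validated values and drops anything else, such as a script URL or a command list. The key names, allowed values and sample response are hypothetical.

```javascript
// Added example. Key names and allowed values are hypothetical; each key
// maps to a feature whose code already ships inside the extension package.
const CONFIG_SCHEMA = {
  promoBannerEnabled: (v) => typeof v === "boolean",
  splitTestGroup: (v) => ["control", "variantA", "variantB"].includes(v),
  promoTextId: (v) => ["none", "summer_sale", "upgrade_offer"].includes(v),
  maxPromosPerDay: (v) => Number.isInteger(v) && v >= 0 && v <= 5,
};

const DEFAULTS = Object.freeze({
  promoBannerEnabled: false,
  splitTestGroup: "control",
  promoTextId: "none",
  maxPromosPerDay: 0,
});

// Only known keys with valid values are applied; the rest land in `rejected`.
function parseRemoteConfig(jsonText) {
  const config = { ...DEFAULTS };
  let raw;
  try {
    raw = JSON.parse(jsonText);
  } catch (err) {
    return { config, rejected: ["<invalid JSON>"] };
  }
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    return { config, rejected: ["<not an object>"] };
  }
  const rejected = [];
  for (const key of Object.keys(raw)) {
    const known = Object.prototype.hasOwnProperty.call(CONFIG_SCHEMA, key);
    if (known && CONFIG_SCHEMA[key](raw[key])) {
      config[key] = raw[key];
    } else {
      rejected.push(key); // e.g. a script URL or a command list: never acted on
    }
  }
  return { config, rejected };
}

// Constructed sample response (not real data).
const SAMPLE_RESPONSE = JSON.stringify({
  promoBannerEnabled: true,
  splitTestGroup: "variantA",
  maxPromosPerDay: 9, // out of range, falls back to the default
  scriptUrl: "https://cdn.example.invalid/promo.js",
  commands: [{ op: "run", arg: "step-1" }],
});
console.log(parseRemoteConfig(SAMPLE_RESPONSE));
```

Logging the `rejected` list makes it visible when a server response starts carrying fields the packaged code was never written to handle.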

