Clarification on remotely hosted code in Manifest V3 world

[go green]

Hi Simeon,

In the MV3 world, for an extension that sets the default New Tab Page, would it be ok to load the New Tab Page content in an iframe? 

For e.g., the extension will request host permission for www.domain.com and will contain a resource page in the extension, say newtabpage.html. It will load the contents of that page in an iframe like below:

<html>

    <body>

        <iframe src="https://www.domain.com/newtabpage.html" />

    </body>

</html>

Thanks

[go green]

just following up on this - 

@dotproto or anyone else who are able to, would you please clarify whether this mode of loading data external to the Extension is allowed in the new world?

[guest271314]

What are you trying to achieve? What is the purpose of the <iframe>? By New Tab page do you mean chrome-search://local-ntp/local-ntp.html? Have you tested the code locally?

[Matt Gaspar]

local-ntp.html with an iframe to a remote page sounds like what go green is looking to achieve. Messaging around remote code has been focused on scripts, so this will be good to clarify.

[guest271314]

I am still not gathering what the purpose of including the default "New Tab" page in an <iframe> is?

The default "New Tab" page, if enabled, contains "tiles", "cards", search suggestion code, voice search code, etc.

It is possible to set the default search engine to any URL you want, to run your own search service.

[go green]

> I am still not gathering what the purpose of including the default "New Tab" page in an <iframe> is?

I meant including a custom "new tab" page to be used in place of browser's default new tab page. Having it in an iframe helps me provide customized user experience  

[guest271314]

I normally disable "cards" and "tiles" at first run of Chromium and Chrome and set the default value for the search engine to one other than those listed by default. Even when setting about:blank at chrome://settings/onStartup => Open a specific page or set of pages and chrome://settings/appearance => Show home button I have not found a way for location.href to not be chrome-search://local-ntp/local-ntp.html and loading local-ntp and mv-single and the about:blank in log-doodle-iframe - even though I have no use for the voice search and other JavaScript loaded at the New Tab page. According to https://cloud.google.com/docs/chrome-enterprise/policies/?policy=NewTabPageLocation it should be possible to set a Policy https://stackoverflow.com/a/40350505 to set the URL for New Tab however the documentation does not state that chrome-search://local-ntp/local-ntp.html will not be loaded in any event. I have not yet tested setting New Tab using a Policy.

[go green]

I am referring to the following setting in the manifest to override the new tab page:

"chrome_url_overrides" : {
"newtab": "custom-page.html"
}

[Simeon Vincent]

Go Green,

I don't have a hard answer for you because we don't have an updated policy that I can refer to and discuss. That said, what we're trying to achieve with this change is to make extensions safer by allowing reviewers to see, understand, and assess the risks that the extension poses to end users. From that point of view, making the NTP just a frame for web content doesn't feel to me like it follows the spirit of that objective.

While I do not have a concrete answer to your question, I would encourage you not to go this route. Instead, I would suggest considering other ways to customize your end user experience. For example, could you get a JSON object with user specific customizations at runtime? Can you bake a known set of options into the extension itself? 

If you'd like to get more specific about your use case I'm happy to kick around ideas here.

> Messaging around remote code has been focused on scripts, so this will be good to clarify. - mattyg…@

That's largely because remote JS is a major attack vector, but as I mentioned above our main focus is risk assessment.

Hypothetically, let's say all known uses of HTML fragments and iframes are non-malicious, but due to the RHC restrictions attackers migrate from remote JS to remotely rendered HTML content. In this scenario CWS would most likely have to take an aggressive position against remotely loaded HTML in order to protect users.

Cheers,

Simeon - @dotproto

Chrome Extensions DevRel

[go green]

Thank you Simeon, for the taking the time to explain in such detail. Very helpful and much appreciated.

[go green]

Hi Simeon @dotproto,

I have a couple more questions on this thread related to remote code.

1. Would it be ok to show Google Ads on the new tab page?
2. Can we continue to use Google recaptcha on the new tab page? 

We don't collect any user data or personally identifiable information for either of the above. I did see some info on this thread related to ads but it was from back in May 2020 so it would be nice if you could please provide any latest updates and clarification on these.
https://groups.google.com/a/chromium.org/g/chromium-extensions/c/1YmQqsL-O18/m/orabI4shAwAJ

Thanks

[Simeon Vincent]

1. Would it be ok to show Google Ads on the new tab page?

I'm no expert here, but I believe Google Ads is what advertisers buy ad space for whatever they're selling while AdSense is what folks use to monetize blogs and such. Per the Ads in Products section of the Developer Program Policy, AdSenes cannot be used in extensions. 

 2. Can we continue to use Google recaptcha on the new tab page?

I'm not aware of a policy reason why you wouldn't be, but that may be ignorance on my part. Some web services require that their libraries are loaded from their servers. I do not know if reCAPTCHA is such a service, but assuming you can bundle reCAPTCHA libraries in your extension I don't see why this wouldn't work.

The bigger question for me is why would you need reCAPTCHA in a new tab page? 🤔

Simeon - @dotproto

Chrome Extensions DevRel

[Stefan Gündhör]

https://github.com/jimmywarting/StreamSaver.js might be a good example of added functionality via iframe.

The service worker of StreamSaver does not work well inside Chrome Extensions, so hosting the iframe remotely is the only option to download files in a streaming manner in chrome extensions, at least up to Chrome 87.

Extension Reviewers can still see which data is transferred between the extension (that is very privileged) and the iframe (that is much less privileged).

If there was ever any plan on not allowing externally hosted iframes inside pages of chrome extensions, what would be the expected lead time for prior notification? Because I'm sure there are a lot of legit extensions out there that rely on what's possible today and what has been announced for Manifest v3 so far (which, as to my knowledge, does NOT include a ban of iframes with remote origins inside extension pages).

Regards,

Stefan

[Varun Namasingh]

I had a similar question.

Is there an official response on whether iframes will be allowed inside of Chrome Extensions in Manifest V3? And to Stefan's point, going forward, is there any guarantee on whether this will continue to be allowed?

My company is planning on making a substantial investment into a chrome extension, and we want to ensure we choose an architecture that will not become unsupported in the future.

[Kevin Jennison]

To weigh in on why an extension developer might use an iframe on the new tab page: Chrome hasn't reliably supported highlighting/clearing the omnibar when setting the new tab page to an HTTPS website, and the iframe is a workaround. See this feature request:

https://bugs.chromium.org/p/chromium/issues/detail?id=766331

As far as I can tell, the spirit of the remote code restriction shouldn't affect iframes, given the code doesn't run in a privileged environment. Still, it would be good to get confirmation of that.

[Stefan Gündhör]

Yesterday the Content Policies have been updated with special notes for Manifest v3. 

They say nothing about banning iframes with remote sources.

So it would be good to hear an official statement if extensions that depend on such (with legitimate reasons) are at least "safe for now" and will have enough time to migrate to a different concept, if that should ever change in the future.

Like one of the posters noted before: there are companies making substantial investments into chrome extensions and have to pick technological concepts today that will at least last for some years. Saying "hey, that may or may not change in an unspecified timeframe if we consider it necessary" is not something that can be used well for planning ahead.

So, any insight in what is planned for the future would be appreciated a lot.

The updated Content Policies:

https://developer.chrome.com/docs/webstore/program_policies/#content_policies

[Gillian Chesnais]

I am working on an extension that requires users to sign up and be signed in to use.

In the context of users who are already signed up and signed in, what are the restrictions with loading an html page from my service in an iframe?

[hrg...@gmail.com]

On Friday, February 5, 2021 at 11:18:54 AM UTC-3 va...@interviewschedule.com wrote:

My company is planning on making a substantial investment into a chrome extension, and we want to ensure we choose an architecture that will not become unsupported in the future.

2015: NPAPI is no longer supported, causing hundreds of extensions to stop working.

2020: Chrome Apps are no longer supported. Thousands of apps will just no longer work.

2022: PPAPI  will no longer be supported. Solutions that relied on it will die.

202X: Major breaking change to the Extensions API, which will render an unknown number of extensions unusable, and many more with reduced functionality and user experience.

And much, much, MUCH! more at: https://killedbygoogle.com

Moral of the story: There's one thing you can be sure about... whichever Google technology your company decides to rely on, it will be the wrong decision.

 

[bradcush]

Hi Simeon,

To the first point @gogreen has mentioned and what you said in your response above...

> "Some web services require that their libraries are loaded from their servers."

We have a situation where we do need to load a third-party library from their servers and don't have an option to bundle it with our software. The context of our situation is we have and new tab opened showing a UI for our application (I think it's still considered a context script even if we own the page if I'm not mistaken) that itself loads a separate iframe which in turn loads this third-party script. We do this to sandbox the script and communicate with it by sending messages between our main frame and this iframe.

As referenced in https://developer.chrome.com/docs/webstore/program_policies/#content_policies:
> Including a <script> tag that points to a resource that is not within the extension's package

It seems your recommendation is inline with the quote above but would there be any difference in how this is treated in our case since we use an iframe with a <script> tag and it's not directly requested form the main frame. Are you able to shed any additional light on this type of case? Also curious on Googles position about any use of a CDN for script resources as it seems that wouldn't be allowed.

Also one more side question but as this is only mention for MV3 do you see any chance that Google could take a position stricter for MV2 extensions and start enforcing some of what's proposed around remotely hosted code restrictions for MV2 extensions?

Thanks!

Bradley

[Wesley Bacon]

somehow I got to this forum from the source page of a google slide

[Владимир Янкович]

You feel lucky.

вторник, 9 февраля 2021 г. в 00:47:01 UTC+3, wesley...@dpschools.org:

[Emanuela Dance]

I was wondering the same thing, then I found this, which seems to me to include the whole area of iframes with external content. Can anyone confirm?

"Externalize logic with a remote service—Consider migrating application logic from the extension to a remote web service that your extension can call. (Essentially a form of message passing.) This provides you the ability to keep code private and change the code on demand while avoiding the extra overhead of resubmitting to the Chrome Web Store." (https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/#remotely-hosted-code)