Is injecting an iframe into a webpage fine regarding "no remote code execution" in MV3?

[Pawel Kacprzak]

My extension injects <iframe> into websites when triggered, e.g. embedded YouTube video player. Regarding the "no remote code execution" in MV3, can we be totally sure that injecting iframes like that, which in fact execute some JS but do that in an "isolated world", won't violate this rule?

[wOxxOm]

The purpose of this restriction in MV3 is to prevent the extension authors from serving malicious code they wrote or otherwise obtained. It can't apply in this case for the obvious reason that YouTube is a known company owned by Google and doesn't serve your own code from their server. Of course some reviewer might not know it, so you may need to make an appeal. And for the sake of scientific precision, there are ways to spoof communication with any remote server by installing a MitM proxy in the user's company via social engineering (this is beyond Chrome's responsibility) or by hacking the provider's routers or the internet domain registry.

I've already suggested to make a curated list of such servers in https://crbug.com/1238213

P.S. Technically the iframe you inject doesn't run in the isolated world, it's the other way around: the isolated world of your extension exists inside the iframe (if you inject a content script there) along with the main world.

[Pawel Kacprzak]

Maybe I didn't make it clear enough but my question was about injecting an arbitrary iframe into a website's DOM (I mentioned YouTube iframe just as an example), so it can be either an iframe with a URL that I have or doesn't have control over.

I found a related discussion here https://groups.google.com/a/chromium.org/g/chromium-extensions/c/ks--r5hDNQ0/m/GQIf9xpJBAAJ, quoting Simeon:

> Let's look at an example. Say you wanted to display a map in your extension's popup using Mapbox. Today, you can embed Mapbox's <script> and <style> tags directly in your popup.html as described in their sample and you're good to go. Tomorrow, you'll need to embed an iframe points to a page (probably on your domain) that contains the map. If you need to detect interactions with the map, your sub-frame will have to postMessage those interactions to popup.html.

As I understand from this response, it's allowed, regarding the remote code execution rule, to embed an iframe into DOM and optionally communicate with it. Is my interpretation correct?

[wOxxOm]

I guess I got confused by the way you've mislabeled it as "isolated world". This exact term in the extensions platform denotes the separate execution environment for content scripts which is isolated from the main environment where the page scripts run.

Indeed ManifestV3 doesn't forbid adding frames and judging by your quote it's official.

P.S. BTW this shows that the restriction on external code in ManifestV3 doesn't make a lot of difference security-wise because the content script can send various sensitive data (obtained in other contexts such as the background script) via DOM events just as easily. The web store review team won't be able to discover it in many cases if a capable author made the extension because it's not easy finding such breaches under the bulk of complex business logic. I guess it's more of an image thing for Google to pacify the public after a series of independent investigations showed thousands of popular extensions were doing nefarious things. I'm sure they will still be able to do it in ManifestV3 without significant difficulties as the reviews are inevitably perfunctory in most cases. It reminds me an attempt of restricting the ability to use style="display:block" attributes (and the corresponding element.style.display accessors) in extension scripts that yours truly was able to prevent just before it was sealed by showing how trivial it is to circumvent.

[Pawel Kacprzak]

@wOxxOm Thanks a lot, that gives me more confidence in updating the extension to MV3. 

Regarding your P.S. - I totally agree especially considering the fact that fetching remote "configs" is allowed and in theory, a capable person could execute any arbitrary code like that. I guess this rule will at least discourage less stubborn authors to do malicious things but at the same time, it makes it for honest authors harder to deliver value to their users. I personally don't use any remote code but it raises questions like the one about iframes I asked here. 

I have another doubt regarding the "no remote code execution" in MV3 that I mentioned here: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/xQmZLc8cu6Q/m/YZsJA6HkBAAJ

In short, what about including code (e.g. 3rd party module from npm) that contains parts allowing for fetching and executing remote code but in our extension, we never use that functionality? In my case, it's Firebase Auth installed from npm that includes popup auth-related code that downloads https://apis.google.com/js/api.js but the extension never executes any popup auth actions. Any opinions or official statements regarding such cases?