[Manifest V3] Extension Rejected for “Remotely-Hosted Code”

552 views
Skip to first unread message

Yureshwar Ravuri

unread,
Jul 15, 2025, 11:06:30 AMJul 15
to Chromium Extensions
Hi,

We are working on an Open Source Chrome extension: Digital Assistant Client

We've had our Chrome Extension published on the Chrome Web Store for quite some time. Recently, while submitting a new version with only minor enhancements (no major changes or new dependencies), the update was surprisingly rejected with the following violation:

"Including remotely-hosted code in a Manifest V3 item."

This was unexpected. We haven’t added any externally hosted scripts. However, in the violation details, the following URL was mentioned:

Our extension is built using React + TypeScript, and we’ve been using the ReactGA npm package for event tracking with Google Analytics. Importantly, this library is bundled during the build process—we are not loading it remotely at runtime.

This implementation has been part of our extension for a long time and never triggered any issues until now.

Has anyone else encountered this recently?
Why is this suddenly being flagged now as a violation under Manifest V3?
Is using ReactGA (which internally references gtag.js) considered a breach even if it’s bundled?

Any guidance or insights would be greatly appreciated!

Thanks in advance.

Patrick Kettner

unread,
Jul 15, 2025, 11:24:58 AMJul 15
to Yureshwar Ravuri, Chromium Extensions
Hi Yureshwar
Without seeing your code its hard to say. It could be a mistake that you could appeal. If it is loading in remote code at runtime, then that is a violation and it was just missed during reviews in the past. 
There is no requirement to use or not use react-ga, just that any library being loaded comes from the package itself (or is loaded in sandboxed iframe). We have a tutorial on how to use GA4 in extensions, for what thats worth.

all the best
patrick

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/d7295874-9c98-4388-a7be-06e2a49512e4n%40chromium.org.

Okeowo Aderemi

unread,
Jul 15, 2025, 12:29:40 PMJul 15
to Patrick Kettner, Yureshwar Ravuri, Chromium Extensions
Are you using Firebase in your project ?, I had the same issue too and wrote about it https://dojovader.github.io/chrome-extension/firebase/#remote-hosted-code-rhc 


To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAPAuxoAbkfiy%3D-nB-7n_-AfGgWfgqPBA2nmTp9R47LFdMXCHTw%40mail.gmail.com.


--
Shopify Developer / Front-end Engineer / Fullstack

Visit my Website http://okeowoaderemi.com
Visit my Linkedin

Patrick Kettner

unread,
Jul 15, 2025, 1:41:24 PMJul 15
to yureshwar ravuri, Okeowo Aderemi, Chromium Extensions
I saw the project, I meant the compiled code you submitted for review. 

On Tue, Jul 15, 2025 at 1:39 PM yureshwar ravuri <yure...@gmail.com> wrote:
Hi Okeowo & Patrick,

Thanks for the quick response. I am not using any Firebase in my project Okeowo.

@Patrick Kettner : You can find our code here 

Thanks & Regards,
Yureshwar Ravuri
Mob: +91 9030003889
Mail: yure...@gmail.com

Patrick Kettner

unread,
Jul 15, 2025, 1:52:55 PMJul 15
to yureshwar ravuri, Okeowo Aderemi, Chromium Extensions
In UDAPluginSDK, UDASdk and UDALoad you are creating and appending a script tag, and referencing https://www.googletagmanager.com/gtag/js. Unfortunately, I do not have the time to live debug the build in order to check if anything is actually being loaded from those sources, but I would hazard a guess that reviewers saw something similar. If your extension (including libraries like react-ga that are used by your extension) load a remote source like https://www.googletagmanager.com/gtag/js, then that would be a violation. If you are certain you are never loading a remote resource, then an appeal would be in order. I would also highly recommend you update your tree shaking or build process in general to remove references to remote resources like that, as it could easily cause false positives in the future.

On Tue, Jul 15, 2025 at 1:43 PM yureshwar ravuri <yure...@gmail.com> wrote:
It is there under the distribution folder Patrick. Here is the link

Thanks & Regards,
Yureshwar Ravuri
Mob: +91 9030003889
Mail: yure...@gmail.com

yureshwar ravuri

unread,
Jul 16, 2025, 7:59:01 AMJul 16
to Okeowo Aderemi, Patrick Kettner, Chromium Extensions
Hi Okeowo & Patrick,

Thanks for the quick response. I am not using any Firebase in my project Okeowo.

@Patrick Kettner : You can find our code here 

Thanks & Regards,
Yureshwar Ravuri
Mob: +91 9030003889
Mail: yure...@gmail.com


On Tue, Jul 15, 2025 at 9:59 PM Okeowo Aderemi <okeowo...@gmail.com> wrote:

yureshwar ravuri

unread,
Jul 16, 2025, 7:59:03 AMJul 16
to Patrick Kettner, Okeowo Aderemi, Chromium Extensions
It is there under the distribution folder Patrick. Here is the link

Thanks & Regards,
Yureshwar Ravuri
Mob: +91 9030003889
Mail: yure...@gmail.com

On Tue, Jul 15, 2025 at 11:10 PM Patrick Kettner <patrick...@google.com> wrote:

yureshwar ravuri

unread,
Jul 17, 2025, 5:59:42 AMJul 17
to Patrick Kettner, Okeowo Aderemi, Chromium Extensions
Thanks Patrick,

I am going to change my approach for the integration of gtag. Will post the solution once my approach gets approved.

Thanks & Regards,
Yureshwar Ravuri
Mob: +91 9030003889
Mail: yure...@gmail.com

Reply all
Reply to author
Forward
0 new messages