iframe usage


Ohad Dahan

Jul 12, 2024, 8:04:27 AM
to Chromium Extensions
My understanding of https://developer.chrome.com/docs/extensions/how-to/security/sandboxing-eval is that I can use iframes as I see fit, no specific limitations since they're sandboxed.

In my specific case, I have multiple clients, extension/mobile/desktop and developing the UI for each separately is painful.
Hence I want to move all the UI to the server and all clients, including the extension will use an iframe to load their UI.

I will use MessageChannel to communicate with the iframe, to facilitate interactions with chrome API as needed.

Wanted to make sure this is ok and doesn't violate store policies. 

Stefan Van Damme

Jul 12, 2024, 5:13:19 PM
to Chromium Extensions, Ohad Dahan
Hi there,

Yes that is allowed on the Chrome Web Store. For example, I created a Chrome extension that can load website content in an iframe. With my Page Sidebar Chrome extension, I can open any website in the Chrome browser side panel. And use background -> iframe communication with a script.

Thanks,

ka...@couponfollow.com

Jul 15, 2024, 3:22:56 AM
to Chromium Extensions, Stefan Van Damme, Ohad Dahan
Hey Ohad, I'm curious, so you're planning to have basically a SPA hosted somewhere from your infrastructure and display it in an iframe opened by your extension? So, for example, whenever your extension is meant to display a popup, it will create an iframe pointing to your server?
It sounds interesting tbh. From my experience - dealing with iframe size can be painful, but it depends on the use case ofc.

Ohad Dahan

Jul 16, 2024, 8:25:49 PM
to Chromium Extensions, ka...@couponfollow.com, Stefan Van Damme, Ohad Dahan
Yes, that's the plan.
Technically the size isn't really an issue since I can send a message to the parent frame to change it if needed; also, extensions are usually static in size anyway, so not a big issue either way.

ka...@couponfollow.com

Jul 19, 2024, 3:28:25 AM
to Chromium Extensions, Ohad Dahan, ka...@couponfollow.com, Stefan Van Damme
Would be good to hear from someone on the Chrome team, but I feel that it could violate the policy. 
I mean if I load the view from my server, as a template or whatever, including scripts required for the view to work, then the Chrome team can't reliably review my extension when it's submitted, right? And even if you claim your view doesn't include any scripts, they can't be sure.
Ofc the scripts can be harmless, purely visual, etc, but on the other hand, one can build an extension that will proxy commands from the server-hosted scripts to extensions API. Tricky subject, but if such views are allowed, that would greatly speed up development and experimentation.

Oliver Dunk

Jul 22, 2024, 5:24:15 AM
to ka...@couponfollow.com, Chromium Extensions, Ohad Dahan, Stefan Van Damme
Hi all,

The most important piece here is the proxying of calls to extension APIs from a remote script. If the capabilities exposed are reasonable, and it is clear what they would be used for and why that is needed for your extension, you should be ok.

There is no specific policy that prohibits hosting UI outside of your extension bundle but we do still need to be able to determine the functionality of your extension, which is something that is assessed during review.

I hope that helps.

Thanks,
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB


--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/d1a9a4f1-da61-457c-942e-7199e9c7fe60n%40chromium.org.

Ohad Dahan

Jul 22, 2024, 9:50:11 AM
to Chromium Extensions, ka...@couponfollow.com, Ohad Dahan, Stefan Van Damme
I don't think Google checks the code other than automatic testing and maybe a quick manual test.
They allow using WASM hence they can't even check the source of some extensions.
Furthermore, I actually personally reported some malicious extensions and nothing was done, so the process might be much looser than you imagine.

ka...@couponfollow.com

Jul 24, 2024, 4:28:09 AM
to Chromium Extensions, Ohad Dahan, ka...@couponfollow.com, Stefan Van Damme
Hey Oliver, thank you for your response.

> There is no specific policy that prohibits hosting UI outside of your extension bundle but we do still need to be able to determine the functionality of your extension, which is something that is assessed during review.

How can you assess the functionality during the review if the extension uses UI hosted on a remote server? It can be completely changed after you review it, right? It's like a SPA, one can deploy a new version at any given moment. Or did I get it wrong? For example, if we host the UI of the main extension popup (visible after you click the icon), including styles, and scripts to handle the UI, is that OK from your perspective? The popup would be essentially just a shell to load the iframe with a URL to our server with a SPA.

Ohad Dahan

Jul 24, 2024, 4:30:38 AM
to Chromium Extensions, ka...@couponfollow.com, Ohad Dahan, Stefan Van Damme
The specifics of your UI aren't really that important to Google, but more critical is what you do with the permissions you requested.
That will still be exposed in the code you submit to review.

At least that's my assumption.

Oliver Dunk

Jul 24, 2024, 4:36:12 AM
to Ohad Dahan, Chromium Extensions, ka...@couponfollow.com, Stefan Van Damme
> I don't think Google checks the code other than automatic testing and maybe a quick manual test.

Unfortunately we're somewhat careful about what we share in public, but there is more to review. The best resource is likely this video we published earlier in the year: https://www.youtube.com/watch?v=BHIZUT_m7AM

> The specifics of your UI aren't really that important to Google, but more critical is what you do with the permissions you requested. That will still be exposed in the code you submit to review.

Yes, this is a good summary. As well as the permissions you request, any extension APIs will need to be called by sending a message from the iframe to the extension, and that code will need to be submitted. This can't catch everything of course, but we make the best judgement we can about the relevance of what an extension has access to compared to its stated single use, and also the risk associated with what it is capable of.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

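The iframe-to-extension message proxy described in the first post, written the way Oliver's answer says it needs to be reviewable: the extension bundle carries a fixed, readable allowlist of capabilities rather than a generic bridge to chrome.*. This is an added example, not code from any poster or from Chrome; the UI origin is a placeholder and the two capabilities are hypothetical.

```javascript
// Extension-side broker for a server-hosted UI iframe. The remote page can
// only invoke the capabilities enumerated here, arguments are validated, and
// the MessageChannel port is handed only to a document at the expected origin.

const TRUSTED_UI_ORIGIN = "https://ui.example.invalid"; // placeholder for your UI host

// Everything the remote UI may ask the extension to do. `api` is the chrome
// namespace, injected so the broker can be unit-tested with a fake.
function buildCapabilities(api) {
  return {
    // Read-only: URL of the active tab (needs the "tabs" permission).
    getActiveTabUrl: async () => {
      const [tab] = await api.tabs.query({ active: true, currentWindow: true });
      return tab ? tab.url : null;
    },
    // Narrow write: one fixed storage key, bounded value length.
    saveNote: async ({ text }) => {
      if (typeof text !== "string" || text.length > 2000) throw new Error("bad text");
      await api.storage.local.set({ note: text });
      return true;
    },
  };
}

// Handles one {id, method, params} request from the iframe. Methods are
// looked up on the allowlist only, never dynamically on the chrome object.
async function handleRequest(request, api) {
  const id = request && request.id;
  const method = request && request.method;
  const caps = buildCapabilities(api);
  if (typeof method !== "string" || !Object.prototype.hasOwnProperty.call(caps, method)) {
    return { id, error: "unknown method" };
  }
  try {
    return { id, result: await caps[method](request.params || {}) };
  } catch (e) {
    return { id, error: e.message || String(e) };
  }
}

// Port handshake, called from a window "message" listener in the popup page.
// The iframe posts {type:"ui-ready"}; a channel is created and port2 is
// transferred only when that message comes from TRUSTED_UI_ORIGIN.
function handshake(event, api) {
  if (event.origin !== TRUSTED_UI_ORIGIN || !event.data || event.data.type !== "ui-ready") return false;
  const { port1, port2 } = new MessageChannel();
  port1.onmessage = async (ev) => port1.postMessage(await handleRequest(ev.data, api));
  event.source.postMessage({ type: "port" }, TRUSTED_UI_ORIGIN, [port2]);
  return true;
}
```

In the popup page, register `window.addEventListener("message", (e) => handshake(e, chrome))` after inserting the iframe; the iframe-side script posts `{type: "ui-ready"}` to `window.parent` and then sends `{id, method, params}` requests over the port it receives.
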
ka...@couponfollow.com

Jul 24, 2024, 4:42:43 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, ka...@couponfollow.com, Stefan Van Damme, Ohad Dahan
Thanks, it sounds reasonable.