Possible to use Appcheck verified backend?
Craig
Violation reference ID: Blue Argon
Technical Requirements - Additional Requirements for Manifest V3:
- Violation:Including remotely hosted code in a Manifest V3 item.
- Violating Content:
- Code snippet: popup.js: gapiScript: 'https://apis.google.com/js/api.js', recaptchaV2Script: 'https://www.google.com/recaptcha/api.js', recaptchaEnterpriseScript: 'https://www.google.com/recaptcha/enterprise.js?render='
Corresponds to notification ID: Blue Argon
The intent of this policy is to ensure that Manifest V3 extensions are not including remotely hosted code.
Common reasons for rejectionIncluding a <script> tag that points to a resource that is not within the extension's package.
Using JavaScript's eval()` method or other mechanisms to execute a string fetched from a remote source.
Building an interpreter to run complex commands fetched from a remote source, even if those commands are fetched as data.
Double check all code for references to external JavaScript files, which should be replaced with internal extension files.
Review the Manifest V3 migration guide Improve extension security for a walkthrough on alternatives to execution of arbitrary strings and remotely hosted code.
Patrick Kettner
reCAPTCHA and gapi require their libraries to be loaded at runtime from their CDN, which is fundamentally incompatible with the standard extension surfaces (at least as far as what is allowed on the store). If you load the functions through an iframe (either in an offscreen document, or in a sandboxed iframe, then it would be allowed.
--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/64bafa86-68da-4e9a-888a-5ef9ad64c11dn%40chromium.org.