User auth with identitytoolkit.googleapis.com and remote code execution in MV3

[Pawel Kacprzak]

I'm in the process of updating my extension to MV3 and adding some extra features that require authorized access. What I'm doing right now is that in order to authorize a user in the extension, I do the following:

1. User click on a "Log in" button which redirects them to a website where they can log in to their account

2. Upon successful login, the website sends a message to the extension with a custom auth token

3. The extension uses firebase/auth and the received token to authorize the user in the extension

This works fine in development but I have a few questions for production build:

1. After debugging requests coming from the extension, it looks like firebase/auth uses https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken endpoint to sign in a user. I don't have this host added to host_permissions in manifest.json and the requests seem to work just fine. Can I leave it like that or do I have to add this endpoint to host_permissions? If possible I'd prefer to not add it to avoid handling permission warnings and/or requesting optional_host_permissions.

2. I installed Firebase from npm (https://www.npmjs.com/package/firebase) with version 9. Regarding the "no remote code execution" in MV3, can I somehow be sure that Firebase (or any other 3rd party installed packages) won't violate this rule?

3. My extension injects <iframe> into websites when triggered, e.g. embedded YouTube video player. Regarding the "no remote code execution" in MV3, can we be totally sure that injecting iframes like that, which in fact execute some JS but do that in an "isolated world", won't violate this rule?

Thanks,

Pawel