MV3 policy for injecting iframes to web pages

[Zihua Li]

Hi, I'm the author of the Slab for Chrome extension: https://chromewebstore.google.com/detail/slab-for-chrome/nfkdkjjhioogcpdklmkocdhmjcpdflgg. The extension consists of two parts both showing inside a web page injected by a content script of the extension: https://share.slab.com/FmhTqfWX. Currently, the UI for both parts is rendered by code inside the bundle.

My question is: can we change both parts to use an <iframe> hosted on our website? Would this violate the MV3 remote hosted code policy: https://developer.chrome.com/docs/extensions/develop/migrate/remote-hosted-code? Just wanted to confirm before investing engineering effort.

Thank you very much!

[Oliver Dunk]

Hi Zihua,

Could you share some more context about:

(a) What renders inside each iframe / what actions the user can take?

(b) What data the iframe needs from the page? What does it need to be able to do the page?

There are no blanket policies against an extension adding an iframe, but we do need to be able to understand how the extension's capabilities will be used. An extension which used postMessage to send a significant amount of data about the page to the iframe, for example, may violate our policies as it is then unclear what the third-party site will do with that.

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/7941634a-81ba-4a38-8e00-0ade71b04475n%40chromium.org.

[Zihua Li]

Hi Oliver,

Our app (slab.com) is a wiki SaaS service so companies have their internal docs in it. The two parts are:

1. On the right side there's a sidebar, which lists recent docs of the user's company.

2. Click on a doc in the sidebar would open another UI: doc card. A doc card shows the content of a doc.

So the answer your questions:

(a) mentioned above

(b) the iframe doesn't need anything from the page. Users may copy content from their Slab doc to the page. An example use case is the user go to Google Docs to write, and they need some content in Slab, so they open the Slab extension, find their docs, and open it on the page so that they can refer/copy content.

[Oliver Dunk]

Hi Zihua,

Thanks for the extra context. While the final determination always happens during review, that sounds like something that I would expect to be ok.

If you do ever add messaging that allows the iframe to speak to the extension, just be very mindful of what privileges you are giving it and that these fit your extension's purpose and are not too broad.

Hope that helps,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB