Webassembly in trustworthy Chrome extensions

[Kieran McElhinney]

In the article Trustworthy Chrome Extensions, by default it states well will be able to use minification but not obfuscation.

The question however is what does this mean for webassembly modules used in Chrome extensions?

https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html?m=1

Thanks
Kieran

[ja...@chromium.org]

Hi Kieran,

Web Assembly itself is not disallowed, but the obfuscation policy still applies. If your extension appears to deliberately use WASM modules to make functionality difficult for our review team to understand, it will be considered a violation. Please note that WASM may also lead to longer review times for your extension.

Best,

James

[Chid Gilovitz]

Hi Kieran and James,

this goes back a while but is biting our team at the moment, and I haven't been able to find much other documentation on this issue. I hope you can shed some light on our situation.

Our extension depends on a library which contains some compiled webassembly code used for cryptographic functions. An update to our extension has been rejected under the code readability policy due to obfuscated code. The reviewers have pointed to the compiled wasm code as the source of the issue. We know that several other extensions are using exactly the same library, and we also know that some very popular extensions contain compiled wasm (eg uBlock Origin), so clearly it is acceptable to include wasm in the published extension.

James, your comment suggests that the decision regarding whether or not WASM is considered a violation is quite subjective. What can we do, as consumers of a dependency containing wasm, to make it clear to the reviewers that nothing malicious is taking place?