Sideloading of MV3 extension containing remote code injection

[Pallav Maheshwari]

Hi

We have a MV3 extension which has an instance of remote code injection. We don't want this extension to be published in chrome store and rather on a separate storage of ours. Users can download the extension and add it to their browsers by either enabling developer mode, and adding the extension or by using group policies to force install the extension.

We got to know that there is a chrome policy - ExtensionManifestv2Availability which would have to be enabled for using MV2 extension after the cutoff date set by google for MV3 migration.

My question is - Would MV3 extension, with remote code injection be allowed to get sideloaded in the below 2 cases :
Installing extension via Load Unpacked with Developer Mode = ON
Installed forcefully with a group organisation's IT team (ExtensionManifestv2Availability is not enabled) and Developer Mode = OFF

Thanks

[Patrick Kettner]

Hello again Pallav

I assume you mean remote code execution, yes?

> My question is - Would MV3 extension, with remote code injection be allowed to get sideloaded in the below 2 cases :

Allowed by whom? Chrome does not change how any of this is enforced based on whether or not a policy is set. There are two methods that remote hosted code are blocked. via CSP, which is not impacted by any of this, and via Chrome Web Store policy, which is also not impacted by any of this.

Whether or not a user has dev mode turned on has nothing to do with any of this. What I said multiple times in the other thread was that any extension that is capable of running via developer mode in that version of Chrome, will work. It has nothing to do with that specific user. Does it work on your computer - the developer. Yes? Then it works. No? Then it doesn't.

---

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein.  If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.  The opinion expressed in this mail is that of the sender and do not necessarily reflect that of Whatfix Private limited and its affiliates & subsidiaries. Thank you for your co-operation.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/c8415a84-c4a2-4da1-ab4d-68786136d3b1n%40chromium.org.

[Pallav Maheshwari]

Hi Patrick

Let me rephrase my concern a bit :
With the current chrome version, I am able to sideload this particular MV3 extension(with RCE) and it works.
Our main concern is that once chrome store stops accepting MV2 extensions and blocks any MV3 extension with RCE, would the same restrictions(of blocking MV3 extensions with RCE) be applied to the future chrome browser versions too?