Serious Issues with MV3 Restrictions – Captchas and API Calls


LXGIC

Aug 14, 2024, 6:39:02 AM
to Chromium Extensions

Hello everyone,

I’m writing to highlight some serious issues with the new Manifest V3 restrictions, which I find to be completely unacceptable.

Firstly, it’s nearly impossible to load captcha solutions like Google ReCAPTCHA under these new rules. Captchas are essential for ensuring user security, yet these restrictions make it nearly impossible to use them correctly. This isn’t about protecting users; it’s censorship that severely damages their web experience.

Moreover, based on the warning email I just received, it seems that contacting an external API and executing code based on its response is now prohibited. This restriction makes it incredibly difficult to develop interactive extensions that rely on online services. It’s outrageous. The code is contained within the app, yet these rules prevent basic functionalities from being implemented.

This isn’t just a security measure—it’s actively harming the user experience. Users will find their extensions broken with no viable alternatives or overly complex, non-ergonomic solutions. What do you think they’ll say? They’re not going to blame Google Chrome; they’ll blame the developers, without realizing that Google has intentionally crippled these extensions. This is utterly ridiculous.

It’s time to reconsider these restrictions before more damage is done.

Regards.

Oliver Dunk

Aug 14, 2024, 7:06:18 AM
to LXGIC, Chromium Extensions
Hi,

I'd be happy to talk through the options in each of these cases.

While I'm not familiar with any specific captcha services, I assume the issue you are running into is that they load external scripts which are blocked by the default CSP in Manifest V3. In that case, you could consider loading them in a sandboxed frame (different to the `sandbox` attribute) which can have a looser CSP: https://developer.chrome.com/docs/extensions/reference/manifest/sandbox.

The policy issue you mentioned is related to the Additional requirements for Manifest V3. It's ok to execute code already in your extension package based on the response - for example, enabling or disabling a feature or changing the parameters to a function. In other words, using remote data is ok. What isn't allowed is executing code from a remote source as this was being abused by extensions to run code that hadn't gone through the Chrome Web Store review process. If you think your extension was compliant, feel free to share the extension ID and I can take a look.

In both cases, these are changes made based on what we were seeing and in order to keep users safe. I know it can be some additional work to comply with these, and we understand that and try to reduce that as much as possible.

If you have any follow-up questions, I'd be happy to help.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB


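The sandboxed-page approach from the reply above, as an added example that is not the poster's extension and not Chrome's own code: extension pages keep the strict default CSP, the external captcha script is loaded only inside a sandboxed page, and the token comes back over postMessage. The hosts named in the sandbox CSP, the frame id and the token alphabet are assumptions for a reCAPTCHA-style widget; check the sandbox documentation linked above for the current defaults.

```javascript
// Added example, not the poster's extension and not Chrome's own code. It shows
// the pattern from the reply above: keep the strict default CSP on extension
// pages and load the external captcha script only inside a sandboxed page,
// passing the result back with postMessage. The hosts in the sandbox CSP and
// the token format are assumptions for a reCAPTCHA-style widget.

// manifest.json fragment, written as a JS object so this file also runs in Node.
const manifestFragment = {
  manifest_version: 3,
  sandbox: { pages: ["sandbox.html"] },
  content_security_policy: {
    // MV3 default for extension pages: no remote script sources at all.
    extension_pages: "script-src 'self'; object-src 'self'",
    // Sandboxed pages need the `sandbox` directive and may relax script-src.
    // Assumed hosts for the captcha script and the frame it renders.
    sandbox:
      "sandbox allow-scripts allow-forms allow-popups; " +
      "script-src 'self' https://www.google.com https://www.gstatic.com; " +
      "child-src 'self' https://www.google.com",
  },
};

// Parse "directive value value; directive ..." into a Map.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0], tokens.slice(1));
  }
  return directives;
}

// Pre-flight check: remote hosts belong in the sandbox CSP, never in
// extension_pages (Chrome refuses to load such a manifest anyway), and a
// custom sandbox CSP must carry the `sandbox` directive.
function checkManifestCsp(manifest) {
  const problems = [];
  const csp = manifest.content_security_policy || {};
  const pages = parseCsp(csp.extension_pages || "script-src 'self'; object-src 'self'");
  for (const src of pages.get("script-src") || []) {
    if (/^https?:/i.test(src) || src === "*") {
      problems.push(`extension_pages script-src allows ${src}; load it in a sandboxed page instead`);
    }
  }
  const sandboxPages = (manifest.sandbox && manifest.sandbox.pages) || [];
  if (sandboxPages.length > 0 && typeof csp.sandbox === "string" && !parseCsp(csp.sandbox).has("sandbox")) {
    problems.push("sandbox CSP must include a `sandbox` directive");
  }
  return problems;
}

// Extension page side. The sandboxed frame has an opaque origin, so
// event.origin is the string "null"; identity must come from event.source.
function acceptCaptchaMessage(event, sandboxWindow) {
  if (event.source !== sandboxWindow) return null;
  const data = event.data;
  if (!data || data.type !== "captcha-token" || typeof data.token !== "string") return null;
  // Assumed token alphabet and length bound; tighten to what the service documents.
  if (!/^[A-Za-z0-9_-]{1,4096}$/.test(data.token)) return null;
  return data.token;
}

// sandbox.html side: the captcha library's callback hands over a token, which
// is posted to the parent. "*" is used because the opaque-origin frame cannot
// name the extension origin more tightly; the parent is the only receiver.
function reportCaptchaToken(token, parentWindow) {
  parentWindow.postMessage({ type: "captcha-token", token }, "*");
}

// Browser-only wiring; skipped under Node so the helpers above stay testable.
if (typeof window !== "undefined" && typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.id) {
  const frame = document.getElementById("captcha-frame"); // assumed: <iframe src="sandbox.html">
  window.addEventListener("message", (event) => {
    const token = acceptCaptchaMessage(event, frame.contentWindow);
    // The token proves nothing until your own server verifies it with the
    // captcha provider; hand it to the service worker for that call.
    if (token) chrome.runtime.sendMessage({ type: "verify-captcha", token });
  });
}
```

The sandboxed page cannot call chrome.* APIs, which is the point: it runs the third-party script in an opaque origin, and only the validated token crosses back into extension-privileged code.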

LXGIC

Aug 14, 2024, 7:39:59 AM
to Chromium Extensions, Oliver Dunk, LXGIC

Hello, thank you for your quick reply.

The problem isn't with the CSP. I've just received an email from the Chrome Web Store asking me to modify my extension within 30 days before it's deleted. The code hasn't changed in 1 year and that's all I get now.

Blue Argon:
- Dynamic script injected ‘https://www.google.com/recaptcha/api.js?render=explicit’
- Some background extension code that uses Chrome APIs based on the response (to update declarativeNetRequest rules). I really do not understand this one.

Red Titanium: Obscured code, but my code is only minified. Is this Chrome's way of saying my code is poorly written?

My problem here is that the extension I created requires dynamic rules to be updated on the fly for the simple reason that the extension allows the user to load external content from certain sites without ads and without loading malicious content. These sites use mechanisms to bypass the security introduced by Chrome, such as anti-third-party-cookie measures and dynamic domain names, which makes it virtually impossible to systematically go through the Chrome Web Store to get the extension to work.

Firstly, to my knowledge, the Chrome Web Store doesn't have an API that allows you to dynamically submit an extension update. Static rules can't be used either, because these clever guys change certain headers dynamically on a case-by-case basis.

LXGIC

Aug 14, 2024, 7:48:26 AM
to Chromium Extensions, LXGIC, Oliver Dunk
PS: I've just seen that it is indeed possible to publish the extension dynamically via https://developer.chrome.com/docs/webstore/using-api. The problem is always that the review takes too long and it's not realistic for my use case to use static rules as this depends largely on the user's IP and ASN.

Oliver Dunk

Aug 14, 2024, 8:50:03 AM
to LXGIC, Chromium Extensions
Would you be able to share your extension ID? We have a different review verdict for violations of the remote hosted code policy, so it sounds like something different may be the cause here.

If you're looking to dynamically change rules in the Declarative Net Request API, you can add dynamic and session rules as described here: https://developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest#dynamic-and-session-rules

While I appreciate your frustration, please do remember that everyone is acting in good faith. We'll always do our best to help you if your use case is within our policies :)

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB
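The "remote data, not remote code" distinction from the first reply, combined with the dynamic-rules pointer above, as an added example that is not the poster's extension and not Chrome's code: the API returns JSON, the extension validates it field by field and turns it into declarativeNetRequest dynamic rules. Nothing in the response is executed; an unrecognised field is dropped rather than interpreted. The endpoint URL, the reserved id range and the allow-lists are assumptions.

```javascript
// Added example, not the poster's extension and not Chrome's code. Remote JSON
// only parameterises rules for chrome.declarativeNetRequest.updateDynamicRules;
// no part of the response is ever evaluated. URL, id range and allow-lists are
// assumptions.

const REMOTE_RULES_URL = "https://api.example.test/rules.json"; // assumed endpoint
const RULE_ID_BASE = 1000; // assumed: ids >= 1000 are reserved for remote-derived rules
const ALLOWED_ACTIONS = new Set(["block", "allow", "modifyHeaders"]);
const ALLOWED_RESOURCE_TYPES = new Set([
  "main_frame", "sub_frame", "script", "xmlhttprequest", "image", "stylesheet", "media", "other",
]);
const ALLOWED_HEADER_OPS = new Set(["set", "remove"]);

// Turn one untrusted JSON entry into a rule, or null if anything is off.
function sanitiseRule(entry, index) {
  if (typeof entry !== "object" || entry === null) return null;
  const { urlFilter, action } = entry;
  if (typeof urlFilter !== "string" || urlFilter.length === 0 || urlFilter.length > 2000) return null;
  if (!ALLOWED_ACTIONS.has(action)) return null;
  const resourceTypes = Array.isArray(entry.resourceTypes)
    ? entry.resourceTypes.filter((t) => ALLOWED_RESOURCE_TYPES.has(t))
    : [];
  if (resourceTypes.length === 0) return null;

  const ruleAction = { type: action };
  if (action === "modifyHeaders") {
    const headers = Array.isArray(entry.requestHeaders) ? entry.requestHeaders : [];
    ruleAction.requestHeaders = headers
      .filter((h) => h && typeof h.header === "string" && ALLOWED_HEADER_OPS.has(h.operation)
        && (h.operation === "remove" || typeof h.value === "string"))
      .map((h) => (h.operation === "remove"
        ? { header: h.header, operation: "remove" }
        : { header: h.header, operation: "set", value: h.value }));
    if (ruleAction.requestHeaders.length === 0) return null;
  }
  const priority = Number.isInteger(entry.priority) && entry.priority > 0 ? Math.min(entry.priority, 100) : 1;
  return { id: RULE_ID_BASE + index, priority, action: ruleAction, condition: { urlFilter, resourceTypes } };
}

// Build the argument for updateDynamicRules: drop every rule previously derived
// from the API, add the freshly validated set, leave other dynamic rules alone.
function buildDynamicRuleUpdate(remotePayload, existingDynamicRules) {
  const entries = remotePayload && Array.isArray(remotePayload.rules) ? remotePayload.rules : [];
  const addRules = entries.map(sanitiseRule).filter((r) => r !== null);
  const removeRuleIds = existingDynamicRules.filter((r) => r.id >= RULE_ID_BASE).map((r) => r.id);
  return { addRules, removeRuleIds };
}

// Browser side: fetch, validate, apply. `dnr` is chrome.declarativeNetRequest,
// injected so the pure helpers above can be exercised without a browser.
async function syncRulesFromApi(dnr, url = REMOTE_RULES_URL) {
  const response = await fetch(url, { credentials: "omit", cache: "no-store" });
  if (!response.ok) throw new Error(`rule fetch failed: ${response.status}`);
  const payload = await response.json(); // data only; never response.text() into eval/Function
  const existing = await dnr.getDynamicRules();
  const update = buildDynamicRuleUpdate(payload, existing);
  // Newer Chrome exposes MAX_NUMBER_OF_DYNAMIC_RULES; older builds only the combined constant.
  const limit = dnr.MAX_NUMBER_OF_DYNAMIC_RULES ?? dnr.MAX_NUMBER_OF_DYNAMIC_AND_SESSION_RULES;
  const kept = existing.length - update.removeRuleIds.length;
  if (Number.isInteger(limit) && kept + update.addRules.length > limit) {
    throw new Error("remote rule set exceeds the dynamic rule limit");
  }
  await dnr.updateDynamicRules(update);
  return update.addRules.length;
}

if (typeof chrome !== "undefined" && chrome.declarativeNetRequest) {
  // Service worker: refresh the remote-derived rules when the extension is installed or updated.
  chrome.runtime.onInstalled.addListener(() => syncRulesFromApi(chrome.declarativeNetRequest));
}
```

Note that modifyHeaders rules count against a smaller "unsafe" dynamic-rule quota than plain block/allow rules, so an extension that mostly rewrites headers should size its remote list accordingly. The review-relevant property is that every behaviour the rules can express is already visible in the shipped package: the API can only choose among them.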

woxxom

Aug 14, 2024, 1:45:11 PM
to Chromium Extensions, Oliver Dunk, LXGIC
>  While I appreciate your frustration, please do remember that everyone is acting in good faith.

Considering every criticism as a personal attack is kinda petty and this excuse (acting in good faith) is terrible, because good intentions pave the road to hell. Only movie villains and literally insane people do bad things intentionally, while in real life people do the wrong things while having good intentions. Thing is, everyone is biased, because bias is an intrinsic consequence of having knowledge, which is why one's own opinion of one's intentions is entirely useless, as well as the opinion of those who share one's bias and one's echo chamber. The facts show that ManifestV3 breaks a lot more than necessary without providing measurable benefits.

LXGIC

Aug 21, 2024, 3:00:46 PM
to Chromium Extensions, woxxom, Oliver Dunk, LXGIC

Dear Chrome Extensions Community,

I am writing to share a deeply troubling experience that I believe every developer here needs to be aware of. My extension, "Animeo TV" (ID: gkgeceefcekjbbjekmipjiimofjbapdo), was recently suspended by the Chrome Web Store. This happened right after a discussion with Oliver Dunk, where he hinted at potential concerns with my extension. To my dismay, my extension was suspended just a few days later.

Let me be clear: there is nothing malicious about my extension. Yet, Google's approach has been nothing short of aggressive and dismissive. Rather than engaging in a meaningful dialogue or attempting to understand the true functionality of my extension, they have taken the path of censorship. They seem to interpret anything they don’t fully grasp as malicious or non-compliant, and then swiftly act to remove it without giving developers a fair chance to defend or explain their work.

Worse still, they publicly label legitimate extensions with harmful and defamatory messages like, "The extension Example has been disabled because it contained malicious software." This is not only misleading but damaging to the reputation of honest developers who are trying to contribute positively to the platform.

Google’s practices in this regard are not about protecting users; they are about control and censorship under the guise of "security." They are quick to spy on our work, making snap judgments and shutting down anything that doesn’t fit within their narrow view.

As developers, we deserve better. We deserve transparency, fairness, and the opportunity to defend our work before it’s tarnished by baseless accusations. Google’s current approach is harmful, not just to individual developers like myself but to the entire ecosystem. It stifles innovation, promotes fear, and undermines trust in the platform.

I urge the community to stand up against these unfair practices. We need to demand that Google treat developers with the respect and fairness we deserve. If they can do this to me, they can do it to any one of us. Let's not allow this kind of behavior to continue unchallenged.

Thank you for your attention, and I hope this sparks a necessary conversation about the rights and treatment of developers on this platform.

Best regards.

Oliver Dunk

Aug 21, 2024, 3:02:41 PM
to LXGIC, Chromium Extensions, woxxom
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB
