Running code strings inside sandbox pages in Manifest V3

extension_tester

Apr 11, 2022, 1:24:45 PM
to Chromium Extensions
Hi,

Is it allowed to eval code strings or execute remote strings (once https://bugs.chromium.org/p/chromium/issues/detail?id=1220994 is fixed) inside sandbox pages in Manifest V3?

As I understand from this: https://bugs.chromium.org/p/chromium/issues/detail?id=1220994
it should be allowed. 

Our use case is using Google reCaptcha and communicating the results to / from an extension page via postMessage.

Is this allowed and would it be accepted in CWS?
Thank you!

extension_tester

Apr 12, 2022, 1:52:58 PM
to Chromium Extensions, extension_tester
Clarification: I know that it's possible to use eval in sandbox pages; my question is whether it's permitted by the CWS policy to load a remote script via fetch and use eval to execute it inside sandboxed pages?

Ibrahim

Apr 13, 2022, 3:59:27 AM
to Chromium Extensions, extension_tester
From personal experience, I published a new MV3 beta version of my extension to CWS, as unlisted and it got approved.

I am using the eval function in a sandboxed page as well. The only difference is that in my case the remote script is typed by the users, not fetched from an external server automatically. Not sure if that makes any difference.

Sudip Kumar Bhattacharya

May 7, 2022, 2:47:23 AM
to Chromium Extensions, Ibrahim, extension_tester
Hi Ibrahim,

Can you share some sample code extract demonstrating how sandbox was used for eval with MV3? 

Ibrahim

May 9, 2022, 8:02:38 AM
to Chromium Extensions, Sudip
Hi,

I'm not sure which part you are more interested in. My extension basically sends a JS string using the MessageChannel API from the content script to an iframe. Then the iframe page (which is the sandbox page declared in manifest.json) runs eval() on the received code and sends the result back to the content script through the same MessageChannel API.

Sudip

May 9, 2022, 8:27:58 AM
to Chromium Extensions, Ibrahim, Sudip
Hi Ibrahim,

I am looking for some MV3 compatible Sandbox sample code.

I have an extension which was using eval in the background script, which was invoked by the content script using messaging. While exploring alternatives for eval in MV3, I have come across the Sandbox concept, but I am not getting any MV3 compatible Sandbox code samples.

If you can point me to some GitHub repo link, or any tutorial/article, that will be helpful.

thdoan

Nov 23, 2022, 10:36:27 PM
to Chromium Extensions, Sudip, Ibrahim
@Ibrahim what if the evaluated code string needs to make some DOM manipulations (like click a button)? I don't think code existing in a sandboxed iframe page can interact with the main page the user is on. Any ideas for a workaround for this scenario?

Ibrahim

Nov 24, 2022, 3:52:44 AM
to Chromium Extensions, thdoan, Sudip, Ibrahim
The only workaround I see is by using the MessageChannel API to communicate with the content script, which has access to DOM elements.

There is no way for the evaluated code from the sandboxed page to access DOM elements directly.

Another alternative would be to eval your code in the MAIN world instead of the sandbox page, but this will not work if the website's CSP rules don't allow eval. This might also not be allowed by CWS and there are chances that your extension will not be published.

Dhruv TechApps

Mar 13, 2023, 6:00:00 AM
to Chromium Extensions, Ibrahim, thdoan, Sudip

Hi,

Can you provide a simple example of how to add a sandbox in MV3? The background is a service worker and I don't know how to add an iframe within it.
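
The flow described in the thread (content script sends a code string over a MessageChannel to a sandboxed iframe, which evaluates it and returns the result) is shown below as an added example; it is not code from any poster or from the Chromium project. It assumes a page named `sandbox.html`, and it goes one step further than the thread by having the evaluated code return a list of `{op, selector}` DOM requests that the content script checks against an allow-list before acting, since the sandbox page cannot reach the DOM itself.

```javascript
// Added example, not code from the thread. Hypothetical names: sandbox.html,
// the {op, selector} action shape, ALLOWED_OPS and all function names.
// manifest.json (MV3) marks the page where eval() is permitted:
//   "sandbox": { "pages": ["sandbox.html"] }

// Sandbox page: evaluate the received string and reply with a plain result.
function evaluate(code) {
  try { return { ok: true, value: (0, eval)(code) }; } // indirect eval: global scope
  catch (err) { return { ok: false, error: String(err) }; }
}

// Sandbox page wiring: the content script transfers a MessagePort after load.
function serveSandbox(win) {
  win.addEventListener('message', (e) => {
    const port = e.ports[0];
    if (port) port.onmessage = (m) => port.postMessage(evaluate(String(m.data)));
  });
}

// Content script: the only DOM operations evaluated code may request.
const ALLOWED_OPS = {
  click: (el) => { el.click(); return true; },
  text: (el) => el.textContent,
};

// Content script: validate every request before touching the page's DOM.
function applyActions(doc, actions) {
  if (!Array.isArray(actions)) return [{ ok: false, error: 'not a list' }];
  return actions.slice(0, 20).map((a) => {
    const op = a && a.op, selector = a && a.selector;
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPS, op)) return { ok: false, error: 'op not allowed' };
    let el = null;
    try { el = typeof selector === 'string' ? doc.querySelector(selector) : null; } catch (_) { el = null; }
    return el ? { ok: true, value: ALLOWED_OPS[op](el) } : { ok: false, error: 'no match' };
  });
}

// Content script wiring: embed the sandbox page and hand it one end of a channel.
function runInSandbox(doc, sandboxUrl, code, onResult) {
  const frame = doc.createElement('iframe');
  frame.src = sandboxUrl; // e.g. chrome.runtime.getURL('sandbox.html')
  frame.onload = () => {
    const { port1, port2 } = new MessageChannel();
    port1.onmessage = (m) => onResult(m.data.ok ? applyActions(doc, m.data.value) : [m.data]);
    frame.contentWindow.postMessage('init', '*', [port2]); // sandboxed page has an opaque origin
    port1.postMessage(code);
  };
  doc.body.appendChild(frame);
}
```

The value produced by the evaluated string has to be structured-cloneable data to cross the port, and embedding `sandbox.html` from a content script assumes the page is also listed under `web_accessible_resources`.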