Opening a self hosted website to fetch remotely hosted code


Shubham

Jun 2, 2023, 7:31:39 AM
to Chromium Extensions
Hi team,
I have 2 related queries regarding Manifest V3 Chrome extension development:

1. We have been using Manifest V3 to develop a Chrome extension. My requirement is to fetch SDK code from a CDN at runtime. Since, for security reasons, V3 doesn't allow fetching remotely hosted code, we have come up with a solution to open an iframe in our Chrome extension which will open a self-hosted website, and we will be fetching RHC from the CDN within that website. Since this is the only workaround we have come up with, we wanted to make sure that this solution doesn't violate any security policy and would result in successful submission at the time of app submission.

2. In regard to shipping the extension, for the first release, due to time constraints, we are planning to bundle the SDK code within the extension code itself instead of going with the above proposed solution. We intend to roll out the iframe-opening-hosted-website solution in the subsequent release. So, I wanted to make sure that the updates that we'll be publishing in the subsequent release will be applied automatically to users who already have the extension on their systems. Our understanding is that the updates will be applied automatically without any user intervention unless there is an additional permission specified in the manifest. Could you please confirm if this understanding is correct?

TIA

Oliver Dunk

Jun 2, 2023, 7:43:44 AM
to Shubham, Chromium Extensions
Hi Shubham,

> We have come up with a solution to open an iframe in our chrome extension which will be opening a self hosted website and we will be fetching RHC from CDN within that website. Since, this is the only workaround we have come up with, we wanted to make sure that this solution doesn't violate any security policy and would result in successful submission at the time of app submission.

This could definitely be a viable solution, as long as the way in which your extension interacts with the iframe doesn't put users at risk.

For example, let's say you embed a video in an iframe - I would expect that to be fine, since although remotely hosted scripts are loading, it is happening in an isolated context without access to any of the extension's data. The contents of that remote site could change but it wouldn't have any impact.

You could also use sandboxed pages in an iframe to achieve similar results: https://developer.chrome.com/docs/extensions/mv3/sandboxingEval/

On the other hand, let's say your extension is collecting a significant amount of sensitive user data, and then using postMessage to send it into the iframe - this would definitely be subject to heavier scrutiny. While the iframe may not do anything malicious with that data today, we can't guarantee it won't do so in the future.

There's definitely nuance here but hopefully that makes a bit of sense.

> So, I wanted to make sure that the updates that we'll be publishing in the subsequent release, will they be applied automatically to users already having extension on their systems? Our understanding is that the updates will be applied automatically without any user intervention unless there is any additional permission specified in the manifest. Could you please confirm if the understanding is correct?

Chrome periodically checks for updates and will update an extension as soon as it sees that a new version is available. However, if you request additional permissions (including things like adding new content scripts with additional hosts) the extension may be disabled until the user grants these. We recently launched a tool that you can use to see this behaviour (https://github.com/GoogleChromeLabs/extension-update-testing-tool) and there is some documentation here: https://developer.chrome.com/docs/extensions/mv3/permission_warnings/
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB



Shubham

Jun 2, 2023, 3:16:46 PM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, Shubham
Thank you so much, Oliver, for clearing these up. Just to confirm the response on the update process: if a permission is added and the update is published, and the user hasn't yet granted the permission, then the extension is disabled until the permission is granted, right?

Oliver Dunk

Jun 5, 2023, 7:13:26 AM
to Shubham, Chromium Extensions
Hi Shubham,

That's correct, assuming the new permission has a warning and isn't covered by previous ones. The logic for this is non-trivial (for example, requesting one permission may bypass the warnings for another) so I definitely encourage testing as a way to be sure.

As I mentioned you can use this tool to see this behaviour (https://github.com/GoogleChromeLabs/extension-update-testing-tool) and there is some documentation here: https://developer.chrome.com/docs/extensions/mv3/permission_warnings/
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

Shubham

Jun 18, 2023, 10:58:28 AM
to Oliver Dunk, Chromium Extensions
Extending the same solution, I have one more query. I believe my extension can send data to the hosted website (which is opened in an iframe) through the postMessage API. But how can I send data from the self-hosted website to the extension? Is this possible? If yes, then how? Examples would be helpful.
TIA
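
Added example (not part of any post in this thread, and not code from Chrome or the participants): one way an extension page can treat the embedded hosted site as untrusted when exchanging postMessage traffic in both directions, in line with the risk described earlier in the thread. The origin `https://sdk-host.example`, the element id `sdk-frame` and the message types are hypothetical placeholders.

```javascript
// Runs in the extension page that embeds the hosted site in an iframe.
// The hosted page replies with: window.parent.postMessage(msg, "chrome-extension://<extension id>")
const HOSTED_ORIGIN = "https://sdk-host.example"; // assumption: your hosted site

// Allow-list of inbound message types, each with a strict payload validator.
const INBOUND = {
  "sdk-ready": (p) => p === undefined,
  "sdk-result": (p) =>
    typeof p === "object" && p !== null &&
    typeof p.requestId === "string" && p.requestId.length <= 64 &&
    ["ok", "error"].includes(p.status),
};

// Returns a "message" event listener; frameWindow is iframe.contentWindow.
function makeInboundHandler(frameWindow, onMessage) {
  return function handle(event) {
    // Any window can post to us, so pin both the origin and the sender.
    if (event.origin !== HOSTED_ORIGIN) return "rejected:origin";
    if (event.source !== frameWindow) return "rejected:source";
    const msg = event.data;
    if (typeof msg !== "object" || msg === null) return "rejected:shape";
    const known = Object.prototype.hasOwnProperty.call(INBOUND, msg.type);
    if (!known || !INBOUND[msg.type](msg.payload)) return "rejected:type";
    onMessage(msg.type, msg.payload);
    return "accepted";
  };
}

// Outbound: copy only named, non-sensitive fields and pin the target origin,
// so user data held by the extension never reaches the remote page by accident.
function sendToFrame(frameWindow, type, fields) {
  const payload = { locale: String(fields.locale || "en") };
  frameWindow.postMessage({ type, payload }, HOSTED_ORIGIN);
  return payload;
}

// Browser wiring (skipped when the file is loaded outside a page).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.getElementById("sdk-frame");
  if (frame) {
    const handler = makeInboundHandler(frame.contentWindow, (type, payload) => {
      console.log("hosted page sent", type, payload);
    });
    window.addEventListener("message", handler);
    frame.addEventListener("load", () =>
      sendToFrame(frame.contentWindow, "init", { locale: navigator.language }));
  }
}
```

The handler returns a status string only so the rejection paths can be exercised in tests; in the page it is simply registered as the listener.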

wOxxOm

Jun 18, 2023, 2:31:32 PM
to Chromium Extensions, Shubham, Chromium Extensions, Oliver Dunk