Did anyone know about sandBoxing in chromeExtension??


sakthi

Aug 18, 2023, 12:57:18 PM
to Chromium Extensions
Hi there. I need to import and use an external library for my extension, but the extension blocks the import, so now I can't use the library normally. To overcome this, I saw that a sandbox will help, but there are no proper explanatory docs/videos. If you find any doc, please share it here.


Working:
I injected an iframe (frame.html) at the bottom of the page when the user clicks the extension icon. In that iframe I have three buttons; when the user clicks a button, frame.js handles the event for frame.html. I need to import the d3 library in my frame.html so that I can work with d3 in frame.js. But the extension prevents importing a 3rd-party library.

Jackie Han

Aug 19, 2023, 4:39:49 AM
to sakthi, Chromium Extensions
Extension Manifest V3 doesn't allow embedding remotely hosted code.

1. preferred: usually, you should download the library code and bundle it in your extension.
For your use case, you can download https://d3js.org/d3.v7.min.js to use it offline.

2. alternative: if the code can't be used offline, you can try a sandbox page.
Although extension sandbox pages allow remote code, they have other restrictions that may cause other problems you don't expect.

Some CSP/sandbox references:



sakthi

Aug 21, 2023, 1:35:40 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, sakthi
Oh OK, but why is Handlebars used in the sandbox page? https://developer.chrome.com/docs/extensions/mv3/sandboxingEval/
Do we need to compile the code which uses the 3rd-party library in the sandbox and then send it back to the extension scope?

Jackie Han

Aug 21, 2023, 1:55:41 AM
to sakthi, Chromium Extensions
> Oh okk, But why handlebars used in sandbox page??? https://developer.chrome.com/docs/extensions/mv3/sandboxingEval/

I never use Handlebars. That article (and its title) talks about "eval()", which is disabled in extensions. So I guess that the library uses "eval()" internally.

> Do we need to compile the code which uses 3rd party library in sandbox and then send back to extension scope?

See my previous comment. It has answered this question.

Suzette O'Donnell

Aug 21, 2023, 1:57:41 AM
to Jackie Han, sakthi, Chromium Extensions

sakthi

Aug 21, 2023, 3:04:10 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, sakthi
Just now saw this post: https://developer.chrome.com/docs/extensions/migrating/improve-security/#remove-remote-code It says remote code is not allowed. So there is no way to include a 3rd-party library, even if I try the sandbox logic?

Jackie Han

Aug 21, 2023, 7:59:51 AM
to sakthi, Chromium Extensions
My first reply answered your question. It looks like you don't fully understand. I suggest you read it again, including the reference links.
If you encounter any problems, please attach your detailed code and error.

piyush gupta

Aug 21, 2023, 1:48:58 PM
to Chromium Extensions, Jackie Han, Chromium Extensions, sakthi
Not the expert here, but because I'm also trying to run some code in a sandbox, I have some thoughts.
Sakthi, it would be a great help if you could post the code (manifest, sandbox HTML, the failing script) you're trying to run; you can also post the link to your GitHub repo.

Ques:
1. What happens when you try to fetch the d3.js file from the sandbox? What's the error?
2. Why can't you just bundle d3.js with your extension like Jackie suggested?
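
Added example, not part of the thread or of any poster's code: a small Node.js check that scans an extension's HTML pages for remote `<script src>` references and reports whether each page is declared under the manifest's `sandbox.pages`, following the two options in the first reply. The manifest, the file names other than frame.html, and all page contents are constructed samples.

```javascript
// Added example (not from the thread). Manifest and page contents are constructed samples.
const REMOTE = /^(?:https?:)?\/\//i; // absolute or protocol-relative URL

// Collect every <script src="..."> value found in an HTML string.
function scriptSources(html) {
  const re = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  for (const m of html.matchAll(re)) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Report remote script references and whether the page is a declared sandbox page.
function auditRemoteScripts(manifest, files) {
  const sandboxed = new Set(
    (manifest.sandbox?.pages ?? []).map((p) => p.replace(/^\//, ""))
  );
  const findings = [];
  for (const [file, html] of Object.entries(files)) {
    for (const src of scriptSources(html)) {
      if (!REMOTE.test(src)) continue; // bundled, extension-local file
      const inSandbox = sandboxed.has(file);
      findings.push({
        file, src, inSandbox,
        advice: inSandbox
          ? "declared sandbox page: option 2 in the first reply, other restrictions apply"
          : "extension page: MV3 does not allow remotely hosted code, bundle the file",
      });
    }
  }
  return findings;
}

// Constructed sample extension: one page loading d3 remotely, one sandbox page,
// and one page using a downloaded copy of https://d3js.org/d3.v7.min.js.
const manifest = {
  manifest_version: 3, name: "sample", version: "1.0",
  sandbox: { pages: ["sandbox.html"] },
};
const files = {
  "frame.html": '<script src="https://d3js.org/d3.v7.min.js"></script><script src="frame.js"></script>',
  "sandbox.html": "<script src='https://d3js.org/d3.v7.min.js'></script>",
  "frame_fixed.html": '<script src="lib/d3.v7.min.js"></script><script src="frame.js"></script>',
};

for (const f of auditRemoteScripts(manifest, files)) {
  console.log(`${f.file}: ${f.src} -> ${f.advice}`);
}
```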