Remotely Hosted Code and Native Messaging Host


Vishal Jaiswal

Feb 27, 2024, 1:48:24 AM2/27/24
to Chromium Extensions
Hi Team,

Since Manifest V3 restricts remote code usage, what will happen to extensions that use a native messaging host to pass some code (HTML, images, GIFs) to the extension? Will it be considered a violation? There is no documentation on how the native messaging host will work in V3.

We're migrating our extension from V2 to V3, which is where we are facing this challenge.
Note - This extension will only be installed in enterprise environments.


Anton Bershanskyi

Feb 27, 2024, 6:50:49 AM2/27/24
to Chromium Extensions, Vishal Jaiswal
Hi,

Depending on the way you pass the data from the native messaging host, it might be considered remote code. There are a few things to consider:
  1. Does your extension rely on eval(), inline code and similar features? If not, then it will probably continue working. Images, video, and HTML markup (without JavaScript) are not considered remote code.
  2. If you do need to execute remote code (turn strings into executable code), then you might be able to put it into a sandbox (docs). I have used this API heavily to execute user-provided code in a controlled manner. It might be inconvenient to set up properly at first, but then it works perfectly.
  3. Disclaimer: I'm not affiliated with Google or CWS. Since you do not publish your extension to the Chrome Web Store (CWS), you do not need to comply with CWS review policies. Most advice online is actually just a bunch of rules discovered by trial and error, aimed at reducing CWS review times and the chance of a take-down. Effectively, anything that works now is fair game (and can't result in an extension take-down, since you are not even on CWS).
  4. If you already have a native host, you might benefit from just opening an HTTPS connection to it from the extension and loading resources that way.
If you have any other questions, I might be able to answer them.

Vishal Jaiswal

Feb 28, 2024, 12:35:00 AM2/28/24
to Anton Bershanskyi, Chromium Extensions
Hi Anton,

Thanks for such a detailed response, this will really help.

Just to be clear, though our extension is only for enterprise, we do publish it to the Chrome Web Store.
The other thing is that we are executing scripts using eval, and those scripts sometimes manipulate the DOM as well.
Since sandboxed pages don't have access to the DOM, is there any other way to achieve the required functionality?

Anton Bershanskyi

Feb 28, 2024, 1:56:17 AM2/28/24
to Chromium Extensions, Vishal Jaiswal
Hi,

> Just to be clear, though our extension is only for enterprise, we do publish it to the Chrome Web Store.
I believe I misunderstood you: in my previous reply I assumed you meant an extension deployed via "enterprise deployment", like a corporate-profile force-install or group-policy install (like this).

> The other thing is that we are executing scripts using eval, and those scripts sometimes manipulate the DOM as well. Since sandboxed pages don't have access to the DOM, is there any other way to achieve the required functionality?
It's hard to answer this question without knowing what functionality you are trying to achieve. Specifically:
  1. The rules (technical and CWS policy) specifically forbid using anything like eval() (including the Function constructor, inline scripts, inline scripts injected via Element.innerHTML, or anything that will fail to load/execute under a CSP containing only "safe" keywords).
  2. You can execute arbitrary code within a sandbox and send over an arbitrary result. The rest of the extension (e.g., a content script) can act on this arbitrary result.
  3. Query selectors are considered data, and textual/numeric/JSON data is just data (not code). So are media files like images, soundtracks, video, even PDF files.
If you consider points 2 and 3 carefully, you'll notice that extensions do have a way to execute remote code in a Turing-complete way, as long as the Turing-complete thing stays in the sandbox. For example, an extension content script can receive from a "remote source" (a literal server online, or a native host, or "remote code" executed in a sandbox) an arbitrary query selector (call it sel) and arbitrary text data (call it text) and execute the following: document.querySelector(sel).textContent = text; . Put enough of these on the page via the content script and you basically have remote code execution in a controlled manner. That is the entire point of the sandbox. You just need to make sure you and the reviewer can reason about the actual behavior of the code, and maintain some boundaries yourself.

Does this make sense?
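The pattern Anton describes in his two replies (execute the remote script inside a sandboxed page, let only data cross into the content script, and apply that data with selector-plus-text style operations), written out as an added example that is not code from the thread or from any real extension. It assumes a hypothetical MV3 layout: a `sandbox.html` page declared under the manifest's `"sandbox": { "pages": [...] }` key, an extension page that embeds it in an iframe and talks to it with postMessage, and a content script that calls `applyOps(document, ops)` on the validated result. Every function name, the allowlists, and the sample "remote script" are constructed for this example.

```javascript
// Added example, not code from the thread. Assumed (hypothetical) layout:
//   manifest.json: "sandbox": { "pages": ["sandbox.html"] }
//   sandbox.html  loads runRemoteScript() + the message listener below
//   extension page embeds sandbox.html in an <iframe>, uses postMessage
//   content script calls applyOps(document, ops) on what comes back

// ---- sandbox page side: execute untrusted script, emit data only ----------
// The remote script receives `input` and an `ops` array and may only
// *describe* DOM changes. new Function is eval-equivalent and is acceptable
// here solely because sandboxed pages get their own CSP; never use it in the
// extension's normal pages, service worker or content scripts.
function runRemoteScript(code, input) {
  const fn = new Function("input", "ops", code);
  const ops = [];
  fn(input, ops);
  // Round-trip through JSON so only plain data (no functions, no DOM
  // references, no prototype tricks) leaves the sandbox.
  return JSON.parse(JSON.stringify(ops));
}

if (typeof window !== "undefined" && window.parent !== window) {
  window.addEventListener("message", (event) => {
    const { id, code, input } = event.data || {};
    let reply;
    try {
      reply = { id, ops: runRemoteScript(code, input) };
    } catch (err) {
      reply = { id, error: String(err) };
    }
    event.source.postMessage(reply, event.origin);
  });
}

// ---- boundary: accept only a fixed vocabulary of data-only operations -----
const SAFE_OPS = new Set(["setText", "setAttr", "addClass"]);
// No event handlers (on*), no URL-bearing attributes (href/src/srcdoc), no style.
const SAFE_ATTRS = new Set(["title", "alt", "aria-label", "data-note"]);
const CLASS_RE = /^[A-Za-z_][A-Za-z0-9_-]*$/;

function validateOps(ops) {
  if (!Array.isArray(ops)) throw new TypeError("ops must be an array");
  return ops.map((op, i) => {
    if (!op || typeof op !== "object" || !SAFE_OPS.has(op.op)) {
      throw new Error(`op ${i}: unknown operation ${JSON.stringify(op && op.op)}`);
    }
    if (typeof op.sel !== "string" || op.sel.length === 0 || op.sel.length > 256) {
      throw new Error(`op ${i}: selector must be a short string`);
    }
    switch (op.op) {
      case "setText":
        if (typeof op.text !== "string") throw new Error(`op ${i}: text must be a string`);
        return { op: "setText", sel: op.sel, text: op.text };
      case "setAttr":
        if (!SAFE_ATTRS.has(op.name) || typeof op.value !== "string") {
          throw new Error(`op ${i}: attribute ${JSON.stringify(op.name)} not allowed`);
        }
        return { op: "setAttr", sel: op.sel, name: op.name, value: op.value };
      default: // addClass
        if (typeof op.className !== "string" || !CLASS_RE.test(op.className)) {
          throw new Error(`op ${i}: bad class name`);
        }
        return { op: "addClass", sel: op.sel, className: op.className };
    }
  });
}

// ---- content script side: apply ops with data-safe DOM APIs only ---------
// textContent / setAttribute (allowlisted names) / classList never parse HTML
// or create script, so a hostile selector or string cannot become code.
function applyOps(doc, ops) {
  let applied = 0;
  for (const op of validateOps(ops)) {
    for (const el of doc.querySelectorAll(op.sel)) {
      if (op.op === "setText") el.textContent = op.text;
      else if (op.op === "setAttr") el.setAttribute(op.name, op.value);
      else el.classList.add(op.className);
      applied += 1;
    }
  }
  return applied;
}

// ---- constructed demo input (not from any real deployment) ---------------
const REMOTE_SCRIPT = `
  for (const item of input.items) {
    ops.push({ op: "setText", sel: "#" + item.id, text: item.label });
  }
  ops.push({ op: "addClass", sel: "body", className: "remote-applied" });
`;

// Simulates the full path without a browser: sandbox run -> boundary check.
function demo(script = REMOTE_SCRIPT) {
  const input = { items: [{ id: "price", label: "$9.99" }, { id: "sku", label: "A-1" }] };
  return validateOps(runRemoteScript(script, input));
}

// A remote script that tries to smuggle code out is rejected at the boundary.
function demoRejected() {
  const evil = `ops.push({ op: "setAttr", sel: "a", name: "onclick", value: "alert(1)" });`;
  try { demo(evil); return null; } catch (err) { return err.message; }
}
```

The design choice is that the content script's vocabulary is fixed and reviewable: a reviewer can read `validateOps` and `applyOps` and enumerate everything the remote script can ever make the page do, regardless of what that script contains. Anything new the remote side wants (a new attribute, a new operation) has to be added to the allowlist in a reviewable extension update rather than shipped from the server or native host.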

Vishal Jaiswal

Feb 28, 2024, 2:08:06 AM2/28/24
to Anton Bershanskyi, Chromium Extensions
Thanks, Anton, for such a clear-cut and quick response. Yeah, it made things clear on executing scripts in a controlled manner.