Google Picker API doesn't work in MV3


Ian Williams

Mar 30, 2024, 1:30:05 PM
to Chromium Extensions
For security, Google recommends using the "drive.file" scope for the Google Drive API to limit file access. I'm trying to work within that scope, but the Picker API doesn't really gel with Manifest Version 3. 


Whenever I try to call the API from a sandboxed page, the API throws an error saying I need to allow-same-origin on the document, which is not allowed in Chrome Extension sandbox pages. 

Is there any workaround? The only alternative is to up the scope of the Drive API and it's seemingly impossible to get CASA verification for a functional Chrome Extension. 

Ian Williams

Apr 2, 2024, 9:11:03 AM
to Chromium Extensions, Ian Williams
Can anything be done here? I'm essentially looking for a way for users to select a working directory/directories from Google Drive. 

Chris Cowan

Apr 2, 2024, 8:01:30 PM
to Chromium Extensions, Ian Williams
Iframes pointing at html files inside of your extension have a restricted CSP you can't freely modify because Chrome wants to be strict about pages that are given access to extension APIs.
Inside of the extension iframe, place an iframe to a page at a remote URL (your website) and then use the Google Picker API inside there. The inner iframe pointing to a page at your website will have its own CSP rules that you can freely modify. As long as the outer iframe's CSP rules permit the inner iframe to exist, the contents of the inner iframe are unaffected by the outer iframe's CSP rules because they do not cascade inward.
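
Added example, not part of any poster's message: with the Picker running in a remote inner frame, the extension page receives the selection over `postMessage`, so it has to check where each message comes from and what it contains before acting on it. The origin `https://picker.example.com`, the `picker-result` message shape, the nonce handshake, and the ID pattern are assumptions made for this sketch.

```javascript
// Extension-page side of the nested-iframe setup (added example, hypothetical names).
const PICKER_ORIGIN = "https://picker.example.com"; // placeholder for your own hosted page
const FOLDER_MIME = "application/vnd.google-apps.folder"; // Drive's folder MIME type
const DRIVE_ID = /^[A-Za-z0-9_-]{10,128}$/; // assumed shape of a Drive ID, adjust as needed

// Returns the selected folders, or null when the message must be ignored.
function validatePickerMessage(event, frameWindow, expectedNonce) {
  if (event.origin !== PICKER_ORIGIN) return null; // exact match, never startsWith/includes
  if (event.source !== frameWindow) return null;   // only the frame this page created
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return null;
  if (msg.type !== "picker-result" || msg.nonce !== expectedNonce) return null;
  if (!Array.isArray(msg.docs) || msg.docs.length === 0 || msg.docs.length > 20) return null;
  const folders = [];
  for (const d of msg.docs) {
    if (typeof d !== "object" || d === null) return null;
    if (typeof d.id !== "string" || !DRIVE_ID.test(d.id)) return null;
    if (d.mimeType !== FOLDER_MIME) return null;   // working directories only
    // Names are untrusted text: cap the length and render with textContent, not innerHTML.
    const name = typeof d.name === "string" ? d.name.slice(0, 255) : "";
    folders.push({ id: d.id, name });
  }
  return folders;
}

// Browser wiring: create the inner frame and listen for its result.
function embedPicker(container, onFolders) {
  const nonce = crypto.randomUUID();               // ties the reply to this frame instance
  const frame = document.createElement("iframe");
  frame.src = `${PICKER_ORIGIN}/picker.html#nonce=${nonce}`; // hypothetical page path
  container.appendChild(frame);
  window.addEventListener("message", (event) => {
    const folders = validatePickerMessage(event, frame.contentWindow, nonce);
    if (folders) onFolders(folders);
  });
}
```

The hosted page should mirror this by posting its result with the extension's `chrome-extension://<id>` origin as the `targetOrigin` argument rather than `"*"`.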

Ian Williams

Apr 2, 2024, 10:29:18 PM
to Chromium Extensions, Chris Cowan, Ian Williams
Thank you. Someone already dm'd me about using the external site, but I appreciate you replying. 