Community submitted remote HTML/JS in sandboxed iframe — policy question

11 views
Skip to first unread message

aaa aaa

unread,
3:12 AM (3 hours ago) 3:12 AM
to Chromium Extensions

Hi,

I'm building a MV3 new tab page extension. Users can install additional functionality created and submitted by third party community developers. The community code is hosted on my server and loaded into sandboxed iframes inside the new tab page.

My specific questions:

  1. Is loading community submitted HTML/CSS/JS into a sandboxed iframe inside a new tab extension page allowed under MV3 and current CWS policies?
  2. Are there specific CSP headers or sandbox attribute flags required for compliance?
  3. Is communicating between a sandboxed iframe and the core extension via postMessage an approved pattern?
  4. Does the fact that the code is community created rather than first party affect the policy answer?
  5. Any other policy concerns with this approach?

Thank you


Reply all
Reply to author
Forward
0 new messages