Getting js code from our organisation's cdn links v3 extension


Tania Arora

Feb 9, 2023, 2:12:53 AM
to Chromium Extensions
I am building a Chrome extension using Manifest V3. Since the new version, Google has stopped allowing getting JS code from any CDN links.
Is there any way to whitelist particular domains in version 3? Embedding all JS in the extension is increasing the extension's size, and it is becoming difficult to modify the extension on a regular basis.

Stefan Van Damme

Feb 9, 2023, 3:05:30 AM
to Chromium Extensions, tania...@grazitti.com
Hi Tania,

Google Chrome extension Manifest v3 no longer allows external JavaScript files for security reasons. So it is best to put those files in your Chrome extension folder.
"A key security improvement in Manifest V3 is that extensions can't load remote code like JavaScript or Wasm files. This lets us more reliably and efficiently review the safe behavior of extensions when they're submitted to the Chrome Web Store. Specifically, all logic must be included in the extension's package."

Thanks,

Frank from Gmail

Feb 10, 2023, 12:46:20 AM
to Tania Arora, Chromium Extensions
Unfortunately, as per the latest information available to me, the new version of the Chrome extension manifest (version 3) has limited the ability to load external resources, including scripts from CDN domains. This change was made to enhance security and privacy, but it may have consequences for your development process.

At this time, there is no way to explicitly whitelist domains in the Chrome extension manifest version 3. The best solution is to include all the necessary JavaScript code in your extension, either as inline code or as a separate script file included in your extension package. This can make it more difficult to update your extension, but it will also reduce the risk of malicious code being introduced into your extension.

If the size of your extension is becoming a concern, you may want to consider using code minification and compression techniques to reduce the size of your JavaScript code. Additionally, you may want to consider using a tool like Webpack to bundle your code into smaller chunks that can be loaded on-demand.

Overall, the trade-off between security and ease of development is an important one, and the best approach will depend on the specifics of your project.


Simeon Velichkov

Feb 10, 2023, 4:13:02 AM
to Chromium Extensions, Chromium Extensions, Tania Arora
You can argue that libraries hosted on cdnjs cannot be tampered with and are pretty safe to use, but generally it's a security concern if you leave the door open, especially if developers have the ability to exclude domains or URLs.

As for the difficulty of updating and maintaining your extension you will need a build script as part of your release/development process. Pulling a library from the internet can be as simple as:


but in some cases you may need to pull from git, npm and do some manual adjustments if needed.

In the end, if you have all of your minified code clearly separated and stated as third-party code, and there is a build script that you could provide if needed to reproduce that build, then this may also speed up the review process, I guess. I know there is no such practice as of now on the CWS but maybe in future there will be.

As for the package size concern that is true, although the maximum allowed extension size should be pretty large, can't remember the exact number, but you can check it out on the official documentation web site. For example, I had to bundle MathJax with one of my extensions, which is a pretty large JavaScript library, it's around 50MB in total, so I spent some time looking around on how to trim it a little bit, it went down to 1.6MB which after archiving it as .zip package is even less. However, as it turned out I trimmed it way too much and some users reported that some of the MathJax plugins are not loading because those plugins were available on cdnjs before, but now are missing from my extension package. So it can be an issue in some cases.
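A build-step check of the kind the replies above point toward, written as an added example that is not part of the thread or any poster's code: it accepts a downloaded library into the package only when it matches a digest recorded at review time, and flags packaged HTML that still references a remote script. The lock format, function names, file names and the `cdn.example` host are assumptions made for illustration.

```javascript
// Added example: vendor a third-party library into an MV3 package with a pinned digest.
// The lock format, function names and sample data are assumptions made for this sketch.
const crypto = require('crypto');

// Digest in Subresource Integrity notation: "sha384-<base64>".
function sri(bytes) {
  return 'sha384-' + crypto.createHash('sha384').update(bytes).digest('base64');
}

// Decide what the build step may copy into the extension's vendor/ directory.
// `downloads` maps a lock entry name to the Buffer the build script fetched.
function vendorPlan(lock, downloads) {
  const accepted = [];
  const rejected = [];
  for (const entry of lock) {
    const bytes = downloads[entry.name];
    if (bytes && sri(bytes) === entry.integrity) {
      accepted.push({ dest: 'vendor/' + entry.name, bytes });
    } else {
      rejected.push(entry.name); // missing download or digest mismatch
    }
  }
  return { accepted, rejected };
}

// Flag <script src> values in packaged HTML that still point at a remote origin.
function remoteScriptRefs(html) {
  const refs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?((?:https?:)?\/\/[^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) refs.push(m[1]);
  return refs;
}

// Constructed sample data (not a real library build).
const reviewed = Buffer.from('window.lib = { version: "1.0.0" };\n');
const changed = Buffer.from('window.lib = { version: "1.0.0" }; extra();\n');
const lock = [{ name: 'lib.min.js', integrity: sri(reviewed) }];
const popup = '<script src="https://cdn.example/lib.min.js"></script>\n' +
  '<script src="vendor/lib.min.js"></script>';

console.log(vendorPlan(lock, { 'lib.min.js': reviewed }).accepted.map((f) => f.dest));
console.log(vendorPlan(lock, { 'lib.min.js': changed }).rejected);
console.log(remoteScriptRefs(popup));
```

In a real build the `integrity` value is computed once from a reviewed copy and committed to the lock file rather than derived at run time, so a changed upstream file fails the build instead of silently shipping.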