Will my chrome extenstion that embeds an Iframe be approved by Google?

[Jeff2001]

I am building a Chrome extension that works together with a web application. The UI of this extension is actually in an Iframe. Will this be approved by the Chrome Extension review process? The reason I use an Iframe is that I want to use Firebase Auth and Firestore, which is complicated with the Manifest V3. The URL of the Iframe page will be myapp.com?URLofCurrentTab. URLofCurrentTab being the page the user is on in their browser. So the only communication between the browser and the Iframe page is a URL passed as a query string.

[Bruno Messias]

I've the same doubt

[Uladzimir Yankovich]

In general, Chrome extension developers' policies prohibit extensions whose sole purpose is to display another site. But perhaps in your case, it's not just displayed? Because if it is, why would you make an extension at all? Invite people to your site.

Other than that, it seems that you can use mv3 firebase auth and firestore in the extension. Probably not as convenient as a classic web app. But you certainly can.

[Juraj M.]

You mean like this fake WinRar installed by 20k users? :D

https://chrome.google.com/webstore/detail/winrar/ihgbadlkdhiffbhpkhbhapagmdingbgb

[Uladzimir Yankovich]

I'm talking about this - https://developer.chrome.com/docs/webstore/program_policies/#functionality 

[Juraj M.]

I know, I just wanted to point out that there are extensions in store "whose sole purpose is literally a single link to a page" and nobody cares.

So I think if the extension is actually useful, it's OK to load a third party iframe. The rules are here to protect people, not to harass them, right? :)

[Uladzimir Yankovich]

You are right. But actually, breaking the rules is a lottery. And unfortunately, sometimes, even good extensions pull the ticket with a ban.

I wanted to let the author know that there is a risk. And whether to accept it or not is his responsibility :) 

--

Uladzimir Yankovich.

[Simeon Vincent]

Going back to the original question, it's hard to say given how little information about the extension was shared. I think Uladzimir's guidance is pretty solid. My first though on seeing that "The UI of this extension is actually in an Iframe" was the policy he called out.

The main thing I wanted to comment on, though, was the iframe's URL being http://myapp.com/?URLofCurrentTab. My first though on seeing the URL of the current page in the iframe's URL is immediate suspicion of data harvesting or misuse. There are legitimate reasons to send URLs to remote servers, but A) I don't see an obvious reason to do so given what has been shared so far and B) including sensitive information in query parameters is not good practice. On the security side, a better practice in this case is to postMessage the URL to the iframe, to make your site externally connectable so the extension and sure can communicate directly with each other.

Simeon - @dotproto
Chrome Extensions DevRel

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAAN4%2Bqg%2BqfunpLMLf70MoDg2ptFG6_rNh3VUQ1fpBRzO1SnmcQ%40mail.gmail.com.