Executing Remote Code through Native messaging host in Manifest v3


Vishal Jaiswal

Jan 22, 2024, 6:46:44 AM
to Chromium Extensions
Hi All,

While migrating a Chrome extension from manifest v2 to manifest v3, I came across the migration of remotely hosted code to the extension package.
In my extension, we pass JavaScript files and code from our native messaging host to the extension's background.js, and after that we execute that JavaScript in background.js using eval.
So, do we need to migrate these files, as they are coming through the native messaging host?
Also, the JavaScript code that we pass from the native messaging host to background.js is runtime code, so can anyone guide how to handle these scripts?
I didn't find any document mentioning the migration in terms of the native messaging host.

- Thanks


wOxxOm

Jan 22, 2024, 9:18:34 AM
to Chromium Extensions, Vishal Jaiswal
In a published extension, eval/dynamic code in extension contexts is not allowed; you can only do it in a special sandbox page/frame, which you can put inside the offscreen document and use standard parent.postMessage to exchange the data or a MessageChannel's port to subsequently communicate directly with the service worker.

In a personal unpacked extension you can use a more direct method based on onfetch exploit via import() in the offscreen document.

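The offscreen-document side of the sandbox relay described in the reply above, as an added example that is not part of the original thread. The function name `makeSandboxBridge`, the `{id, code}` / `{id, ok, value}` message shapes and the page name `sandbox.html` are assumptions; the point shown is that replies are accepted only from the sandboxed iframe itself.

```javascript
// offscreen.js side (added example). sandbox.html is a hypothetical page listed
// under "sandbox": {"pages": [...]} in manifest.json and embedded as an <iframe>.
// Code evaluated there has no access to chrome.* extension APIs.
function makeSandboxBridge(frameWindow, timeoutMs = 5000) {
  const pending = new Map(); // request id -> {resolve, reject, timer}
  let nextId = 1;

  // Ask the sandboxed frame to evaluate `code`; resolves with its reply.
  function run(code) {
    if (typeof code !== 'string') {
      return Promise.reject(new TypeError('code must be a string'));
    }
    const id = nextId++;
    return new Promise((resolve, reject) => {
      const timer = setTimeout(() => {
        pending.delete(id);
        reject(new Error('sandbox timeout'));
      }, timeoutMs);
      pending.set(id, { resolve, reject, timer });
      // A sandboxed page has an opaque origin, so '*' is the only usable
      // target; the identity check happens on the way back, in onMessage.
      frameWindow.postMessage({ id, code }, '*');
    });
  }

  // Handler for window 'message' events. Returns true if the event was consumed.
  function onMessage(event) {
    // Accept only our own iframe, whose opaque origin serializes as "null".
    if (event.source !== frameWindow || event.origin !== 'null') return false;
    const { id, ok, value } = event.data || {};
    const entry = pending.get(id);
    if (!entry) return false; // unknown or already-settled request id
    pending.delete(id);
    clearTimeout(entry.timer);
    if (ok) entry.resolve(value);
    else entry.reject(new Error(String(value)));
    return true;
  }

  return { run, onMessage, pendingCount: () => pending.size };
}

// Wiring inside the offscreen document (browser only):
//   const frame = document.querySelector('iframe');
//   const bridge = makeSandboxBridge(frame.contentWindow);
//   window.addEventListener('message', bridge.onMessage);
```
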