--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/deb5dbd0-5952-4e4a-868d-8bc917c163e0%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CABc02_%2Bq%2B8EpSxhkzZf9SKm2-HnD4ORS_kE4cZB7yiZ9C2%3Dqfg%40mail.gmail.com.
@Simeon -What about using Google Analytics or Google Tag Manager (for example) in a Chrome extension?Do you expect all of the extensions to embed a local version of the analytics/tag manager code (and they must update the local version, along with the extension, every time it updates)?Do you expect extensions to track their analytics in a customized fashion?Do you expect extensions not to track their analytics?Same for any third party service that requires code execution (analytics, maps, content-distribution-network based custom elements that can have security issues fixed...).Or will there be a review-based white list for remote services?Note, though, that Google Tag Manager might be a security hole, because it can embed whatever JavaScript code the owner of the tag decided to add.☆PhistucK
On Wed, Feb 13, 2019 at 9:10 PM PhistucK wrote:
On Wed, Feb 13, 2019 at 8:13 PM Darren Govoni wrote:
I'm pretty certain it's more than that. An extension can open a popup that itself loads code like a webpage because that's what in fact it is. Those <script> tags in the popup menu (extension) are expected to behave just like any webpage. But Google are suggesting prohibiting the basic web model for extensions which would essentially make them "local only" web pages. Which is pretty useless. Just as it would be for web pages. No longer "web" at all.
As I understand the RHC plan, if an extension wanted to load GA, GTM, or any other 3rd party library in the extension's context, it would be expected to embed the analytics library as you've described.
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'https://some-remote-domain.com/script.js';
window.parent.document.appendChild(script);
--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/9276a663-b80c-4ff0-a10a-978b1032a610%40chromium.org.
Hi PhistucK,For example, some 3rd party online JavaScript code may:
- control the element directly in current page(e.g. google map place api and youtube iframe api, you can see their api docs).
- generate code dynamically by url parameters.
- detect user ip and user interaction (e.g. reCAPTCHA api).
- load more code/resources from the first loaded code.
--韩国恺(Jackie)