Remotely hosted code in MV3

Min-Seok Kim

unread,

Dec 15, 2020, 7:38:06 PM12/15/20

to Chromium Extensions

MV3 says that Remotely hosted code is no longer allowed. The point seems that prevents executing arbitrary strings.

// no longer allowed in MV3

chrome.tabs.executeScript({

code: 'alert("test!")'

});

Then, I'm wondering if adding a script is also blocked as follows.

// background.js

chrome.scripting.executeScript({

file: 'content-script.js'

});

// content-script.js

const s = document.createElement(‘script’);

s.src = ‘https://example.com/remote_code.js';

document.body.append(s);

Tomislav Zorčec

unread,

Dec 17, 2020, 12:53:51 AM12/17/20

to Chromium Extensions, mski...@gmail.com

Hello,

From the docs (https://developer.chrome.com/docs/extensions/mv3/intro/mv3-overview/):
"Remotely hosted code is no longer allowed; an extension can only execute JavaScript that is included within its package."

I think your first 2 examples are fine;

chrome.tabs.executeScript({

code: 'alert("test!")'

});

chrome.scripting.executeScript({

file: 'content-script.js'

});

But loading the script from an external URL is forbidden.

const s = document.createElement(‘script’);

s.src = ‘https://example.com/remote_code.js';

document.body.append(s);

hrg...@gmail.com

unread,

Dec 17, 2020, 5:48:04 AM12/17/20

to Chromium Extensions, zor...@gmail.com, mski...@gmail.com

The Extensions team has mentioned several times that MV3 will allow arbitrary code evaluation via some mechanism that they still keep under wraps.

We have nothing to do but to wait until they reveal and document this mechanism.

Simeon Vincent

unread,

Dec 17, 2020, 3:24:08 PM12/17/20

to hrg...@gmail.com, Chromium Extensions, zor...@gmail.com, mski...@gmail.com

Min-Seok,

You are correct; the second sample you provided is not allowed in Manifest V3 for the reasons explained by Tomislav.

To briefly touch on the rationale behind this change, CWS reviewers cannot assess the danger an extension poses if they cannot see the code that it executes and loading JS from a remote server makes that impossible. Executing arbitrary code strings at runtime is similar; it's possible to determine what the string could contain, but it requires significantly more work and is a ripe vector for exploitation. As such, we're moving to a model where we require all code that an extension executes to be included in the extension package.

I also want to highlight that extensions can use remote configuration to modify runtime behavior. In other words, you can fetch (and cache, please 😉) a JSON file to toggle features on and off, changes settings, etc. This shouldn't be taken to the extreme of adding so much complexity that the extension could effectively do whatever it likes because then we're back in the situation were review cannot reasonably determine the risk the extension poses.

The Extensions team has mentioned several times that MV3 will allow arbitrary code evaluation via some mechanism that they still keep under wraps. - hgr

We're not being sneaky or anything, we're just focused on all the other work we need to get MV3 in shape. IMO this is an important use case, but it's less important than making MV3 extensions work at all. It will take time to think through and we have precious little of that at the moment.

Cheers,

Simeon - @dotproto

Chrome Extensions DevRel

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/c8fcea8a-5f9b-4ffc-bd7b-74c6ba2137ban%40chromium.org.

Reply all

Reply to author

Forward