Recaptcha in Manifest V3 extension
607 views
Skip to first unread message
extension_tester
Apr 11, 2022, 7:26:31 AM4/11/22
to Chromium Extensions
Hi,
I want to ask for clarification:
1. Are external iframes with Google Recaptcha allowed in Manifest V3? If the external iframe already contains Recaptcha code and html, and communicates with the extension via postMessage or chrome.runtime.sendMessage (per these answers it seems to be allowed: https://stackoverflow.com/questions/66057804/what-does-it-mean-that-v3-extensions-is-the-disallowing-of-remotely-hosted-code#comment125[…]8_66057804
https://groups.google.com/a/chromium.org/g/chromium-extensions/c/ks--r5hDNQ0/m/rGYiWkOZCAAJ)
2. If the iframe is empty at first and the Chrome Extension injects recaptcha code in it (adds scripts tags), and then adds communication between the iframe and the extension. As I understand, it's technically possible, but prohibited by the CWS policy (per this answer: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/ks--r5hDNQ0/m/rGYiWkOZCAAJ)? Is this still true? Extensions are not allowed to inject any remote code, even if it's technically possible and the code is injected inside a remote iframe?
3. If at least the first method is allowed, is it the best way to have anti-bot protection in Manifest V3 extensions, or is it better to look into other libraries, which offer local captcha bundles (I'm not sure though if there are any large captcha projects like this)?
Thank you
I want to ask for clarification:
1. Are external iframes with Google Recaptcha allowed in Manifest V3? If the external iframe already contains Recaptcha code and html, and communicates with the extension via postMessage or chrome.runtime.sendMessage (per these answers it seems to be allowed: https://stackoverflow.com/questions/66057804/what-does-it-mean-that-v3-extensions-is-the-disallowing-of-remotely-hosted-code#comment125[…]8_66057804
https://groups.google.com/a/chromium.org/g/chromium-extensions/c/ks--r5hDNQ0/m/rGYiWkOZCAAJ)
2. If the iframe is empty at first and the Chrome Extension injects recaptcha code in it (adds scripts tags), and then adds communication between the iframe and the extension. As I understand, it's technically possible, but prohibited by the CWS policy (per this answer: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/ks--r5hDNQ0/m/rGYiWkOZCAAJ)? Is this still true? Extensions are not allowed to inject any remote code, even if it's technically possible and the code is injected inside a remote iframe?
3. If at least the first method is allowed, is it the best way to have anti-bot protection in Manifest V3 extensions, or is it better to look into other libraries, which offer local captcha bundles (I'm not sure though if there are any large captcha projects like this)?
Thank you
Reply all
Reply to author
Forward
0 new messages