New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Chrome] Manifest V3: examine the effects #644
Comments
Cc: @JasonBarnabe , @sizzlemctwizzle Depending on how this rolls out this might affect other public sites such as OUJS, GF and even GH. I'm certainly not going to pay goo for anything for a possible, and probable, monopolistic practice. |
At first glance, TM or other userscript managers don't seem to be endangered by the APIv3 proposal. There is even an upside - the dynamic registration of content scripts (hopefully similar to Firefox). In the worst case some hacks like CSP header patching might become impossible though. |
I'm not that sure. Devlin wrote
...and he wrote that to me while we discussed the Opera issue. It depends on how deep the security review should be. Userscripts of course can be a security threat and it's simply not possible to meet this criteria:
|
Ah, the good old detached-from-reality-Devlin, one should love the man's idealistic world view... Could you suggest they implement a userscript sandbox API that was present in the old Firefox and is about to be restored in WebExtensions? |
No, we focused on the Opera issue. |
and so https://blog.chromium.org/2020/12/manifest-v3-now-available-on-m88-beta.html V3 is upon us.
is essential to tampermonkey functionality? |
There's much more missing in ManifestV3. The CSP patching problem isn't essential. The much bigger problem is the very ability to inject user code which is ostensibly forbidden by ManifestV3 completely, and this wasn't still clarified by anyone on chromium team. |
I'm in contact with the Chrome developers. Extensions like Tampermonkey will work in MV3, but some additional user action is required for it to work. I don't have any further details on this at the moment. |
after further looking around it seems CSP header injection/modification is working now https://bugs.chromium.org/p/chromium/issues/detail?id=1116487 |
Any news if tampermonkey will work with the chrome manifest v3 ? |
I do not want to sound like a broken record, but it would be great if we can get some details about the "MV3" solution. |
No news yet. https://groups.google.com/a/chromium.org/g/chromium-extensions/c/lSDCHnVpm6I/m/fvAP8eTMAAAJ |
But afaik we dont need arbitrary remote code execution. Is google trying to prevent user defined local code execution? |
Any userscript is the "remote code" because it's not shipped within the extension. |
Those are dangerous semantics. Its remote to Google who wants to control the Browser. Its not remote to the user and his own computer. Lets be clear here, Google is trying to mold User Browser into a closed ecosystem app similar to Apples. Google will successfully argue remote code is dangerous, 3vil haxors from africa injecting malicious scripts etc. We need to be vocal about not wanting "remote code execution" in V3, we want User Defined local code execution. |
It's not really semantics but rather a poor choice of words which were probably coined by C++ programmers who implement the API internals: |
Horrible suggestion (for horrible times) but perhaps we could embed evaljs or Wizer's WASM Spidermonkey to interpret JS. That would let us run dynamic JS again. The next challenge is figuring out how to inject the functions/objects we expect to have access to from Tampermonkey. |
I'd strongly recommend against this path as it's a clear violation of the the Additional Requirements for Manifest V3 section of the Chrome Web Store's Developer Program Policies.
Since I've seen some confusion here and elsewhere, I want to quickly reaffirm that the Chrome team is still planning to support power user tools that inject user-written scripts or styles in Maniest V3, but we have not yet begun implementation work. I expect we're likely still a few months out on this. @derjanb, I also expect I'll be following up with you when we have a more substantial update. |
@dotproto Thanks for clarifying.
That's great. Some substantial changes to Tampermonkey will be necessary. So I like to use whatever lead time I can get so that the Manifest v3 version will be stable within the schedule. At the moment I can't really tackle the migration because important features like this are missing. |
I came to the Tampermonkey repo in hopes of seeing a thread like this. I don't mean to go too off-topic, but I do have concerns of my own Chrome extension, which injects multiple scripts into a website it's dedicated to. PS: Terribly sorry that this isn't on-topic, but you guys are definitely experts in JS script injecting :) |
If I remember right, it should inject scripts to the page context for manifest v3 and even without bothering CSP: const script = document.createElement("script");
script.src = chrome.runtime.getURL('script-to-inject.js');
(document.head || document.documentElement).append(script); manifest.json "web_accessible_resources": [{
"resources": ["script-to-inject.js"],
"matches": ["*://example.com/*"]
}] Likely I got it from this answer. |
Ideally, the new API should resemble Firefox's userScripts API that in addition to registering the code also provides onBeforeScript event that allows the engine (Tampermonkey) to implement the client-side part of the userscripts API. FWIW, executeScript supports |
Yes, especially since there is (usually) no support for blocking events, the service worker might have been asleep and Also, as far as I can tell, executeScript has no arbitrary code support yet (apart from this hack), right? |
Aaaargh! I was just looking for information about the persistence of the ...When (if?) Tampermonkey migrates to v3, will that affect the scripts' matching policy, i.e. disallow |
@dotproto from Google says "I'll reaffirm that we plan to support userscript managers in Manifest V3 before the Manifest V2 deprecation."
I can't say that at the moment, because it depends on how the Chromium team wants to enable userscript execution. If it's declarative then |
This technique is nothing new, they just create the script element in page context (MAIN world) so it's not subject to the CSP of extension's content script, but in turn it is subject to the site's CSP. It means that Tampermonkey will have to disable the site's CSP on many modern sites thus lowering their security by default, whereas currently it's an opt-in behavior, toggled in settings. Although it might be possible to just modify CSP header by adding SHA nonce of the injected code, but that depends on the shape of the promised API for userscripts. Also, to point out the non-obvious caveat, MAIN world environment may be spoofed by the site even before document_start (due to an old architectural bug in Chrome/FF), so using this trick won't help extensions that want to run an external script or dynamically created code in the safe isolated world environment of their content scripts. Anyway, the act of injecting the external or user-provided code is not the problem and we'll be able to use it in an unpacked dev-mode extension. The problem is that it is forbidden for extensions in the web store, so the authors who circumvent it will be banned. |
Oh, so sorry. I should not have posted that link without reading through it, it just sounded so enticing 🤦♂️ |
hello everyone. Is this topic still under continuous attention? I have a small case here to ask if it is feasible. https://github.com/Xdy1579883916/ext-simple.git It seems that remote scripts can be executed in this way, but I'm not sure whether it is stable. |
@Xdy1579883916, this is the same trick (the original comment is deleted now) I commented upon above. It won't help for exactly the same reasons. |
@tophf , Could you give more details how to run user provided code in a unpacked extension in MV3? Because I see that eval() does not work there. |
@pvmnd, it's shown in https://crbug.com/1239976. An extension page/frame can use its service worker's onfetch event to create a dynamic code in an imported script that runs in this page/frame so that it can be used either directly instead of eval() in the context of the extension process or you can specify it as |
Google delayed the switch to Manifest V3. https://www.ghacks.net/2022/09/29/google-delays-the-death-of-manifest-v2-extensions-to-2024/ |
Yes, I've seen that. Also, the estimated timeline for an API [1][2] that can be used by Tampermonkey to inject scripts is Canary support around October, 2022.
[1] w3c/webextensions#279 (comment) |
It seems like they started to finally do a proposal + they updated the Chrome page with Canary Support around December. |
this is good. thanks. |
|
issues with requiring local scripts |
Oh no! That was the only way I could use an actual frickin' full fledged code editor with all my local creature comforts, AND manage local dependencies! It would absolutely suck if we weren't able to use I guess we can host them on a local server via localhost, but that feels yucky. Does anyone have alternative solutions? |
When V3 is supported, can you change the editor to Monaco Editor? |
Yo, smart But my workaround was to just download and install old tampermonkey for manifest v2 cuz screw migrating |
Draft: https://docs.google.com/document/d/1nPu6Wy4LWR66EFLeYInl3NzzhHzc-qnk4w4PX-0XMw8/edit#
Discussion: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/hQeJzPbG-js
The text was updated successfully, but these errors were encountered: