Browser Extensions: Remotely loading code & Manifest v3

[pbreah]

Summary

The days of remotely loading JS files is coming to an end with manifest v3 (on browser extensions). Since Stripe does remote loading of JS code anyway - it would be good to have an alternative way to load Stripe from a static JS file that can be bundled inside a packaged browser extension.

I totally understand the benefits of remotely loading JS files (like loading the latest stable version), but as new security policies are implemented, this will not always be an option for every platform to load code remotely. There are also performance benefits of having a simple static JS file, while using remotely loaded json for any additional configuration (if needed).

Other information

Info about this change:
https://developer.chrome.com/docs/extensions/mv3/intro/mv3-overview/#remotely-hosted-code

[tylersmith-stripe]

👋 Hi @pbreah,

Thank you for flagging this manifest v3 update with us. I've added a ticket for us to consider the implications of this change internally.

I'm going to close this ticket out for now, as I don't anticipate having near-term updates for how we'll support this. We can update this issue with any relevant updates that come from our internal discussions on the topic.

[pbreah]

@tylersmith-stripe any updates so far?

The removal date is drawing nearer for manifest v2 support. By the end of this year (2022) everyone using manifest v2 will need to migrate to manifest v3 (preventing stripe-js from loading remotely). Not sure if your team will be able to make it possible to load stripe-js from a local JS file before then, but it would be good to know if there are any updates from your internal discussions on this topic. Thanks.

[bluecaret]

Are there any updates for Stripe supporting manifest v3? A lot of developers are going to need this very soon or else they are going to lose their ability to monetize their extensions.

[RTISCOOL]

Just bumping this up once again. Looking for any updates as end of 2022 looms...

[sgi105]

We need this!!! Please help Stripe.

[hedonicadapter]

It's possible to download the <script src="https://js.stripe.com/v3" async></script> script and import it manually in your index.html file

I'm stuck here, is this allowed? "Always load Stripe.js directly from js.stripe.com to remain PCI compliant"

[christopher-stripe]

Hi all, we won't be able to support bundling Stripe.js into extensions. When you load Stripe.js, it inserts several iframes into the page which load additional code from js.stripe.com. The fact that this code comes from js.stripe.com and that it is isolated from your page via an iframe with a separate origin is an essential part of what allows Stripe to take on much of requirements around PCI compliance.

What you can do instead is include a link in your extension that opens a normal webpage (not part of the extension). That webpage can load Stripe.js as usual, as its code is outside the extension.

The other solution that you might try is loading that webpage within the extension UI by using an iframe. I'm not sure this would work (not an expert on Chrome extensions), but it's worth a shot.