Chrome Extension Manifest v3 migration – What? Where? When?

In the last few weeks I’ve been a part of an effort to upgrade our Chrome Extension to support Manifest Version 3 (Mv3 in short), and I have a feeling that Google is on its way to throwing this product off a cliff, the Google way.

What is a Chrome Extension?

According to the official docs:

“Extensions are software programs, built on web technologies (such as HTML, CSS, and JavaScript) that enable users to customize the Chrome browsing experience.”

In simple words, they are programs that add functionality to the browser, installed by the user, not by the browser vendor.

There are extensions that block ads (like Adblock Plus), check spelling (like Grammarly), save passwords (like LastPass), test a site's accessibility (like the one we're building at Evinced), offer a VPN connection (like HuluVPN), and many more.

Extensions are built out of two main types of components:

  1. Content scripts, which run in the context of a web page and are used when the extension needs a user interface on the page or access to the page's data.
  2. Background scripts, which run outside any page, can be persistent (running all the time), and have access to browser events such as opening a new tab or refreshing the page. The background script often acts as the server side of the extension.

Permissions and security

Chrome extensions can have a surprisingly large list of permissions. For example:

  • Access and manipulate the DOM; Grammarly uses that to read the contents of input fields and check the spelling.
  • Send requests to servers; Extensions that require registration use that to authenticate.
  • Download scripts from a server and run them (removed in Mv3)
  • Run scripts on the website a user is visiting; Evinced uses this to check for accessibility issues.
  • Read and manipulate network requests; HuluVPN uses it to change requests to go to a different server in a different country.
  • Bypass CORS defenses that are enforced by the browser
  • Listen to browser events

This is only a partial list of course, but even with these permissions and a bit of a criminal mind, the attack surface is huge, and criminal groups do take advantage of it by injecting malicious code into existing extensions.

Here's an example of a real attack: a hacker group took over an extension called The Great Suspender and modified it to download and execute malicious code from their servers, while it was installed on millions of devices.

Bye bye Manifest version 2, hello Manifest version 3

Google announced about two years ago that the set of rules governing what extensions may do, bundled into manifest version 2, is changing: a new set of rules will be enforced in the next version, and all extensions must be upgraded or they will stop working.

This is the official timeline, taken from https://developer.chrome.com/docs/extensions/mv3/mv2-sunset/:

Manifest v2 sunset timeline taken from Google's official website

The heart of the change is security and permissions. In short:

1. Downloading and running anything from an external source is forbidden. This includes fonts, scripts, CSS, etc.

2. Fewer permissions and capabilities at the network level.

3. Moving the background script to a service worker, which is more of a performance change.
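To make the three changes concrete, here is an added example (my own code, not from the post or from Google's tooling): a constructed Manifest V2 manifest beside its Manifest V3 counterpart, and a small static check that flags the V2 patterns each change removes. The manifest keys and permission names are the real ones; the manifests themselves and the issue labels (REMOTE_CODE, BLOCKING_WEBREQUEST, BACKGROUND_PAGE, HOST_PERMISSION_IN_PERMISSIONS) are constructed for this example.

```javascript
// Added example, not part of the original post: a lint-style check for the
// Manifest V2 patterns that Manifest V3 forbids or replaces.
// Both manifests below are constructed; only the key names are real.

const mv2Manifest = {
  manifest_version: 2,
  name: "Sample MV2 extension (constructed)",
  version: "1.0",
  background: { scripts: ["background.js"], persistent: true },
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"],
  // MV2 allowed remote script origins and 'unsafe-eval' in the CSP.
  content_security_policy:
    "script-src 'self' https://www.googletagmanager.com 'unsafe-eval'; object-src 'self'",
};

const mv3Manifest = {
  manifest_version: 3,
  name: "Sample MV3 extension (constructed)",
  version: "2.0",
  background: { service_worker: "background.js" },
  permissions: ["declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
  content_security_policy: {
    extension_pages: "script-src 'self'; object-src 'self'",
  },
};

// Return the script-src sources of whichever CSP shape the manifest uses
// (a plain string in MV2, an object keyed by context in MV3).
function scriptSrc(manifest) {
  const csp = manifest.content_security_policy;
  const text = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const directive = text
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src"));
  return directive ? directive.split(/\s+/).slice(1) : [];
}

// Return the list of MV3-incompatible patterns found in a manifest object.
function findMv3Issues(manifest) {
  const issues = [];
  // Change 1: remote code. Any non-'self' script origin or eval in the CSP
  // means code that is not part of the reviewed bundle.
  const sources = scriptSrc(manifest);
  if (sources.some((s) => s.startsWith("http") || s === "'unsafe-eval'")) {
    issues.push("REMOTE_CODE");
  }
  // Change 2: network layer. The blocking webRequest permission is gone;
  // request blocking moves to declarativeNetRequest rules.
  const perms = manifest.permissions || [];
  if (perms.includes("webRequestBlocking")) {
    issues.push("BLOCKING_WEBREQUEST");
  }
  // Change 3: background. MV3 requires a service worker, not a persistent
  // background page or a list of background scripts.
  const bg = manifest.background || {};
  if (bg.scripts || bg.page || bg.persistent === true) {
    issues.push("BACKGROUND_PAGE");
  }
  // Host match patterns moved out of `permissions` into `host_permissions`,
  // so the review and install prompts can show host access separately.
  if (perms.some((p) => p.includes("://") || p === "<all_urls>")) {
    issues.push("HOST_PERMISSION_IN_PERMISSIONS");
  }
  return issues;
}

// Usage: findMv3Issues(mv2Manifest) lists all four patterns; the MV3 manifest is clean.
```

The check is deliberately simple: it reads the manifest only, so it catches the declared permissions and CSP but not remote code loaded from inside a script, which is exactly what the Chrome Web Store review has to look for once the whole bundle is in front of it.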

Because all the code will be bundled into the extension and no code can be added at runtime, Google will have the entire code of an extension at review time; it can detect suspicious code and remove the extension before it reaches users.

This is a big win for security.

Adblockers and Mv3

One of the most popular extensions is Adblock Plus. It prevents ads from showing while the user is browsing the web and while watching YouTube videos.

The extension uses several techniques to block these ads; the main one is monitoring network requests, identifying calls to ad servers, and blocking or modifying those requests.
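As an added example (my own code, not Adblock Plus's or any other ad blocker's), here is the same "block calls to ad servers" idea written the Mv2 way, as a blocking webRequest listener that decides per request, and the Mv3 way, as declarativeNetRequest rules shipped in the bundle and evaluated by the browser. The ad-server hostnames are constructed, the rule objects follow the shape of the chrome.declarativeNetRequest API, and the offline matcher is a simplified approximation of the `||host` anchor so the rules can be exercised without a browser.

```javascript
// Added example, not from the post or any ad blocker: MV2 imperative blocking
// versus MV3 declarative rules, plus an offline matcher for the rules.

// Constructed list of "ad server" hosts (.example is a reserved TLD).
const AD_HOSTS = ["ads.example", "tracker.example"];

function hostMatches(host, pattern) {
  // Match the host itself or any of its subdomains.
  return host === pattern || host.endsWith("." + pattern);
}

// MV2 style: the extension's own code runs on every request and returns
// { cancel: true } to block. Kept as a plain function so it runs without Chrome;
// a real MV2 extension would register it with:
//   chrome.webRequest.onBeforeRequest.addListener(
//     mv2OnBeforeRequest, { urls: ["<all_urls>"] }, ["blocking"]);
function mv2OnBeforeRequest(details) {
  const host = new URL(details.url).hostname;
  const blocked = AD_HOSTS.some((h) => hostMatches(host, h));
  return blocked ? { cancel: true } : {};
}

// MV3 style: no code runs per request. The extension declares rules up front
// and the browser matches them. This is what chrome.declarativeNetRequest
// static rules look like; `||host` anchors the filter at a domain boundary,
// borrowed from the Adblock Plus filter syntax.
function buildDnrRules(hosts) {
  return hosts.map((h, i) => ({
    id: i + 1,
    priority: 1,
    action: { type: "block" },
    condition: {
      urlFilter: "||" + h,
      resourceTypes: ["script", "image", "xmlhttprequest"],
    },
  }));
}

// Simplified offline evaluation of the rules above: handles only the
// "||host" anchor and the resourceTypes list, which is enough to show
// that the decision is now data, not code.
function dnrWouldBlock(rules, url, resourceType) {
  const host = new URL(url).hostname;
  return rules.some((r) => {
    const anchor = r.condition.urlFilter.replace(/^\|\|/, "");
    return (
      r.action.type === "block" &&
      hostMatches(host, anchor) &&
      r.condition.resourceTypes.includes(resourceType)
    );
  });
}

// Usage: buildDnrRules(AD_HOSTS) gives the rules to ship in the extension;
// dnrWouldBlock(rules, "https://cdn.tracker.example/t.gif", "image") is true.
```

The security-relevant difference is visible in the shapes: the MV2 listener can inspect and rewrite any request with arbitrary logic, so a compromised extension can do anything at the network layer, whereas the MV3 rules are static data the store can review, with no per-request code path to hide behaviour in.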

As Google’s main source of income is advertising, it certainly didn’t like this extension, or others like it.

Critics say that this is actually the main reason for changing the security and permissions mechanism in Mv3.

On the other hand, ad-blocking companies have already stated that they will modify their products to match the new manifest, and some of them have already released updated versions.

Our migration process

Personally, I'm in favor of these changes. They will increase the level of security and reduce the attack surface significantly.

However, the way it is being done is not very Googly.

Google has always been very helpful to developers using its tools, from elaborate tutorials to conferences, talks, and videos.

When migrating a Chrome extension from version 2 to version 3, there are almost no official documents discussing the details of the transition, which can be far from trivial.

A great example of this is Google Analytics.

Companies that build Chrome extensions often want to know how users are using them, and Google Analytics can provide these insights (at least to an extent).

However, because Mv3 does not allow downloading external resources, the code snippet in Google Analytics' docs simply does not work.

The solution is to bundle GA's code into the extension, but the official docs do not show me, as a developer, how exactly that is done. This is even more frustrating because they recommend using Google Tag Manager, which is by definition an external tool that downloads scripts at runtime and therefore also doesn't work in Chrome extensions.

As an Israeli, I am trained to find workarounds (com-bi-na in Hebrew-English), and we indeed found one. But it is suspicious that no guidance is given for Google's own tools when the transition is driven by Google itself, and with time running short, it's now crunch time to make the transition.

The future

Protocols and versions are replaced or transitioned all the time; this story is no different in that respect.

There are no official numbers, but according to this, there are between 176,608 and 188,620 Chrome extensions.

The transition to Mv3, which is not backward compatible, will make a big portion of those useless. Long-lived extensions that are no longer maintained will simply die and be removed from the store.

Regarding security, my hope is that it will reduce the number of ways bad actors can take advantage of extensions' permissions, but I have a feeling that brand-new holes will be discovered very soon.