Proposal for Manifest v3: Have less restrictive security measures for force-installed extensions #43
Comments
|
@nir-walkme This topic was discussed during the last meeting (https://github.com/w3c/webextensions/blob/main/_minutes/2021-08-05-wecg.md), but we ran out of time. Did you get a satisfactory answer or is there anything else that you'd like to ask/discuss? |
|
@Rob--W Thank you for the discussion yesterday. I feel we made progress but did not finalize this issue. To re-clarify my request following yesterday's discussion: So I propose:
Of course, sometimes deprecations are needed in order to move forward to more modern technology, so it is OK to deprecate as long as there is an alternative approach with equivalent functionality.
@Rob--W How do you recommend to move forward with this discussion? |
|
Note from a citizen of the net: as a developer, I would rather go forward with more of a "feature detection" type of API rather than a split based on "Store" vs. "Enterprise". I think if I tried to make my enterprise addon work across different browsers, the different browser vendors may very well have differences in which API's they would view as privileged or not, so I'd end up having to do feature detection anyways. Checking for "Store" vs. "Enterprise" seems like it may end up running into the same problems that JS ran into in the past with checking "IE" vs. "Chrome" vs. "Firefox" that eventually moved towards feature detection. And as a bonus: I don't even have to learn any new API's for checking depending on how it's implemented. How did you envision that checking would work with |
|
Hi @wingman-jr-addon . I may actually agree with you that feature detection is better than But that is actually not the focus of my request. |
|
Well, I think there's a bit of an issue here in point 2 that is rooted precisely in the thinking around point 1. In the meeting notes above, it was brought up that deployment mechanism was out-of-scope. And above in your clarification you call out Why is this coupling to deployment problematic? As But that still ties the wording to the deployment method. I think from a specification perspective it might be better to indicate "trusted context" or something like that, as there might be additional ways of achieving that. For example, Mozilla has been trying out a "Recommended Extensions" approach where some number of addons go through a security review before becoming "recommended". Now, I'm not sure that I particularly like the idea of introducing two levels of privilege here at any level, but at least I think something like "trusted context" might better embrace a variety of approaches to ensuring security and perhaps be a better abstraction for a specification - if this type of approach were taken. I do not have thoughts on point 3, but I believe that it should be split off into its own issue. Saying point 3 is the heart of the issue when it is not part of the main title seems problematic. A general security mechanism and a specific API are two quite different things. |
|
Thanks @wingman-jr-addon I agree with your points. It does make more sense for the specification to be more abstract, so we can define an extension running in "normal mode" and "trusted mode". "normal mode" would be the default mode for extensions installed from the store.
The specification will mention that on "trusted mode", API/capability X is guaranteed to exist. Browser may decide if to include API/capability X also in "normal mode". I realize that introducing these modes is adding more complexity, but I would like to reiterate the need here: Manifest V3 has introduced several deprecations. Those deprecations means that functionality that have worked for years may stop working, causing major impact to both developers and customers. More specifically, I suggest that the following capabilities would work in "trusted mode" (it is up to the browsers to decide if they should work in "normal mode" as well):
|
|
The implementation details aside, what I see in this request looks like this:
I can follow the train of thoughts, but don't view the conclusion as an actionable point in this community group. Enterprise policies are currently not standardized and the set of supported policies is browser-specific. This is not likely to change. "Deployment mechanisms" are explicitly outside the scope of this group according to the charter document. If you believe that an API is too limited, file new issues requesting for specific functionality with specific use cases. In that way, all extension developers can benefit from improvements, and not just the group of enterprise extension developers.
This already exists in the form of the I question the value of this information for an extension though. Feature detection is generally more effective than checking whether an extension fits in a specific bucket.
Manifest v2 (note: the existing v2, not v3) extensions are already not allowed to execute remote code with very privileged extension APIs (e.g. blocked by the default CSP in extension pages). This restriction is not going to be lifted, so it is very unlikely for a request to (broadly) allow "executing remotely hosted code" to be accepted. If there are specific forms of "remotely hosted code" that you have in mind, please mention that instead. |
|
There's a case for SMBs here that seems to be ignored; Many SMBs don't have an IT department, but certainly need custom Chrome extensions written to handle their business operations. I wrote an extension, for example, whose purpose was to extend web-based POS software for a consignment shop in LA. We had them install this as an unpacked extension in dev mode, so that we could take whatever steps were necessary in order to meet their needs for this internal tools, regardless of what the CWS thought about it. A large number of these users we extension specialists write internal tools for are not technically-saavy users. They therefore can't be expected to set up and/or maintain any sort of enterprise management. Perhaps whatever extra capability is granted to extensions force-installed by enterprise policy can also extend to unpacked extensions manually installed by the user. This would not only greatly improve the development of said enterprise extensions, but also improve accessibility to SMBs who don't want/need their extensions available to the public and don't have the IT capacity to maintain enterprise deployment. |
I'm actually accounting for SMB that don't use enterprise deployment; in my previous comment I suggested to be specific about use cases so that "all extension developers can benefit from improvements, and not just the group of enterprise extension developers." I believe that the author of this issue is not specifically asking to restrict features to enterprise, but to allow them to use certain features whose availability are at risk (and suggesting to introduce enterprise-specific functionality in case this constraint would make it more likely to support the functionality). |
|
@cuylerstuwe and @Rob--W Let me try to pitch an idea that can benefit all.
How about allowing "remotely hosted code" from pre-defined domains only that are explicitly written in the manifest file in a "match pattern" format? |
|
@nir-walkme without saying whether or not this should be supported. Instead of having a separate key with a match pattern in the manifest we can use existing tech like the |
|
@carlosjeurissen When I refer to "executing remotely hosted code" I am referring mostly to "userscripts", meaning remotely hosted scripts that run in the page context (similar to Greasemonkey/Tampermonkey). This includes the ability to execute the script in the page context even if the page is blocking that using content security policy. I believe the content_security_policy in the manifest files refers only to extension pages and not to the use case I mentioned. What do you think? |
|
@nir-walkme In the case of content scripts, it could be done using the Everything else would not be a blocker for force-installed extensions as they are policies from stores and not restrictions on a browser level. The |
|
In Manifest v2 it was possible to injects remote scripts into the page's context using a content script, including bypassing the page's CSP and without the need to modify the CSP using chrome.webRequest API.
Therefore I suggest to keep the Manifest v2 behavior, at least for pre-defined domains, as suggested before. |
|
Safari does not currently support force-installed extensions. |
Manifest v3 introduces some security improvements which are great for consumers. They reduce the risk that an extension installed from the store will harm the user. This is great as most users lack the knowledge and tools to assess the security level of an extension they install from the store.
On the contrary, in an enterprise use case, the Manifest v3 changes limit the functionality of existing extensions. There are many use cases where an extension requires elevated permissions. For example, extensions used for QA, security or digital adoption.
In the enterprise world, extensions are pushed to the end users using an IT policy (either from the store or from a self-hosted location) and the extensions usually go through a security review before being pushed.
Therefore we suggest treating extensions installed manually from the store differently than extensions force-installed.
This is already the case for the blocking version of the webRequest API (https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/#when-use-blocking-webrequest) so it appears that our line of thought is in the right direction.
As a general rule, we suggest that any security related restriction in the extension would be excluded from force-installed extensions, or at least there would be a discussion about it.
More specifically, our ask is to allow us to load remotely hosted code into a website's page when using force-installed extensions. We believe this has much use in enterprise use cases.
The text was updated successfully, but these errors were encountered: