Tampermonkey: [Chrome] Manifest V3: examine the effects

Created on 27 Jan 2019  Â·  9Comments  Â·  Source: Tampermonkey/tampermonkey

Most helpful comment

I'm in contact with the Chrome developers. Extensions like Tampermonkey will work in MV3, but some additional user action is required for it to work. I don't have any further details on this at the moment.

All 9 comments

Cc: @jasonbarnabe , @sizzlemctwizzle

Depending on how this rolls out this might affect other public sites such as OUJS, GF and even GH. I'm certainly not going to pay goo for anything for a possible, and probable, monopolistic practice.

At first glance, TM or other userscript managers don't seem to be endangered by the APIv3 proposal. There is even an upside - the dynamic registration of content scripts (hopefully similar to Firefox). In the worst case some hacks like CSP header patching might become impossible though.

I'm not that sure. Devlin wrote

Note that we will be limiting remotely-hosted/arbitrary code execution in all contexts. The goal is that we should be able to perform an in-depth security review of an extension and be confident in what it does and whether it poses a security or privacy risk to users (which is possible through web page contexts, as well).

...and he wrote that to me while we discussed the Opera issue. It depends on how deep the security review should be. Userscripts of course can be a security threat and it's simply not possible to meet this criteria:

This will require that all code executed by the extension be present in the extension’s package uploaded to the webstore. ↗

Ah, the good old detached-from-reality-Devlin, one should love the man's idealistic world view... Could you suggest they implement a userscript sandbox API that was present in the old Firefox and is about to be restored in WebExtensions?

Could you suggest they implement a userscript sandbox API that was present in the old Firefox and is about to be restored in WebExtensions?

No, we focused on the Opera issue.

and so https://blog.chromium.org/2020/12/manifest-v3-now-available-on-m88-beta.html V3 is upon us.

some hacks like CSP header patching

is essential to tampermonkey functionality?

There's much more missing in ManifestV3. The CSP patching problem isn't essential. The much bigger problem is the very ability to inject user code which is ostensibly forbidden by ManifestV3 completely, and this wasn't still clarified by anyone on chromium team.

I'm in contact with the Chrome developers. Extensions like Tampermonkey will work in MV3, but some additional user action is required for it to work. I don't have any further details on this at the moment.

The CSP patching problem isn't essential.

after further looking around it seems CSP header injection/modification is working now https://bugs.chromium.org/p/chromium/issues/detail?id=1116487

Was this page helpful?
0 / 5 - 0 ratings