Chrome Extensions – Transitioning to Manifest V3
The default content security policy (CSP) for Extensions prevents extensions from loading code from the web at large. This helps to ensure that the runtime resources loaded by an Extension are exactly those you expect and prevents active network attackers from using man-in-the-middle attacks to compromise your Extension.
Manifest V3 removes support for modifying network requests and replaces it with the declarativeNetRequest API. This makes extensions safer and reduces performance degradation.
A Content Security Policy (CSP) directive that specifies the locations from which external scripts and other resources should be loaded. It is a fallback for some of the other fetch directives such as frame-src, media-src, and font-src. It also applies to browser mechanisms like XMLHttpRequest, WebSocket, fetch(), and
This directive controls the valid sources for
Other CSP policies are available to control how a webpage or an Extension loads other types of resources. The declarativeNetRequest API in Manifest V3 makes this process relatively straightforward. However, designing and implementing a user interface to manage header modifications, storing configurations, and adding URL conditions requires significant design effort and consideration. This is particularly true for Extensions that modify host permissions, as described below.
As the Chrome extension development community transitions to Manifest V3, Google has announced a phase-out of extensions that don’t meet new standards by 2023. This will include removing them from the Chrome Web Store. To help developers make the transition, BinaryFolks has put together a list of key changes that need to be made.
Among the most significant changes is unifying the browser_action and page_action APIs into the action API. This means that any content scripts that depend on these APIs will need to be moved into the service worker execution context. In addition, it is important to remove any references to the browser_style parameter from your manifest.
One of the major issues with previous extension architecture is that it allowed extensions to modify browser configuration, leading to a decline in security standards. Manifest V3 aims to address these concerns by restricting the sources that can load code and disallowing potentially unsafe practices such as eval().
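As an added example (not code from the original article or from Chrome), the following Node.js script audits a manifest for the points above: the manifest version, the legacy browser_action and page_action keys, and a script-src that allows 'unsafe-eval' or code from outside the package. The names auditManifest and scriptSources and both sample manifests are constructed for illustration, and the script assumes that any unquoted source expression counts as remote.

```javascript
// Added example: audits a manifest.json for the MV3 points discussed above.
// auditManifest, scriptSources and both sample manifests are constructed here.

// Return the source list that governs scripts: script-src, else default-src.
function scriptSources(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // CSP keeps the first occurrence of a duplicated directive.
    if (key && !(key in directives)) directives[key] = values;
  }
  return directives['script-src'] || directives['default-src'] || [];
}

function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) findings.push('manifest_version is not 3');
  for (const key of ['browser_action', 'page_action']) {
    if (key in manifest) findings.push(`${key} must be replaced by "action"`);
  }
  const csp = manifest.content_security_policy;
  // MV2 used a string; MV3 uses an object with an extension_pages key.
  if (typeof csp === 'string') findings.push('content_security_policy is an MV2-style string');
  const policy = typeof csp === 'string' ? csp : (csp && csp.extension_pages) || '';
  // Assumption: any unquoted source (host or scheme) means code from outside the package.
  for (const src of scriptSources(policy)) {
    if (src.toLowerCase() === "'unsafe-eval'") findings.push("script-src allows 'unsafe-eval'");
    else if (!src.startsWith("'")) findings.push(`script-src allows remote source ${src}`);
  }
  return findings;
}

// Constructed sample input: an MV2-style manifest and its migrated form.
const legacyManifest = {
  manifest_version: 2,
  name: 'Sample (constructed)',
  browser_action: { default_popup: 'popup.html' },
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
const migratedManifest = {
  manifest_version: 3,
  name: 'Sample (constructed)',
  action: { default_popup: 'popup.html' },
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

console.log(auditManifest(legacyManifest));
console.log(auditManifest(migratedManifest));
```

Running such a check in CI before packaging catches a manifest that still carries MV2 keys or a relaxed script policy.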
When an extension is uninstalled, all data it has changed should remain unchanged. This includes cookies and other information that may influence how sites operate. It also includes changes to the cache, service workers installed on sites, and proxy settings. In addition, all data exfiltrated by the extension should be deleted from remote servers. Extensions that do not follow these guidelines are considered a security vulnerability and will be reported to Google.
Sandbox pages are a great place to practice coding and experiment with new ideas. They are automatically protected from being edited by other users, and are the best way to learn how to work with wikitext and code material. Once you have a Sandbox page, you can start adding content to it.
If you are planning on migrating to Manifest V3, you should begin by updating the following four key areas. This will help you get on the right track for the migration.
Manifest V3 introduces security rules that require extensions to declare all of the code they will execute, which Google can scan and assess for risk. This is important because Google can flag extensions that do not follow these rules and remove them from the Chrome Store.
The default security policy in Manifest V3 is restrictive: it limits the sources from which Extensions can load content scripts (