Chrome Extensions – Secure and Streamlined Development with Manifest V3


Chrome Extensions – Transitioning to Manifest V3

The default content security policy (CSP) for Extensions prevents extensions from loading code from the web at large. This helps to ensure that the runtime resources loaded by an Extension are exactly those you expect and prevents active network attackers from using man-in-the-middle attacks to compromise your Extension.

Manifest V3 removes support for modifying network requests and replaces it with the declarativeNetRequest API. This makes extensions safer and reduces performance degradation.


A Content Security Policy (CSP) directive that specifies the locations from which external scripts and other resources should be loaded. It is a fallback for some of the other fetch directives such as iframe-src, media-src, and font-src. It also applies to browser mechanisms like XMLHttpRequest, WebSocket, fetch(), and a ping>.

This directive controls the valid sources for object> and embed> elements, which allow plugin features like Flash and Java. These tags aren’t widely used in modern websites, but they remain a popular attack vector.

Other CSP policies are available to control how a webpage or an Extension loads other types of resources. The declarativeNetRequest API in Manifest V3 makes this process relatively straightforward. However, designing and implementing a user interface to manage header modifications, storing configurations, and adding URL conditions requires significant design effort and consideration. This is particularly true for Extensions that modify host permissions, as described below.

Extension pages

As the Chrome extension development community transitions to Manifest V3, Google has announced a phase-out of extensions that don’t meet new standards by 2023. This will include removing them from the Chrome Web Store. To help developers make the transition, BinaryFolks has put together a list of key changes that need to be made.

Among the most significant changes is unifying the browser_action and page_action APIs into the action API. This means that any content scripts that depend on these APIs will need to be moved into the service worker execution context. In addition, it is important to remove any references to the browser_style parameter from your manifest.

One of the major issues with previous extension architecture is that it allowed extensions to modify browser configuration, leading to a decline in security standards. Manifest V3 aims to address these concerns by restricting the sources that can load code and disallowing potentially unsafe practices such as eval().

Sandbox pages

When an extension is uninstalled, all data it has changed should remain unchanged. This includes cookies and other information that may influence how sites operate. It also includes changes to the cache, service workers installed on sites, and proxy settings. In addition, all data exfiltrated by the extension should be deleted from remote servers. Extensions that do not follow these guidelines are considered a security vulnerability and will be reported to Google.

Sandbox pages are a great place to practice coding and experiment with new ideas. They are automatically protected from being edited by other users, and are the best way to learn how to work with wikitext and code material. Once you have a Sandbox page, you can start adding content to it.

If you are planning on migrating to Manifest V3, you should begin by updating the following four key areas. This will help you get on the right track for the migration.

Security policy

Using a security policy is a good way to reduce the risks of XSS attacks. Security policies set limits on what types of content are allowed to be loaded into a page, such as JavaScript. This helps prevent code injections, which are one of OWASP’s top 10 web application security risks. In addition, a security policy can also be used to enforce HTTP Strict-Transport-Security and protect against packet sniffing.

Manifest V3 introduces security rules that require extensions to declare all of the code they will execute, which Google can scan and assess for risk. This is important because Google can flag extensions that do not follow these rules and remove them from the Chrome Store.

The default security policy in Manifest V3 is restrictive and restricts the sources from which Extensions can load content scripts (script> elements), and disallows unsafe practices, such as the use of eval(). However, it does not apply to sandboxed Extension pages or background workers.

Zoom back to the home screen

Leave a Reply

Your email address will not be published. Required fields are marked *

Ashley M. Arwood 

Ashley M. Arwood is a remarkable figure in the tech industry, a passionate advocate for innovation and equality. With a diverse background that blends technology, social justice, and entrepreneurship, Ashley has made a significant impact on the way we perceive and interact with the ever-evolving digital world. Her journey is not just one of professional success but a testament to the power of tenacity, creativity, and the unwavering commitment to making the tech world a more equitable place.