
Wasn’t manifest v3 supposed to prevent dynamically loaded code? As the article says these extensions are featured but (I think) the latest update to v3 says: “In January 2023, use of Manifest V3 will become a prerequisite for the Featured badge in the Chrome Web Store.”

https://chromeos.dev/en/posts/manifest-v-3-migration-timelin...




No. Manifest v3's main role was to cripple ad blockers... hence you're now seeing YouTube experiment with "anti-ad-blocker" popups warning users they wouldn't be able to see the site.

They know they got people by the balls after they rolled out v3 earlier this year.


Note: I am the author of this article.

Migration to Manifest V3 has been postponed, all these extensions (like most extensions in Chrome Web Store) are using Manifest V2.

Note that the changes in Manifest V3 are meant to prevent security vulnerabilities. Outright malicious extensions will always find a way.


As I said, outright malicious extensions will always find a way. I now discovered a newer variant of these extensions, this time using Manifest V3. And they still run arbitrary code: https://palant.info/2023/06/02/how-malicious-extensions-hide...


Google announced on December 9 that this timeline was paused: https://groups.google.com/a/chromium.org/g/chromium-extensio...


Yes, dynamic code is all outlawed.

Disclaimer, I filed this issue. https://github.com/w3c/webextensions/issues/139


Thing is, you can't load JavaScript code... But you can easily write a mini virtual machine to run any code you download from the web. And due to JavaScript's introspection abilities, that VM can (if the developer wishes) do anything.

The simplest JavaScript bytecode interpreter is probably only a few hundred bytes, which is easy to hide in a big extension.


Those sidesteppings are outlawed by the Chrome Web Store policies.

There are JS-in-JS interpreters out there. They're just not allowed. https://github.com/jterrace/js.js/ https://github.com/marten-de-vries/evaljs



