Chrome Manifest V3 will affect the TamperMonkey extension

by ·

In the Google Groups post, the author of the TamperMonkey extension, Jan Biniok said that if the Chrome Manifest V3 version is implemented, TamperMonkey will be severely affected. Tampermonkey makes it very easy to manage your userscripts and provides features like a clear overview over the running scripts, a built-in editor, ZIP-based import and export, automatic update checks and browser and cloud storage based synchronization.

What features and permissions are available for Chrome Extensions managed by Chrome Manifest V2. The forthcoming V3 release imposes new restrictions on extended execution permissions, and if the limit is in effect, some extensions will no longer be useful, such as the uBlock ad blocking extension.

The V3 release also recommends blocking extensions from using remotely hosted scripts. This is done to enhance security and protect users from malware, which typically imports external scripts. Doing so also allows Google to better review extensions.

In an article in the Chromium Extensions group, TamperMonkey developer Jan Biniok said that this change would affect his extensions from working properly because loading remote scripts are part of the plugin’s core functionality.

Hi Chromium developers, Hi Devlin

I’m the Tampermonkey developer and I have not studied all the planned changes in detail yet, but this is the one that worries me most. 

> Beginning in Manifest V3, we will disallow extensions from using remotely-hosted code.  This will require that all code executed by the extension be present in the extension’s package uploaded to the webstore.  Server communication (potentially changing extension behavior) will still be allowed.  This will help us better review the extensions uploaded, and keep our users safe.  We will leverage a minimum required CSP to help enforce this (though it will not be 100% unpreventable, and we will require policy and manual review enforcement as well).

While the text above might be interpreted in a way that an extension like Tampermonkey can continue to exist, I got the following explanation from Devlin in an email:
> Note that we will be limiting remotely-hosted/arbitrary code execution in all contexts.  The goal is that we should be able to perform an in-depth security review of an extension and be confident in what it does and whether it poses a security or privacy risk to users (which is possible through web page contexts, as well).  But let’s move this conversation to another thread. 🙂
I understand the need for security, but this means that V3 P1, in the way it’s currently planned, will stop Tampermonkey from working entirely, because arbitrary code execution is Tampermonkey’s main functionality. Every little userscript would then have to become an own extension. Anyone who wants to do that has to pay $5 to be able to publish an extension. There are so many use cases for userscripts so I hope that this planned change is reconsidered. 
One possibility would be e.g. a new permission that relaxes this constraint and allows remote code execution again. All extensions with this permission could then be provided with a special warning and be examined more intensively. What do you think?
I’ve been working on Tampermonkey since Chrome version 4 or 5 and I could not live without it anymore. 🙂
Thanks,
Jan

With over 400,000 scripts and over 10 million users, TamperMonkey is a very popular extension. Since Google recognizes that using remotely hosted scripts may be abused, Jan Biniok requests new permissions to avoid the impact on the extension and hopes to have a more rigorous review of extensions with this privilege and when installing the extension The user issues a warning.

Tags: