An Open Letter to the Chromium Team About Their Proposed Changes to the WebExtension Standard

Dan Finlay
Feb 11 · 2 min read

I’m Dan Finlay, a lead developer at MetaMask. We’re a chrome extension crypto wallet and account manager with about a million active installs.

I’m writing to raise a concern with Chromium Issue 896897, Implement Manifest v3 for Chromium extensions. I commented there, but I am re-publishing here for the sake of more easily linking to our specific concerns (especially since there are so many concerns being expressed regarding those changes).

We would like the v3 manifest format to not be pushed to production in its current form until support for the FrozenRealms specification has been included, or at least iFrame API support is kept in the background script context, allowing extensions to run foreign scripts in an isolated environment.

Most of the WebExtensions representing this perspective are plugin systems like GreaseMonkey, which increase security by limiting its extensions’ access to the DOM. In addition to plugin systems, I’d like to share another security concern related to these changes.

We have been working on using Agoric’s SES (Secure EcmaScript) to better isolate our dependencies, to reduce the risk of dependency-based thefts like the CoPay Dash event-stream hack, as suggested by Zooko Wilcox. SES was derived from Google’s own Caja project.

Currently Agoric’s SES relies on a polyfill of the Realms API that relies on the iFrame API, which is not available in ServiceWorkers at this time, which the proposed manifest v3 currently requires all background scripts to be.

All we really need is the FrozenRealms API, since it’s the simplest way to truly isolate foreign code in a secure way, but keeping iFrame support would at least let us continue using the SES Realms polyfill.

Our background script must handle user keys which manage cryptocurrency accounts, often the most security sensitive bits of data on the user’s entire computer, so it should be understandable that we care very much about the security available to the background script in particular.

Thanks for your time,

Dan Finlay and Aaron Davis,
MetaMask

MetaMask

MetaMask is a bridge that allows you to visit the distributed web of tomorrow in your browser today. It allows you to run Ethereum dApps right in your browser without running a full Ethereum node.

Dan Finlay

Written by

Decentralized web developer at ConsenSys working on MetaMask, with a background in comedy, writing, and teaching.

MetaMask

MetaMask

MetaMask is a bridge that allows you to visit the distributed web of tomorrow in your browser today. It allows you to run Ethereum dApps right in your browser without running a full Ethereum node.