-
Notifications
You must be signed in to change notification settings - Fork 428
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Chrome] Switch to manifest v3 #644
Comments
Cc: @JasonBarnabe , @sizzlemctwizzle Depending on how this rolls out this might affect other public sites such as OUJS, GF and even GH. I'm certainly not going to pay goo for anything for a possible, and probable, monopolistic practice. |
At first glance, TM or other userscript managers don't seem to be endangered by the APIv3 proposal. There is even an upside - the dynamic registration of content scripts (hopefully similar to Firefox). In the worst case some hacks like CSP header patching might become impossible though. |
I'm not that sure. Devlin wrote
...and he wrote that to me while we discussed the Opera issue. It depends on how deep the security review should be. Userscripts of course can be a security threat and it's simply not possible to meet this criteria:
|
Ah, the good old detached-from-reality-Devlin, one should love the man's idealistic world view... Could you suggest they implement a userscript sandbox API that was present in the old Firefox and is about to be restored in WebExtensions? |
No, we focused on the Opera issue. |
and so https://blog.chromium.org/2020/12/manifest-v3-now-available-on-m88-beta.html V3 is upon us.
is essential to tampermonkey functionality? |
There's much more missing in ManifestV3. The CSP patching problem isn't essential. The much bigger problem is the very ability to inject user code which is ostensibly forbidden by ManifestV3 completely, and this wasn't still clarified by anyone on chromium team. |
I'm in contact with the Chrome developers. Extensions like Tampermonkey will work in MV3, but some additional user action is required for it to work. I don't have any further details on this at the moment. |
after further looking around it seems CSP header injection/modification is working now https://bugs.chromium.org/p/chromium/issues/detail?id=1116487 |
Any news if tampermonkey will work with the chrome manifest v3 ? |
I do not want to sound like a broken record, but it would be great if we can get some details about the "MV3" solution. |
No news yet. https://groups.google.com/a/chromium.org/g/chromium-extensions/c/lSDCHnVpm6I/m/fvAP8eTMAAAJ |
But afaik we dont need arbitrary remote code execution. Is google trying to prevent user defined local code execution? |
Any userscript is the "remote code" because it's not shipped within the extension. |
Those are dangerous semantics. Its remote to Google who wants to control the Browser. Its not remote to the user and his own computer. Lets be clear here, Google is trying to mold User Browser into a closed ecosystem app similar to Apples. Google will successfully argue remote code is dangerous, 3vil haxors from africa injecting malicious scripts etc. We need to be vocal about not wanting "remote code execution" in V3, we want User Defined local code execution. |
It's not really semantics but rather a poor choice of words which were probably coined by C++ programmers who implement the API internals: |
Horrible suggestion (for horrible times) but perhaps we could embed evaljs or Wizer's WASM Spidermonkey to interpret JS. That would let us run dynamic JS again. The next challenge is figuring out how to inject the functions/objects we expect to have access to from Tampermonkey. |
I'd strongly recommend against this path as it's a clear violation of the the Additional Requirements for Manifest V3 section of the Chrome Web Store's Developer Program Policies.
Since I've seen some confusion here and elsewhere, I want to quickly reaffirm that the Chrome team is still planning to support power user tools that inject user-written scripts or styles in Maniest V3, but we have not yet begun implementation work. I expect we're likely still a few months out on this. @derjanb, I also expect I'll be following up with you when we have a more substantial update. |
@dotproto Thanks for clarifying.
That's great. Some substantial changes to Tampermonkey will be necessary. So I like to use whatever lead time I can get so that the Manifest v3 version will be stable within the schedule. At the moment I can't really tackle the migration because important features like this are missing. |
I came to the Tampermonkey repo in hopes of seeing a thread like this. I don't mean to go too off-topic, but I do have concerns of my own Chrome extension, which injects multiple scripts into a website it's dedicated to. PS: Terribly sorry that this isn't on-topic, but you guys are definitely experts in JS script injecting :) |
If I remember right, it should inject scripts to the page context for manifest v3 and even without bothering CSP: const script = document.createElement("script");
script.src = chrome.runtime.getURL('script-to-inject.js');
(document.head || document.documentElement).append(script); manifest.json "web_accessible_resources": [{
"resources": ["script-to-inject.js"],
"matches": ["*://example.com/*"]
}] Likely I got it from this answer. |
|
issues with requiring local scripts |
Oh no! That was the only way I could use an actual frickin' full fledged code editor with all my local creature comforts, AND manage local dependencies! It would absolutely suck if we weren't able to use I guess we can host them on a local server via localhost, but that feels yucky. Does anyone have alternative solutions? |
When V3 is supported, can you change the editor to Monaco Editor? |
Yo, smart But my workaround was to just download and install old tampermonkey for manifest v2 cuz screw migrating |
It's done. 🥳 There now is a manifest v3 based extension version available. In order to test this new build, please download Tampermonkey 5.2.6195 from the link below (right-click and "Save link as") and drag and drop the extension crx to
Please report any issues that you find. Thanks! 🙏 https://data.tampermonkey.net/tampermonkey_beta_5_2_6195.crx |
So in the end there are no issues with regexp as previously feared?
Just fully compatible with existing scripts except for If so, that's excellent news! |
There are issues of course because the API doesn't implement regexp, so we have to do it ourselves wastefully injecting the code of userscripts at document_start into all sites and then checking all those potentially complex regexps manually in every page and frame or doing it in the background script and thus delaying document_start. Also, the users must have I haven't looked into it yet, but there should be more issues:
|
@tophf So you don't know, but giving an answer to a question to someone else can't hurt? 🤪
I found a solution to this problem by using
Was never a problem in split mode.
No problem in "UserScripts API" mode and solved to my satisfaction in "UserScripts API Dynamic" mode. Your GM_getValues approach will ease the pain further. |
@JasonBarnabe: @tophf Is partially right here, but from a user's point of view it always just works. In "UserScripts API Dynamic" mode, scripts that are using a regexp are injected into every tab/frame and a warning message about that fact is logged. For small scripts, however, this might be acceptable and it allows trouble-free migration to non-regexp |
Apparently you mean using
I see, thanks.
If it allows the synchronous GM_getValue at real document_start, it'll still have the problem I described. It's not critical though. |
So after an investigation I confirmed MV3 TM beta was forced to break GM_xmlhttpRequest's onprogress callback: now it's called just once at the end because |
So now you just have to wait until Google changes its mind that scripts will be able to be updated without confirmation by webstore developers. |
Please open "chrome://extensions/", enable "Developer Mode" and press "Update" at the top. Tampermonkey should then update to a MV3 version. |
I'm sorry for being off-topic, but I have 2 replies:
@BlackGlory You're a prophet!
LB seems promising! But we need W3C or WHATWG to publish an RFC for vendor-neutral extensions. That way, any "real" browser must support the standard. Any browser that doesn't support it, should be publicly ridiculed and shamed (like people did to IE). Otherwise, Google will continue "boiling the frog" |
Done. Tampermonkey stable now is MV3 (at the Chrome Web Store, others to follow soon...) |
Draft: https://docs.google.com/document/d/1nPu6Wy4LWR66EFLeYInl3NzzhHzc-qnk4w4PX-0XMw8/edit#
Discussion: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/hQeJzPbG-js
The text was updated successfully, but these errors were encountered: