Closed tiero closed 1 year ago
We have a kind of a pickle with manifest v3.
MV3 disallows certain CSP modifications for extension_pages that were permitted in MV2.
The script-src, object-src, and worker-src directives may only have the following values:
- self
- none
So, this needed to be changed:
"content_security_policy": {
- "extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'"
+ "extension_pages": "script-src 'self'; object-src 'self'"
},
But, by removing 'unsafe-eval' from CSP, this means our code can't have any of this:
eval()
Function() // typically new Function()
setTimeout() // with non-callable argument
setInterval() // with non-callable argument
setImmediate()
execScript()
While our code seems ok, some of the node modules we use do have this. For example, https://github.com/facebook/regenerator has this:
Function(...)
This means Chrome refuses to registrate the service worker (the new background script).
https://github.com/facebook/regenerator/issues/450
During our investigation, we also found that Taxi has the same problem, and that's to the fact it uses grpc-web which in turn uses protcolbuffers JS code generation:
https://github.com/shumbo/grpc-web-error-details/issues/3 protocolbuffers/protobuf-javascript#25
So, at the time, we are stucked.
Ideally we can migrate grpc-web to plain JSON over HTTP endpoint for Taxi API. Working on this server side as we speak cc/ @altafan
Great.
I was worried on loosing the information we already gathered so I write it down here. It's essentially a copy & paste with some editions from our Slack conversation.
grpc.liquid.taxi
exposes now a HTTP JSON interface
The proto defintion is here https://github.com/vulpemventures/taxi-protobuf/blob/master/taxi.proto#L8-L24
the two RPCs becomes
The Swagger JSON as well
We can now implement the REST interface and drop protobuf dependency.
We are going to deploy a testnet instance later today @altafan
The Taxi daemon on testnet is up&running. It's ready to serve topups paid with tUSDT and can be reached at https://grpc.liquid.taxi:18000
This Issue will be on hold, until we figure out a way to fix the following problems:
With Manifest v3 it is mandatory to use service workers instead of the background script. Workers no longer provide XMLHttpRequest, but instead support the more modern fetch(). Since axios uses XMLHttpRequest, it no longer works.
So, all axios calls must be changed to fetch, including all dependencies, and at least ldk is using axios.
Further investigation is needed to find out if any other dependencies are using axios.
in https://developer.chrome.com/docs/extensions/mv3/migrating_to_service_workers/
It seems that Chrome requires script-src: 'unsafe-eval' CSP directive to be active for WebAssembly compilation. But one of the conditions of Manifest v3 is the absence of this directive. So, we cannot have any modules on our dependencies using WebAssembly, but it seems liquid uses it.
Since we still have a full year where we can still use Manifest v2 (and make upgrades) we’re leaving this Issue on hold.
Manifest v3 timeline: https://adguard.com/en/blog/manifestv3-timeline.html
Discussion about wasm not working in extensions Manifest v3: https://bugs.chromium.org/p/chromium/issues/detail?id=1173354#c33
Lack of XMLHttpRequest https://developer.chrome.com/docs/extensions/mv3/migrating_to_service_workers/
https://developer.chrome.com/blog/mv2-transition/