Does Manifest v3 make client-side code impossible to truly protect?

I'm working on a paid subscription-based Chrome extension that uses client-side code to help businesses automate a task. However, I'm wondering if it is actually not possible to fully protect my code behind a payment with the payments API being deprecated and remote code not being possible to execute. Those two paired together to me means that:

1. there is nothing preventing a user from installing the Chrome extension before first paying
2. all of that client-side code must be available to the user at the time of installation.

Am I missing something or did Google just decide to give the finger to anyone looking to profit from their hard work that makes Google's platform more valuable?

1 thought on “Does Manifest v3 make client-side code impossible to truly protect?”

  1. So if you want to release your extension on the Chrome Web Store, that means the full source code is available to anyone that wants to see it.

    You have a few options if you want a user to pay before they see certain functionality.

    1. Don’t release on the Chrome Web Store. This stinks because I believe it means that users (especially Chrome users) have to install the extension manually which is a tedious process. But it also means you can require payment before they have access to the extension / source code. Not a very good option from the usability perspective, in my opinion.
    2. Keep the user’s paid state client-side in localStorage or chrome.storage. Without a server, this is the only way to keep track of paid state. But if a user can flip a variable in localStorage or `chrome.storage` then that makes it a lot easier to fake having a paid account. Of course, a user can always download the source code, modify it to suit their needs, and install the extension manually. I’ve never actually heard of anyone doing this though — it would require a lot of code knowledge. Maybe unethical competitors would try this but you can get Google to take them down.
    3. Keep functionality behind a server API call and/or require the user to have an account. This means a user has to pay before an API will give them access to certain information.

    But personally I don’t worry much about anyone bypassing the payment system — most users won’t try to hack your system and the ones that do will likely be deterred with minimal precautions. That’s the advice given in the [Mozilla extensions workshop](https://extensionworkshop.com/documentation/publish/make-money-from-browser-extensions/).

    I made and use [**ExtensionPay**](https://extensionpay.com) in my own extensions which makes it really easy to take secure payments. It uses a server API so it can’t be hacked, is open-source, and works across all browsers, not just Chrome.

