We've just been hit with a Google Chrome Web Store rejection:
Violation: Including remotely hosted code in a Manifest V3 item.
Violating content:
Code snippet: static/background/index.js: https://apis.google.com/js/api.js?onload=, https://www.google.com/recaptcha/enterprise.js?render=
This is because Google's Firebase library dynamically loads Google's Recaptcha library here: https://github.com/firebase/firebase-js-sdk/blob/9ea0e3b4702ef50789d2cacc839673b968ca1f42/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts#L138
When you install the library, it's then compiled into firebase-auth.js, which then gets compiled into your own app in a more obfuscated way.
In a perfect world, what I'd like to do is something like:

    import * as firebaseauth from "firebase/firebase-auth"
    firebaseauth._loadJS = function( ) {
        return new Promise((resolve, reject) => {
            reject("No dynamic loading of JS allowed");
        });
    }

At a pre-compile admin/root step of the compilation. At the moment, there are a few text replace options: manually, after we install the library; with another tool like https://github.com/ds300/patch-package after we install the library; or manually, after compilation, which we can do, but I ask for a hopefully more sensible way to do this.
This change has also just come onto the web store very recently, so others could well be hit with a similar issue, and also be looking for an alternate solution to this.
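
Whichever replacement route is used, a build-time check can confirm that the compiled bundle no longer contains the kind of URL the review flagged. The following is an added example, not part of the original post or of the Firebase SDK; the function names and the sample bundle text are constructed for illustration.

```javascript
// Added example: flag remotely hosted script URLs in a built MV3 bundle.
// findRemoteScriptUrls / checkBundle are hypothetical helper names.

// Matches http(s) URLs in bundle text, stopping at quotes and whitespace.
const URL_RE = /https?:\/\/[^\s"'`)<>\\]+/g;

// A URL counts as a remote script reference when its path ends in
// .js or .mjs (query string ignored). Plain API endpoints are skipped.
function isScriptUrl(url) {
  try {
    return /\.m?js$/i.test(new URL(url).pathname);
  } catch {
    return false; // not a parseable URL, ignore
  }
}

// Returns [{ url, line, column }] for each remote script URL in `source`.
function findRemoteScriptUrls(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(URL_RE)) {
      if (isScriptUrl(m[0])) {
        findings.push({ url: m[0], line: i + 1, column: m.index + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample resembling a minified background bundle.
const SAMPLE_BUNDLE = [
  'const a="https://identitytoolkit.googleapis.com/v1/accounts";',
  'function g(){return l("https://apis.google.com/js/api.js?onload="+cb)}',
  'const r="https://www.google.com/recaptcha/enterprise.js?render=";',
].join("\n");

// Build gate: logs each finding, returns true only for a clean bundle.
function checkBundle(source, log = console.error) {
  const findings = findRemoteScriptUrls(source);
  for (const f of findings) {
    log(`remote script URL at ${f.line}:${f.column}: ${f.url}`);
  }
  return findings.length === 0;
}

checkBundle(SAMPLE_BUNDLE);
```

The scan only sees URLs that survive as literal strings in the output, so it complements a manual read of the bundle and does not replace one.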