Passbolt browser extension migration to Manifest V3

Benjamin

24 May, 2024

Introduction

The Passbolt browser extension is essential for more than 300,000 users daily, providing secure access to their credentials and passwords. It guarantees end-to-end encryption (E2EE) by securely storing the user's secret key and performing cryptographic tasks, from handling the authentication challenges to the encryption of users' credentials and passwords. 

In November 2018, Google proposed Manifest V3, marking the start of significant changes for extension providers and the community. Since then, the impacts have been unfolding, leading up to the official shift from MV2 to MV3 on Google Chrome in June 2024.

Understanding Manifest V3

For a browser extension, the manifest is like a passport: it describes the extension's identity, permissions, and purpose, giving browsers and users a high-level understanding of what the extension needs in order to operate. Manifest V3 is the latest version, introduced by Google to strengthen security and improve the resource consumption of the extensions running in the browser.

Key changes include replacing long-lived background pages with service workers, which run only when needed and are stopped when long-running processes slow down the browser. In this sense, Manifest V3, as implemented by Google, has taken a strong stand to keep the main browsing process undisrupted by vendors.

Manifest V3 also introduces a stricter permissions model and disallows the use of remotely hosted code, ensuring that all code is reviewed and contained within the extension package. The Passbolt browser extension has enforced this rule since the very beginning, so that even if the API were to be compromised, the browser extension would act as an independent layer of security, protecting users' confidentiality.

Last but not least, this manifest replaces the blocking webRequest API with the declarativeNetRequest API. While passbolt did not use the blocking webRequest API, it is important to note that it was widely used by ad blockers, and its replacement is considered the most controversial change of all.

The community's migration journey

More than 150,000 browser extensions needed to be migrated to the new manifest, a task that was far from easy. On one hand, Google needed to convince the community to adopt this newly introduced version, which imposes more constraints while aiming to achieve the same functionality. On the other hand, the promise of MV3 was not complete, and many APIs were still unavailable to the service worker at the beginning.

This situation led to the formation of the Web Extensions Community Group (WECG) within the W3C. This group, involving key players like Mozilla, Google, Apple, and Microsoft, as well as representative extension providers, helps define standards and gather diverse perspectives. The group gathered at regular intervals to discuss community needs and was instrumental in making MV3 fit for production. If you want to know more about it, the transcripts of all the meetings are available online to the community: https://github.com/w3c/webextensions/tree/main/_minutes

As we approach the deprecation of MV2 in June 2024, much progress has been made since the initial announcement. We’ve seen the appearance of some APIs, such as session storage and offscreen, that help developers support use cases not compatible with the initial version of the manifest and now ease the transition. The new manifest seems stable, and while not all browsers are ready to roll it out, Google is on the verge of making it a reality.

[Figure: Manifest V3 migration timeline]

Impact on passbolt users

Passbolt users should not notice any changes with the migration to Manifest V3, which in itself is a measure of success. Maintaining the same set of functionalities under the new, more constrained environment signifies a successful transition.

As an indirect addition, passbolt users should benefit from the enhanced security introduced by Manifest V3. While the risk of your password manager extension being breached by another browser extension still exists, the newly added security measures reduce this risk, particularly by preventing the execution of remote code by browser extensions. This security measure has been enforced by the Passbolt browser extension since the very beginning, but not by all extensions.

Moreover, as the browser implements new rules on the lifecycle of browser extensions, reclaiming resources that are either not used or consume too much, you should notice a better overall experience with faster loading times and improved performance, especially if you have heavy usage of browser extensions.

From Manifest V2 to Manifest V3

Technical challenges

While this migration has had almost no impact on the Passbolt user journeys, it had major repercussions on the codebase.

As mentioned earlier, one key change was the migration from a long-lived background page to an on-demand service worker. It is like migrating from a stateful to a stateless framework: every process that relied on runtime memory has to be rethought, taking into consideration that the application could nap at any moment.

Previously, the runtime memory was used to store the state of the different applications launched by the background page. While there was only one background page, multiple applications were launched to answer the different user journeys, such as authentication, the authenticated application, or the quickaccess. All these applications run in a specific context and are authorized to access a limited subset of the passbolt functionalities, safeguarded by the background page. For instance, for security reasons it shouldn’t be possible to access authenticated functionalities from the sign-in screen.

Now imagine that the context holding the information necessary to run all these applications can be destroyed any time the service worker is shut down. This posed an interesting challenge that required rethinking how the information would be stored to guarantee its integrity as well as offer the same level of confidentiality. This issue could only be solved after May 2022, with the introduction of session storage, the only memory that persists as long as the browser is not stopped and that, by default, can be accessed only by the service worker.
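
The difference between state kept in runtime memory and state kept in session storage can be simulated outside the browser. The sketch below is an example added here, not code from the Passbolt extension: `sessionArea` is a constructed stand-in that mimics the `get`/`set` shape of `chrome.storage.session` so the code runs in Node, and the context names, action names and port identifiers are hypothetical.

```javascript
// Stand-in for chrome.storage.session so the example runs in Node (constructed).
// `backing` plays the browser session: it outlives any single service worker.
const backing = new Map();
const sessionArea = {
  async get(key) { return backing.has(key) ? { [key]: backing.get(key) } : {}; },
  async set(items) { for (const [k, v] of Object.entries(items)) backing.set(k, v); },
};

// Hypothetical allow-list: actions each application context may request.
const ALLOWED = new Map([
  ["sign-in", new Set(["auth.login"])],
  ["app", new Set(["auth.logout", "secret.decrypt"])],
]);

// Each call models one service worker start: `memory` begins empty every time.
function startWorker(storage) {
  const memory = new Map(); // MV2-style runtime state, gone when the worker stops
  return {
    registerInMemory(portId, context) { memory.set(portId, context); },
    async register(portId, context) {
      if (!ALLOWED.has(context)) throw new Error("unknown context");
      await storage.set({ ["port:" + portId]: context }); // one key per port
    },
    async authorize(portId, action) {
      const key = "port:" + portId;
      const context = (await storage.get(key))[key] ?? memory.get(portId);
      return ALLOWED.get(context)?.has(action) === true; // fail closed
    },
  };
}

async function demo() {
  let worker = startWorker(sessionArea);
  worker.registerInMemory("tab-1", "app"); // kept in runtime memory only
  await worker.register("tab-2", "app");
  await worker.register("tab-3", "sign-in");

  worker = startWorker(sessionArea); // idle worker was stopped; a fresh one starts

  return {
    memoryOnly: await worker.authorize("tab-1", "secret.decrypt"),
    persisted: await worker.authorize("tab-2", "secret.decrypt"),
    signInScreen: await worker.authorize("tab-3", "secret.decrypt"),
    unknownPort: await worker.authorize("tab-9", "auth.login"),
  };
}

demo().then((result) => console.log(result));
```

After the simulated restart, only the port whose context was written to session storage is still authorized; the memory-only registration is lost and the request is refused rather than granted by default.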

Conclusion

The migration to Manifest V3 is expected to be smooth and transparent to end-users thanks to all the beta testers that helped us identify issues early on. We are incredibly grateful for their efforts and feedback in making this transition possible.

If, like them, you would like to help us with future improvements, you can install the Passbolt beta channel extension and start using upcoming features before they are publicly released. Despite the name, the beta channel is quite stable and used by dozens of people every day!
