You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PR #9 and its successor PR #18 introduce a native-host/ directory with a Python HTTP+WebSocket trigger server. The code review in PR #9 identified several Chrome Web Store compliance risks that remain unresolved in PR #18.
Not using Chrome Native Messaging: The extension connects via raw new WebSocket('ws://127.0.0.1:19998') instead of chrome.runtime.connectNative(). The nativeMessaging permission is not declared in manifest.template.json.
Missing host permission: ws://127.0.0.1:* is not in host_permissions, so the WebSocket connection may silently fail in production or be flagged by CWS reviewers.
MV3 service worker lifecycle conflict: setInterval keepalive (30s) and reconnect loop (5s) work against MV3's design where service workers should go idle. Reviewers may flag this.
Chromium Private Network Access (PNA): Connecting to localhost from a service worker faces increasing scrutiny under PNA policies.
PR #18 removed the dead native messaging files (install.sh, install.ps1, com.numbersprotocol.proofsnap.json) and fixed CORS wildcard + auto pip install issues, but the core WebSocket architecture concern remains.
Proposed Approach
Before merging PR #18, the team should decide on one of:
Use Chrome Native Messaging properly: Declare nativeMessaging permission, use chrome.runtime.connectNative(), communicate via stdio.
Ship native-host separately: Companion webpage approach via chrome.runtime.sendMessage().
Problem
PR #9 and its successor PR #18 introduce a
native-host/directory with a Python HTTP+WebSocket trigger server. The code review in PR #9 identified several Chrome Web Store compliance risks that remain unresolved in PR #18.Evidence (from PR #9 code review, conversation bf08ad18)
new WebSocket('ws://127.0.0.1:19998')instead ofchrome.runtime.connectNative(). ThenativeMessagingpermission is not declared inmanifest.template.json.ws://127.0.0.1:*is not inhost_permissions, so the WebSocket connection may silently fail in production or be flagged by CWS reviewers.setIntervalkeepalive (30s) and reconnect loop (5s) work against MV3's design where service workers should go idle. Reviewers may flag this.PR #18 removed the dead native messaging files (
install.sh,install.ps1,com.numbersprotocol.proofsnap.json) and fixed CORS wildcard + auto pip install issues, but the core WebSocket architecture concern remains.Proposed Approach
Before merging PR #18, the team should decide on one of:
nativeMessagingpermission, usechrome.runtime.connectNative(), communicate via stdio.chrome.runtime.sendMessage().Reference
Generated by NREM Mode with Omni