Remote hosted code fix

Fix remotely hosted code issues in Manifest V3 extensions

Find remote script tags, importScripts calls, remote JavaScript imports, remote WebAssembly execution paths, and remote JS URL assignments.

Guide

What to check

What counts as remote hosted code risk

Remote JavaScript or WebAssembly that is loaded and executed by the extension is a high-risk pattern for Manifest V3 review. The fix is usually to bundle executable code into the submitted package.

What is usually safe

Remote API endpoints, image URLs, documentation links, and JSON data URLs are not automatically executable code. They should still be reviewed so executable code is not being fetched indirectly.

How to fix it

Replace CDN scripts, remote dynamic imports, remote importScripts calls, and remote WebAssembly execution paths with bundled files. Fetch remote services as data, then process that data with local code.

Checklist

Action checklist

  • Search extension HTML for remote script src values.
  • Search service workers and content scripts for importScripts with remote URLs.
  • Replace remote dynamic imports with bundled modules.
  • Bundle WebAssembly files when they are executable extension logic.
  • Keep remote API calls as data requests, not code loaders.
  • Rebuild and scan the final ZIP again.
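The search steps in this checklist, written as a small Node.js scanner. This is an added example, not the code of the scanning tool this page describes; the rule names, `scanSource`, `scanPackage` and the sample files are constructed for illustration. It is a line-based heuristic, so URLs assembled at runtime are not caught.

```javascript
// Heuristic rules for the remote-code patterns named in the checklist.
// Each rule matches a code loader pointed at an http(s) URL on one line.
const RULES = [
  { id: "remote-script-src", re: /<script\b[^>]*\bsrc\s*=\s*["']?https?:\/\//i },
  { id: "remote-importScripts", re: /\bimportScripts\s*\([^)]*["'`]https?:\/\//i },
  { id: "remote-dynamic-import", re: /\bimport\s*\(\s*["'`]https?:\/\//i },
  { id: "remote-static-import", re: /\b(?:from|import)\s+["']https?:\/\//i },
  { id: "remote-wasm",
    re: /WebAssembly\.(?:instantiate|compile)Streaming\s*\(\s*fetch\s*\(\s*["'`]https?:\/\//i },
];

// Scan one file's text; return one finding per (line, rule) match.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of RULES) {
      if (re.test(line)) findings.push({ file, line: i + 1, rule: id });
    }
  });
  return findings;
}

// Scan a map of { fileName: contents }, e.g. the unpacked release ZIP.
function scanPackage(files) {
  return Object.entries(files).flatMap(([name, text]) => scanSource(name, text));
}

// Constructed sample package: remote loaders mixed with safe local and data uses.
const SAMPLE = {
  "popup.html": [
    '<script src="https://cdn.example.com/widget.js"></script>', // flagged
    '<script src="/vendor/widget.js"></script>',                 // bundled, ok
    '<img src="https://example.com/logo.png">',                  // image, ok
  ].join("\n"),
  "background.js": [
    "importScripts('https://example.com/lib.js');",                      // flagged
    "const mod = await import('https://example.com/module.js');",        // flagged
    "const local = await import('./module.js');",                        // bundled, ok
    "const d = await fetch('https://api.example.com/items.json');",      // data, ok
    "WebAssembly.instantiateStreaming(fetch('https://example.com/core.wasm'));", // flagged
  ].join("\n"),
};

console.log(scanPackage(SAMPLE));
```

A plain `fetch` of a JSON endpoint is deliberately not flagged, but the response handling still needs manual review so that fetched data is never evaluated as code.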

Examples

Common cases this page helps with

CDN script in popup.html

Before: <script src="https://cdn.example.com/widget.js"></script>. After: bundle the script into the extension and reference <script src="/vendor/widget.js"></script>.

Remote dynamic import

Before: import('https://example.com/module.js'). After: import('./module.js') and let the bundler include the module in the release ZIP.

Remote WebAssembly execution

If WebAssembly is part of executable extension logic, include the wasm file in the extension ZIP and load it from extension resources instead of an HTTPS URL.

FAQ

Frequently asked questions

Are all remote URLs forbidden?

No. Remote data, images, and API endpoints can be legitimate. The high-risk pattern is loading and executing remote JavaScript or WebAssembly as extension code.

Can I use a CDN for third-party libraries?

For extension code, bundle the library into the submitted package instead of loading it from a CDN at runtime.

What should I scan after bundling?

Scan the final production ZIP and verify that extension pages and service workers reference local bundled files.
