In the Google Groups post, the author for the Tampermonkey Chrome extension has stated that his program will be the next victim of Google's proposed Chrome Manifest V3 changes if they are put into practice.

What abilities and permissions a Chrome extension has is governed by the Chrome extension manifest, which is currently at version 2. The upcoming version 3 of the extension manifest is placing new restrictions on what extensions are permitted to do, which if go into effect, will break popular extensions such as the uBlock Origin ad blocker.

While ad blockers are affected by the proposed phasing out of the webRequest API, the v3 manifest is also proposing to prevent remotely-hosted scripts from being used by an extension. This is being done to increase security and protect users from malware that routinely import external scripts and to make it easier for Google to review a script in its entirety.

In a new post to the Chromium Extensions group, TamperMonkey developer Jan Biniok has stated that this proposed change would prevent his extension from working as the ability to load remote-scripts is part of its core functionality.

Hi Chromium developers, Hi Devlin I'm the Tampermonkey developer and I have not studied all the planned changes in detail yet, but this is the one that worries me most. > Beginning in Manifest V3, we will disallow extensions from using remotely-hosted code. This will require that all code executed by the extension be present in the extension’s package uploaded to the webstore. Server communication (potentially changing extension behavior) will still be allowed. This will help us better review the extensions uploaded, and keep our users safe. We will leverage a minimum required CSP to help enforce this (though it will not be 100% unpreventable, and we will require policy and manual review enforcement as well). While the text above might be interpreted in a way that an extension like Tampermonkey can continue to exist, I got the following explanation from Devlin in an email: > Note that we will be limiting remotely-hosted/arbitrary code execution in all contexts. The goal is that we should be able to perform an in-depth security review of an extension and be confident in what it does and whether it poses a security or privacy risk to users (which is possible through web page contexts, as well). But let's move this conversation to another thread. :) I understand the need for security, but this means that V3 P1, in the way it's currently planned, will stop Tampermonkey from working entirely, because arbitrary code execution is Tampermonkey's main functionality. Every little userscript would then have to become an own extension. Anyone who wants to do that has to pay $5 to be able to publish an extension. There are so many use cases for userscripts so I hope that this planned change is reconsidered. One possibility would be e.g. a new permission that relaxes this constraint and allows remote code execution again. All extensions with this permission could then be provided with a special warning and be examined more intensively. What do you think? I've been working on Tampermonkey since Chrome version 4 or 5 and I could not live without it anymore. :) Thanks, Jan

TamperMonkey is a userscript manager that allows users to create JavaScript scripts that can be remotely loaded by the extension in order to change the functionality of a site that they visit. With over 400,000 scripts available and over 10 million users, TamperMonkey is an extremely popular extension that allow users to control how they view the web and fix issues on sites that they frequently visit.

Recognizing the fact that utilizing remotely-hosted scripts can be abused, Biniok has asked for a new permission that relaxes the blocking of remote scripts, to cause extensions with this permission to be examined more closely, and to come with a warning for users when the extension is installed.

Google has not directly addressed Biniok's concern in the Google Groups thread, but have provided the following statement to BleepingComputer: