When there was the switch from manifest 2 to manifest 3, I thought that functions like:
were blocked. I then thought the workaround was to create an interpreter which could say something like:
However, in the manifest 3 guidelines I saw that they said that if they notice you are coding an interpreter they will block the extension from the store. So my question is: how does MetaMask execute code and not break any guidelines? Or does MetaMask have a special arrangement with the stores and is treated as the exception to the rules? I am asking this question because I am curious. Thank you
Hi @javaspeak! You are correct that the content security policy (CSP) of Chrome extensions generally forbids the use of eval() (i.e. "direct eval") or constructing interpreters. However, we do not have any "special arrangements" with extension stores. It is not against guidelines or policy for an extension to interact with third parties such as websites (via the browser) or any entity you can reach using fetch(). We just interact with our third parties in a different way.

Per our architecture, snaps are executed inside of an iframe, which is not subject to the CSP of the extension itself. Moreover, this iframe is "locked down" using SES / hardened JavaScript, as detailed in our snap execution documentation. This is a lot like interacting with a web page or third party server, except that we can make strong guarantees about the third party code that we are interacting with (specifically that it matches the checksum associated with a particular snap name and version), while ensuring that it remains confined to its "sandbox".

I hope this answers your question!
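
The checksum guarantee mentioned in the reply above can be pictured as a gate that runs before any third-party source reaches the sandbox. This is an added example, not part of the original reply and not MetaMask's code; the SHA-256 choice, the in-memory registry, and the names `verifySnapSource` and `loadIntoSandbox` are assumptions made for illustration.

```javascript
// Added illustration (not MetaMask code). Assumes SHA-256 checksums and a
// hypothetical registry that pins one checksum per "name@version".
const crypto = require('crypto');

function sha256Base64(source) {
  return crypto.createHash('sha256').update(source, 'utf8').digest('base64');
}

// Constructed sample bundle and registry entry.
const SAMPLE_SOURCE = 'module.exports.onRpcRequest = () => "hello";';
const REGISTRY = new Map([
  ['example-snap@1.0.0', sha256Base64(SAMPLE_SOURCE)],
]);

// Returns { ok, reason }. Fails closed: an unknown name/version is rejected,
// not treated as "no checksum to compare against".
function verifySnapSource(name, version, source, registry = REGISTRY) {
  const expected = registry.get(`${name}@${version}`);
  if (expected === undefined) {
    return { ok: false, reason: 'unknown-snap-version' };
  }
  const actual = Buffer.from(sha256Base64(source), 'base64');
  const pinned = Buffer.from(expected, 'base64');
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (actual.length !== pinned.length || !crypto.timingSafeEqual(actual, pinned)) {
    return { ok: false, reason: 'checksum-mismatch' };
  }
  return { ok: true, reason: null };
}

// The executor (for example, code that hands the source to a confined
// iframe) is only called after the checksum has been verified.
function loadIntoSandbox(name, version, source, execute) {
  const verdict = verifySnapSource(name, version, source);
  if (!verdict.ok) {
    throw new Error(`refusing to execute ${name}@${version}: ${verdict.reason}`);
  }
  return execute(source);
}
```

The integrity check and the sandbox are separate controls: the checksum only establishes which code is being run, while confinement limits what that code can do.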