Chrome Extensions are very useful, but their utility and wide-ranging access also make them ripe for abuse. Google has taken steps over the past year to police extensions, and today it is announcing more policies aimed at developers, as well as new options that give users more control.
Nearly half of all Chrome desktop users actively use extensions to customize the browser and browsing experience. Google wants to ensure that add-ons are safe, privacy-preserving, and performant for end users.
Starting with version 70 next month, users can restrict Chrome Extensions to run only on sites they have approved. Users can establish a custom list of URLs, or require a click before the extension can run on the current page.
Right-clicking on an extension will reveal a new menu that lets users determine when the browser add-on “can read and change site data.” Options include “When you click the extension,” on the current site, and “On all sites.”
Meanwhile, Google will subject Chrome extensions that request “powerful permissions” to an additional compliance review. The focus is on extensions that use remotely hosted code, with Google advising that permissions should be “narrowly-scoped” and have all code included directly in the extension package.
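As an added example (not from the article and not Google's own review tooling), here is a small JavaScript check that flags in a Chrome extension manifest the two things the extra review described above focuses on: overly broad host access and a content security policy that lets the extension load script from a remote origin instead of from its own package. The manifest keys used are real Manifest v2 keys; the two sample manifests and their names are constructed.

```javascript
// Host patterns that grant access to every site; these are what "powerful
// permissions" look like in a manifest and are the opposite of narrowly scoped.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// A permissions entry is a host pattern (rather than an API permission such as
// "storage") if it is <all_urls> or starts with a scheme match.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Return a list of review findings for a Manifest v2 manifest object.
function reviewManifest(manifest) {
  const findings = [];
  const hosts = [];
  for (const p of manifest.permissions || []) {
    if (isHostPattern(p)) hosts.push(p);
  }
  for (const cs of manifest.content_scripts || []) {
    hosts.push(...(cs.matches || []));
  }
  for (const h of hosts) {
    if (BROAD_HOST_PATTERNS.includes(h)) findings.push(`broad host access: ${h}`);
  }
  // In Manifest v2 the CSP is one string; any https: origin in script-src means
  // code can be pulled from outside the extension package at run time.
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") {
    const directive = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src"));
    for (const src of directive ? directive.split(/\s+/).slice(1) : []) {
      if (/^https?:/.test(src)) findings.push(`remote script source in CSP: ${src}`);
    }
  }
  return findings;
}

// Constructed samples: one that would draw the extra review, one scoped to a single site.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "example-broad (constructed)",
  permissions: ["tabs", "<all_urls>"],
  content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const SCOPED_MANIFEST = {
  manifest_version: 2,
  name: "example-scoped (constructed)",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://app.example.com/*"], js: ["content.js"] }],
  content_security_policy: "script-src 'self'; object-src 'self'",
};
```

Running `reviewManifest` on the broad sample yields two findings (the `<all_urls>` host pattern and the remote CDN in `script-src`); the scoped sample yields none.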
The Chrome Web Store no longer allows extensions that contain obfuscated code, and existing extensions have 90 days to update. Extensions found not to be in compliance will be removed in early January.
Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process.
Starting in 2019, developers of Chrome Extensions will be required to enable 2-Step Verification on their Chrome Web Store developer accounts, given the risk of account hijacking. Google also encourages Security Keys or its Advanced Protection Program, since developers of popular extensions are targeted by attackers.
Lastly, Google next year is launching the Manifest v3 platform, with stronger security, increased privacy, and other performance improvements for Chrome extensions:
- More narrowly-scoped and declarative APIs, to decrease the need for overly-broad access and enable more performant implementation by the browser, while preserving important functionality.
- Additional, easier mechanisms for users to control the permissions granted to extensions.
- Modernizing to align with new web capabilities, such as supporting Service Workers as a new type of background process.