Chrome extensions have been with us for nearly a decade and are a major part of Google’s web browser. Users like adding more functionality to their browser experience. Indeed, we have seen Firefox adopt extensions (add-ons) and Microsoft follow suit with Edge extensions.
Over the years, the number of Chrome extensions has grown and now there are some 180,000 available in the web store. While the majority of these are legitimate, extensions are a relatively easy way for bad actors to place malicious content onto machines.
Google wants to overcome this problem with planned changes to security for Chrome extensions. The company says it is adding new security tools and making user privacy more robust.
“While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse – both malicious and unintentional – because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data,” the company said.
The changes will be implemented in Chrome 70 and will be optional for users. Controls will allow users to choose whether an extension can read data from websites. Other tools include the ability to limit extension access to domains.
Chrome Extension Changes
Google has detailed exactly what changes it is making to Chrome extensions:
- User controls for host permissions: Beginning in Chrome 70, users will have the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.
- Changes to the extensions review process: Going forward, extensions that request powerful permissions will be subject to additional compliance review. We’re also looking very closely at extensions that use remotely hosted code, with ongoing monitoring.
- New code readability requirements: Starting today, Chrome Web Store will no longer allow extensions with obfuscated code. This includes code within the extension package as well as any external code or resource fetched from the web. This policy applies immediately to all new extension submissions.
- Required 2-Step Verification: In 2019, enrollment in 2-Step Verification will be required for Chrome Web Store developer accounts.
- Looking ahead: Manifest v3: In 2019 we will introduce the next extensions manifest version. Manifest v3 will entail additional platform changes that aim to create stronger security, privacy, and performance guarantees.
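The host permissions discussed in the first bullet are declared in an extension's `manifest.json`, so they can be audited before an extension is installed or allowed on managed machines. The following is an added example, not code from Google or the original article: it assumes Chrome's match-pattern syntax, checks the `permissions`, `host_permissions` (the Manifest V3 key) and `content_scripts` entries, and uses a constructed sample manifest and hypothetical function names.

```javascript
// Added example; SAMPLE_MANIFEST is constructed for illustration.
// Match patterns that grant access to every site.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// API permissions such as "tabs" have no scheme separator; host patterns do.
function isHostPattern(p) {
  return p === '<all_urls>' || p.includes('://');
}

// Classify one match pattern by how much of the web it covers.
function classify(pattern) {
  if (ALL_SITES.has(pattern)) return 'all-sites';
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return 'unparsed';            // unknown form: leave for manual review
  if (m[1] === 'file') return 'local-files';
  if (m[2] === '*') return 'all-sites';
  if (m[2].startsWith('*.')) return 'wildcard-subdomains';
  return 'single-host';
}

// Collect every host pattern the manifest declares, with where it was found.
function auditManifest(manifest) {
  const findings = [];
  const add = (source, pattern) =>
    findings.push({ source, pattern, scope: classify(pattern) });
  for (const p of manifest.permissions || []) {
    if (typeof p === 'string' && isHostPattern(p)) add('permissions', p);
  }
  for (const p of manifest.host_permissions || []) add('host_permissions', p);
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) add(`content_scripts[${i}].matches`, p);
  });
  return findings;
}

// True when the extension can read and change data on any site it likes.
function needsReview(manifest) {
  return auditManifest(manifest)
    .some(f => f.scope === 'all-sites' || f.scope === 'unparsed');
}

const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Constructed sample',
  version: '1.0',
  permissions: ['tabs', 'storage', 'https://*.example.com/*', '<all_urls>'],
  content_scripts: [{ matches: ['https://mail.example.org/*'], js: ['cs.js'] }],
};
for (const f of auditManifest(SAMPLE_MANIFEST)) console.log(f.scope, f.source, f.pattern);
```

Extensions flagged `all-sites` are the ones where the Chrome 70 controls (a custom site list or click-to-run) reduce exposure the most.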