Tech companies like Microsoft, Google, and Mozilla have been doing a lot to improve security on their web browsers. However, web extensions are becoming a relatively easy way for threat actors to target users. Google wants Chrome to be better at protecting users against malicious addons and is making changes to its privacy rules.
Extensions are created by third party developers. If a malicious web extension arrives on Edge or Chrome, it is not from Microsoft or Google. However, it could be argued the company need to do more to stop fraudulent extensions reaching users in the first place.
The ship has sailed on stopping all web extensions, they are simply too valuable to users. Instead, Google is beefing up its privacy rules for Chrome extensions.
Coming into effect next year, how extensions get permissions for website data will be different. Currently, extensions can request to access data from visited web pages. The user grants access to the extension by default.
Next year, Google says extensions will only get permission on a per-domain basis. Users can still opt for all website access, but it will no longer be the default.
Elsewhere, the company says new “Privacy Practices” will show details regarding what data each extension can ask for and collect. This new document will be available on the Chrome Web Store on extension pages.
Both changes will be coming early in 2021. If Chrome adopts these kinds of changes, hopefully Microsoft Edge will follow with its own clamp down on malicious extensions. Just last month Microsoft removed a batch of malicious extensions from its own store.
The good news is, Edge users can also access extensions from the Chrome Web Store, where Google's new policies will be in place.