Google has always faced much trouble from the various malicious browser extensions for Chrome. Now and then, reports regarding spying browser extensions or malware attacks surface online. Seemingly, considering the scenario, Google has announced new policies for the developers for Chrome extensions. These policies not only address users’ security but also take care of the safety of developers. With the new policies, Google Chrome extensions should become much safer.
As announced by Google,
“We have recently taken a number of steps toward improved extension security with the launch of out-of-process iframes, the removal of inline installation, and significant advancements in our ability to detect and block malicious extensions using machine learning…. We are announcing some upcoming changes and plans for the future.”
Here is a quick review of these policies.
No Complicated Codes In Google Chrome Extensions
Google makes it necessary for the developers to write readable code. Explaining the reason behind this decision, James Wagner, Chrome Extensions Product Manager, stated in the article,
“Over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process.”
Moreover, they also consider code obfuscation a reason for poor extension performance. Thus, Google has decided to remove all such extensions with obfuscated code.
“This includes code within the extension package as well as any external code or resource fetched from the web.”
For new extensions, this policy applies with immediate effect. Whereas, the developers of existing extensions with such code can submit code updates over the next 90 days. After that, Google will remove all non-compliant extensions in early January.
This policy does not affect any code minification. In fact, Google appreciates minification as it accelerates code execution and helps in the review process. As described by Google,
Customizing Extensions’ Host Access For Sites
In Chrome 70 onwards, Google will empower users to customize and restrict host access for extensions for individual websites. This will certainly help users while browsing sensitive sites such as those involving crypto wallets, or online bank account portals.
Two-Step Verification For Developers
If we recall the latest MEGA chrome extension hack that affected over a million users, this step seems much needed. This rule urges developers to employ a two-step verification process to prevent potential hackers from hijacking an extension.
“Additional Compliance Review” For Extensions
Google has also made changes in its review process by subjecting some browser extensions to an additional compliance review. It particularly applies to those Google Chrome extensions that require extensive permissions and use remotely hosted code.
Launch Of Manifest v3
The last rule that Google has stated is primarily an announcement for developers. Reportedly, Google will launch version 3 of the Manifest guideline in 2019 that will “entail additional platform changes” for better privacy, security as well as performance.
Google realizes that the policies may demand tireless efforts from developers. However, they do have a reason for this step.
“We recognize that some of the changes announced today may require effort in the future, depending on your extension. But we believe the collective result will be worth that effort for all users, developers, and for the long term health of the Chrome extensions ecosystem.”