Google to Start Locking Down Chrome Extensions


Browser extensions have become a core part of the browsing experience. People use extensions to improve their security, protect their privacy and enable features that browser makers have yet to include with their core offerings. But the popularity of browser extensions has also made them a prime target for bad actors (not the Shakespearean kind) which is why Google announced that it's locking down Chrome extensions.

Google revealed several changes to Chrome extensions, some of which are effective immediately and some of which take effect in the coming months. The one that most directly affects Chrome users is a new control over host permissions: users will be able to restrict an extension's host access to a list of specific websites, or configure an extension so that it gains access to the current page only when they click its icon. Here's how Google explained the reasoning behind this change in its blog post:

"While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse - both malicious and unintentional - because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we’ll continue to optimize the user experience toward this goal while improving usability."

That change is set to arrive with Chrome 70 in mid-October. (It is also set to bring shape detection features, web authentication support and some compromises to Google's decision to automatically sign people into the browser when they accessed its services.) Other changes to the Chrome Web Store went into effect today: an updated review process and a requirement for extensions not to use obfuscated code.

The updated review process will increase scrutiny of extensions that "request powerful permissions" or "use remotely hosted code." Google said this is supposed to help it make sure extensions released via the Chrome Web Store aren't requesting access to unnecessary information or exposing user data by using remote code. The company also plans to subject extensions using remote code to "ongoing monitoring."
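The two review criteria named above, powerful permissions and remotely hosted code, are both visible in an extension's manifest.json, so a developer can check for them before submitting. The script below is an added example written for this page; it is not Google's review tooling, and the list of "powerful" API permissions, the sample manifests and the example.com hosts are assumptions chosen for illustration. It flags the match patterns that grant access to every site, a handful of high-impact permissions, and any script-src entry in the extension's content security policy that lets code be loaded from a remote host or executed via eval. The second sample manifest shows the narrower shape Google is steering toward: activeTab for the current page on click, an explicit host list, and broader hosts left in optional_permissions to be requested at runtime.

```javascript
"use strict";

// Match patterns that grant an extension access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions a reviewer would look at closely. Assumption: this short
// list was chosen for illustration; Google has not published its own list.
const POWERFUL = new Set([
  "webRequestBlocking", "nativeMessaging", "debugger", "proxy", "cookies", "history",
]);

// Chrome host patterns are <all_urls> or start with a scheme; anything else
// in "permissions" is an API permission such as "storage" or "activeTab".
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Return the sources listed in the script-src directive of an extension CSP,
// e.g. "script-src 'self' https://cdn.example.com; object-src 'self'".
function scriptSources(csp) {
  const directive = (csp || "")
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith("script-src"));
  return directive ? directive.split(/\s+/).slice(1) : [];
}

// Audit a parsed manifest and return a list of human-readable findings.
function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (BROAD_HOSTS.has(p)) findings.push(`broad host permission: ${p}`);
    else if (!isHostPattern(p) && POWERFUL.has(p)) findings.push(`powerful permission: ${p}`);
  }
  for (const src of scriptSources(manifest.content_security_policy)) {
    if (src === "'self'" || src === "'none'") continue;
    if (src === "'unsafe-eval'") {
      findings.push("script-src allows eval, so fetched code can be executed");
    } else {
      findings.push(`remotely hosted code allowed by CSP: ${src}`);
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions from the Chrome Web Store).
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "Example Helper",
  permissions: ["<all_urls>", "webRequestBlocking", "storage"],
  content_security_policy:
    "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
};

// The same extension narrowed: activeTab covers the current page only after
// the user clicks the icon, the one API host it needs is listed explicitly,
// and wider hosts are optional so they can be requested with
// chrome.permissions.request() when a feature actually needs them.
const NARROW_MANIFEST = {
  manifest_version: 2,
  name: "Example Helper",
  permissions: ["activeTab", "storage", "https://api.example.com/*"],
  optional_permissions: ["https://*.example.com/*"],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log("broad manifest:", auditManifest(BROAD_MANIFEST));
console.log("narrow manifest:", auditManifest(NARROW_MANIFEST));
```

Running it prints four findings for the broad manifest (the all-sites host pattern, webRequestBlocking, the CDN script source and eval) and none for the narrowed one. A real review looks at far more than the manifest, but a clean result here removes the two triggers the article says bring extra scrutiny.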

More extensive reviews will require greater access to extensions' code. That's part of the reason why Google will no longer let developers use obfuscated code for new extensions, and even developers whose extensions are already available will have to remove any obfuscated code within the next 90 days. Those who don't will have their extensions removed from the Chrome Web Store sometime in early January. Ordinary minification is still allowed: stripping whitespace and comments, shortening variable and function names, and concatenating files are fine. What's banned is code written to hide what it does, such as encoded strings that are decoded and executed at runtime, because a reviewer can't tell what that code does without running it.

This restriction will also directly affect user security and privacy. Google said that 70 percent of the "malicious and policy violating extensions" it blocks from the Chrome Web Store contain obfuscated code. There's a chance that some of the extensions already in the store also violate the company's rules and simply weren't caught because their code was better hidden. Requiring everything to be readable makes those easier to catch.

Aside from those changes, Google also said that extension developers would be required to enable two-factor authentication on their accounts starting in 2019. This is supposed to make it harder for attackers to compromise a developer account, push a malicious update to a popular extension and use it to steal user data. The company will also release Manifest v3 in 2019 with "additional platform changes that aim to create stronger security, privacy, and performance guarantees."

All of these changes are meant to help people trust Chrome extensions. That's a laudable effort -- companies that offer centralized distribution systems need to make sure they're actually keeping bad actors out. Most have failed at that before, Google with the Play Store and Apple with the Mac App Store among them, and these improvements could help keep similar problems from recurring.

Google's timing is also convenient, of course, given the backlash it received for the sign-in changes made in Chrome 69. Nothing makes people forget a privacy issue (or, depending on who you ask, a breakdown in communications) quite like promising to protect them from other threats. That doesn't mean the changes aren't necessary or weren't in the works for a while. It just means that Chrome probably could use the goodwill.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • shrapnel_indie
    The company also plans to subject extensions using remote code to "ongoing monitoring."

    There goes some performance. How much depends on how deep the monitoring goes and the algorithms used.

    Google also said that extension developers wold be required to enable two-factor authentication starting in 2019.
    shouldn't would be spelled with a u?

    It just means that Chrome probably could use the goodwill.
    Chrome can use all the goodwill it can get. Google threw out the "do no evil" mantra... Google has been known to sell our data themselves. That means that this can also be seen as a possible snuff the competition as well... yeah it's an extreme take admittedly, but not completely out of the question.
    Reply
  • alan_rave
    Two-factor authentication. That's another way to collect users' data.
    Reply
  • beoza
    Browser security is only as strong as the end user. Let's face it, people are stupid, not the average Tom's reader but the general population out there. Hackers and those with malicious intent will find ways around the security. Google can design a better mouse trap while those with bad intentions are building a better mouse; which has always been the case throughout history.

    On a side note I stopped using Chrome months ago after it kept telling me sites were not reachable or had some other issue. I tried multiple solutions found around the web but none worked. The same sites it couldn't reach worked fine in Firefox, Edge, IE 11 and Opera.
    Reply
  • Peter Martin
    lol, yeah, this will only build better hackers and bigger idiots.
    Reply
  • Christopher1
    BEOZA, it might be good to post the names of the actual sites in question so that Chrome devs can fix the issue or inform them that "Hey, these websites are not working anymore!"
    Reply
  • secretxax
    None of this matters anymore, Google. You screwed up the browser with the sign-in crap, and no one smart will continue to use it.
    Reply
  • velocityg4
    "While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse - both malicious and unintentional - because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we’ll continue to optimize the user experience toward this goal while improving usability."

    Does this concern anyone? This could easily be interpreted as. Adblockers and script blockers won't work as well. Especially if they try to block Google Ads.
    Reply
  • cryoburner
    velocityg4 said:
    "While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse - both malicious and unintentional - because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we’ll continue to optimize the user experience toward this goal while improving usability."
    Does this concern anyone? This could easily be interpreted as. Adblockers and script blockers won't work as well. Especially if they try to block Google Ads.
    This was the first thing I thought of as well. It seems like not so much a security feature as an attempt by one of the largest online advertising corporations to discourage people from blocking their ads and tracking scripts by spamming them with an endless stream of popup dialogs as extensions are required to "request access to the current page". Maybe these kinds of annoyances will encourage people to move on to better browsers that are not run by companies with such questionable motives. Chrome is arguably worse for user privacy than IE ever was, and has successfully taken its place as the most widely used garbage browser that people probably shouldn't be using.
    Reply