Google doubles down on Chrome extension security by blocking inline installations
At the moment there are a couple of ways to install Chrome extensions -- either via the Chrome Web Store as Google would prefer, or via an inline installation from any website.
Aware that this latter option opens up the possibility of people installing malicious extensions, Google is clamping down. Starting today, all newly-published extensions can only be installed via the Chrome Web Store, and this restriction will extend to existing extensions over the remainder of the year.
- Google Home can now handle up to three queries at a time
- Google says it will continue to work with the military on AI, but won't get involved in weapons or spying
- Keep track of the World Cup with Google
- Is Google getting out of the tablet business?
Google says that the changes are being introduced because of "large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly". By blocking the avenue through which malicious, unwanted or suspect extensions tend to be installed, it is hoped that this problem can be eradicated.
Product managers for the extensions platform, James Wagner says:
We've learned that the information displayed alongside extensions in the Chrome Web Store plays a critical role in ensuring that users can make informed decisions about whether to install an extension. When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation.
Google has a three-phase strategy which will roll out over the next few months:
- Starting today, inline installation will be unavailable to all newly published extensions. Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install() function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.
- Starting September 12, 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.
- In early December 2018, the inline install API method will be removed from Chrome 71.
Developers are warned that they will need to update any inline links they have created for their extensions so they instead point to entries in the Chrome Web Store. Google hopes that the improved transparency this offers will help to keep users informed and secure.