Google is trying to make Chrome extensions safer with new Chrome Web Store review process and permission controls
Extensions are a great way to increase the capabilities of your web browser, but they can also be the source of problems. Malicious extensions can be a serious headache, and this is something that Chrome users know more than most. Now Google is looking to improve security.
The company has already promised that with Chrome 70 it is going to give users more privacy controls, and today it announced that this version of the browser will also introduce permission controls for extensions. On top of this, Google is introducing a new review process for extensions submitted to the Chrome Web Store, as well as placing a ban on extensions with obfuscated code.
In all, Google has announced five changes that it believes will help to improve the security and trustworthiness of Chrome extensions. With Chrome 70, users will be able to choose between restricting extension host access to a custom list of sites, or configuring extensions to require a click to gain access to the current page. Google explains why:
While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse -- both malicious and unintentional -- because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we'll continue to optimize the user experience toward this goal while improving usability.
A new review process -- it is hoped -- will help weed out more malicious extensions, and a new requirement for all extension code to be readable means it will not be possible for extensions to have hidden capabilities. Google says that over 70 percent of malicious and policy-violating extensions that are blocked from the Chrome Web Store contain obfuscated code, so this change could have quite an impact.
Google is also looking further into the future. Starting in 2019, enrollment in 2-Step Verification will be required for Chrome Web Store developer accounts to help improve security for users. Also arriving next year is the next extensions manifest version, Manifest v3, which Google says has the following goals:
- More narrowly-scoped and declarative APIs, to decrease the need for overly-broad access and enable more performant implementation by the browser, while preserving important functionality
- Additional, easier mechanisms for users to control the permissions granted to extensions
- Modernizing to align with new web capabilities, such as supporting Service Workers as a new type of background process
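The broad host access Google describes above is visible in an extension's manifest before it is installed. The following is an added example, not code from the article or from Google: it lists the host match patterns a manifest requests and flags automatic access to all sites. The sample manifest is constructed and the function names are illustrative.

```javascript
// Added example, not Google's code. Flags extension manifests that request
// automatic access to every site, the case Chrome 70's host controls address.

const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host permissions are match patterns; API names such as "tabs" are not.
// file:// patterns are left out of this sketch.
const isHostPattern = (p) =>
  typeof p === "string" && (p === "<all_urls>" || /^(\*|https?|ftp):\/\//.test(p));

function classify(pattern) {
  if (ALL_SITES.has(pattern)) return "all-sites";
  const host = pattern.replace(/^[^:]+:\/\//, "").split("/")[0];
  if (host === "*") return "all-sites";
  return host.startsWith("*.") ? "wildcard-subdomains" : "single-host";
}

function auditManifest(manifest) {
  const sources = {
    permissions: manifest.permissions || [],
    optional_permissions: manifest.optional_permissions || [],
    host_permissions: manifest.host_permissions || [], // Manifest V3 key
    content_scripts: (manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  };
  const findings = [];
  for (const [source, patterns] of Object.entries(sources)) {
    for (const pattern of patterns.filter(isHostPattern)) {
      findings.push({ source, pattern, scope: classify(pattern) });
    }
  }
  return {
    findings,
    // optional_permissions are requested at runtime, so they are not automatic.
    automaticAllSites: findings.some(
      (f) => f.scope === "all-sites" && f.source !== "optional_permissions"),
    // activeTab grants access to the current page only after a user click.
    usesActiveTab: (manifest.permissions || []).includes("activeTab"),
  };
}

// Constructed sample manifest (Manifest V2 layout), for illustration only.
const sampleManifest = {
  manifest_version: 2,
  name: "Example Notes Helper",
  permissions: ["storage", "activeTab", "https://*.example.com/*"],
  optional_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

console.log(auditManifest(sampleManifest));
```

In the sample, the content script's `*://*/*` pattern is what triggers the all-sites flag; the `<all_urls>` entry under `optional_permissions` is listed but not counted as automatic.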