Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily intended to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of creating source code that is hard for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace and newlines, or shortening variable names, for the sake of performance. Minified code can be easily de-minified, while deobfuscating obfuscated code takes considerable time.
According to Google, around 70% of all the extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The second rule Google put in place today is a new review process for extensions submitted to be listed on the Chrome Web Store. Google says that all extensions that request access to powerful browser permissions will be subjected to what Google called an “additional compliance review.” Ideally, Google would prefer that extensions be “narrowly-scoped,” requesting only the permissions they need to do their job, without requesting extra permissions as a backup for future features.
Furthermore, Google also stated that an additional compliance review may be triggered if extensions use remotely hosted code, a sign that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions could be subjected to “ongoing monitoring.”
The third new rule will be supported by a new feature that will land in Chrome 70, set to be released this month. With Chrome 70, Google says users will have the ability to restrict extensions to specific sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
The fourth new rule is not for extensions per se, but for extension developers. Because of the many phishing campaigns that have occurred over the past year, starting in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension’s and Chrome’s credibility.
The changes to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for managing extension permissions.
Google’s new Web Store rules come to bolster the security measures the browser maker has taken to secure Chrome in recent years, such as prohibiting the installation of extensions hosted on remote sites, or the use of out-of-process iframes for isolating some of the extension code from the page the extension runs on.