Google reported today five new rules for the Chrome Online Store, the portal where users go to download Chrome extensions. The new rules are primarily intended to prevent malicious extensions from reaching the Store, but also to lessen the amount of damage they do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Online Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of creating source code that is difficult for humans to understand.
This must not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace and newlines, or shortening variable names, in the interest of performance. Minified code can be easily de-minified, while deobfuscating obfuscated code takes a lot of time.
According to Google, around 70 percent of all the Chrome extensions the organization blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation whatsoever, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The next rule Google put in place today is a new review process for all extensions submitted for listing on the Chrome Online Store. Google states that all extensions that request access to powerful browser permissions will be put through what Google called an “additional compliance review.” Ideally, Google would prefer that extensions be “narrowly-scoped”: asking for just the permissions they need to get the job done, without requesting extra permissions as a backup for future features.
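As an added illustration of the “narrowly-scoped” idea above (not code from Google or from the original article), the following Node.js script flags broad host patterns and high-impact API permissions in an extension manifest. The permission lists, function names and sample manifests are this example's assumptions, not Google's review criteria.

```javascript
// Added example: audit a Chrome extension manifest for overly broad scope.
// Both lists are assumptions of this example, not Google's review criteria.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const POWERFUL_APIS = new Set(['cookies', 'debugger', 'history', 'management',
  'nativeMessaging', 'proxy', 'tabs', 'webRequest', 'webRequestBlocking']);

// A match pattern looks like scheme://host/path, or the literal <all_urls>.
function isHostPattern(p) {
  return p === '<all_urls>' || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Broad means "any host": a listed wildcard, or a host part that is just "*".
function isBroadHost(p) {
  if (BROAD_HOSTS.has(p)) return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(p);
  return m !== null && m[1] === '*';
}

// Returns one finding per risky entry, recording where in the manifest it sits.
function auditManifest(manifest) {
  const findings = [];
  const sources = [
    ['permissions', manifest.permissions || []],
    ['optional_permissions', manifest.optional_permissions || []],
  ];
  (manifest.content_scripts || []).forEach((cs, i) =>
    sources.push([`content_scripts[${i}].matches`, cs.matches || []]));

  for (const [where, entries] of sources) {
    for (const entry of entries) {
      if (isHostPattern(entry)) {
        if (isBroadHost(entry)) findings.push({ where, entry, issue: 'broad-host' });
      } else if (POWERFUL_APIS.has(entry)) {
        findings.push({ where, entry, issue: 'powerful-api' });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (Manifest V2 layout), before and after narrowing.
const broadManifest = {
  manifest_version: 2, name: 'Sample price tracker', version: '1.0',
  permissions: ['storage', 'tabs', 'cookies', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};
const narrowManifest = {
  manifest_version: 2, name: 'Sample price tracker', version: '1.1',
  permissions: ['storage', 'activeTab', 'https://shop.example.com/*'],
};

console.log(auditManifest(broadManifest));
console.log(auditManifest(narrowManifest));
```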
Furthermore, Google said that an additional compliance review may also be triggered if extensions use remotely hosted code, a signal that developers want the capability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions would be subjected to “ongoing monitoring.” The 3rd new rule will likely be backed by a new feature that will land in Chrome 70, set to be released this month.
With Chrome 70, Google says users will have the ability to restrict extensions to particular sites only, preventing potentially dangerous extensions from executing on sensitive pages, including e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a control or option in Chrome’s menu.
The 4th new rule is not really for extensions per se, but for extension developers. As a result of the large number of phishing campaigns that have occurred in the last year, starting in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take control of developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension’s and Chrome’s credibility. The changes to Manifest v3 are based on the new features added in Chrome 70, and more precisely on the new mechanisms granted to users for controlling extension permissions.
Google’s new Online Store rules bolster the protection measures the browser maker has taken to secure Chrome in recent years, including prohibiting the installation of extensions hosted on remote sites, or the use of out-of-process iframes for isolating some of the extension code from the page the extension operates on.