Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily meant to prevent malicious extensions from reaching the Web Store, but also to limit the damage they can do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of creating source code that is difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace and newlines, or shortening variable names, for the sake of performance. Minified code can easily be de-minified, while deobfuscating obfuscated code takes considerable time.
According to Google, around 70 percent of all the extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using it at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The second rule Google put in place today is a new review process for all extensions submitted for listing on the Chrome Web Store. Google says that all extensions that request access to powerful browser permissions will likely be put through what Google calls an “additional compliance review.” Ideally, Google would prefer extensions to be “narrowly-scoped”: requesting just the permissions they need to get the job done, without requesting extra permissions as a backup for future features.
Furthermore, Google also said that an additional compliance review can be triggered if extensions use remotely hosted code, a signal that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions could be subject to “ongoing monitoring.”
The third new rule will likely be supported by a new feature that will land in Chrome 70, set to be released this month. With Chrome 70, Google says users will be able to restrict extensions to particular sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
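The signals discussed above (broad permissions, all-site access, and script sources that permit remotely hosted code) can be triaged directly from an extension's `manifest.json`. The following is an added example, not code from Google or from the original article; the `reviewManifest` function, the lists of "powerful" permissions and broad host patterns, and the sample manifests are this example's assumptions, not Google's review criteria.

```javascript
// Assumed lists for this example only (not Google's criteria).
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const POWERFUL_APIS = new Set(["tabs", "webRequest", "webRequestBlocking", "cookies",
  "history", "debugger", "nativeMessaging", "management", "proxy"]);

function reviewManifest(manifest) {
  const findings = [];
  const declared = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of declared) {
    if (typeof p !== "string") continue;
    if (BROAD_HOSTS.has(p)) findings.push({ kind: "broad-host", value: p });
    else if (POWERFUL_APIS.has(p)) findings.push({ kind: "powerful-api", value: p });
  }
  // Content scripts that match every site also run on banking and webmail pages.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push({ kind: "broad-content-script", value: m });
    }
  }
  // Manifest V2 CSP is a single string. A remote origin or 'unsafe-eval' in
  // script-src lets the extension run code that was not in the reviewed package.
  const csp = typeof manifest.content_security_policy === "string"
    ? manifest.content_security_policy : "";
  const scriptSrc = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === "script-src");
  for (const src of (scriptSrc || []).slice(1)) {
    if (/^https?:\/\//i.test(src)) findings.push({ kind: "remote-script-origin", value: src });
    if (src === "'unsafe-eval'") findings.push({ kind: "unsafe-eval", value: src });
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const BROAD_SAMPLE = {
  name: "Example Helper", manifest_version: 2,
  permissions: ["tabs", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'"
};
const NARROW_SAMPLE = {
  name: "Example Helper", manifest_version: 2,
  permissions: ["storage", "https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
  content_security_policy: "script-src 'self'; object-src 'self'"
};

for (const f of reviewManifest(BROAD_SAMPLE)) console.log(`${f.kind}: ${f.value}`);
```

The narrowly scoped sample produces no findings, which is the shape of manifest the "narrowly-scoped" guidance describes.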
The fourth new rule is not for extensions per se, but for extension developers. Because of the large number of phishing campaigns that have taken place in the last year, beginning with 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google provides for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging the credibility of both the extension and Chrome. The changes to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for controlling extension permissions.
Google’s new Web Store rules come to bolster the security measures that the browser maker has taken to secure Chrome in recent years, such as prohibiting the installation of extensions hosted on remote sites, or the use of out-of-process iframes for isolating some of the extension code from the page the extension runs on.