Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily intended to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of producing source code that is hard for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace and newlines, or shortening variable names, for the sake of performance. Minified code can easily be de-minified, while deobfuscating obfuscated code takes a lot of time.
According to Google, around 70% of all Chrome extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The second rule Google put into place today is a new review process for many extensions submitted to be listed on the Chrome Web Store. Google states that all extensions that request access to powerful browser permissions will likely be put through what Google called an “additional compliance review.” Ideally, Google would prefer that extensions be “narrowly-scoped,” asking for just the permissions they need to do their job, without requesting extra permissions as a backup for future features.
Furthermore, Google said that an additional compliance review may also be triggered if extensions use remotely hosted code, a sign that developers want the capability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions would be subjected to “ongoing monitoring.” The next new rule will be supported by a new feature that will land in Chrome 70, set to be released this month.
With Chrome 70, Google says users will be able to restrict extensions to particular sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
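The review triggers described above (powerful permissions, access to all sites, remotely hosted code) are all visible in an extension's manifest, so a developer or reviewer can triage them before submission. The following is an added example, not code from Google or from this article; it assumes a Manifest V2 `manifest.json`, and the `BROAD_HOSTS` and `POWERFUL_APIS` lists and both sample manifests are illustrative assumptions, not Google's actual review criteria.

```javascript
// Added example: triage a Manifest V2 manifest for the review triggers above.
// The two lists are illustrative assumptions, not Google's review criteria.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const POWERFUL_APIS = new Set(['tabs', 'webRequest', 'webRequestBlocking', 'cookies',
  'history', 'debugger', 'management', 'proxy', 'nativeMessaging']);

// Return script-src entries that permit code from outside the package, or eval.
function dynamicCodeSources(csp) {
  const directive = (csp || '').split(';').map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'script-src');
  if (!directive) return [];
  return directive.slice(1).filter(src =>
    /^(https?:|\*)/i.test(src) || src === "'unsafe-eval'");
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (BROAD_HOSTS.has(p)) findings.push({ rule: 'broad-host-permission', value: p });
    else if (POWERFUL_APIS.has(p)) findings.push({ rule: 'powerful-api', value: p });
  }
  const contentMatches = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  for (const m of contentMatches) {
    if (BROAD_HOSTS.has(m)) findings.push({ rule: 'content-script-all-sites', value: m });
  }
  for (const src of dynamicCodeSources(manifest.content_security_policy)) {
    findings.push({ rule: 'remote-or-dynamic-code', value: src });
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const broadManifest = {
  manifest_version: 2, name: 'sample-broad', version: '1.0',
  permissions: ['tabs', '<all_urls>', 'storage'],
  content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
  content_security_policy: "script-src 'self' https://cdn.example.test; object-src 'self'"
};
const narrowManifest = {
  manifest_version: 2, name: 'sample-narrow', version: '1.0',
  permissions: ['storage', 'activeTab', 'https://notes.example.test/*'],
  content_security_policy: "script-src 'self'; object-src 'self'"
};

for (const m of [broadManifest, narrowManifest]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

The narrow sample uses `activeTab` and a single host pattern, which is the kind of scoping the compliance review and the Chrome 70 site restrictions push developers toward.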
The fourth new rule is not really for extensions per se, but for extension developers. As a result of a large number of phishing campaigns that have occurred within the last year, beginning in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension’s and Chrome’s credibility. The modifications to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for controlling extension permissions.
Google’s new Web Store rules come to bolster the security measures the browser maker has taken to secure Chrome in recent years, such as prohibiting the installation of extensions hosted on remote sites, or the use of out-of-process iframes for isolating some of the extension code from the page the extension runs on.