Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily meant to prevent malicious extensions from reaching the Web Store, but also to limit the amount of damage they can do client-side.
The first new rule Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of writing source code that is difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification, or compression, is the practice of removing whitespace and newlines or shortening variable names for the sake of performance. Minified code can easily be de-minified, whereas deobfuscating obfuscated code takes a lot of time.
According to Google, around 70 percent of all the extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there is no benefit to using code obfuscation at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
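To make the distinction between minified and obfuscated code concrete, here is an added example that is not from the article and not Google's review tooling: the same small program written plainly, minified, and obfuscated, plus a heuristic that tells the three apart by the surface features each transformation leaves behind. The samples are constructed, and the thresholds in `classifySource` are assumptions chosen for illustration, not the Web Store's actual criteria.

```javascript
// Constructed samples: the same tiny program written three ways.
const PLAIN_SAMPLE = `function add(first, second) {
  return first + second;
}

function greet(name) {
  return "hi " + name;
}

console.log(greet("x"), add(1, 2));
`;

// Minified: whitespace removed, identifiers shortened, behaviour unchanged.
const MINIFIED_SAMPLE =
  'function add(a,b){return a+b}function greet(n){return"hi "+n}console.log(greet("x"),add(1,2));';

// Obfuscated: strings moved into a hex-escaped table, generated identifier names,
// property access routed through the table. String.raw keeps the backslashes literal.
const OBFUSCATED_SAMPLE = String.raw`var _0x4f2a=['\x6c\x6f\x67','\x68\x65\x6c\x6c\x6f'];(function(_0x12cd){window['console'][_0x12cd[0]](_0x12cd[1]);}(_0x4f2a));`;

// Count the surface features the two transformations leave behind.
function sourceStats(src) {
  const count = (re) => (src.match(re) || []).length;
  const hexEscapes = count(/\\(?:x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})/g); // '\x6c' style escapes
  const hexIdents = count(/\b_0x[0-9a-fA-F]+\b/g); // generated names like _0x4f2a
  const dynamicCode = count(/\b(?:eval|Function|atob|String\.fromCharCode)\s*\(/g);
  const whitespaceRatio = src.length === 0 ? 0 : count(/\s/g) / src.length;
  const longestLine = Math.max(...src.split("\n").map((line) => line.length));
  return { hexEscapes, hexIdents, dynamicCode, whitespaceRatio, longestLine };
}

// Thresholds are assumptions for this example, not the Web Store's criteria.
function classifySource(src) {
  const s = sourceStats(src);
  // Obfuscation leaves artefacts that serve no performance purpose.
  if (s.hexEscapes >= 4 || s.hexIdents >= 3 || s.dynamicCode >= 2) return "obfuscated";
  // Minification only strips whitespace and shortens names: one long line, few spaces.
  if (s.whitespaceRatio < 0.08 && s.longestLine > 60) return "minified";
  return "plain";
}

for (const [label, src] of Object.entries({ PLAIN_SAMPLE, MINIFIED_SAMPLE, OBFUSCATED_SAMPLE })) {
  console.log(label, "->", classifySource(src));
}
```

The point of the heuristic is the one the article makes: minification removes information that is cheap to put back (whitespace, names), while obfuscation adds machinery (escaped string tables, generated identifiers, runtime code construction) whose only purpose is to hide what the code does, and that machinery is what a reviewer can look for.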
The second rule Google put in place today is a new review process for extensions submitted for listing on the Chrome Web Store. Google says that all extensions that request access to powerful browser permissions will be subjected to what Google calls an “additional compliance review.” Ideally, Google would prefer that extensions be “narrowly scoped”: request only the permissions they need to do their job, without asking for extra permissions as a reserve for future features.
Furthermore, Google also said that an additional compliance review can be triggered if an extension uses remotely hosted code, a sign that the developer wants the ability to change the code delivered to users at runtime, potentially to deploy malicious code after the review has taken place. Google said such extensions would be subject to “ongoing monitoring.” The third new rule will be backed by a new feature that will land in Chrome 70, scheduled for release this month.
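To show what a developer can check before submitting (or a reviewer on receipt), here is an added example that is not from the article and not Google's own tooling: a small lint over a Manifest v2-style `manifest.json` that flags the two signals the previous two paragraphs describe, broadly scoped permissions and remotely hosted code. The set of “powerful” permissions and the two sample manifests are assumptions constructed for illustration; Google has not published its exact criteria.

```javascript
// Host patterns that grant access to every site: "<all_urls>" and match
// patterns such as "*://*/*", "http://*/*", "https://*/*".
const BROAD_HOST_PATTERN = /^(?:<all_urls>|(?:\*|https?|ftp|file):\/\/\*\/)/;

// Assumed list of permissions worth a closer look; Google's own list is not public.
const POWERFUL_PERMISSIONS = new Set([
  "tabs", "cookies", "history", "webRequest", "webRequestBlocking",
  "debugger", "proxy", "nativeMessaging",
]);

// Returns a list of human-readable findings; an empty list means nothing was flagged.
function reviewManifest(manifest) {
  const findings = [];

  const requested = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const perm of requested) {
    if (BROAD_HOST_PATTERN.test(perm)) findings.push(`broad host permission: ${perm}`);
    else if (POWERFUL_PERMISSIONS.has(perm)) findings.push(`powerful permission: ${perm}`);
  }

  // Remotely hosted code: a script-src that allows more than 'self' lets the
  // extension fetch and run scripts from a server after the review is over.
  const directives = (manifest.content_security_policy || "").split(";").map((d) => d.trim());
  const scriptSrc = directives.find((d) => d.startsWith("script-src"));
  if (scriptSrc) {
    for (const source of scriptSrc.split(/\s+/).slice(1)) {
      if (source === "'self'" || source === "'none'") continue;
      if (source === "'unsafe-eval'") findings.push("runtime code evaluation allowed: 'unsafe-eval'");
      else findings.push(`remote script source: ${source}`);
    }
  }

  // Content scripts injected into every site are the same broad-scope signal.
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) {
      if (BROAD_HOST_PATTERN.test(pattern)) findings.push(`content script on all sites: ${pattern}`);
    }
  }
  return findings;
}

// Constructed sample: asks for everything "just in case" and loads code from a CDN.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "Site Helper (broad, constructed sample)",
  version: "1.0",
  permissions: ["<all_urls>", "tabs", "webRequest", "webRequestBlocking", "storage"],
  content_security_policy: "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// Constructed sample: the same extension narrowly scoped to the one site it serves.
const NARROW_MANIFEST = {
  manifest_version: 2,
  name: "Site Helper (narrow, constructed sample)",
  version: "1.0",
  permissions: ["https://notes.example.com/*", "storage"],
  content_scripts: [{ matches: ["https://notes.example.com/*"], js: ["content.js"] }],
};

for (const [label, manifest] of Object.entries({ BROAD_MANIFEST, NARROW_MANIFEST })) {
  const findings = reviewManifest(manifest);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log("  -", f);
}
```

The broad manifest produces seven findings (one broad host permission, three powerful permissions, one remote script source, one eval allowance, one all-sites content script); the narrow one produces none, because every host pattern names the single site the extension actually works with and the default content security policy is left in place.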
With Chrome 70, Google says users will be able to restrict extensions to specific sites only, preventing potentially dangerous extensions from running on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. In addition, Chrome 70 will also allow users to restrict extensions to a user click, meaning the extension won’t run on a page until the user clicks a control or option in Chrome’s menu.
The fourth new rule is not for extensions per se, but for extension developers. As a result of the many phishing campaigns that have taken place over the past year, starting in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled on accounts, Google hopes to prevent cases in which hackers take control of developer accounts and push malicious code to legitimate Chrome extensions, damaging the credibility of both the extension and Chrome. Google also said its planned changes to Manifest v3 build on the new features added in Chrome 70, more precisely on the new mechanisms that give users control over extension permissions.
Google’s new Web Store rules add to the protection measures the browser maker has introduced to secure Chrome in recent years, including prohibiting the installation of extensions hosted on remote sites, and using out-of-process iframes to isolate some of the extension’s code from the page the extension runs on.