Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily designed to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they can do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of creating source code that is difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression is the practice of removing whitespace and newlines, or shortening variable names, in the interest of performance. Minified code can be easily de-minified, while deobfuscating obfuscated code takes a lot of time.
According to Google, around 70% of all the Chrome extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The second rule Google put into place today is a new review process for extensions submitted for listing on the Chrome Web Store. Google says that all extensions that request access to powerful browser permissions will be put through what Google called an “additional compliance review.” Ideally, Google would prefer extensions to be “narrowly-scoped”, asking only for the permissions they need to get the job done, without requesting extra permissions as a backup for future features.
Furthermore, Google said that an additional compliance review may also be triggered if extensions use remotely hosted code, a signal that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions will be put through “ongoing monitoring.” The next new rule will be supported by a new feature that will land in Chrome 70, set to be released this month.
With Chrome 70, Google says users will be able to restrict extensions to specific sites only, preventing potentially dangerous extensions from executing on sensitive pages, like e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
The fourth new rule is not for extensions per se, but for extension developers. Because of the large number of phishing campaigns that have taken place over the past year, starting in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging the credibility of both the extension and Chrome. The changes to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for controlling extension permissions.
Google’s new Web Store rules come to bolster the protection measures the browser maker has taken to secure Chrome lately, like prohibiting the installation of extensions hosted on remote sites, or using out-of-process iframes to isolate some of the extension code from the page the extension runs on.
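
The second rule names two review triggers: broad permissions and remotely hosted code. The following added example (not from Google or the original article) is a heuristic self-check a developer could run on a Manifest V2 `manifest.json` before submission. The function name `auditManifest`, the finding labels, and the sample manifests with their `example.com` hosts are constructed for illustration and do not reproduce Google's actual review process.

```javascript
// Added example: flag manifest.json entries that are not "narrowly-scoped"
// or that allow script loading from remote origins. Heuristic only.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const scripts = manifest.content_scripts || [];

  // Host patterns that grant access to every site the user visits.
  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push(`broad-host-permission: ${p}`);
  }
  scripts.forEach((cs, i) => {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push(`broad-content-script[${i}]: ${m}`);
    }
  });

  // In Manifest V2 the CSP is one string; a remote origin in script-src
  // lets extension pages load code that was never part of the reviewed package.
  const csp = typeof manifest.content_security_policy === "string"
    ? manifest.content_security_policy : "";
  const scriptSrc = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0] === "script-src") || [];
  for (const src of scriptSrc.slice(1)) {
    if (/^https?:\/\//i.test(src)) findings.push(`remote-script-origin: ${src}`);
  }
  return findings;
}

// Constructed sample: all-site access plus a remote script origin.
const broad = {
  manifest_version: 2,
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
  content_security_policy:
    "script-src 'self' https://cdn.example.com; object-src 'self'"
};
// Constructed sample: runs on user click (activeTab), one host, local scripts only.
const scoped = {
  manifest_version: 2,
  permissions: ["activeTab", "https://notes.example.com/*"],
  content_security_policy: "script-src 'self'; object-src 'self'"
};

console.log(auditManifest(broad));
console.log(auditManifest(scoped));
```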