Google announced today five new rules for the Chrome Web Store, the portal users visit to download Chrome extensions. The new rules are primarily designed to prevent malicious extensions from reaching the Web Store, but also to minimize the damage they do client-side.
The first new rule concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of making source code difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression is the practice of removing whitespace and newlines, or shortening variable names, in the interest of performance. Minified code can easily be de-minified, while deobfuscating obfuscated code takes a lot of time.
According to Google, around 70% of the extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using it whatsoever, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The next rule Google put in place today is a new review process for all extensions submitted for listing on the Chrome Web Store. Google says that all extensions that request powerful browser permissions will be subjected to what it calls an “additional compliance review.” Ideally, Google would prefer extensions to be “narrowly-scoped,” asking only for the permissions they need to do their job, without requesting extra permissions as a backup for future features.
Furthermore, Google said that an additional compliance review can also be triggered if extensions use remotely hosted code, a sign that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions will be subjected to “ongoing monitoring.”
The third new rule will be backed by a new feature that will land in Chrome 70, set to be released this month. With Chrome 70, Google says users will be able to restrict extensions to certain sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 may also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
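The permission scoping and remotely hosted code concerns described above can be checked in an extension's own manifest.json before submission. The following is an added example, not code from Google or from the article; it assumes a Manifest V2 file, and the function names, finding labels and sample manifests are constructed for illustration and do not reproduce Google's review criteria.

```javascript
// Added illustration: audit a Manifest V2 manifest for all-sites host access
// and for script sources outside the package. Checks are assumptions.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Host match patterns look like scheme://host/path; API permissions do not.
function isHostPattern(p) {
  return p === '<all_urls>' || p.includes('://');
}

// Return script-src sources that are not quoted keywords or hashes
// ('self', 'unsafe-eval', 'sha256-...'), i.e. origins outside the package.
function remoteScriptSources(csp) {
  const directive = (csp || '').split(';').map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'script-src');
  return directive ? directive.slice(1).filter(s => !s.startsWith("'")) : [];
}

function auditManifest(manifest) {
  const findings = [];
  // Host access can be granted via permissions or via content script matches.
  const hostPatterns = [
    ...(manifest.permissions || []).filter(isHostPattern),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  for (const pattern of new Set(hostPatterns)) {
    if (BROAD_HOSTS.has(pattern)) findings.push(`broad-host:${pattern}`);
  }
  for (const src of remoteScriptSources(manifest.content_security_policy)) {
    findings.push(`remote-script:${src}`);
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadManifest = {
  manifest_version: 2, name: 'Sample A', version: '1.0',
  permissions: ['tabs', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
  content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const narrowManifest = {
  manifest_version: 2, name: 'Sample B', version: '1.0',
  permissions: ['activeTab', 'storage', 'https://notes.example.com/*'],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log(auditManifest(broadManifest));  // three findings
console.log(auditManifest(narrowManifest)); // no findings
```

The narrow manifest relies on `activeTab`, which grants access to the current page only after the user invokes the extension, and on a single host pattern instead of all sites.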
The fourth new rule is not for extensions per se, but for extension developers. Due to a large number of phishing campaigns that have taken place over the past year, starting in 2019 Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension’s and Chrome’s credibility.
The modifications to Manifest v3 are related to the newest features added in Chrome 70, and more precisely to the new mechanisms granted to users for managing extension permissions.
Google’s new Web Store rules come to bolster the safety measures that the browser maker has taken to secure Chrome in recent years, including prohibiting the installation of extensions hosted on remote sites, or using out-of-process iframes to isolate some of the extension code from the page the extension runs on.