Google regularly cracks down on apps and extensions that cause a poor experience for Chrome users. In May 2015, Google began blocking extensions not listed in the Chrome Web Store. In September 2015, the company disabled inline installation of some Chrome extensions, and then in June 2018, it disabled inline installation completely.
Google shared today that there are now more than 180,000 extensions in the Chrome Web Store, with nearly half of Chrome desktop users using extensions. These changes aim to give users more transparency and control, while also helping the Chrome Web Store team cut down on malicious behavior.
Changes to the review process and new code readability requirements
Effective today, extensions that request powerful permissions will be subject to additional compliance review. Google doesn’t offer much detail here, but it does say your extension’s permissions should be as narrowly scoped as possible and all your code should be included directly in the extension package to minimize review time. If your extension uses remotely hosted code, Google will also be taking a closer look (and will monitor on an ongoing basis).
This policy applies to all new extension submissions, while existing extensions with obfuscated code can continue to submit updates over the next 90 days. They will, however, be removed from the Chrome Web Store in early January if not compliant.
If you have an extension in the Chrome Web Store, you should review the updated content policies and the recommended minification techniques. You’ll want to submit a new compliant version before January 1, 2019.
User controls for host permissions
Starting in Chrome 70, which is slated to arrive on October 16 (we’re currently on Chrome 69), users will have the option to restrict extension host access to a custom list of sites or to configure extensions to require a click for access to the current page.
Host permissions, which allow extensions to automatically read and change data on websites, enable various powerful and creative use cases, but Google says they have also led to a broad range of malicious and unintentional misuses. “Our aim is to improve user transparency and control over when extensions are able to access site data,” James Wagner, Chrome Extensions product manager, explains.
In later Chrome releases, Google plans to further tweak how its browser handles the user experience around host permissions. In the meantime, if your extension requests host permissions, you should check out the transition guide and make any necessary changes over the next two weeks.
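As an added illustration (not code from Google or from the original article), the following JavaScript lists the host patterns a Manifest V2 extension requests and flags the ones that cover every site, which is the broad host access described above. The manifests are constructed samples, the function names and scope labels are hypothetical, and the `activeTab` check is an addition of this example, since that permission grants access to the current tab only after the user invokes the extension.

```javascript
// Added example: audit a Manifest V2 object for broad host access.
// Host patterns use Chrome's match-pattern form: <scheme>://<host>/<path>.
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/;

// Returns a scope label for a host pattern, or null for API permissions.
function classifyHostPattern(pattern) {
  if (pattern === '<all_urls>') return 'all-sites';
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return null;                        // e.g. "tabs" or "storage"
  if (m[1] === 'file') return 'local-files';  // file:///... has an empty host
  const host = m[2];
  if (host === '*') return 'all-sites';       // e.g. *://*/* or https://*/*
  if (host.startsWith('*.')) return 'all-subdomains';
  return 'single-host';
}

function auditManifest(manifest) {
  // In Manifest V2, host patterns sit in the same arrays as API permissions.
  const sources = [];
  for (const p of manifest.permissions || []) sources.push(['permissions', p]);
  for (const p of manifest.optional_permissions || []) sources.push(['optional_permissions', p]);
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) sources.push([`content_scripts[${i}].matches`, p]);
  });
  const findings = [];
  for (const [where, pattern] of sources) {
    const scope = classifyHostPattern(pattern);
    if (scope) findings.push({ where, pattern, scope });
  }
  return {
    findings,
    broad: findings.filter(f => f.scope === 'all-sites'),
    usesActiveTab: (manifest.permissions || []).includes('activeTab'),
  };
}

// Constructed sample manifests (not taken from any real extension).
const broadManifest = {
  manifest_version: 2, name: 'sample-broad', version: '1.0',
  permissions: ['tabs', 'storage', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};
const scopedManifest = {
  manifest_version: 2, name: 'sample-scoped', version: '1.0',
  permissions: ['storage', 'activeTab', 'https://*.example.com/*'],
};

for (const m of [broadManifest, scopedManifest]) {
  const r = auditManifest(m);
  console.log(m.name, 'broad:', r.broad.map(f => f.pattern), 'activeTab:', r.usesActiveTab);
}
```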
Required 2-step verification and Manifest v3
In 2019, all Chrome Web Store developer accounts will have to enroll in 2-Step Verification. This adds an extra layer of security by requiring a second authentication step, either from your phone or a physical security key.
Popular extensions can attract attackers who want to hijack the corresponding developer accounts. If you want even stronger account security, Google recommends the Advanced Protection Program, which requires a physical security key and offers the same level of security that Google relies on for its own employees.
Lastly, Google will introduce the next version of its extensions platform in 2019 (exact timing and the rollout plan will be announced later). Manifest v3 will aim to create stronger security, privacy, and performance guarantees. Key goals of Manifest v3 include:
- More narrowly scoped and declarative APIs, to decrease the need for overly broad access and enable more performant implementation by the browser, while preserving important functionality
- Additional, easier mechanisms for users to control the permissions granted to extensions
- Modernizing to align with new web capabilities, such as supporting Service Workers as a new type of background process
Google admits all the above changes can be a pain for extension developers. “But we believe the collective result will be worth that effort for all users, developers, and for the long term health of the Chrome extensions ecosystem,” Wagner argues. If you have questions, comments, or concerns, head to the Chromium extensions forum.