Google today announced five major changes to the Chrome Web Store. The first two are happening now: Developers are being subjected to a more rigorous review process, and the Chrome Web Store no longer accepts obfuscated JavaScript files. In a couple of weeks, Chrome users will get the option to restrict host access for their extensions. And in 2019, two more changes will take effect: Chrome Web Store developer accounts will require 2-step verification, and Google will introduce manifest version 3 of the extensions platform.

Google regularly cracks down on apps and extensions that cause a poor experience for Chrome users. In May 2015, Google began blocking extensions not listed in the Chrome Web Store. In September 2015, the company disabled inline installation of some Chrome extensions, and then in June 2018, it disabled inline installation completely.

Google shared today that there are now more than 180,000 extensions in the Chrome Web Store, with nearly half of Chrome desktop users using extensions. These changes aim to give users more transparency and control, while also helping the Chrome Web Store team cut down on malicious behavior.

Changes to the review process and new code readability requirements

Effective today, extensions that request powerful permissions will be subject to additional compliance review. Google doesn’t offer much detail here, but it does say your extension’s permissions should be as narrowly scoped as possible and all your code should be included directly in the extension package to minimize review time. If your extension uses remotely hosted code, Google will also be taking a closer look (and will monitor on an ongoing basis).

Also starting today, the Chrome Web Store will no longer accept new extensions that contain obfuscated JavaScript files, whether the obfuscated code sits inside the extension package itself or in any external code or resource the extension fetches.

This policy applies to all new extension submissions, while existing extensions with obfuscated code can continue to submit updates over the next 90 days. They will, however, be removed from the Chrome Web Store in early January if not compliant.

Google explains that over 70 percent of the malicious and policy-violating extensions that the company blocks from the Chrome Web Store today contain obfuscated code. There are three other reasons for cracking down on obfuscation: It adds a great deal of complexity to the review process (because it is mainly used to conceal code functionality), it is insufficient to protect proprietary code from a truly motivated reverse engineer (since JavaScript code is always running locally on the user’s machine), and it carries hefty performance costs (slower execution, increased file and memory footprints).

Instead, Google recommends minification since it typically speeds up code execution as it reduces code size, and is much more straightforward to review. That includes the removal of whitespace, newlines, code comments, and block delimiters; shortening of variable and function names; and collapsing the number of JavaScript files.
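The distinction above is easiest to see side by side. The following is an added example, not Google's code or any Chrome Web Store tooling: a small heuristic scan a developer could run over their own bundle before submission, which passes a minified function but flags the markers (eval, escaped-hex strings, char-code assembled strings, hex-style names) that conceal what code does. Both samples are constructed for illustration, and the marker patterns and thresholds are assumptions, not Google's review criteria.

```javascript
// Constructed sample: the same fetch helper minified (whitespace, comments
// and long names removed). It is compact but still reads as plain code.
const MINIFIED_SAMPLE =
  'function a(b){return fetch(b).then(function(c){return c.json()})}';

// Constructed sample: the behaviour is hidden behind hex-escaped strings,
// char-code assembly and eval, so a reviewer cannot tell what it does.
const OBFUSCATED_SAMPLE =
  'var _0x1a=["\\x66\\x65\\x74\\x63\\x68","\\x6a\\x73\\x6f\\x6e"];' +
  'eval(String.fromCharCode(102,101,116,99,104)+"(u)");';

// Assumed heuristics: each pattern is a sign that code conceals its
// functionality rather than merely being shortened.
const OBFUSCATION_MARKERS = [
  { name: 'dynamic code evaluation', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { name: 'hex-escaped strings', re: /(\\x[0-9a-fA-F]{2}){4,}|(\\u[0-9a-fA-F]{4}){4,}/ },
  { name: 'char-code assembled strings', re: /String\.fromCharCode\s*\(\s*\d+(\s*,\s*\d+){3,}/ },
  { name: 'hex-style identifiers', re: /\b_0x[0-9a-f]{2,}\b/ },
];

// Returns the names of every marker present in `source`.
// An empty list means the file looks minified or plain, not obfuscated.
function findObfuscationMarkers(source) {
  return OBFUSCATION_MARKERS.filter((m) => m.re.test(source)).map((m) => m.name);
}

// Coarse verdict used for a pre-submission check of each JavaScript file.
function classify(source) {
  return findObfuscationMarkers(source).length === 0 ? 'minified-or-plain' : 'obfuscated';
}

console.log('minified sample  ->', classify(MINIFIED_SAMPLE));
console.log('obfuscated sample ->', classify(OBFUSCATED_SAMPLE), findObfuscationMarkers(OBFUSCATED_SAMPLE));
```

Treat a hit as a prompt for a human look rather than a verdict: legitimate minified libraries occasionally contain escaped strings, while obfuscation that avoids these specific markers will pass, so the scan complements review and does not replace it.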

If you have an extension in the Chrome Web Store, you should review the updated content policies and the recommended minification techniques. You’ll want to submit a new compliant version before January 1, 2019.

User controls for host permissions

Starting in Chrome 70, which is slated to arrive on October 16 (we’re currently on Chrome 69), users will have the option to restrict extension host access to a custom list of sites or to configure extensions to require a click for access to the current page.

Host permissions, which allow extensions to automatically read and change data on websites, enable various powerful and creative use cases, but Google says they have also led to a broad range of malicious and unintentional misuses. “Our aim is to improve user transparency and control over when extensions are able to access site data,” James Wagner, Chrome Extensions product manager, explains.

In later Chrome releases, Google plans to further tweak how its browser handles the user experience around host permissions. In the meantime, if your extension requests host permissions, you should check out the transition guide and make any necessary changes over the next two weeks.

Required 2-step verification and Manifest v3

In 2019, all Chrome Web Store developer accounts will have to enroll in 2-Step Verification. This adds an extra layer of security by requiring a second authentication step, either from your phone or a physical security key.

Popular extensions can attract attackers who want to hijack the corresponding developer accounts. If you want even stronger account security, Google recommends the Advanced Protection Program, which requires a physical security key and offers the same level of security that Google relies on for its own employees.

Lastly, Google will introduce the next version of its extensions platform in 2019 (exact timing and the rollout plan will be announced later). Manifest v3 will aim to create stronger security, privacy, and performance guarantees. Key goals of manifest v3 include:

  • More narrowly scoped and declarative APIs, to decrease the need for overly broad access and enable more performant implementation by the browser, while preserving important functionality
  • Additional, easier mechanisms for users to control the permissions granted to extensions
  • Modernizing to align with new web capabilities, such as supporting Service Workers as a new type of background process

Google admits all the above changes can be a pain for extension developers. “But we believe the collective result will be worth that effort for all users, developers, and for the long term health of the Chrome extensions ecosystem,” Wagner argues. If you have questions, comments, or concerns, head to the Chromium extensions forum.