Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily intended to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they can do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of writing source code that is difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace, newlines, or shortening variables in the interest of performance. Minified code can easily be de-minified, while deobfuscating obfuscated code takes a lot of time.
According to Google, around 70% of the Chrome extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The next rule Google put in place today is a new review process for many extensions submitted for listing on the Chrome Web Store. Google states that all extensions that request the use of powerful browser permissions will be subjected to what Google called an “additional compliance review.” Ideally, Google would prefer that extensions be “narrowly-scoped,” asking only for the permissions they need to do their job, without requesting extra permissions as a backup for future features.
Furthermore, Google also said that an additional compliance review can be triggered if extensions use remotely hosted code, a sign that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions would be put through “ongoing monitoring.”
The next new rule will be supported by a new feature that will land in Chrome 70, set to be released this month. With Chrome 70, Google says users will be able to restrict extensions to particular sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
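The review triggers described above (powerful or all-site permissions, and remotely hosted code) are visible in an extension's manifest, so they can be checked before submission or installation. The following is an added example, not code from Google or the original article; the `POWERFUL` permission list, the rule names and the sample manifests are assumptions made for illustration, and it reads the Manifest V2 layout.

```javascript
// ASSUMPTION: illustrative list of "powerful" permissions; the article does
// not say which permissions trigger Google's additional compliance review.
const POWERFUL = new Set(["tabs", "cookies", "webRequest", "webRequestBlocking",
  "history", "management", "debugger", "proxy", "nativeMessaging"]);
// Match patterns that grant access to every site.
const ALL_SITES = /^(<all_urls>|(\*|https?|wss?|ftp|file):\/\/\*\/.*)$/;

// Remote origins the manifest's CSP allows scripts to be loaded from.
function remoteScriptSources(csp) {
  if (typeof csp !== "string") return [];
  const directives = {};
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  const sources = directives["script-src"] || directives["default-src"] || [];
  return sources.filter((v) => /^(https?:|\*)/i.test(v));
}

// Returns one finding per risky manifest entry; an empty list means narrow scope.
function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) {
    if (typeof p !== "string") continue;
    if (ALL_SITES.test(p)) findings.push({ rule: "all-sites-host-access", value: p });
    else if (POWERFUL.has(p)) findings.push({ rule: "powerful-permission", value: p });
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (ALL_SITES.test(m)) findings.push({ rule: "content-script-on-all-sites", value: m });
    }
  }
  for (const src of remoteScriptSources(manifest.content_security_policy)) {
    findings.push({ rule: "remote-script-source", value: src });
  }
  return findings;
}

// Constructed sample manifests (Manifest V2 layout), not real extensions.
const broadManifest = {
  permissions: ["tabs", "cookies", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
  content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const narrowManifest = {
  permissions: ["storage", "https://mail.example.com/*"],
  content_scripts: [{ matches: ["https://mail.example.com/*"], js: ["ui.js"] }],
};
for (const m of [broadManifest, narrowManifest]) console.log(auditManifest(m));
```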
The fourth new rule is not for extensions per se, but for extension developers. Because of the large number of phishing campaigns that have taken place over the last year, starting in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to avoid cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension's and Chrome’s credibility.
The changes to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for managing extension permissions.
Google’s new Web Store rules bolster the security measures that the browser maker has taken to secure Chrome lately, including prohibiting the installation of extensions hosted on remote sites, and the use of out-of-process iframes for isolating some of the extension code from the page the extension runs on.