Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily meant to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they can do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of creating source code that is hard for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace and newlines, or shortening variable names, for the sake of performance. Minified code can easily be de-minified, while deobfuscating obfuscated code takes considerable time.
According to Google, around 70% of all the Chrome extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The second rule Google put into place today is a new review process for many extensions submitted to be listed on the Chrome Web Store. Google states that all extensions that request access to powerful browser permissions will be subject to something Google called an “additional compliance review.” Google would prefer that extensions be “narrowly-scoped,” that is, that they ask for only the permissions they need to get the job done, without requesting access to extra permissions as a backup for future features.
Furthermore, Google also stated that an additional compliance review may be triggered if extensions use remotely hosted code, an indication that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions will be subject to “ongoing monitoring.”
The third new rule will be supported by a new feature that will land in Chrome 70, set to be released this month. With Chrome 70, Google says users will have the ability to restrict extensions to certain sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
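The two review triggers described above, broad permissions and remotely hosted code, are both visible in an extension's manifest.json. The following is an added example, not Google's review logic and not code from the original article; the list of "powerful" API permissions and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag manifest entries that are broad or allow remote scripts.
// ASSUMPTION: which items count as "powerful" is chosen here for illustration;
// the article does not list the permissions Google's review looks at.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const POWERFUL_APIS = new Set(["tabs", "cookies", "history", "webRequest", "debugger"]);

// Return script-src (or fallback default-src) sources that load code from outside the package.
function remoteScriptSources(csp) {
  const directives = Object.create(null);
  for (const part of String(csp || "").split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  const sources = directives["script-src"] || directives["default-src"] || [];
  return sources.filter((s) => /^(https?:|\*)/i.test(s));
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (BROAD_HOSTS.has(p)) findings.push({ kind: "broad-host", value: p });
    else if (POWERFUL_APIS.has(p)) findings.push({ kind: "powerful-api", value: p });
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push({ kind: "broad-content-script", value: m });
    }
  }
  for (const src of remoteScriptSources(manifest.content_security_policy)) {
    findings.push({ kind: "remote-code", value: src });
  }
  return findings;
}

// Constructed sample manifests (manifest_version 2 style, CSP as a string).
const BROAD_SAMPLE = {
  name: "sample-broad", manifest_version: 2,
  permissions: ["tabs", "cookies", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["cs.js"] }],
  content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const NARROW_SAMPLE = {
  name: "sample-narrow", manifest_version: 2,
  permissions: ["activeTab", "storage"],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log(auditManifest(BROAD_SAMPLE));
console.log(auditManifest(NARROW_SAMPLE));
```

A check like this only reads declarations; it says nothing about what the extension's code does with the access it was granted.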
The fourth new rule is not for extensions per se, but for extension developers. Because of the many phishing campaigns that have taken place over the last year, starting in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to avoid cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension's and Chrome’s credibility.
The changes to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for managing extension permissions.
Google’s new Web Store rules come to bolster the security measures that the browser maker has taken to secure Chrome lately, including prohibiting the installation of extensions hosted on remote sites, and the use of out-of-process iframes for isolating some of the extension code from the page the extension runs on.