Google announced today five new rules for the Chrome Web Store, the portal from which users download Chrome extensions. The new rules are primarily meant to keep malicious extensions out of the Web Store, but also to limit the damage such extensions can do on the client side.
The first new rule Google announced today concerns code readability. Starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of producing source code that is hard for humans to understand.
This should not be confused with minified (compressed) code. Minification refers to removing whitespace and newlines or shortening variable names for the sake of performance. Minified code can easily be de-minified with a beautifier, while deobfuscating obfuscated code takes considerable time and effort from a reviewer.
According to Google, around 70% of the malicious and policy-violating extensions it blocks use code obfuscation. Since obfuscation also adds a performance hit, Google argues there is no legitimate advantage to using it, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The second rule Google put in place today is a new review process for extensions submitted to the Chrome Web Store. Google says that all extensions requesting powerful browser permissions will be subjected to what it calls an “additional compliance review.” Google would prefer extensions to be “narrowly-scoped”: requesting only the permissions they need to do their job, rather than asking for extra permissions as a placeholder for future features.
Furthermore, an additional compliance review can also be triggered if an extension uses remotely hosted code, a signal that the developer wants the ability to change the code delivered to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions could be subjected to “ongoing monitoring.” The third new rule will be supported by a new feature that lands in Chrome 70, set to be released this month.
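As an added illustration of the two review triggers described above (this is not Google's own tooling and not code from the original article), the following script audits a Chrome extension manifest for broad or powerful permissions and for signs of remotely hosted code. The list of permissions it treats as “powerful” and the two sample manifests are assumptions constructed for the example; Google has not published its exact criteria.

```javascript
// Added example: a small lint for Chrome extension manifests (Manifest V2)
// that flags what the article says triggers Google's additional compliance
// review: powerful/broad permissions and remotely hosted code.
// Not Google's tooling; the permission list below is an assumption.

// Permissions assumed to count as "powerful" for this check (assumption).
const POWERFUL_PERMISSIONS = new Set([
  "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
  "management", "nativeMessaging", "debugger", "proxy", "clipboardRead",
]);

// Host match patterns that grant access to every site a user visits.
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
]);

// Returns a list of human-readable findings; an empty list means the
// manifest looks narrowly scoped and ships no remotely loaded code.
function auditManifest(manifest) {
  const findings = [];

  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  for (const p of perms) {
    if (POWERFUL_PERMISSIONS.has(p)) findings.push(`powerful permission: ${p}`);
    if (BROAD_HOST_PATTERNS.has(p)) findings.push(`broad host permission: ${p}`);
  }

  // Content scripts matched against every site are the same exposure by
  // another route, so check their match patterns too.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOST_PATTERNS.has(m)) findings.push(`content script matches all sites: ${m}`);
    }
  }

  // Remotely hosted code: a script-src that allows a remote origin lets the
  // extension load code that was never reviewed; 'unsafe-eval' lets it run
  // code fetched as a string.
  const csp = manifest.content_security_policy || "";
  const scriptSrc = csp.split(";").map((s) => s.trim()).find((s) => s.startsWith("script-src"));
  if (scriptSrc) {
    for (const src of scriptSrc.split(/\s+/).slice(1)) {
      if (/^https?:\/\//.test(src) || src === "*" || src === "https:") {
        findings.push(`remote script source in CSP: ${src}`);
      }
      if (src === "'unsafe-eval'") findings.push("CSP allows eval");
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions). The first asks for
// far more than it needs and allows remote code; the second is the
// narrowly scoped equivalent.
const broadManifest = {
  manifest_version: 2,
  name: "Example Helper",
  version: "1.0",
  permissions: ["tabs", "webRequest", "webRequestBlocking", "<all_urls>", "storage"],
  content_security_policy:
    "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
};

const narrowManifest = {
  manifest_version: 2,
  name: "Example Helper",
  version: "1.1",
  permissions: ["activeTab", "storage"],
  content_scripts: [{ matches: ["https://app.example.com/*"], js: ["content.js"] }],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

for (const [label, m] of [["broad", broadManifest], ["narrow", narrowManifest]]) {
  const findings = auditManifest(m);
  console.log(`${label}: ${findings.length === 0 ? "no findings" : findings.join("; ")}`);
}
```

The narrow manifest relies on `activeTab`, which grants access to the current page only after the user invokes the extension, and on a single host match pattern, which is the “narrowly-scoped” shape the review process favours. The check only inspects the manifest; code that uses `fetch()` plus `eval()` inside a page with a permissive CSP would need a source-level review as well.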
With Chrome 70, Google says users will be able to restrict an extension to specific sites only, preventing potentially dangerous extensions from executing on sensitive pages such as e-banking portals, web cryptocurrency wallets, or email inboxes. Chrome 70 will also be able to restrict an extension to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
The fourth new rule is not for extensions per se, but for extension developers. As a result of the many phishing campaigns that have taken place over the past year, starting in 2019 Google will require all extension developers to use one of the two-step verification (2SV) mechanisms it provides for Google accounts (SMS, authenticator app, or security key).
With 2SV enabled on developer accounts, Google hopes to stop cases where attackers take over a developer account and push malicious code into a legitimate Chrome extension, damaging both the extension’s and Chrome’s credibility. The fifth change concerns Manifest v3, the next version of the Chrome extension manifest format. The modifications planned for Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms that give users control over extension permissions.
Google’s new Web Store rules build on the security measures the browser maker has taken to secure Chrome in recent years, such as banning the installation of extensions hosted on third-party sites, or the use of out-of-process iframes to isolate some of the extension code from the page the extension runs on.