Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily designed to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they do client-side.
The first new rule that Google announced today relates to code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of creating source code that is difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace and newlines or shortening variable names for the sake of performance. Minified code can be easily de-minified, while deobfuscating obfuscated code takes considerable time.
According to Google, around 70% of all the extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The next rule Google put in place today is a new review process for extensions submitted to be listed on the Chrome Web Store. Google says that all extensions that request access to powerful browser permissions will be subjected to what Google called an “additional compliance review.” Ideally, Google would like extensions to be “narrowly-scoped,” asking for just the permissions they need to get the job done, without requesting access to extra permissions as a backup for future features.
Furthermore, Google said that an additional compliance review can also be triggered if extensions use remotely hosted code, a signal that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions could be subjected to “ongoing monitoring.”
The next new rule will be backed by a new feature that will land in Chrome 70, set to be released this month. With Chrome 70, Google says users will have the ability to restrict extensions to specific sites only, preventing potentially dangerous extensions from executing on sensitive pages, like e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
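The two review triggers described above (broad permissions and remotely hosted code) can be pre-checked by a developer before submission. The following is an added example, not code from Google or from this article: it assumes a Manifest V2 style `manifest.json` (the `permissions`, `content_scripts` and string-valued `content_security_policy` keys), and the rule names and both sample manifests are constructed for illustration. It is a heuristic, not Google's actual review criteria.

```javascript
// Host patterns that grant an extension access to every site.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Returns a list of findings for a parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  // 1. Broad host access requested up front instead of being narrowly scoped.
  for (const p of manifest.permissions || []) {
    if (typeof p === 'string' && BROAD_HOSTS.has(p)) {
      findings.push({ rule: 'broad-host-permission', detail: p });
    }
  }
  // 2. Content scripts injected into every page.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push({ rule: 'broad-content-script', detail: m });
    }
  }
  // 3. A CSP whose script-src allows remote origins or eval means the code
  //    that runs can differ from the code that was reviewed.
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') {
    for (const directive of csp.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name !== 'script-src') continue;
      for (const s of sources) {
        if (s === "'unsafe-eval'" || /^https?:/i.test(s)) {
          findings.push({ rule: 'remote-or-eval-script', detail: s });
        }
      }
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical extensions).
const BROAD_MANIFEST = {
  permissions: ['tabs', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
const NARROW_MANIFEST = {
  permissions: ['storage', 'https://mail.example.com/*'],
  content_scripts: [{ matches: ['https://mail.example.com/*'], js: ['ui.js'] }],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log(auditManifest(BROAD_MANIFEST), auditManifest(NARROW_MANIFEST));
```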
The fourth new rule is not for extensions per se, but for extension developers. Because of a large number of phishing campaigns that have occurred over the past year, beginning in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google provides for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to avoid cases where hackers take control of developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension's and Chrome’s credibility.
The changes to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for controlling extension permissions.
Google’s new Web Store rules come to bolster the security measures that the browser maker has taken to secure Chrome lately, including prohibiting the installation of extensions hosted on remote sites, or the use of out-of-process iframes for isolating some of the extension code from the page the extension operates on.