Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily designed to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of making source code difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace and newlines or shortening variable names in the interest of performance. Minified code can be easily de-minified, while deobfuscating obfuscated code takes a lot of time.
According to Google, around 70% of all the Chrome extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation whatsoever, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The second rule Google put into place today is a new review process for all extensions submitted to be listed on the Chrome Web Store. Google says that all extensions that request access to powerful browser permissions will be subjected to what Google called an “additional compliance review.” Ideally, Google would prefer that extensions be “narrowly-scoped,” requesting only the permissions they need to get the job done, without requesting extra permissions as a backup for future features.
Furthermore, Google said that an additional compliance review may also be triggered if extensions use remotely hosted code, a signal that developers want the capability to modify the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions would be subjected to “ongoing monitoring.”
The third new rule will be supported by a new feature that will land in Chrome 70, set to be released this month.
With Chrome 70, Google says users will be able to restrict extensions to particular sites only, preventing potentially dangerous extensions from executing on sensitive pages, like e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 may also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
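An added example (not from Google or the original article) of a self-check a developer could run before submission for the permission-scoping and remotely hosted code signals described above. It assumes a Manifest V2 style `manifest.json`; the permission lists and the sample manifest are constructed for illustration and are not Google's review criteria.

```python
import json

# Assumption: illustrative lists chosen for this example, not Google's review criteria.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
POWERFUL_APIS = {"tabs", "webRequest", "webRequestBlocking", "cookies",
                 "history", "debugger", "proxy", "management", "nativeMessaging"}
# Constructed sample manifest (Manifest V2 layout), not taken from a real extension.
SAMPLE_MANIFEST = """{
  "name": "Sample Price Helper", "manifest_version": 2,
  "permissions": ["storage", "tabs", "cookies", "<all_urls>"],
  "content_scripts": [{"matches": ["https://shop.example/*"], "js": ["cs.js"]}],
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'"
}"""

def script_sources(csp):
    """Return the source list of the script-src directive in a CSP string."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

def audit_manifest(manifest):
    """Return sorted (category, value) findings for one parsed manifest."""
    findings = set()
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    for perm in perms:
        if isinstance(perm, str) and perm in BROAD_HOSTS:
            findings.add(("broad-host", perm))        # runs on every site
        elif isinstance(perm, str) and perm in POWERFUL_APIS:
            findings.add(("powerful-api", perm))
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.add(("broad-host", pattern))
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, str):  # Manifest V2 stores the policy as one string
        for src in script_sources(csp):
            # Remote origins or eval let code change after review.
            if src == "'unsafe-eval'" or src.startswith(("http://", "https://")):
                findings.add(("remote-or-eval-script", src))
    return sorted(findings)

if __name__ == "__main__":
    for category, value in audit_manifest(json.loads(SAMPLE_MANIFEST)):
        print(f"{category:22} {value}")
```

A manifest that lists only the hosts it needs, such as `https://shop.example/*`, and keeps `script-src 'self'` produces no findings.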
The fourth new rule is not for extensions per se, but for extension developers. Because of a large number of phishing campaigns that have taken place over the last year, starting in 2019 Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension and Chrome’s credibility.
The modifications to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for controlling extension permissions.
Google’s new Web Store rules bolster the security measures that the browser maker has taken to secure Chrome in recent years, such as prohibiting the installation of extensions hosted on remote sites, or using out-of-process iframes to isolate some of the extension code from the page the extension runs on.