Google announced five new rules today for the Chrome Web Store, the portal users visit to download Chrome extensions. The new rules are primarily designed to prevent malicious extensions from reaching the Web Store, but also to minimize the amount of damage they do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of creating source code that is difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression is the practice of removing whitespace and newlines, or shortening variable names, in the interest of performance. Minified code can be easily de-minified, while deobfuscating obfuscated code takes considerable time.
According to Google, around 70 percent of all the extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using code obfuscation at all, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The next rule Google put in place today is a new review process for many extensions submitted for listing on the Chrome Web Store. Google states that all extensions that request access to powerful browser permissions will likely be subjected to what Google called an “additional compliance review.” Ideally, Google would prefer that extensions be “narrowly-scoped”, requesting only the permissions they need to get the job done, without requesting access to extra permissions as a backup for future features.
Furthermore, Google stated that an additional compliance review will also be triggered if extensions use remotely hosted code, a sign that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions will be subjected to “ongoing monitoring.” The next new rule will be backed by a brand new feature that will land in Chrome 70, set to be released this month.
With Chrome 70, Google says users will be able to restrict extensions to particular sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
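The broad site access and remotely hosted code discussed above both leave traces in an extension's `manifest.json`, so a reviewer can screen for them statically. The following is an added example, not code from Google or from the original article; it assumes a Manifest V2 manifest, and the function names, sample manifests and the choice of what to flag are illustrative assumptions.

```javascript
// Static audit of a Manifest V2 manifest object. What gets flagged is this
// example's assumption, not Google's actual review criteria.

// True when a match pattern covers every host, e.g. "<all_urls>" or "*://*/*".
function isBroadHost(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Returns the source list of script-src, falling back to default-src.
function scriptSources(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives['script-src'] || directives['default-src'] || [];
}

function auditManifest(manifest) {
  const findings = [];
  const hosts = [
    ...(manifest.permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ].filter((p) => typeof p === 'string');
  for (const h of new Set(hosts.filter(isBroadHost))) {
    findings.push(`broad-host-access: ${h}`);
  }
  const csp = manifest.content_security_policy;
  for (const src of scriptSources(typeof csp === 'string' ? csp : '')) {
    if (/^(https?:|\*)/i.test(src)) findings.push(`remote-script-source: ${src}`);
    if (src.toLowerCase() === "'unsafe-eval'") findings.push('csp-allows-eval');
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const BROAD = {
  manifest_version: 2, name: 'sample-broad',
  permissions: ['tabs', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
const NARROW = {
  manifest_version: 2, name: 'sample-narrow',
  permissions: ['activeTab', 'storage', 'https://notes.example.com/*'],
  content_security_policy: "script-src 'self'; object-src 'self'",
};
console.log(auditManifest(BROAD));
console.log(auditManifest(NARROW));
```

A clean result only means the manifest does not declare these things; code fetched and evaluated at runtime by other means still needs review of the extension's scripts.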
The fourth new rule is not for extensions per se, but for extension developers. Because of a large number of phishing campaigns that have taken place over the past year, starting in 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension's and Chrome’s credibility. The changes to Manifest v3 are based on the new features added in Chrome 70, and more precisely on the new mechanisms granted to users for controlling extension permissions.
Google’s new Web Store rules come to bolster the security measures that the browser maker has taken to secure Chrome recently, including prohibiting the installation of extensions hosted on remote sites, or the use of out-of-process iframes for isolating some of the extension code from the page the extension operates on.