Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily meant to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they can do client-side.
The first new rule that Google announced today concerns code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code. Obfuscation is the deliberate act of producing source code that is difficult for humans to understand.
This should not be confused with minified (compressed) code. Minification or compression is the practice of removing whitespace and newlines, or shortening variable names, for the sake of performance. Minified code can be easily de-minified, while deobfuscating obfuscated code takes considerable time.
According to Google, around 70 percent of all the extensions the company blocks use code obfuscation. Since code obfuscation also adds a performance hit, Google argues there are no advantages to using it whatsoever, hence the decision to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extensions.
The second rule Google put into place today is a new review process for all extensions submitted to be listed on the Chrome Web Store. Google says that all extensions that request the use of powerful browser permissions will likely be put through what Google called an “additional compliance review.” Ideally, Google would like extensions to be “narrowly-scoped,” requesting just the permissions they need to get the job done, without requesting extra permissions as a backup for future features.
Furthermore, Google also said that an additional compliance review can also be triggered if extensions use remotely hosted code, a signal that developers want the capability to modify the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions could be subject to “ongoing monitoring.”
The third new rule will be backed by a new feature that will land in Chrome 70, set to be released this month. With Chrome 70, Google says users will have the ability to restrict extensions to specific sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes. Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won’t execute on a page until the user clicks a button or option in Chrome’s menu.
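The review triggers described above (powerful permissions, access to every site, remotely hosted code) can be checked in an extension's manifest before submission. The following Python sketch is an added example, not Google's review logic or code from this article; the set of permissions treated as "powerful", the finding labels, and the function name `audit_manifest` are assumptions.

```python
import json
import re

# Assumption: permissions treated as "powerful" here; the article does not list Google's set.
POWERFUL = {"tabs", "webRequest", "cookies", "history", "debugger",
            "nativeMessaging", "management", "proxy", "clipboardRead"}
# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text):
    """Return sorted findings for the text of an extension's manifest.json."""
    m = json.loads(manifest_text)
    findings = set()
    requested = m.get("permissions", []) + m.get("optional_permissions", [])
    for p in requested:
        if not isinstance(p, str):
            continue
        if p in BROAD_HOSTS:
            findings.add(f"broad-host:{p}")
        elif p in POWERFUL:
            findings.add(f"powerful-permission:{p}")
    for cs in m.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.add(f"content-script-all-sites:{pattern}")
    # A CSP that allows a remote script origin or eval lets code change after review.
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # newer manifests use an object instead of a string
        csp = csp.get("extension_pages", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] in ("script-src", "default-src"):
            for src in tokens[1:]:
                if re.match(r"^https?://", src):
                    findings.add(f"remote-code:{src}")
                elif src == "'unsafe-eval'":
                    findings.add("dynamic-code:'unsafe-eval'")
    return sorted(findings)


# Constructed sample manifest (not a real extension).
SAMPLE = json.dumps({
    "manifest_version": 2, "name": "Sample", "version": "1.0",
    "permissions": ["tabs", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["c.js"]}],
    "content_security_policy":
        "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
})

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE)))
```

A narrowly scoped manifest, for example one requesting only `storage` and a single host pattern, produces no findings.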
The fourth new rule is not for extensions per se, but for extension developers. Because of the many phishing campaigns that have taken place over the past year, starting in 2019 Google will require all extension developers to use one of the two-step verification (2SV) mechanisms that Google offers for its accounts (SMS, authenticator app, or security key).
With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging the extension's and Chrome’s credibility.
The changes to Manifest v3 are based on the new features added in Chrome 70, and more precisely on the new mechanisms granted to users for controlling extension permissions.
Google’s new Web Store rules come to bolster the security measures that the browser maker has taken to secure Chrome lately, including prohibiting the installation of extensions hosted on remote sites, and the use of out-of-process iframes for isolating some of the extension code from the page the extension operates on.