Google improves security around extensions on Chrome on the next release

Google this month announced that users will have the choice to restrict extensions to a custom list of sites or to configure extensions to require a click to gain access to the current page, beginning on Chrome 70. Chrome 70 will be released in 9 days, on October 16.

Going forward, Google says that extensions with highest permissions will be subject to additional compliance review. Google is looking very closely at extensions that use remotely hosted code, with ongoing monitoring.

Chrome Web Store will no longer allow extensions with obfuscated code. This includes code within the extension package as well as any external code or resource fetched from the web. This policy applies immediately to all new extension submissions. Existing extensions with obfuscated code can continue to submit updates over the next 90 days, but will be removed from the Chrome Web Store in early January if not compliant.

According to Google, over 70% of malicious and policy-violating extensions that Google blocks from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes.

There are now more than 180,000 extensions in the Chrome Web Store, and nearly half of Chrome desktop users actively use extensions to customize Chrome and their experience on the web. Google launched the extensions on Chrome around one decade ago.