If you're like us, you use browser add-ons every day to manage passwords; customize the look of your browser; organize tabs; or enhance your experiences on specific websites like Reddit, Steam, or YouTube. However, while these extensions can provide missing functionality, sometimes their developers aren't playing by the rules.
Today, Google announced several new initiatives for Chrome that are designed to rein in potentially misbehaving browser add-ons.
New rules let users easily control host permissions
In the announcement, Chrome extensions product manager James Wagner writes that the most prominent change for users will be a new widget that helps you control how much data your add-ons collect while you browse.
For every extension you've installed, you will have the option for it to read site data in three different ways: you can limit its collection to the web page that you're currently looking at, let it collect data as it sees fit, or only let it collect data when you click on it.
Wagner uses the company's own Google Dictionary add-on as an example. As you might expect, this tool can define words that you're looking at on a web page -- but for it to work, the add-on has to be able to scan the page for text to begin with. In Chrome 70, you'll be able to limit this scan to a specific web page, or a whole domain like Gamespot.com or CNET.com.
According to Wagner, "While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse - both malicious and unintentional - because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data."
In this context, the host is the device that you're using, and the permissions are what the add-on is asking for to do its work.
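An added example, not from Google or the original article: a small Node.js check that reads an extension's manifest and reports how broadly it asks to read site data, roughly matching the three choices described above. The function names and the three sample manifests are constructed for illustration; `permissions`, `host_permissions`, `content_scripts` `matches`, `activeTab` and `<all_urls>` are real manifest keys and values.

```javascript
// Added example: how broadly does an extension manifest ask to read site data?
// All manifests in SAMPLES are constructed for illustration.

// A host match pattern is scheme://host/path, or the special <all_urls>.
function isHostPattern(p) {
  return p === '<all_urls>' || /^(\*|https?|file|ftp):\/\//.test(p);
}

// True when the pattern's host part is a bare wildcard, i.e. every site.
function coversAllSites(p) {
  return p === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(p);
}

// Gather host patterns from "permissions" (Manifest V2), "host_permissions"
// (Manifest V3) and content script "matches".
function hostPatterns(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...scripts,
  ];
  return [...new Set(declared.filter(isHostPattern))];
}

// Classify the manifest: broadest access wins, activeTab alone means on-click.
function classifyHostAccess(manifest) {
  const hosts = hostPatterns(manifest);
  const broad = hosts.filter(coversAllSites);
  let level = 'none';
  if (broad.length > 0) level = 'all-sites';
  else if (hosts.length > 0) level = 'specific-sites';
  else if ((manifest.permissions || []).includes('activeTab')) level = 'on-click';
  return { level, hosts, broad };
}

const SAMPLES = {
  dictionary: { name: 'Sample dictionary', permissions: ['storage'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['lookup.js'] }] },
  shopHelper: { name: 'Sample shop helper',
    permissions: ['storage', 'https://*.example.com/*'] },
  clipper: { name: 'Sample clipper', permissions: ['activeTab', 'contextMenus'] },
};

for (const manifest of Object.values(SAMPLES)) {
  const { level, hosts } = classifyHostAccess(manifest);
  console.log(`${manifest.name}: ${level} ${JSON.stringify(hosts)}`);
}
```

An extension that lands in `all-sites` is the kind the new control lets a user narrow to a single site or to on-click access.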
No more hidden programming code that could harbor suspicious behavior
Wagner says, "Today, over 70 percent of malicious and policy-violating extensions that we block from Chrome Web Store contain obfuscated code." Masking programming code is frequently used to protect trade secrets, but it's become relatively easy to undo that protection layer, to the point where there are no remaining credible reasons to keep letting add-on developers use it, according to Google.
Ergo, Google has decided to end this practice in its web browsers. Pre-existing extensions that use code obfuscation will have 90 days to conform to Google's new standards, or else they'll be pulled from Chrome's add-on store. New add-ons that want to use such code will not be permitted on the Chrome add-on store, effective immediately.
Additionally, Wagner warns, "Going forward, extensions that request powerful permissions will be subject to additional compliance review. We're also looking very closely at extensions that use remotely hosted code, with ongoing monitoring."
Chrome add-on developers must now use two-factor authentication
Starting "in 2019," Chrome Web Store developer accounts will also require two-factor authentication (2FA) to log in. With 2FA, you use a temporary code in addition to your user name and password.
Just a few weeks ago, the dev account for the MEGA cloud storage add-on was hijacked, and the legit version was replaced with a rogue extension that could harvest your passwords for other services, like Amazon or GitHub, without your knowledge. In theory, adding 2FA to these accounts will protect them against unauthorized access.
Google has been criticized in the past for an underwhelming add-on authentication system; 2FA is one step towards improving it, and it's easier to implement than the code signing conducted by rival Mozilla Firefox.
Google releases a new version of Chrome roughly every six weeks, based on the idea that rapidly updating the browser with relatively small changes is more manageable than fewer updates with bigger changes. It makes bugs easier to fix, and it gets updates into users' hands faster.
The beta version of Chrome 70 came out September 27, and you can download it now to get an advance peek at some of the changes.
- Google has announced that several security upgrades are coming with version 70 of its Chrome browser, which is due October 16.
- Users will get a widget that lets them control how much data an add-on can collect; Google will no longer allow obfuscated code; and apps that want big permissions will be closely inspected.
- Starting "in 2019," Chrome Web Store developer accounts will also require two-factor authentication to log in.