Google Updates Chrome Web Store Review Process and Defines New Code Readability Requirements



Google today announced five major changes to the Chrome Web Store. The first two take effect now: developers face a more rigorous review process, and the Chrome Web Store no longer allows obfuscated JavaScript files. In a few weeks, Chrome users will be able to limit their extensions' host access. And in 2019, two more changes will come into effect: Chrome Web Store developer accounts will require two-step verification, and Google will introduce version 3 of the extensions platform manifest.

Google regularly cracks down on apps and extensions that annoy Chrome users. In May 2015, Google started blocking extensions not listed in the Chrome Web Store. In September 2015, the company disabled inline installation of some Chrome extensions, and then in June 2018 it disabled inline installation completely.

Google shared today that there are now over 180,000 extensions in the Chrome Web Store, and that nearly half of Chrome desktop users actively use extensions. These changes are designed to give users more transparency and control, while helping the Chrome Web Store team reduce malicious behavior.

Changes to the review process and new code readability requirements

As of today, extensions that request powerful permissions will be subject to an additional compliance check. Google does not provide much detail here, but it says that your extension's permissions should be as narrowly scoped as possible and that all of your code should be included directly in the extension package to reduce review time. If your extension uses remotely hosted code, Google will also look at it more closely (and monitor it regularly).

In addition, starting today, the Chrome Web Store will no longer accept new extensions containing obfuscated JavaScript. This covers code inside the extension package as well as any external code or resources fetched by the package.

This policy applies to all new extension submissions, while existing extensions with obfuscated code may continue to submit updates for the next 90 days. However, they will be removed from the Chrome Web Store in early January if they are not compliant.

Google explains that over 70% of the malicious and policy-violating extensions that the company currently blocks from the Chrome Web Store contain obfuscated code. There are three other reasons to combat obfuscation: it adds a great deal of complexity to the review process (because it is mainly used to hide what the code does), it is insufficient to protect proprietary code from a motivated reverse engineer (since JavaScript code always runs locally on the user's machine), and it carries high performance costs (slower execution, larger files and a larger memory footprint).

Instead, Google recommends minification, which usually speeds up code execution because it reduces the size of the code, and which is much simpler to analyze. Minification includes removing spaces, newlines, code comments, and block delimiters; shortening variable and function names; and reducing the number of JavaScript files.
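The difference between minified and obfuscated code described above can be screened for before submission. The following is an added example, not code from Google or from the original article; the indicator set, the thresholds and the two sample snippets are assumptions constructed for illustration.

```javascript
// Added example: heuristics and thresholds are assumptions, not Chrome Web Store review rules.
// Constructed, harmless samples. String.raw keeps the backslashes literal.
const MINIFIED = String.raw`function a(b,c){for(var d=0,e=b.length;d<e;d++)c(b[d]);return"done"}`;
const OBFUSCATED = String.raw`var _0x3fa1=["\x6c\x6f\x67","\x68\x65\x6c\x6c\x6f"];` +
  String.raw`(function(_0x1b2c,_0x4d5e){console[_0x3fa1[0]](_0x3fa1[1])})(_0x3fa1,0x1);`;

// Share of string-literal characters spent on \xNN or \uNNNN escapes.
function escapeRatio(src) {
  let total = 0, escaped = 0;
  for (const m of src.matchAll(/(["'])((?:\\.|(?!\1)[^\\])*)\1/g)) {
    total += m[2].length;
    for (const e of m[2].matchAll(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi)) escaped += e[0].length;
  }
  return total === 0 ? 0 : escaped / total;
}

// Number of distinct machine-generated identifiers of the form _0x1a2b.
function hexIdentifiers(src) {
  return new Set(src.match(/\b_0x[0-9a-f]{3,}\b/gi) || []).size;
}

const INDICATORS = [
  ["hex-named identifiers", (s) => hexIdentifiers(s) >= 3],
  ["escape-encoded string literals", (s) => escapeRatio(s) > 0.5],
  ["evaluation of decoded data",
    (s) => /\b(?:eval|Function)\s*\(\s*(?:atob|unescape|String\.fromCharCode)\s*\(/.test(s)],
];

// Minification shortens names and strips whitespace but leaves string literals
// and call targets readable, so it should trip none of the indicators.
function classify(src) {
  const hits = INDICATORS.filter(([, test]) => test(src)).map(([name]) => name);
  return { verdict: hits.length ? "likely obfuscated" : "no obfuscation indicators", hits };
}

console.log(classify(MINIFIED));
console.log(classify(OBFUSCATED));
```

A hit is a prompt for manual review of the file, not proof of malicious intent; build tools can produce some of these patterns as well.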

If you have an extension in the Chrome Web Store, you should review the updated content policies and recommended minification techniques. You will want to submit a new compliant version by January 1, 2019.

User Controls for Host Permissions

Starting with Chrome 70, due to arrive Oct. 16 (we're currently on Chrome 69), users will be able to restrict an extension's host access to a custom list of sites, or configure extensions to require a click before they can access the current page.

Host permissions, which allow extensions to automatically read and edit data on websites, enable a variety of powerful and creative use cases, but Google says that they have also led to a wide range of misuse, both malicious and unintentional. "Our goal is to improve the transparency and control of users when extensions can access site data," said James Wagner, Product Manager for Chrome Extensions.

In later versions of Chrome, Google plans to further modify the way its browser handles the user experience regarding host permissions. In the meantime, if your extension is requesting host permissions, you should review the transition guide and make the necessary changes in the next two weeks.
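Both the advice to keep permissions narrowly scoped and the host permissions discussed in this section can be checked against an extension's manifest before submission. The following is an added example, not code from Google or from the original article; the two sample manifests, their names and the example.com hosts are constructed, and the checks are one possible reading of "narrowly scoped" rather than the store's actual review criteria.

```javascript
// Constructed Manifest V2 samples: a broadly scoped manifest beside a narrowed one.
const BROAD = {
  name: "Sample A (constructed)", manifest_version: 2,
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
const NARROW = {
  name: "Sample B (constructed)", manifest_version: 2,
  permissions: ["activeTab", "https://api.example.com/*"],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

// Host permissions are match patterns; API permissions such as "tabs" are plain names.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");
// A pattern is broad when it names every URL or uses a bare "*" as the host.
const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?|ftp):\/\/\*\//.test(p);

function auditManifest(m) {
  const findings = [];
  const hosts = [
    ...(m.permissions || []).filter(isHostPattern),
    ...(m.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const h of new Set(hosts)) {
    if (isBroadHost(h)) findings.push(`broad host access: ${h}`);
  }
  // Pull the script-src directive out of the CSP string, if one is declared.
  const scriptSrc = (m.content_security_policy || "")
    .split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0] === "script-src") || [];
  for (const src of scriptSrc.slice(1)) {
    if (src === "'unsafe-eval'") findings.push("CSP allows eval of strings");
    else if (/^https?:/.test(src) || src === "*") findings.push(`CSP allows remote script: ${src}`);
  }
  return findings;
}

console.log(auditManifest(BROAD));
console.log(auditManifest(NARROW));
```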

Two-step verification and manifest v3 required

By 2019, all Chrome Web Store developer accounts will need to sign up for 2-step verification. This adds an extra layer of security by requiring a second step of authentication, from your phone or from a physical security key.

Popular extensions may attract attackers who want to hijack the corresponding developer accounts. If you want to further enhance the security of your accounts, Google recommends the Advanced Protection Program, which requires a physical security key and offers the same level of security that Google uses for its own employees.

Finally, Google will introduce the next version of its extensions platform manifest in 2019 (the exact schedule and deployment plan will be announced later). Manifest v3 will strengthen security, privacy and performance guarantees. The main objectives of manifest v3 are:

  • More narrowly scoped and declarative APIs, to reduce the need for overly broad access and allow a more efficient implementation by the browser, while preserving important features
  • Additional, simpler mechanisms that allow users to control the permissions granted to extensions
  • Modernization to align with new Web features, such as supporting service workers as a new type of background process

Google admits that all of the above changes can be distressing for developers of extensions. "But we are confident that the collective outcome will be worth this effort for all users, developers and for the long-term health of the Chrome Extensions ecosystem," says Wagner. If you have questions, comments, or concerns, visit the Chromium Extensions forum.
