Google’s new rules for developers make Chrome extensions safer for all


Google has announced a range of security changes to its Chrome browser that will make the use of extensions more secure. The updates, to be introduced in version 70 of the popular browser, cover areas including extension permissions and developer accounts.

Browser extensions are small programs that enhance the browser’s functionality. The problem is that misbehaving extensions can steal data or invade users’ browser privacy. Chrome is a trusted application in most operating systems, meaning that if you give an extension permission to do things, the operating system will usually wave it through. This can leave users vulnerable to malicious extensions.

In the past, Google has taken steps to keep extensions in line by limiting what they can do. Late last year, for example, it introduced an optional site isolation feature that made it more difficult for malicious code on one site to steal secrets from another when open in the browser. It also enabled administrators to block extensions based on the kinds of permissions they request, such as access to the webcam or the clipboard.

Per-site permissions

Now, it has announced plans to take things further. In Chrome 70, the company will enable users to restrict an extension’s permissions to manipulate website data and services on a per-site basis. When users gave a Chrome extension permission to read and change website data in the past, the extension could use those permissions across all sites. The change allows users to be more selective about the sites that the extension can access.

While you may want a screen clipping extension to read information from a handful of news sites that you visit, say, you might want it to avoid reading anything else, including your online bank account. Chrome 70 will restrict host access permissions to specific sites allowed by the user, or it can be configured to request approval for host access when visiting any site. The user can also enable host permissions on all sites by default if they wish.
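To see how much host access an extension asks for before deciding which sites to allow, the manifest can be checked directly. The following is an added example, not code from Google or from the original article; it assumes the manifest v2 layout, and the sample manifest and the function names are constructed for illustration.

```javascript
// Added example: classify the host access an extension manifest requests.
// Assumes the manifest v2 layout, where host match patterns sit in
// "permissions", "optional_permissions" and content_scripts[].matches.
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/;

function classifyPattern(pattern) {
  if (pattern === '<all_urls>') return 'all-sites';
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return null;                        // API permission such as "tabs"
  if (m[1] === 'file') return 'local-files';  // file:// patterns carry no host
  const host = m[2];
  if (host === '*') return 'all-sites';
  if (host.startsWith('*.')) return 'wildcard-subdomains';
  return 'single-host';
}

function auditHostPermissions(manifest) {
  const sources = [
    ['permissions', manifest.permissions || []],
    ['optional_permissions', manifest.optional_permissions || []],
  ];
  (manifest.content_scripts || []).forEach((cs, i) =>
    sources.push([`content_scripts[${i}].matches`, cs.matches || []]));

  const findings = [];
  for (const [source, patterns] of sources) {
    for (const pattern of patterns) {
      const scope = classifyPattern(pattern);
      if (scope) findings.push({ source, pattern, scope });
    }
  }
  return findings;
}

// Constructed sample manifest for a hypothetical screen clipping extension.
const sampleManifest = {
  manifest_version: 2,
  name: 'Example Clipper',
  permissions: ['tabs', 'storage', 'https://news.example.com/*', '*://*.example.org/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['clip.js'] }],
};

const report = auditHostPermissions(sampleManifest);
console.table(report);
```

Entries reported as all-sites are the ones the per-site controls are meant to narrow.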

Google will also make the review process more stringent for extensions that request ‘powerful permissions’, it said, and will monitor extensions that use code hosted remotely.

Obfuscated code banned

The company is also banning the use of obfuscated code. This is JavaScript code that is scrambled to stop others from finding out what it does. While this can be a way for developers to protect their IP, a good reverse engineer would eventually work out what it was doing, Google pointed out.