Google limits content-blocking Chrome extensions' access to sensitive data
In an effort to tamp down data collection by third-party ad-blocking Chrome extensions, Google today announced that it intends to replace parts of Chrome’s Web Request API, a set of events and functions that enable developers to monitor, analyze, and shape web traffic, with the Declarative Net Request API, which doesn’t require access to potentially sensitive data.
As Google explains in a blog post, the current Web Request API requires that users grant permission for Chrome to pass all information about a network request (which can include things like emails, photos, or other private information) to a given extension. In contrast, the Declarative Net Request API, which is rolling out as part of a suite of changes Google is calling Manifest V3, allows extensions to block content at install time.
“The Chrome extensions ecosystem has seen incredible advancement, adoption, and growth since its launch over ten years ago … As this system grows and expands in both reach and power, user safety and protection remains a core focus of the Chromium project,” wrote Chrome extensions team member Devlin Cronin. “One way we are doing this is by helping users be deliberate in granting access to sensitive data such as emails, photos, and access to social media accounts. As we make these changes we want to continue to support extensions in empowering users and enhancing their browsing experience.”
The Declarative Net Request API migration follows a number of changes to extensions intended to improve security, privacy, and performance, according to Google, including granular controls over permissions, a revamped review process, and two-step verification for developers. They dovetail with new safeguards against inline installation on websites, deceptive installation practices, and limits on extension data collection.
It also builds on Google’s broader effort to preserve user privacy on the web. At I/O 2019 in May, the company announced that it will provide users with more transparency about how sites are using cookies and offer simpler controls for cross-site cookies, and it announced that it will require developers to explicitly specify which cookies can work across websites. Additionally, Google said that it plans to reduce the ways browsers can be passively fingerprinted, and promised to release an open source browser extension for the ads it shows on its properties and those of its publishing partners.
Google says that these and other enhancements have driven down the rate of malicious extension installations by 89% since early 2018. Today, it blocks roughly 1,800 malicious uploads a month from reaching the Chrome Web Store.