As Uncle Ben said, "With great power comes great responsibility." Browser extensions can be incredibly powerful tools, but many of them demand full access to all web pages. Stories about popular extensions stealing user data or running cryptocurrency miners have become all too common. Google today announced a series of upcoming changes to Chrome extensions, some which aim to make them more trustworthy.
While some Chrome extensions have a limited scope (for example, our Toolbox add-on only requires permissions for the Play Store website and APKMirror), others ask for permission to read and modify all pages. Ad-blockers, privacy tools, and password managers usually fall into this category.
Starting with Chrome 70, which is due to be released this month, users can restrict far-reaching extensions to only work on whitelisted sites. Google says future releases will continue to "improve user transparency and control over when extensions are able to access site data." These changes shouldn't break existing extensions, but developers can view the transition guide here for more details.
Google also announced a series of changes coming to the Chrome Web Store's extension approval process. Starting sometime next year, developer accounts must have two-factor authentication enabled. "If your extension becomes popular, it can attract attackers who want to steal it by hijacking your account," the company said, "and 2-Step Verification adds an extra layer of security by requiring a second authentication step from your phone or a physical security key."
Other changes include a ban on obfuscated code and additional review processes for extensions "that request powerful permissions." Google also announced that a new extension manifest version (v3) is coming next year, which will have greater permissions controls and support for Service Workers.
- Chromium Blog