Browser extensions have become a critical attack vector, especially since many of them require access to all sites. Some malicious extensions were able to read passwords as you type them in or mine cryptocurrency in the background before Google removed them. Google has implemented several new changes for extensions over the past few months, and new ones will come into effect this October.

The first new requirement is that extensions can only request access "to the least amount of data." For example, if someone made an extension that changed how Android Police looks, it could only request access to androidpolice.com and not all sites. Extensions can always ask for more permissions in future updates, but if they're denied, Chrome automatically uninstalls the extension.

Next, Google will require more extensions to post privacy policies, specifically extensions that "handle personal communications and user-provided content." Previously, only tools that handled personal and sensitive data were required to have a privacy policy. The announcement post reads, "extensions must continue to be transparent in how they handle user data, disclosing the collection, use and sharing of that data."

Google is giving developers until October 15th, 2019 to comply with the new rules. After that date, extensions that violate the new rules will be removed from the Chrome Web Store until they are updated to be compliant.

It's nice to see Google cracking down on extensions that request more permissions than are necessary, but until each one is manually reviewed by a human before it can be published (and maybe updated), malicious extensions will inevitably get (at least) a few downloads before they are caught.

Hopefully the Chrome Web Store enforces these rules better than the Play Store.

It also remains to be seen if these new rules will be enforced properly. The Google Play Store already has a rule that apps can "only request permissions that are necessary to implement critical current features or services in your application," but there are hundreds of flashlight apps that want access to my phone calls.