Google has put a lot of effort into keeping its Chrome users more secure and informed over the past several months and that’s about to get even better when it comes to extensions for the platform hosted in the Chrome Web Store.
Specifically, Google is now ready to start implementing a few policy changes that will help make extensions found on that storefront more trustworthy, with plans to start homing in on problem areas as early as this summer. Two of the big changes center on narrowing down just how much data can be accessed and on transparency. The third centers more broadly on how Google Drive can be accessed across the board.
Google is requiring that extensions only request access to data needed to implement their features. In the event that more than one permission could be used to implement a feature, the dev will need to use the permission that accesses the least amount of data.
This behavior has always been encouraged of developers, said Google fellow and VP of engineering, Ben Smith, but now it is a requirement for all extensions.
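The least-data requirement described above can be checked mechanically before an extension is submitted. The following is an added example, not Google's tooling or code from the article: it audits a constructed manifest, and the `auditManifest` name, the list of broad host patterns and the suggested alternatives are assumptions made for illustration.

```javascript
// Added example: flag over-broad requests in an extension manifest.
// Host match patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Narrower alternatives for commonly over-requested permissions.
// These are reviewer heuristics assumed for this example, not Google's review rules.
const NARROWER = new Map([
  ["tabs", "activeTab (access only to the tab the user invokes the extension on)"],
  ["webRequest", "declarativeNetRequest (rules are evaluated by the browser)"],
]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const requested = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const perm of requested) {
    if (BROAD_HOSTS.has(perm)) {
      findings.push({ item: perm, reason: "host access to every site" });
    } else if (NARROWER.has(perm)) {
      findings.push({ item: perm, reason: `consider ${NARROWER.get(perm)}` });
    }
  }
  // Content scripts read page data too, so their match patterns count as data access.
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) {
      if (BROAD_HOSTS.has(pattern)) {
        findings.push({ item: pattern, reason: "content script injected into every site" });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  manifest_version: 2,
  name: "Constructed sample",
  permissions: ["tabs", "storage", "<all_urls>", "https://api.example.com/*"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.item}: ${f.reason}`);
}
```

A manifest that requests only `activeTab`, `storage` and the single API host produces no findings.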
Google is also mandating that extensions which handle user-provided content and personal communications post a privacy policy and handle data in a secure fashion. This is an expansion of existing policies that require extensions dealing in personal and sensitive user data to do the same.
Browser extensions have become a growing attack vector for phishing and social engineering. As Atif Mushtaq, CEO of cybersecurity firm SlashNext, highlights, many attacks are born out of legitimate extensions that are later updated with malicious code.
Among the most prominent recent alterations are those related to ad-blocking extensions via the still-unreleased “Manifest V3.” A significant portion of that is aimed at deprecating the API currently used by ad-blocking extensions, shifting the burden from the webRequest API to the DeclarativeNetRequest API. That will change how network requests can be made and give users more control over what the extensions do and where.