James Wagner, Chrome Extensions Product Manager, said in a blog post published today that Google will add extra measures to assure the safety of Chrome users who have access to more than 180,000 extensions from the Chrome Web Store.
Besides the addition of inline installation, machine learning-based blocking of malicious extensions, and out-of-process iframes, Google will also make 2-step verification (also known as two-factor verification) a requirement for all Chrome Web Store developers.
Two-factor authentication will allow Chrome extension developers to add an extra layer of protection against attackers who would want to compromise their account and push malicious copies of their extensions to the store.
Also, starting with Chrome 70, the browser's users will be able to set restrictions allowing installed extensions to only access a limited list of websites or to require a click to confirm access to a page.
Chrome extensions will also have to meet extra compliance requirements, with the Chrome extension review team keeping a closer eye on extensions that use remotely hosted code, which could be compromised and act as a potential attack vector.
Chrome Web Store developers are also required to abide by new code readability specifications, with extensions containing obfuscated code being rejected automatically.
All Chrome extensions which contain obfuscated code have 90 days to submit human-readable code updates, before January 1st, 2019, ready to be reviewed by the Chrome Web Store's investigation team, or suffer the consequences (hint: removal from the Chrome Web Store).
According to Wagner, "over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code."
Google will also introduce in 2019 the new extensions manifest, Manifest v3, which will come with "stronger security, privacy, and performance guarantees."