Browser extensions are both a boon and bane in personal/corporate Internet-centric computing, it is beneficial to users as it extends the features of the browser, while unfortunately expanding the attack surface of web browsers. That is why browser vendors are making a tight balancing act between enabling browser extensions and plugins with reasonable-level of access to the browser’s APIs, while at the same time establishing a certain level of restrictions, a sandbox if you will in order to reduce security risks.
Google, the current king of the browser vendors reinforces Chromium-based browser extensions with their announcement of Project Strobe. The initiative is for establishing strict privacy-rules that all Chrome extensions must adhere, including the enforcement of policies that govern accessibility of APIs by 3rd-party cloud storage providers as well as their native Google Drive service. Project Strobe is designed address and prevent the repeat security mistakes that the search giant embarrassingly experienced with their outgoing Google+ service and its underlying API.
The security and privacy specific policies to be implemented with Chrome extensions are nothing new, as extensions developer were informed about it months ahead. However, Google will start strictly enforcing it in Chromium and Chrome browsers, including all browsers that use the Blink rendering engine, like Opera, Vivaldi, Brave and even the new Chromium-based Edge browser from Microsoft.
“Today, as part of Project Strobe, we’re continuing that effort with additional Chrome Web Store policies. We’re requiring extensions to only request access to the appropriate data needed to implement their features. We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content. We’re announcing these changes in advance of the official policy rollout this summer to give developers the time needed to ensure their extensions will be in compliance,” explained Ben Smith, Google’s Vice President of Engineering and Fellow, in Chrome’s official blog site.
Google Drive’s API will also be locked-down, to a level of permission system similar to what is Android is using. That means both Chrome and Drive will stop 3rd-parties from receiving permissions approval the moment it asked for certain access. All developers are expected to adhere with this policy, as non-compliance means their extensions will not perform as expected. The search giant is fully enforcing Project Strobe starting on the fall, with developers given 90 days to comply with the requirements.
For those browser extensions hosted in the Chrome store that are non-compliant, Google will remove them 90-days after the formal announcement on fall. Google engineers will strictly check all the re-uploaded extensions before approving the republishing to the store. Chrome-based browsers also have a universal kill switch for all non-compliant extensions that were already installed prior to the deadline.
Strict “download extensions only in Chrome Store” is only implemented in Google Chrome, the open source Chromium users may download .crx extensions from other sources other than the official store.