Thursday, November 7, 2013

Chrome for Windows, Limited to Web Store Extensions

Now that Chrome is very popular, many applications bundle Chrome extensions. I've recently installed a security suite from Kaspersky, which bundled 5 Chrome extensions. Chrome's menu shows notifications if there are extensions added by other apps, so the extensions are not installed automatically.

When Chrome added support for extensions, any app could install them automatically and you could easily install .crx files from any site. Google changed this and made it more difficult to install extensions outside the Chrome Web Store.


Apparently, some Windows applications found loopholes and bypassed Chrome's security features, so Chrome's engineers decided to block almost all Chrome extensions from sources other than the Chrome Web Store.


From the Chromium blog:

"Many services bundle useful companion extensions, which causes Chrome to ask whether you want to install them (or not). However, bad actors have abused this mechanism, bypassing the prompt to silently install malicious extensions that override browser settings and alter the user experience in undesired ways, such as replacing the New Tab Page without approval. Since these malicious extensions are not hosted on the Chrome Web Store, it's difficult to limit the damage they can cause to our users. As part of our continuing security efforts, we're announcing a stronger measure to protect Windows users: starting in January on the Windows stable and beta channels, we'll require all extensions to be hosted in the Chrome Web Store."


There are some exceptions to this rule: developers and power users will still be able to install unpacked extensions and business users will still be able to deploy extensions. Everyone else will have to install extensions from the Chrome Web Store, where extensions have to comply with Google's terms and conditions and where users can rate extensions and post reviews.

While this new rule is limited to extensions and Chrome for Windows, it's interesting to notice that Chrome is closer to the walled garden approach from iOS than the more open Android style. Even though Android has bigger security issues than Chrome, it still allows you to install APK files from any site, so you can even use third-party app stores. Google's Android team chose to disable this feature by default and to also add a tool that checks the files you install, while the Chrome team increasingly limited the support for extensions installed outside the Store.

Chrome Web Store is a great place, but not all extensions belong there. Some break Google's terms by allowing you to download YouTube videos, download music files from services like Grooveshark or use Pandora outside the US. From the store's policies: "we don't allow products or services that facilitate unauthorized access to content on websites, such as circumventing paywalls or login restrictions. We also don't allow products or services that encourage, facilitate, or enable the unauthorized access, download, or streaming of copyrighted content or media". No nudity, no online gambling, no gratuitous violence, no hate speech and the rules can always change to include other restrictions.

Fortunately, the developer option will still work: replace the .crx file extension with .zip, extract the files to a new folder, go to the Chrome extensions page, enable developer mode, click "load unpacked extension" and select the folder you've created.
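Since an extension loaded this way skips the Web Store's review, it is worth checking what it requests before loading it. The following is an added example, not code from the original post: a CRX file is a ZIP archive preceded by a signed header, so the script skips that header, reads manifest.json and lists the requested permissions, content-script hosts and page overrides (such as the New Tab Page mentioned in the Chromium quote). The function names and the sample file are constructed for illustration.

```python
import io
import json
import struct
import zipfile

def crx_zip_offset(data: bytes) -> int:
    """Return the offset of the ZIP payload inside a CRX file."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file: missing Cr24 magic")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:  # magic, version, key length, signature length
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + key_len + sig_len
    if version == 3:  # magic, version, header length
        (header_len,) = struct.unpack_from("<I", data, 8)
        return 12 + header_len
    raise ValueError(f"unsupported CRX version {version}")

def read_manifest(data: bytes) -> dict:
    """Parse manifest.json straight from the CRX bytes, without unpacking to disk."""
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as zf:
        return json.loads(zf.read("manifest.json"))

def requested_access(manifest: dict) -> dict:
    """Summarise what the extension asks for, for review before loading it."""
    hosts = set()
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return {
        "name": manifest.get("name"),
        "permissions": sorted(str(p) for p in manifest.get("permissions", [])),
        "content_script_hosts": sorted(hosts),
        "overrides": sorted(manifest.get("chrome_url_overrides", {})),
    }

def build_sample_crx2() -> bytes:
    """Constructed sample: CRX2 header with dummy key and signature, then a ZIP."""
    manifest = {"name": "Sample Toolbar", "version": "1.0", "manifest_version": 2,
                "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}],
                "chrome_url_overrides": {"newtab": "tab.html"}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    key, sig = b"K" * 8, b"S" * 4  # placeholders, not a real key or signature
    return b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig + buf.getvalue()

if __name__ == "__main__":
    print(requested_access(read_manifest(build_sample_crx2())))
```

The example only reads the manifest; it does not verify the CRX signature.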
