New Google Chrome Policies To Make Extensions MORE Trustworthy


Google has poured a lot of effort into keeping its Chrome users more secure and informed over the past several months, and that’s about to get even better when it comes to extensions for the platform hosted in the Chrome Web Store.

Specifically, Google is now ready to start implementing a few policy changes that will help make extensions found on that storefront more trustworthy, with plans to start homing in on problem areas as early as this summer. Two of the big implementations center on transparency and on narrowing down just how much data can be accessed. The third centers more broadly on how Google Drive can be accessed across the board.

The first of the changes isn’t entirely new but is a directional shift that moves one of Google’s best practice guidelines into position as a policy that will be enforced. With enforcement set to begin by fall according to the associated developer pages, the company will now be working to ensure that Chrome developers are only accessing the minimum amount of data required to accomplish their extensions’ given tasks.


That includes any extension that, in instances where multiple permissions could have accomplished the same task, uses one permission when another would have served the purpose without accessing quite so much user data.

The second change, which will come with identical consequences, requires developers to expand on use cases that require full disclosure of how much data is being used and what is being done to keep it safe. Prior to the changes, only extensions that accessed user data directly were required to make those disclosures, but now that will apply to extensions that access user inputs or those handling communications.

New policies for extensions and apps that access Google Drive API


Google isn’t shirking its own responsibility on those fronts either, with its Google Drive API getting some changes that should make apps that access the API easier to trust.

Subsequently, starting sometime near the beginning of next year, Google plans to ensure that third-party apps will generally no longer have broad access to what users are storing in their Google Drive cloud storage. Instead, most apps will be severely limited and only have access to specific files, with previous guidelines and restrictions pertaining to user control and transparency remaining in place.

The only apps that will continue having wider access are those that genuinely require it. Google has provided the example of apps that use Drive API for backup services. The company will also be turning its attention to digging in and verifying those apps that need broad access.


Google is taking recent changes seriously

From the start of enforcement, any extensions that use permissions that grant more than what’s required or that don’t adhere to disclosure guidelines will be removed from the Chrome Web Store, pending changes and resubmission. Once they are removed, Google will be disabling apps that have been deemed untrustworthy on end-user devices and will only reinstate the extensions once policies are met and the extension is uploaded again to the store.

That aggressive approach to protecting user trust stems from its Project Strobe — the very same endeavor that was responsible for the death of Google’s social media bid last year after it discovered vulnerabilities in the associated API. It also mirrors the seriousness with which Google is implementing other key changes as it seeks to avoid fines from emergent consumer protection regulations amid concerns about privacy.


The most prominent examples of recent alterations include those related to ad-blocking extensions via the still-unreleased “Manifest V3.” A significant portion of that is aimed at deprecating the API currently used by ad-blocking extensions, shifting the burden to DeclarativeNetRequest API from webRequest API. That will change how network requests can be made and give users more control over what the extensions do and where.
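
An added example, not code from this article or from Google: a small Node.js check that applies the minimum-permission idea described earlier to an extension manifest, flagging grants for which a narrower permission exists, including blocking webRequest versus declarativeNetRequest. The broad-to-narrower mapping and the sample manifest are assumptions constructed for illustration, not the store's review rules.

```javascript
// Added example, not Google's tooling. The "narrower alternative" mapping
// below is an assumption made for illustration, not the store's review rules.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const NARROWER = new Map([
  ["tabs", "activeTab, if only the tab the user acts on is needed"],
  ["webRequestBlocking", "declarativeNetRequest, so rules run in the browser"],
]);
const HOST_ADVICE = "activeTab or an explicit list of the hosts actually used";

// Returns one finding per over-broad grant: { source, permission, suggestion }.
function auditManifest(manifest) {
  const findings = [];
  const check = (source, value) => {
    if (BROAD_HOSTS.has(value)) {
      findings.push({ source, permission: value, suggestion: HOST_ADVICE });
    } else if (NARROWER.has(value)) {
      findings.push({ source, permission: value, suggestion: NARROWER.get(value) });
    }
  };
  // Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
  for (const p of manifest.permissions || []) check("permissions", p);
  for (const p of manifest.host_permissions || []) check("host_permissions", p);
  // Content scripts reach page data through "matches" without any API permission.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) check("content_scripts", m);
  }
  return findings;
}

// Constructed sample manifest (not a real extension).
const SAMPLE_MANIFEST = {
  name: "Constructed sample",
  manifest_version: 2,
  permissions: ["storage", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["cs.js"] }],
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.source}: ${f.permission} -> consider ${f.suggestion}`);
}
```

Permissions such as storage, and host patterns limited to named sites, pass without a finding; only grants that reach every site or that have a listed narrower alternative are reported.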