Google retires Chrome extension inline installations
Google announced yesterday that it will retire inline installations of Google Chrome extensions starting with Chrome 71 in December 2018.
Chrome extension developers are required to add their extensions to the Chrome Web Store, but until now they could also distribute them using inline installations.
Inline installations fire on third-party websites; Chrome users get the installation prompts on these websites and can install the browser extension without having to visit the Chrome Web Store first.
The direct installation may save the user a click or two, but it has also led to all kinds of abuse. While legitimate companies and developers have used the system to provide extension installations directly from websites they operate, crooks have abused it as well.
The inline installation prompt displays only some information to the user. It displays the name of the extension, its rating and number of votes, and number of users. The prompt lists extra permissions that the extension requests, and includes a link to the Chrome Web Store next to that.
The prompt omits information such as the extension's description, user reviews, and developer information.
We have suggested for years that users need to verify Chrome extensions before installation, and that users should take a number of precautions as well.
Google notes in its announcement that inline installed extensions have a higher user complaint ratio and are uninstalled significantly more often than extensions installed from the Web Store. The company goes on to explain that the "Chrome Web Store plays a critical role in ensuring that users can make informed decisions about whether to install an extension".
The company promised to do something against deceptive inline installations in January 2018 and revealed that fewer than 3% of extensions used deceptive or confusing install flows and that these 3% account for more than 90% of user complaints.
Google wanted to use machine learning back in January 2018 to combat deceptive or confusing inline installations but yesterday's announcement suggests that this did not yield the desired results.
The company and its users experienced wave after wave of issues with malicious or deceptive Chrome extensions. Criminals managed time and time again to plant malicious or fake extensions in the Chrome Web Store,
Retiring inline installations
Google plans to roll out the change in three phases starting June 12, 2018 and ending in December 2018.
- Newly published extensions cannot be distributed as inline installations anymore. If extensions use the function, users are redirected automatically to the Chrome Web Store in a new tab.
- From September 12, 2018 on, inline installations will be disabled for all existing extensions as well. Users will be redirected to the Chrome Web Store.
- The inline install API will be removed in Chrome 71 in December 2018 (no more redirects after this point).
Extension developers who use inline installations currently need to change the install buttons on their web properties before Chrome 71's release in December so that they link to the Chrome Web Store instead.
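As an added example (not code from Google's announcement or from this site), the following Node.js script audits a page's markup for inline-install usage and emits the Web Store link that should replace the button. It relies on the inline install API's own names, `chrome.webstore.install()` and the `<link rel="chrome-webstore-item">` tag; the sample page, the item ID and the function names are constructed for illustration.

```javascript
// Added example: audit page markup for Chrome inline-install usage.
// SAMPLE_PAGE and the 32-character item ID are constructed for illustration.
const SAMPLE_PAGE = `
<link rel="chrome-webstore-item"
      href="https://chrome.google.com/webstore/detail/abcdefghijklmnopabcdefghijklmnop">
<button id="install" onclick="chrome.webstore.install()">Add to Chrome</button>
<script>
  document.getElementById('alt').addEventListener('click', function () {
    chrome.webstore.install(
      'https://chrome.google.com/webstore/detail/abcdefghijklmnopabcdefghijklmnop',
      onOk, onFail);
  });
</script>`;

// Extension item IDs are 32 characters drawn from a-p; a name slug may precede the ID.
const ITEM_URL = /https:\/\/chrome\.google\.com\/webstore\/detail\/(?:[^\/"'\s]+\/)?([a-p]{32})/g;
const INSTALL_CALL = /chrome\s*\.\s*webstore\s*\.\s*install\s*\(/g;
const ITEM_LINK = /<link\b[^>]*\brel\s*=\s*["']chrome-webstore-item["'][^>]*>/gi;

// 1-based line number of a character offset.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

function auditInlineInstall(html) {
  const findings = [];
  for (const m of html.matchAll(INSTALL_CALL)) {
    findings.push({ kind: 'install-call', line: lineOf(html, m.index) });
  }
  for (const m of html.matchAll(ITEM_LINK)) {
    findings.push({ kind: 'item-link', line: lineOf(html, m.index) });
  }
  findings.sort((a, b) => a.line - b.line);
  // Each distinct item ID maps to the store page the button should link to.
  const ids = new Set([...html.matchAll(ITEM_URL)].map((m) => m[1]));
  const replacements = [...ids].map(
    (id) => `<a href="https://chrome.google.com/webstore/detail/${id}">Add to Chrome</a>`);
  return { findings, replacements };
}

const report = auditInlineInstall(SAMPLE_PAGE);
for (const f of report.findings) console.log(`line ${f.line}: ${f.kind}`);
for (const r of report.replacements) console.log(`replace with: ${r}`);
```

Run it over each template that renders an install button; a page with no findings needs no change.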
Closing Words
While inline installations of extensions accounted for a large part of user complaints and issues, one needs to remember that all of the extensions installed this way were hosted in the Web Store as well.
It may be more difficult for malicious actors to get users to install their extensions directly from the Web Store. Google has not published information about the ratio of installs. One thing is certain: while the retiring of inline Chrome extension installations will have a positive impact, it won't suddenly free the Chrome Web Store from user tracking or outright malicious extensions.
Hello,
Sorry for the off-topic, but I want to ask which cookie consent plugin you use. Thanks
It is this one: https://wordpress.org/plugins/cookie-notice/
Can only be good for security but, as previously mentioned Google will have the power to remove ad blockers that affect their ‘advertising revenues’ and may leave useless blockers in the chrome web store. There are plenty other browsers to use should this turn out to be the case ;)
Google could do this before as well as any extension that used inline installations had to be uploaded to the Chrome Web Store.
“Users will be redirected to the Chrome Web Store.”
And what will happen if the extension is not present on the Chrome Web Store, like when loading extensions in developer mode?
I don’t think it affects these extensions as inline installations always used Chrome Web Store for the source.
Great so now when Google decides to ban a certain class of extensions (like ad/tracker blockers) there will be no other way to get them.
There will always be Firefox to get ad/tracker blockers. Which is already the best option in my opinion since Google Chrome is almost like a spyware
It’s not that it’s “almost”, it’s that it is. It’s not that it’s Google Chrome, it’s that it’s Google.
Anything Google does, excellently is not the problem because excellent it is, includes the price which is our privacy. And not only Google of course, but Google is the most powerful because they control the networks. I can block all I can from Microsoft, from Facebook, from Twitter but I can’t when it comes to Google, or Amazon, or Cloudflare : companies which have tied more and more domains to their servers have become unavoidable and with those the best we can do is to limit the intrusions.
Using Google Chrome is therefore not even limiting the damage, it is contributing to it. I just cannot understand how this tracking machine has become the browser Number 1.
This won’t affect Developer Mode installations.
Shouldn’t it be possible to enable developer mode and import an extension from the computer?