Chrome 70 features option to restrict extension access
Extensions can be really useful for a huge number of things, from blocking unwanted content and changing websites to improving the usability of the browser or your shopping experience.
Chrome extensions are limited in what they are allowed to do. Chrome supports a permission system that requires extensions to request certain permissions, e.g. access to data on all sites, and requires users to grant the requested permissions.
Criminals and some extension developers have found loopholes in the automated system that Google uses to vet extensions. Security firms identified malicious or privacy-invading extensions in the Chrome Web Store multiple times in 2018 alone.
If you have installed extensions in Chrome before, you may have encountered some that request wide-reaching permissions (access to data on all sites) even though they are supposed to run only on a few sites or a single one. Not all extensions that request this permission are malicious, but some are, or are at least problematic from a privacy point of view.
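The following audit sketch is an added example, not code from the article or from Chrome: it reads extension manifests and flags those whose declared host patterns cover every site. The sample manifests are constructed, and the three labels are this example's own naming; it also reads the Manifest V3 host keys, which goes beyond the Chrome 70 era the article describes.

```python
import json

# Match patterns that cover every site (Chrome match-pattern syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def is_host_pattern(perm):
    """Host permissions are match patterns; API permissions are bare names."""
    return isinstance(perm, str) and (perm == "<all_urls>" or "://" in perm)

def host_patterns(manifest):
    """Collect every host pattern the manifest declares."""
    found = set()
    # Manifest V2 mixes API names and host patterns in "permissions";
    # Manifest V3 moves host patterns to "host_permissions".
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        found.update(p for p in manifest.get(key, []) if is_host_pattern(p))
    # Content scripts are injected on the pages their "matches" cover.
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found

def classify(manifest):
    """Return (label, sorted patterns): all-sites, site-limited or no-host-access."""
    patterns = host_patterns(manifest)
    if not patterns:
        return "no-host-access", []
    # A bare "*" host covers every site whatever the scheme or path.
    broad = [p for p in patterns
             if p in ALL_SITES or p.split("://", 1)[-1].split("/", 1)[0] == "*"]
    return ("all-sites" if broad else "site-limited"), sorted(patterns)

# Constructed sample manifests, not taken from real extensions.
SAMPLES = {
    "video-helper": json.loads(
        '{"manifest_version": 2, "permissions": ["tabs", "<all_urls>"]}'),
    "site-tool": json.loads(
        '{"manifest_version": 2, "permissions": ["storage"],'
        ' "content_scripts": [{"matches": ["*://*.ghacks.net/*"], "js": ["c.js"]}]}'),
    "new-tab-page": json.loads(
        '{"manifest_version": 2, "permissions": ["storage", "bookmarks"]}'),
}

def audit(manifests):
    """Map each extension name to its host-access label."""
    return {name: classify(m)[0] for name, m in manifests.items()}

if __name__ == "__main__":
    for name, label in audit(SAMPLES).items():
        print(f"{name}: {label}")
```

Extensions labelled all-sites are the candidates for the "on click" or "on specific sites" restriction described below.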
Google revealed plans today to improve the situation with the release of Chrome 70 in mid-October 2018.
User control over sites extensions may run on
Google plans to give Chrome users control over the hosts that extensions may access. Currently, if an extension has permissions to change data on all websites it may do so and the user can't do anything about it at that point other than remove it again from Chrome.
Starting with Chrome 70, Chrome users may restrict host access of extensions in the following ways:
- Restrict access to specific sites, e.g. ghacks.net only.
- Enable click to activate for all sites.
A right-click on any installed extension displays the new "this can read and change site data" item in the menu. When you hover the mouse cursor over it you get the options to restrict access of that extension.
You may also manage the sites an extension runs on from chrome://extensions by clicking the details button of an installed extension.
The new "Allow this extension to read and change all your data on websites you visit" menu provides options to limit the extension to "on-click" or "on specific sites".
Selecting "on specific sites" displays the list of sites the extension is allowed to run on. You can add multiple sites to the list, which then acts as a whitelist. The extension's access to a site is blocked if the site is not on that list.
Note that the new functionality becomes available after you install an extension. Chrome extension installations from the Chrome Web Store don't display options to limit site access of an extension that is about to be installed at this time.
It is possible that Google will change that going forward or integrate an option in Chrome to set a different default for extensions that request access to all sites.
For now, it is only possible to change site access permissions after installation.
Chrome highlights extension icons that want access to a site but don't have that access due to access restrictions.
A click on the extension icon displays "reload page to use this extension".
The extension is granted access to the page then and you may use its functionality on the page afterward.
If an extension is set to activate on click only, it gets access to the selected page only when you activate it, and not to any other page.
If you want an extension to run on all pages of a site select the "on site" option instead.
Chrome users will get better extension control in Chrome 70. It is then possible to restrict extensions to run only on a small set of sites or activate only when they are clicked on. The default, access granted everywhere, seems to remain the same though.
I see the new options as a tool for advanced users who want to limit extensions that they install. It is certainly the right move for certain kinds of extensions. A video or image download should only run when you need it and not whenever you load a site in the browser.
I can't really see this becoming very popular with new or inexperienced users, though. It would be great if Google would add an option to set a default for new extensions.
Chrome users who run version 70 already can enable the feature right now by setting chrome://flags/#extension-active-script-permission to enabled.
I'd love to see this implemented by other browser makers as well.
Now You: What is your take on the announcement?
Weird browser, always two steps backward and one forward. Broken address bar, weird cookie policies, and now this, which is actually a very useful feature. I assume other Chromium-based browsers such as Opera or Vivaldi will inherit this feature.
Finally, a way for us to have control over our extensions!
I am tired of installing an extension for a particular site, yet it wants access to all sites.
A Chrome feature that every browser should adopt.
Gonna switch back to ungoogled-chromium_67.0.3396.87 and hope it’s safe enough for the foreseeable future.
When Chrome cares more about your privacy than Mozilla Hahahahaahahahahaahha! :P
Well done Google, that’s why Chrome is getting all the time new users and makes the gap between Chrome and other browsers even bigger. You lead and others follow.
To restrict third party access to the Data, not extensions.
Somebody please tell people in Mozilla Firefox to do the same feature for its browser!
There are extensions that affect only one site, say, gmail. I wish there was also an option to restrict from one site only (allow on all sites except this one).
I don’t care if an extension wants to read all “my data” on any particular site or on all of them. So long as my password is safe and they can’t access my Google account information or get my personal info (address, phone, SS number, access to medical or insurance info, bank account number, date of birth, etc) I don’t care. What I’m not clear about is the exact meaning of “change all your data”. Why should any app be able or allowed to change “all” my data? What the hell does that mean? What “data”? Why change it? Or even have access to it? If I pay a plumber to fix a leaky faucet he doesn’t have access to “all my household infrastructure”. He can’t get into my electrical wiring or my drywall or my floorboards. He can’t open my closets. All he can do is the job I authorize and pay him to do. Granting him access only to those areas where he will perform the task he is hired to perform. I’m not subscribing to chrome apps in order to allow them to go rummaging all through my browsing history or peek into emails from my oncologist or snoop for my address or phone number or purchasing habits. I’m subscribing to specific apps to do particular jobs for me. I know little (almost nothing) about tech or computers or how the web works, nor do I care. I just push certain tabs on the keyboard and I’m magically able to get into my gmail or onto YouTube. I don’t need anything else. But if any of my personal data is compromised or if my Chromebook is rendered inoperable or my Google account is cancelled or changed or if I can’t get online with it, I’m up shit creek. Exactly what can these apps (that want to access and change all “my data”) actually do? And why are they allowed to do it? What is their excuse? What are the hardware or software parameters that make it necessary for them to change all my data? I would never allow a plumber to rewire my house or redesign and rebuild my closets. Only to keep his damn nose in front of the leaky faucet and fix it. 
Can anyone explain these issues for me? This from a senior citizen (translation: old fart) who finds the web an incredible blessing but also a hugely complex puzzle.
Needs an “Enable on all sites except…” option.
Yes! This is why I came to this page. Annoying that this option is missing :( Hope there is a workaround or that this will be implemented. Good luck to others trying to get this to work!