Chrome 70 features option to restrict extension access
Extensions can be really useful for a huge number of things. From blocking unwanted content to changing websites, improving the usability of the browser or improving your shopping experience.
Chrome extensions are limited in what they are allowed to do. Chrome supports a permission system that requires that extensions request certain permissions, e.g. access to data on all sites, and that users need to grant extensions the requested permissions.
Criminals and some extension developers have found loopholes in the automated system that Google uses to vet extensions. Security firms identified malicious or privacy invading extensions in the Chrome Web Store multiple times in 2018 alone.
If you installed extensions in Chrome before, you may have encountered extensions that request wide-reaching permissions (access data on all sites) even though they are supposed to run only on some or a single site. Not all extensions that do request this permission are malicious but some are that or at least problematic from a privacy point of view.
Google revealed plans today to improve the situation with the release of Chrome 70 in mid-October 2018.
User control over sites extensions may run on
Google plans to give Chrome users control over the hosts that extensions may access. Currently, if an extension has permissions to change data on all websites it may do so and the user can't do anything about it at that point other than remove it again from Chrome.
Starting with Chrome 70, Chrome users may restrict host access of extensions in the following ways:
- Restrict access to specific sites, e.g. ghacks.net only.
- Enable click to activate for all sites.
A right-click on any installed extension displays the new "this can read and change site data" item in the menu. When you hover the mouse cursor over it you get the options to restrict access of that extension.
You may also manage on which site extensions run on chrome://extensions when you click on the details button of an installed extension.
The new "Allow this extension to read and change all your data on websites you visit" menu provides options to limit the extension to "on-click" or "on specific sites".
The selection of "on specific sites" displays the list of sites the extension is allowed to run on. You can add multiple sites to the list which act as a whitelist in that case then. The extension's access to the site is blocked if it is not on that list.
Note that the new functionality becomes available after you install an extension. Chrome extension installations from the Chrome Web Store don't display options to limit site access of an extension that is about to be installed at this time.
It is possible that Google will change that going forward or integrate an option in Chrome to set a different default for extensions that request access to all sites.
For now, it is only possible to change site access permissions after installation.
Chrome highlights extension icons that want access to a site but don't have that access due to access restrictions.
A click on the extension icon displays "reload page to use this extension".
The extension is granted access to the page then and you may use its functionality on the page afterward.
The selected extension gets rights to access the selected page only if you activate it but not on any other page if it is set to activate on click only.
If you want an extension to run on all pages of a site select the "on site" option instead.
Chrome users will get better extension control in Chrome 70. It is then possible to restrict extensions to run only on a small set of sites or activate only when they are clicked on. The default, access granted everywhere, seems to remain the same though.
I see the new options as a tool for advanced users who want to limit extensions that they install. It is certainly the right move for certain kinds of extensions. A video or image download should only run when you need it and not whenever you load a site in the browser.
I can't really see this become very popular with new or inexperienced users, though. It would be great if Google would add an option to set a default for new extensions.
Chrome users who run version 70 already can enable the feature right now by setting chrome://flags/#extension-active-script-permission to enabled.
I'd love to see this implemented by other browser makers as well.
Now You: What is your take on the announcement?