Chrome 70 features option to restrict extension access - gHacks Tech News

Extensions can be really useful for a huge number of things, from blocking unwanted content to changing websites, improving the usability of the browser, or improving your shopping experience.

Chrome extensions are limited in what they are allowed to do. Chrome supports a permission system: extensions have to request certain permissions, e.g. access to data on all sites, and users have to grant the requested permissions.

Criminals and some extension developers have found loopholes in the automated system that Google uses to vet extensions. Security firms identified malicious or privacy-invading extensions in the Chrome Web Store multiple times in 2018 alone.

If you have installed extensions in Chrome before, you may have encountered extensions that request wide-reaching permissions (access data on all sites) even though they are supposed to run on only a single site or a few sites. Not all extensions that request this permission are malicious, but some are, or are at least problematic from a privacy point of view.

While users can verify extensions for Chrome before they install them to make sure they are legitimate, only a minority does so, as it requires knowledge of JavaScript and how Chrome extensions work.
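
The basic part of that verification can be scripted. The following Node.js code is an added example, not from the article or from Google: it reads an extension's parsed `manifest.json` and reports whether any declared host match pattern covers all sites. The sample manifests are constructed, and the `host_permissions` key belongs to the later Manifest V3 format, which the article does not cover.

```javascript
// Added example: flag extensions whose manifest requests access to every site.
// Host access can be declared in "permissions" (Manifest V2), "host_permissions"
// (Manifest V3) and in each content script's "matches" list.

// Split a match pattern such as "*://*.example.com/*" into scheme and host.
function parsePattern(pattern) {
  if (pattern === '<all_urls>') return { scheme: '*', host: '*' };
  const m = /^(\*|https?|file|ftp|wss?):\/\/([^/]*)\/.*$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2] } : null; // null: API permission, not a host
}

// A pattern is broad when its host part is a bare wildcard, i.e. any site.
function isBroad(pattern) {
  const p = parsePattern(pattern);
  return p !== null && p.host === '*';
}

// Collect every declared host pattern and separate broad from site-specific ones.
function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ].filter((p) => typeof p === 'string');
  const hosts = [...new Set(declared.filter((p) => parsePattern(p) !== null))];
  const broad = hosts.filter(isBroad);
  const specific = hosts.filter((h) => !isBroad(h));
  return { name: manifest.name, broad, specific, allSites: broad.length > 0 };
}

// Constructed sample manifests (not real extensions).
const samples = [
  { name: 'Video Helper', manifest_version: 2,
    permissions: ['tabs', 'storage', '<all_urls>'] },
  { name: 'Single Site Tool', manifest_version: 2,
    permissions: ['storage', 'https://www.ghacks.net/*'],
    content_scripts: [{ matches: ['https://www.ghacks.net/*'], js: ['cs.js'] }] },
  { name: 'Page Tweaker', manifest_version: 2,
    permissions: ['activeTab'],
    content_scripts: [{ matches: ['*://*/*'], js: ['tweak.js'] }] },
];

for (const m of samples) {
  const r = auditManifest(m);
  const scope = r.allSites ? `ALL SITES via ${r.broad.join(', ')}`
    : `limited to ${r.specific.join(', ') || 'no hosts'}`;
  console.log(`${r.name}: ${scope}`);
}
```

To audit an installed extension, pass the parsed contents of its `manifest.json` to `auditManifest`. An extension flagged as "ALL SITES" is a candidate for the "on click" or "on specific sites" restriction.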

Google revealed plans today to improve the situation with the release of Chrome 70 in mid-October 2018.

User control over sites extensions may run on

Google plans to give Chrome users control over the hosts that extensions may access. Currently, if an extension has permissions to change data on all websites it may do so and the user can't do anything about it at that point other than remove it again from Chrome.

Starting with Chrome 70, Chrome users may restrict host access of extensions in the following ways:

  • Restrict access to specific sites, e.g. ghacks.net only.
  • Enable click to activate for all sites.

A right-click on any installed extension displays the new "this can read and change site data" item in the menu. When you hover the mouse cursor over it you get the options to restrict access of that extension.

You may also manage the sites an extension runs on from chrome://extensions by clicking the details button of an installed extension.

The new "Allow this extension to read and change all your data on websites you visit" menu provides options to limit the extension to "on-click" or "on specific sites".

Selecting "on specific sites" displays the list of sites the extension is allowed to run on. You can add multiple sites to the list, which then acts as a whitelist: the extension's access to a site is blocked if the site is not on that list.

Note that the new functionality becomes available after you install an extension. Chrome extension installations from the Chrome Web Store don't display options to limit site access of an extension that is about to be installed at this time.

It is possible that Google will change that going forward or integrate an option in Chrome to set a different default for extensions that request access to all sites.

For now, it is only possible to change site access permissions after installation.

Chrome highlights extension icons that want access to a site but don't have that access due to access restrictions.

A click on the extension icon displays "reload page to use this extension".

The extension is granted access to the page then and you may use its functionality on the page afterward.

If an extension is set to activate on click only, it gets access to the selected page only when you activate it, and not to any other page.

If you want an extension to run on all pages of a site, select the "on site" option instead.

Closing Words

Chrome users will get better extension control in Chrome 70. It is then possible to restrict extensions to run only on a small set of sites or activate only when they are clicked on. The default, access granted everywhere, seems to remain the same though.

I see the new options as a tool for advanced users who want to limit extensions that they install. It is certainly the right move for certain kinds of extensions. A video or image download should only run when you need it and not whenever you load a site in the browser.

I can't really see this becoming very popular with new or inexperienced users, though. It would be great if Google would add an option to set a default for new extensions.

Chrome users who run version 70 already can enable the feature right now by setting chrome://flags/#extension-active-script-permission to enabled.

I'd love to see this implemented by other browser makers as well.

Now You: What is your take on the announcement?

Tip: Check out our lists of best Chrome extensions and best Firefox add-ons.


Comments

  1. Yuliya said on October 1, 2018 at 10:53 pm

    Weird browser, always two steps backward and one forward. Broken address bar, weird cookie policies, and now this, which is actually a very useful feature. I assume other Chromium-based browsers such as Opera or Vivaldi will inherit this feature.

  2. Anonee said on October 2, 2018 at 12:49 am

    Finally, a way for us to have control over our extensions!
    I am tired of installing an extension for a particular site, yet it wants access to all sites.

  3. kms said on October 2, 2018 at 4:42 am

    A Chrome feature that every browser should adopt.

  4. Joshua X said on October 2, 2018 at 8:36 am

    I can’t stand these new changes, as mentioned by Yuliya, the new address bar and cookie policy (doubleclick.net locally stored data). And now these new extension access features, just sounds like bloat to me. I trust uBlock Origin and Decentraleyes FWIW.

    Gonna switch back to ungoogled-chromium_67.0.3396.87 and hope it’s safe enough for the foreseeable future.

  5. Mikhoul said on October 2, 2018 at 7:12 pm

    When Chrome care more about your privacy than Mozilla Hahahahaahahahahaahha! :P

  6. pic said on October 3, 2018 at 3:00 am

    Well done Google, that’s why Chrome is getting all the time new users and makes the gap between Chrome and other browsers even bigger. You lead and others follow.

  7. Future said on October 3, 2018 at 10:19 am

    To restrict third party access to the Data, not extensions.
