Chrome extensions have been under heavy scrutiny over the past couple of years due to security risks, but Google is looking to change that with upcoming granular permission control. This is a huge step forward for extension security.
Basically, this is a similar take on Android’s granular permissions controls, just for Chrome browser extensions. The biggest problem with extensions—at least from a security standpoint—is their essentially universal ability to read, write, and change data on websites. With this upcoming feature, you’ll be able to control when and how extensions can read and write data.
You’ll be able to specify when an extension can read and change data on a particular website with what appears to be three primary options: when you click the extension, on the specific website, or on all websites. While the last option will allow the extension to function the same way it does under the current system, the first two will disallow the extension from acting outside of the policy you set, essentially sandboxing the extension’s access within the set parameters.
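To see which installed extensions currently declare the all-sites access that this setting would let you narrow, you can inspect each extension's `manifest.json`. The following is an added example, not code from Google or from this article: the sample manifests are constructed, and the function names (`is_all_hosts`, `host_patterns`, `site_access`, `audit`) are hypothetical.

```python
import json

# Constructed sample manifests (not real extensions), keyed by extension name.
SAMPLE_MANIFESTS = json.loads("""
{
  "Coupon Finder": {"permissions": ["tabs", "<all_urls>"]},
  "Wiki Helper":   {"permissions": ["storage", "https://*.wikipedia.org/*"]},
  "Ad Filter":     {"permissions": ["storage"],
                    "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]},
  "Note Pad":      {"permissions": ["storage", "activeTab"]}
}
""")

def is_all_hosts(pattern):
    """True if a match pattern covers every host, e.g. <all_urls> or *://*/*."""
    if pattern == "<all_urls>":
        return True
    _scheme, sep, rest = pattern.partition("://")
    return bool(sep) and rest.split("/", 1)[0] == "*"

def host_patterns(manifest):
    """Collect the host match patterns a manifest declares up front."""
    found = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        found += [p for p in manifest.get(key, [])
                  if isinstance(p, str) and (p == "<all_urls>" or "://" in p)]
    for script in manifest.get("content_scripts", []):
        found += script.get("matches", [])
    return found

def site_access(manifest):
    """Classify declared access as 'all sites', 'specific sites' or 'none'."""
    patterns = host_patterns(manifest)
    if any(is_all_hosts(p) for p in patterns):
        return "all sites"
    return "specific sites" if patterns else "none"

def audit(manifests):
    """Map each extension name to its declared site access."""
    return {name: site_access(m) for name, m in manifests.items()}

if __name__ == "__main__":
    for name, access in sorted(audit(SAMPLE_MANIFESTS).items()):
        print(f"{access:15} {name}")
```

Extensions reported as "all sites" are the candidates for restricting to on-click or a specific website once the control is enabled.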
To take this a step further, Google will also put a bigger focus on scrutinizing extensions that request “powerful permissions” and use remotely-hosted code. In short, control for extensions—both on the user front and for Google—is going to get a lot tighter.
There are also some changes being made on the developer end—the Chrome Web Store will no longer allow extensions with obfuscated code, developers will be required to enable 2FA on their accounts starting in 2019, and more. For details on that, you can take a look at the Chromium developer blog.
The real meat and potatoes here is granular controls on the consumer front. This will be available starting in Chrome 70, which is already available through the beta channel. The feature hasn’t yet been enabled, but Google will likely flip the switch in an upcoming update.