Google locks out extensions that don’t come from its Chrome Web Store

As of Tuesday, 12 June, Google started on a phase-out of Chrome extensions that come from third-party websites. In the coming months, that means that extensions have got to either hit the Chrome Web Store or hit the highway.

It’s about time, many will say – third-party extensions cause too many headaches.

Extensions Platform Product Manager James Wagner said in an announcement on the Chromium blog that inline extensions (i.e., those from third-party sites) are far more likely to cause Chrome users problems than the ones they get from the Chrome Web Store:

“When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation.”

Here’s the timeline:

  • Starting on Tuesday 12 June 2018, inline installation was made unavailable to all newly published extensions. Extensions first published on that day or later that attempt to call the chrome.webstore.install() function will now automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.
  • Starting 12 September 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.
  • In early December 2018, the inline install API method will be removed from Chrome 71.

Wagner advised developers who distribute an extension using inline installation that they’ll have to update install buttons on their websites to link to their extension’s Chrome Web Store page prior to the stable release of Chrome 71.
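For site owners working out which pages need that update, here is an added example (not code from Google or from the original article) that scans page source for inline-install usage and reports the Web Store URL each install button should link to instead. The function names, the sample page and the extension ID are constructed for illustration; the `<link rel="chrome-webstore-item">` tag and the `https://chrome.google.com/webstore/detail/` URL form are not quoted in the article and are assumed here as what inline installation relied on.

```javascript
// Added example: audit page source for inline-install usage before Chrome 71.
// SAMPLE_PAGE and the extension ID in it are constructed for illustration.
const STORE_PREFIX = "https://chrome.google.com/webstore/detail/";

// Web Store URLs end in the extension ID (32 letters from a-p), optionally
// preceded by a name segment: .../detail/<id> or .../detail/<name>/<id>.
const STORE_URL_RE =
  /https:\/\/chrome\.google\.com\/webstore\/detail\/(?:[^\/"'\s]+\/)?([a-p]{32})(?![a-z0-9])/g;
const ITEM_LINK_RE = /<link\b[^>]*\brel\s*=\s*["']?chrome-webstore-item\b[^>]*>/gi;
const INSTALL_CALL_RE = /\bchrome\s*\.\s*webstore\s*\.\s*install\s*\(/g;

function countMatches(source, re) {
  const hits = source.match(re);
  return hits ? hits.length : 0;
}

// Report what has to change on a page and which store URL its button should use.
function auditInlineInstall(source) {
  const ids = new Set();
  for (const m of source.matchAll(STORE_URL_RE)) ids.add(m[1]);
  const installCalls = countMatches(source, INSTALL_CALL_RE);
  const itemLinks = countMatches(source, ITEM_LINK_RE);
  return {
    installCalls, // call sites that stop working once the API method is removed
    itemLinks,    // <link rel="chrome-webstore-item"> tags, needed only for inline install
    storeUrls: [...ids].map((id) => STORE_PREFIX + id), // link install buttons here
    needsMigration: installCalls > 0 || itemLinks > 0,
  };
}

// Constructed sample: a page that still uses inline installation.
const SAMPLE_PAGE = `
<head>
  <link rel="chrome-webstore-item"
        href="https://chrome.google.com/webstore/detail/abcdefghijklmnopabcdefghijklmnop">
</head>
<body>
  <button id="install" onclick="chrome.webstore.install()">Add to Chrome</button>
  <script>
    function retry() { chrome.webstore.install(undefined, ok, fail); }
  </script>
</body>`;

console.log(JSON.stringify(auditInlineInstall(SAMPLE_PAGE), null, 2));
```

A page that only carries a plain link to the store listing reports `needsMigration: false`, which is the end state Wagner describes.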

He also suggested that if you haven’t already, “be sure to read up on how to create a high-quality store listing, and consider using our install badge on your site.”

Wagner said that it’s “crucial” that users have “robust information” about extensions before they install them, so that they fully understand how the extensions will affect their browsing experience. He says that Google is confident that the walled-garden approach will “improve transparency for all users about their extension choices in Chrome.”

A little recent extensions history: in October, Google was embarrassed when a fake adblocker – one that posed as the massively popular AdBlock Plus – wound up sneaking past Google’s security checks and weaseling its way into the Chrome Web Store. The “adblocker” turned out not to be an adblocker at all. Rather, ironically enough, it was adware. It served ads. To people who wanted to block ads.

At the time, Google said it had plans to improve the vetting of its browser extensions:

“We know the issue spans beyond this single app. We can’t go into details publicly about solutions we are currently considering, but we wanted to let the community know that we are working on it…”

Of course, these problems aren’t unique to Google. They turn up everywhere vendors provide walled-garden access to apps, plugins, add-ons or whatever else they call the bits of somebody else’s code you can use to extend their products.

In most cases the security of a walled garden beats not having a walled garden, but keeping the bad stuff out is an ongoing and evolving struggle.