Google doubles down on Chrome extension security by blocking inline installations

Donna Miller
June 13, 2018

Inline installation lets websites add Chrome extensions that were hosted behind the scenes at the Chrome Web Store, but Google's shutting the technology down after abuse.

In order to prove that extensions in the Chrome store are legit and the best course of action, Google has written a research paper on its extension cleansing efforts.

Google's initial extensions plan was to let people download them from anywhere, but it backtracked and offered the inline installation from the Chrome Web Store instead.

Until now, this has been possible because the inline installation process allowed developers to create extensions, have the extensions hosted on the official Chrome Web Store, but allow users to install the extensions just by clicking a button on a third-party website without the user ever visiting the extension's Chrome Web Store page.

"We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly", explains James Wagner, Google's extensions platform product manager. Too often, though, developers combined these so-called "inline installs" with deceptive information on their sites to get users to install them.

The decision, which will be implemented in stages, follows a series of complaints in recent years about malicious extensions distributed through the Chrome Web Store and via malware.

Chrome extensions will soon only be installed at the Chrome Web Store

The company and its users experienced wave after wave of issues with malicious or deceptive Chrome extensions. Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install () function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.

From September 12, 2018 on, inline installations will be disabled for all existing extensions as well.

"We're proud of the choices the Chrome Web Store provides users in enhancing their browsing experience", said Wagner.

However, it is likely that this new change will ruffle the feathers of existing extension owners who rely on the inline install method for legitimate installs of their extensions.

It may be more hard for malicious actors to get users to install their extensions directly from the Web Store.

Early December will see the inline install application programming interface completely removed from Chrome version 71. Google has not published information about the ratio of installs.

Lesbian killed after being tricked into Tinder date with couple looking threeway
Court documents reveal Trail told Federal Bureau of Investigation agents he had strangled the girl with an extension cord. The Nebraska Attorney General's office, which is prosecuting the case, said it is considering seeking the death penalty.

Other reports by

Discuss This Article

FOLLOW OUR NEWSPAPER