More secure extensions, by default

Wednesday, February 29, 2012

Labels: ,

Security is one of our core values, alongside speed, stability and simplicity. From day one, we’ve designed Chrome’s extension system with security in mind. Since we launched the extension system, the state of the art in web security has advanced with technologies like Content-Security-Policy (CSP). Extension developers have been able to opt into these features, and now we’re enabling these security features by default.

Unfortunately, securing extensions with CSP by default is incompatible with the legacy extension system. We’re passionate about extension compatibility, so we’re going to make this change gradually to minimize pain for users and developers.

Users can continue to install extensions that are available in the store regardless of whether they are secured with CSP or not. This means they will not lose any of the functionality they've added to Chrome.

Developers will be able to choose when to enable the new behavior. To ease the transition, we've introduced a new manifest version attribute in the extension manifest in Chrome 18 (currently in beta). When a developer updates his or her extension to use manifest_version 2, Chrome will enforce the following CSP policy by default:

script-src 'self'; object-src 'self' 

This policy imposes the following restrictions on extensions:

  1. Extensions can no longer use inline scripts, such as <script> ... </script>. Instead, extensions must use out-of-line scripts loaded from within their package, such as <script src="foo.js"></script>. 
  2. Extensions can no longer use eval(). Note: If you’re using eval to parse JSON today, we suggest using JSON.parse instead. 
  3. Extensions can load plug-ins, such as SWF files, only from within their package or from a whitelist of HTTPS hosts. 
A recent study from researchers at UC Berkeley suggested that these restrictions, taken together, would substantially improve the security of the extension system:

These defenses are extremely effective: adopting one of the recommended CSPs would prevent 96% (49 out of 51) of the core extension vulnerabilities we found. 

For most extensions, updating them to manifest_version 2 will require the developer to move inline scripts out-of-line and to move scripts loaded from the network into the extension package. Developers are not required to update their extensions to manifest_version 2 immediately, but, over time, more of the extension ecosystem will encourage developers to update their extensions. For example, at some point, we’ll likely start requiring new extensions uploaded to the web store to use manifest_version 2. You can find a complete list of changes and more details about CSP in the extension documentation.

We expect these changes will make the security of Chrome’s extension system even better. If you have any feedback, please feel encouraged to email the extension developers mailing list.


Posted by Adam Barth, Chrome Security Engineer

9 comments:

akdom said...

This comment has been removed by the author.

February 29, 2012 1:58 PM

akdom said...

By "no longer use <script></script>" does this also mean that background pages must include scripts in their header? If so, the entirety of the extension documentation needs to be updated to reflect this as the current recommended practice is to have the whole of your background application run in inline script tags. Note http://code.google.com/chrome/extensions/background_pages.html as an example.

February 29, 2012 2:00 PM

Unknown said...

@akdom. Yes. You can view the updated documentation using the "trunk" version of the documentation:

http://code.google.com/chrome/extensions/trunk/background_pages.html

When Chrome 18 reaches stable, the documentation will update as well.

February 29, 2012 3:04 PM

Karl Taüfer said...

I had akdom's question also. Now that it is more clear, I have two other questions:

1) Should I update my extensions now, or until version 18 is released? When the new manifest will start working and when the old one will stop?

2)Will chrome.extension.getBackgroundPage() still work with the ""background": { "scripts": "background.js"]}", or I will have to use a different way to access to that code once it changes?

I'm worried about my extensions!! Thanks for the news.

February 29, 2012 11:08 PM

Mr.Wizard said...

I also would like to know whether I should update my extension now or wait until version 18 is released?

March 1, 2012 2:49 AM

Adam Barth said...

If I were you, I would wait until version 18 reaches the stable channel before updating my extensions. That way you only need to test your extension on one version of Chrome. If you'd like to get a head start and update your extension now, you certainly can. However, you'll want to test your extension both on version 17 and version 18 to make sure everything works smoothly.

chrome.extension.getBackgroundPage() will continue to work fine with ""background": { "scripts": "background.js"]}".

If you're worried about your extension, please don't hesitate to email the chromium-extensions@chromium.org.

March 1, 2012 10:24 AM

Chris said...

How can I know which extensions in the webstore are using the security enhancements? If an extension isn't being updated, then I want to find an extension with similar functionality that does proved the updated security.

March 1, 2012 1:25 PM

Adam Barth said...

@Chris: Currently, there's no indication in the webstore about which extensions use this feature. That's something we'll keep in mind as an encouragement to developers to update their extensions.

March 1, 2012 3:08 PM

Karl Taüfer said...

Thanks for your answers! I will surely contact the e-mail for further questions.

March 1, 2012 8:20 PM

Post a Comment

Subscribe to: Post Comments (Atom)