Chromium Blog
News and developments from the open source browser project
More secure extensions, by default
středa 29. února 2012
Security is one of our core values, alongside speed, stability and simplicity. From day one, we’ve designed Chrome’s extension system
with security in mind
. Since we launched the extension system, the state of the art in web security has advanced with technologies like
Content-Security-Policy
(CSP). Extension developers have been able to
opt into these features
, and now we’re enabling these security features by default.
Unfortunately, securing extensions with CSP by default is incompatible with the legacy extension system. We’re passionate about extension compatibility, so we’re going to make this change gradually to minimize pain for users and developers.
Users can continue to install extensions that are available in the store regardless of whether they are secured with CSP or not. This means they will not lose any of the functionality they've added to Chrome.
Developers will be able to choose when to enable the new behavior. To ease the transition, we've introduced a new manifest version attribute in the extension manifest in Chrome 18 (currently in beta). When a developer updates his or her extension to use
manifest_version
2, Chrome will enforce the following CSP policy by default:
script-src 'self'; object-src 'self'
This policy imposes the following restrictions on extensions:
Extensions can no longer use inline scripts, such as
<script> ... </script>
. Instead, extensions must use out-of-line scripts loaded from within their package, such as
<script src="foo.js"></script>
.
Extensions can no longer use
eval()
. Note: If you’re using eval to parse JSON today, we suggest using
JSON.parse
instead.
Extensions can load plug-ins, such as SWF files, only from within their package or from a whitelist of HTTPS hosts.
A
recent study
from researchers at UC Berkeley suggested that these restrictions, taken together, would substantially
improve the security
of the extension system:
These defenses are extremely effective: adopting one of the recommended CSPs would prevent 96% (49 out of 51) of the core extension vulnerabilities we found.
For most extensions, updating them to
manifest_version
2 will require the developer to move inline scripts out-of-line and to move scripts loaded from the network into the extension package. Developers are not required to update their extensions to
manifest_version
2 immediately, but, over time, more of the extension ecosystem will encourage developers to update their extensions. For example, at some point, we’ll likely start requiring new extensions uploaded to the web store to use
manifest_version
2. You can find
a complete list
of changes and
more details
about CSP in the
extension documentation
.
We expect these changes will make the security of Chrome’s extension system even better. If you have any feedback, please feel encouraged to email the extension developers
mailing list
.
Posted by Adam Barth, Chrome Security Engineer
Štítky
$200K
1
10th birthday
4
abusive ads
1
abusive notifications
2
accessibility
3
ad blockers
1
ad blocking
2
advanced capabilities
1
android
2
anti abuse
1
anti-deception
1
background periodic sync
1
badging
1
benchmarks
1
beta
83
better ads standards
1
billing
1
birthday
4
blink
2
browser
2
browser interoperability
1
bundles
1
capabilities
6
capable web
1
cds
1
cds18
2
cds2018
1
cloud print
1
coalition
1
coalition for better ads
1
contact picker
1
content indexing
1
cookies
1
core web vitals
2
csrf
1
css
1
cumulative layout shift
1
custom tabs
1
dart
8
dashboard
1
Data Saver
3
Data saver desktop extension
1
day 2
1
deceptive installation
1
declarative net request api
1
design
2
developer dashboard
1
Developer Program Policy
2
developer website
1
devtools
13
digital event
1
discoverability
1
DNS-over-HTTPS
4
DoH
4
emoji
1
emscriptem
1
enterprise
1
extensions
27
Fast badging
1
faster web
1
features
1
feedback
2
field data
1
first input delay
1
Follow
1
fonts
1
form controls
1
frameworks
1
fugu
2
fund
1
funding
1
gdd
1
google earth
1
google event
1
google io 2019
1
google web developer
1
googlechrome
12
harmful ads
1
html5
11
HTTP/3
1
HTTPS
4
chrome
35
chrome 81
1
chrome 83
2
chrome 84
2
chrome ads
1
chrome apps
5
Chrome dev
1
chrome dev summit
1
chrome dev summit 2018
1
chrome dev summit 2019
1
chrome developer
1
Chrome Developer Center
1
chrome developer summit
1
chrome devtools
1
Chrome extension
1
chrome extensions
3
Chrome Frame
1
Chrome lite
1
Chrome on Android
2
chrome on ios
1
Chrome on Mac
1
Chrome OS
1
chrome privacy
4
chrome releases
1
chrome security
10
chrome web store
32
chromedevtools
1
chromeframe
3
chromeos
4
chromeos.dev
1
chromium
9
iframes
1
images
1
incognito
1
insecure forms
1
intent to explain
1
ios
1
ios Chrome
1
issue tracker
3
jank
1
javascript
5
lab data
1
labelling
1
largest contentful paint
1
launch
1
lazy-loading
1
lighthouse
2
linux
2
Lite Mode
2
Lite pages
1
loading interventions
1
loading optimizations
1
lock icon
1
long-tail
1
mac
1
manifest v3
2
metrics
2
microsoft edge
1
mixed forms
1
mobile
2
na
1
native client
8
native file system
1
New Features
5
notifications
1
octane
1
open web
4
origin trials
2
pagespeed insights
1
pagespeedinsights
1
passwords
1
payment handler
1
payment request
1
payments
2
performance
20
performance tools
1
permission UI
1
permissions
1
play store
1
portals
3
prefetching
1
privacy
2
privacy sandbox
4
private prefetch proxy
1
profile guided optimization
1
progressive web apps
2
Project Strobe
1
protection
1
pwa
1
QUIC
1
quieter permissions
1
releases
3
removals
1
rlz
1
root program
1
safe browsing
2
Secure DNS
2
security
36
site isolation
1
slow loading
1
sms receiver
1
spam policy
1
spdy
2
spectre
1
speed
4
ssl
2
store listing
1
strobe
2
subscription pages
1
suspicious site reporter extension
1
TCP
1
the fast and the curious
23
TLS
1
tools
1
tracing
1
transparency
1
trusted web activities
1
twa
2
user agent string
1
user data policy
1
v8
6
video
2
wasm
1
web
1
web apps
1
web assembly
2
web developers
1
web intents
1
web packaging
1
web payments
1
web platform
1
web request api
1
web vitals
1
web.dev
1
web.dev live
1
webapi
1
webassembly
1
webaudio
3
webgl
7
webkit
5
WebM
1
webmaster
1
webp
5
webrtc
6
websockets
5
webtiming
1
writable-files
1
yerba beuna center for the arts
1
Archive
2024
pro
srp
čvn
kvě
dub
bře
úno
2023
lis
říj
zář
srp
čvn
kvě
dub
úno
2022
pro
zář
srp
čvn
kvě
dub
bře
úno
led
2021
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2020
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2019
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2018
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2017
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2016
pro
lis
říj
zář
srp
čvn
kvě
dub
bře
úno
led
2015
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2014
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2013
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2012
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2011
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2010
pro
lis
říj
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2009
pro
lis
zář
srp
čvc
čvn
kvě
dub
bře
úno
led
2008
pro
lis
říj
zář
Feed
Follow @ChromiumDev
Give us feedback in our
Product Forums
.
