Google has announced plans to further restrict Chrome extensions in a bid to crack down on the number of malicious extensions found in the Chrome Web Store.

We've seen a spate of malicious extensions this year; the extensions do things like steal credentials and participate in click fraud schemes. The malicious extensions take advantage of the considerable access to webpages that extensions have.

Google has already taken some steps to limit malicious extensions. Last year, a stricter multi-process model was applied to extensions to limit the impact of security flaws in the browser, and earlier this year, Google deprecated the ability for extensions to offer installation from third-party websites (instead forcing all installations to go via the Chrome Web Store). This feature will be fully removed in Chrome 71 in December.

The first new measure is to give the users of extensions greater control over which sites extensions can access. One of the most powerful extension permissions is the ability to read and write data on any site; in Chrome 70, due later this month, extension users will be able to restrict access to specific domains, or block all access to a site until the extension is explicitly activated. This change doesn't prevent malicious extensions outright, but it has the power to greatly limit the damage they can do.

The other measures are applied to the extension development process. Google says it's going to apply greater scrutiny to extensions that require the most powerful permissions, and it will perform ongoing monitoring of extensions that load code from remote sites. This should help guard against extensions that use harmless external code during the initial submission to the store but then later replace that code with something malicious once the extension has been published to the store.

Google is also prohibiting extensions using obfuscated code. Minified code (that is, code that has had extraneous whitespace and long variable names removed) will still be permitted, because the minification process is generally easy to reverse, but code that's outright obfuscated—manipulated in such a way as to conceal its functionality and hinder its readability—is no longer allowed in new extensions. Instead, obfuscated code will be banned for existing extensions in 90 days. Google says that some 70 percent of malicious extensions use obfuscated code. Prohibiting it should make extension reviewing simpler, because it will make the JavaScript code that powers extensions easier to understand.

Extension developers will also have to do more to protect their developer accounts. From 2019, extension developers will have to enable two-factor authentication for their accounts. The concern here is that if a developer of a legitimate extension has their account hacked, their extensions can be tampered with and made malicious. Two factor authentication makes it harder to compromise accounts in the first place.

Next year, Google also plans to introduce a new extension manifest (the part of an extension that enumerates the contents of the extension and the permissions it requires) that will give users greater control over the permissions they grant and allow extension developers to demand narrower, more restricted permissions in the first place.