Why Chrome Extension Manifest v3 Matters

If you’re a front-end developer, you’re probably already aware of the changes coming to Google Chrome extensions. But even if you’re not, the changes are important and worth knowing a bit more about.

About Chrome extensions

There are well over 100,000 Chrome extensions – pieces of HTML, CSS, and JavaScript written by third parties and installed by a user to customize their Chrome browsing experience.

There are extensions that block ads, check spelling, save passwords, offer VPN connections, and (e.g., Evinced) test a website’s accessibility. The list is nearly endless.

Extensions are built out of two main types of components:

  1. Content scripts, which run inside the web page the user is visiting and can read or modify its DOM. Anything that needs page data, or that renders a user interface on the page, lives here.
  2. Background scripts, which have no access to the page or its user interface. They receive browser events such as a new tab opening or a page being refreshed, and they typically act as the server side of the extension, with content scripts sending them messages.

Permissions and security

Chrome extensions have historically been able to request a surprisingly broad set of permissions. For example, extensions could:

  • Access and manipulate the DOM. Grammarly, for example, uses its permissions to read the contents of input fields and check the spelling.
  • Send requests to servers.
  • Download scripts from a server at runtime and run them.
  • Run scripts on the website a user is visiting. Evinced uses this to check for accessibility issues.
  • Read and manipulate network requests. HuluVPN uses this to reroute requests to a server in a different country.
  • Make cross-origin requests that the browser’s CORS rules would block for an ordinary page script.
  • Listen to browser events.

This is only a partial list of course, but even a non-developer can see that it is expansive and hands malicious developers plenty of opportunities for mischief. As we say in the business, the attack surface is huge.

To take just one example, a hacker group took over an extension called The Great Suspender and modified it to download and execute code from their own servers, on the millions of devices where it was already installed.

Say hello to version 3!

Google, thankfully, is responding with a major change to how extensions are built. That change is called Manifest Version 3, and every Chrome extension will need to move to this new, significantly less permissive framework. Google is re-evaluating the official timeline (firmer dates look likely by March 2023), but we’re planning to be ready sooner rather than later. As of today, the timeline looks like this:

  • Sometime in 2023, the Featured badge will require Manifest v3.
  • Later in 2023, v2 extensions will be hidden in the Chrome Web Store.
  • Sometime in 2024, v2 extensions will be removed.

The heart of the change is about security and permissions. In short:

1. Downloading and running external code is forbidden. All JavaScript (and WebAssembly) must ship inside the extension package, and the extension’s Content Security Policy can no longer point at remote script sources. An extension may still fetch data at runtime; it may not execute it.

2. Fewer permissions and capabilities at the network level. The blocking webRequest API, which let an extension inspect and rewrite every request in flight, is no longer available to ordinary extensions. Its replacement, declarativeNetRequest, has the extension declare block, redirect and header rules up front, and Chrome applies them without the extension ever seeing the traffic.

3. The background page becomes a service worker. It has no DOM, is started on demand when an event fires and is shut down when idle, so an extension can no longer keep a page running in the background or rely on long-lived in-memory state.

Because all the code must be bundled into the extension package, with nothing added at runtime, the Chrome Web Store review now sees the entire code of an extension. That raises the possibility of detecting suspicious code in advance and removing the extension before users install it.
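The three changes above are easy to check for mechanically. The lint below is an added example written for this article, not Evinced’s code and not a Google tool: it scans an extension’s manifest and source files for the Manifest v2 habits described here (remotely hosted code, a persistent background page, blocking webRequest, a CSP that allows remote script sources). The two extensions it runs over are constructed for the example, the `cdn.example.invalid` host is a placeholder, and the regular-expression scan is a heuristic first pass rather than a JavaScript parser.

```javascript
// Added example: a Manifest v3 readiness lint for a Chrome extension.
// Not part of the original post; the sample extensions below are constructed.

// Source patterns that indicate code fetched from the network and executed at
// runtime. Assumption: a regex scan is good enough for a first pass.
const REMOTE_CODE_PATTERNS = [
  { re: /\beval\s*\(/, why: "eval() is blocked by the MV3 default CSP" },
  { re: /new\s+Function\s*\(/, why: "new Function() is blocked by the MV3 default CSP" },
  { re: /importScripts\s*\(\s*['"`]https?:/, why: "importScripts() from a remote origin" },
  { re: /<script[^>]+src\s*=\s*['"]https?:/i, why: "<script src> pointing at a remote origin" },
  { re: /\.(?:src|href)\s*=\s*['"`]https?:[^'"`]*\.js/, why: "script element given a remote src in code" },
];

// Checks the manifest for MV2-only constructs and returns human-readable findings.
function lintManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version is ${manifest.manifest_version}; MV3 requires 3`);
  }
  const bg = manifest.background || {};
  if (bg.scripts || bg.page || bg.persistent !== undefined) {
    findings.push("background.scripts/background.page must become background.service_worker");
  }
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  if (perms.includes("webRequestBlocking")) {
    findings.push("webRequestBlocking is unavailable in MV3; use declarativeNetRequest rules instead");
  }
  // MV2 takes a CSP string; MV3 takes an object whose extension_pages policy
  // may not name remote script sources.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const scriptSrc = /script-src\s+([^;]+)/.exec(cspText);
  if (scriptSrc && /https?:\/\//.test(scriptSrc[1])) {
    findings.push(`content_security_policy allows remote script-src: ${scriptSrc[1].trim()}`);
  }
  if (typeof csp === "string") {
    findings.push("content_security_policy must be an object ({ extension_pages: ... }) in MV3");
  }
  return findings;
}

// Scans one source file for the remote-code patterns above.
function lintSource(name, text) {
  const findings = [];
  for (const { re, why } of REMOTE_CODE_PATTERNS) {
    if (re.test(text)) findings.push(`${name}: ${why}`);
  }
  return findings;
}

// Runs both checks over { manifest, sources: { filename: text } }.
function lintExtension({ manifest, sources }) {
  return [
    ...lintManifest(manifest),
    ...Object.entries(sources).flatMap(([name, text]) => lintSource(name, text)),
  ];
}

// Constructed MV2 extension in the style the post warns about.
const mv2Extension = {
  manifest: {
    manifest_version: 2,
    name: "Example Suspender",
    version: "1.0",
    permissions: ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    background: { scripts: ["background.js"], persistent: true },
    content_security_policy: "script-src 'self' https://cdn.example.invalid; object-src 'self'",
  },
  sources: {
    "background.js": [
      "// fetch a script from the vendor's server and run it at runtime",
      "fetch('https://cdn.example.invalid/update.js').then(r => r.text()).then(code => eval(code));",
      "chrome.webRequest.onBeforeRequest.addListener(d => ({ cancel: true }), { urls: ['<all_urls>'] }, ['blocking']);",
    ].join("\n"),
  },
};

// Constructed MV3 equivalent: code bundled, event-driven service worker, declarative rules.
const mv3Extension = {
  manifest: {
    manifest_version: 3,
    name: "Example Suspender",
    version: "2.0",
    permissions: ["tabs", "declarativeNetRequest"],
    host_permissions: ["<all_urls>"],
    background: { service_worker: "background.js" },
    content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
    declarative_net_request: { rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }] },
  },
  sources: {
    "background.js": "chrome.runtime.onInstalled.addListener(() => console.log('installed'));",
  },
};

for (const [label, ext] of [["MV2", mv2Extension], ["MV3", mv3Extension]]) {
  const findings = lintExtension(ext);
  console.log(`${label}: ${findings.length} finding(s)`);
  findings.forEach((f) => console.log("  - " + f));
}
```

Run it with `node` and the MV2 sample produces six findings, one per habit the new framework removes, while the MV3 sample produces none. Treat a clean run as a starting point rather than a verdict: the scan cannot see code that assembles a remote URL at runtime, and Chrome Web Store review and the MV3 Content Security Policy are what actually enforce the rule.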

That’s a big win.

The future

Personally, we welcome the security improvements, even if migrating an extension to the new manifest version is less than easy (more about that soon). We don’t believe that Manifest v3 will be perfectly secure (hackers have their ways, after all), but closing the obvious loopholes is simply the right thing to do. That’s familiar territory for us, as we try to make the world a little more accessible every day.