Google slightly delays kill switch for Chrome add-ons
Google yesterday gave Chrome extension developers another two months to register their work with the browser’s online store, after which the company will throw a “kill switch” on most add-ons that were installed from other sources.
The deadline extension means that Google won’t implement the new policy on the “stable” version of Chrome for Windows—one of three build channels the company maintains, and the most polished of the trio—until after May 1. The beta of Chrome 33 for Windows, which launched mid-January, already has the policy in place.
“Some developers have requested more time to complete this transition, so we’ve decided to extend the window until May 1 before we start enforcing this policy for the Windows Stable channel,” said Erik Kay, director of Chrome engineering, in a Wednesday blog.
Under the new rules, only extensions—also called add-ons—that originate from the Chrome Web Store, Google’s official distribution channel, can be installed in the Windows browser. The change does not affect the OS X or Linux versions of Chrome.
Google first promised the extension blocking in November, when Kay cited “our continuing security efforts” for the change, and stated, “We believe this change will help those whose browser has been compromised by unwanted extensions.”
According to Google, unauthorized and sometimes downright dangerous extensions are a leading complaint from users, and a prime cause of problems.
Google has been tightening the screws on third-party add-ons since July 2012, when it first required that add-ons move to the Chrome Web Store. In other subsequent steps, it blocked sneaky add-on installations.
Those stricter policies had driven some purveyors of adware to try an end-around by buying the rights to established add-ons already in the Chrome Web Store, then modifying them to bombard users with advertisements.
Walling off the web browser's garden
Starting with Chrome 33 Beta on Windows, Google is closing the remaining loopholes: Extensions that had been installed locally or by businesses internally must be published to the Chrome Web Store. Businesses can hide their extensions on the store from the public at large—or continue to use group policies to offer the add-ons to their workforce from their own servers—and developers will still be able to initiate “in-line” installs from their website, assuming the add-on is also in the Chrome Web Store.
Only add-ons that were installed via such enterprise policies, or by developers from their websites or software, can avoid the automatic “hard disable” that Google mandated. “Hard disable” means that users will not be able to re-enable the extensions.
By forcing add-on developers to publish their work in the Store, Google moved another step closer to a “walled-garden” market, the kind popularized by Apple’s mobile app ecosystem. That allows Google to vet the extensions and yank those that turn out to be malicious or do something without user approval, like access other parts of the PC or mine personal information.
Because of the May 1 deadline for developers, the stable version of Chrome for Windows probably won’t throw the kill switch on non-Chrome Web Store extensions until version 35 at the earliest. Google just promoted Chrome 33 to the stable channel a week ago, and typically takes five to six weeks between each version number.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His email address is firstname.lastname@example.org.
Read more about internet in Computerworld’s Internet Topic Center.