Google today began blocking local Chrome extensions with the aim of protecting Windows users against the secret installation of unwanted extensions by malware.
Google had previously announced it would be making changes in order to make it more difficult for malware to install unwanted Chrome extensions without the user’s knowledge.
Many services bundle useful companion extensions that can be installed following a prompt, Google said, but some agents have designed extensions to bypass the prompt and silently install malicious extensions that override browser settings.
"From now on, to protect Windows users from this kind of attack, extensions can be installed only if they're hosted on the Chrome Web Store," said Google in a blog post. "With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store."
Google said it would continue to support local extension installs during development as well as installs via Enterprise policy. The company also said that Windows developer channel users, along with users on other operating systems, will be unaffected by the changes.
In December Google announced it had updated its Chrome Web Store policy, banning multi-purpose Chrome extensions. The company stipulated that extensions in the Chrome Web Store must have a single purpose that “is narrow and easy to understand”.
Google also revealed this week that the Chrome Web Store would no longer show Netscape Plugin API (NPAPI)-based apps and extensions on its home page, search results, and category pages.
The company first said late last year that it would begin to phase out all plugins, apps, and extensions that make use of NPAPI in order to improve Chrome’s security, speed, and stability, while also reducing the complexity of the code base.
Google said it was still in the process of helping NPAPI plugins that remain popular, such as Silverlight, Google Earth, Google Talk, and Java, migrate to open-web-based alternatives.