Google puts the screws to sneaky Chrome add-on installs
The announcement was the latest in a long line of moves Google has made to tighten the screws on Chrome's extension ecosystem by restricting from where and how users can get add-ons for the popular browser.
"We're taking another step in our ongoing effort to protect Chrome users: disabling inline installation for extensions linked to deceptive sites and ads," wrote Andrew Kim and Ben Ackerman, of the browser's policy and anti-abuse team, on the Chromium blog. Google will switch off that installation technique on Sept. 3, Kim and Ackerman added.
Inline add-on installation has been supported by Google since Chrome 15 -- that version appeared in October 2011 -- and lets developers set their add-ons so that their customers can download and install extensions by clicking a link embedded in a website. Although the add-on must still be hosted on Google's Chrome Web Store, inline install is a convenience: Developers don't have to tell users to go to the store, but can snip some steps from the process.
But because some have abused that system -- putting extensions in the Chrome Web Store, even dodgy ones, but distributing them with what Google considers shady practices -- the Mountain View, Calif. company is clamping down.
"For these extensions, inline installation attempts will be redirected to the extension's product details page in the Chrome Web Store, allowing the user to make an informed decision about whether to install," said Kim and Ackerman.
The language used in the blog post seemed to say that only some add-ons' inline installations would be crippled, while others would still be able to use the method. "On September 3 we'll begin disabling inline installation for extensions that employ these deceptive tactics," the pair wrote [emphasis added].
That Google had to take this step, even though the add-ons were required to be submitted to the Store and approved by Google, speaks to the perfunctory evaluation the company gives to extensions and the devious distribution tactics used by makers of seemingly innocent add-ons that pass Google's quick muster.
This isn't the first time Google has moved against iffy extensions. It's been backing away from a laissez-faire add-on ecosystem for nearly three years, claiming that unauthorized and malicious extensions have been a leading complaint from users and a major cause of Chrome's problems. In May 2014, for example, it disabled most add-ons that weren't installed from its app store; a year later it closed the one remaining loophole.
Many of those decisions had implications not only for Chrome users -- Google was certainly correct in fingering malicious or shifty add-ons as security risks at worst, annoyances at best -- but also benefited Google and preserved its bottom line.
There were hints of the latter in today's blog post by Kim and Ackerman. "Unfortunately, this mechanism has been abused by deceptive sites and ads that trick users into installing unwanted extensions," they wrote [emphasis added].
Google has a vested interest in wanting to crush any kind of advertising it believes may irritate users, fearing that such will poison the well for everyone dealing online ads, including its own search engine, which generates the bulk of the firm's revenue.