Google has quietly changed the way its Chrome browser adds extensions, blocking automatic installs of all but those downloaded through the company's Chrome Web Store.
The motivation for the modification is security. Previously, extensions could be installed by any website without user intervention, an obvious boon for attackers.
“In the latest version of Google Chrome, you must explicitly tell Chrome that you want to install these extensions by adding them through the Extensions page,” Google said, a way of forcing users to pay attention to non-approved software.
“Online hackers may create websites that automatically trigger the installation of malicious extensions. Their extensions are often designed to secretly track the information you enter on the web, which the hackers can then reuse for other ill-intended purposes.”
Anyone who tries to add an extension outside the Web Store will receive the message, "Extensions, apps, and user scripts can only be added from the Chrome Web Store. Learn more."
In pointing users towards its Store, Google will focus on filtering software added there for suspect code.
Individuals or companies hosting legitimate extensions on their own websites will need to add these to the Store or use inline installation (where apps appear to be hosted on a site but are actually on Google's Store).
Google appears to have taken the decision after some humming and hawing to adopt a more locked-down model for apps, both browser-based and mobile. Not before time; abuse of the company's environment was growing.