As a follow-up to our blog post on continuing to protect Chrome users from malicious extensions, we’re enforcing the following changes starting in May 2015 for all Windows channels and starting in July 2015 for all Mac channels:
For extensions that are currently hosted outside the Chrome Web Store, what should be done and by when?If your extensions are currently hosted outside the Chrome Web Store you should migrate them to the Chrome Web Store as soon as possible. The above changes will very soon become effective for all channels on Windows and will become effective for all Mac channels in July 2015. Once you migrate your extensions to the Chrome Web Store, there will be no impact to your users, who will still be able to use your extension as if nothing changed. And if you have a dedicated installation flow from your own website, you can make use of the existing inline installs feature.
What will happen if I migrate the extension to the Chrome Web Store sometime in the future? Will I lose all my users?
Users will have their off-store extensions hard-disabled once the enforcement rolls out. However, if the extension is migrated to the Chrome Web Store after the rollout, users will be able to manually enable the migrated extension from extensions settings page (chrome://extensions) or from the Chrome Web Store listing.
What if I want to restrict access to certain users or prevent my extension from being listed on the Chrome Web Store?You can restrict access to your extension by limiting its visibility to Trusted Tester or by unlisting the extension from the Chrome Web Store.
As of May 2015, these changes are effective for all Windows channels starting with Chrome 33 and for all Mac channels starting with Chrome 44 (around end of July 2014).
No. You can still load unpacked extensions in developer mode on Windows and Mac.
Why couldn't this problem be solved by having a setting/option to load extensions that are not hosted in the Chrome Web Store?Unlike modern mobile operating systems, Windows and Mac do not sandbox applications. Hence we wouldn’t be able to differentiate between a user opting in to this setting and a malicious downloaded program overriding the user’s desired setting.
Apart from users installing extensions from the Chrome Web Store, the following deployment options will be supported:
Are there any other considerations to be aware of for extensions that depend on a native application binary?Previously when off-store extensions were supported, it was possible to have the third party application binaries and the sideloaded extension be updated in lockstep. However, extensions hosted on the Chrome Web Store are updated via the Chrome update mechanism which developers do not control. Extension developers should be careful about updating extensions that have a dependency on the native application binary (for example, extensions using native messaging or legacy extensions using NPAPI).
They will get a notification that says: “Unsupported extensions disabled” with a link to the following support article.
Why do I see a bubble about “Disable developer mode extensions” when loading an unpacked extension in Windows stable/beta channels?We do not want the developer mode to be used as an attack vector for spreading malicious extensions. Hence we’re informing users about developer mode extensions on all Windows and Mac channels and giving them an option to disable these extensions.
For Developers >