Google Starts Blocking Extensions Not In the Chrome Web Store 225
An anonymous reader writes "Google has begun blocking local Chrome extensions to protect Windows users. This means that as of today, extensions can be installed in Chrome for Windows only if they're hosted on the Chrome Web Store. Furthermore, Google says extensions that were previously installed 'may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store.' The company didn't specify what exactly qualifies the "may" clause, though we expect it may make exceptions for certain popular extensions for a limited time. Google is asking developers to reach out to it if they run into problems or if they 'think an extension was disabled incorrectly.'"
Java? (Score:2, Interesting)
Does this include Java?
Re: (Score:2)
Java isn't an extension.
Welcome to your new walled garden (Score:5, Insightful)
It's only going to get worse as more and more "platforms" get tied to some company curated web store.
No thanks!
Re:Welcome to your new walled garden (Score:5, Insightful)
It's only going to get worse as more and more "platforms" get tied to some company curated web store.
HA! Pretty soon they'll have your desktop acting just like a smart phone: no privacy what-so-ever with every app knowing when you take a shit to when your SO is ovulating.
No fucking thanks indeed!
Re:Welcome to your new walled garden (Score:5, Informative)
No fucking thanks indeed!
Or you could just not use Windows.
And if that's not an option, you could use the dev channel version of Chrome to sideload anything you want. Or use Chromium instead. You're not locked into the App store unless you want to be,
Look, you can spin it any way you want, but his is pretty obviously a step to protect non-technical Chrome users from malware. It's not aimed at people who have the know-how to manage their own plugins/apps.
Re: (Score:2, Interesting)
Look, you can spin it any way you want, but his is pretty obviously a step to protect non-technical Chrome users from malware. It's not aimed at people who have the know-how to manage their own plugins/apps.
Oh come on. This is obviously phase 2 of google's plan to consolidate its hold on the internet. Note that if the extensions are in the chrome store then all the data flows through google, which is all they want anyway.
Re:Welcome to your new walled garden (Score:5, Informative)
Complete nonsense. Extensions are just Javascript and a bit of metadata, and can post data anywhere they like. No need for it to "flow though google" at all.
Re: (Score:2)
Re: (Score:3)
My laptop died over the weekend and while browsing online for a replacement, one laptop was advertised as having "smart-phone like responsiveness." I quickly moved on to a different laptop.
Re: (Score:3)
Chromium is open source so if you don't like it, fork you own copy and get whatever useless toolbars that install without permission that you want.
Re: (Score:3, Insightful)
Chromium is open source so if you don't like it, fork you own copy and get whatever useless toolbars that install without permission that you want.
You let me know when Chromium gets bundled with Android cell phones or Chromebook laptops.
Re:Welcome to your new walled garden (Score:5, Insightful)
Chromium is open source so if you don't like it, fork you own copy and get whatever useless toolbars that install without permission that you want.
You let me know when Chromium gets bundled with Android cell phones or Chromebook laptops.
Nicely done... you slipped that word "bundled" in there, because obviously that's not going to happen; Google will provide the normal Chrome builds. Users that want to can install Chromium themselves, of course, and in fact Google even provides instructions on how to do it, as well as all of the source code.
And you also slyly ignored the fact that the just-announced news doesn't affect Android or Chromebook, only Windows. Maybe Chrome for Android will eventually get the same policy, but it's likely that the superior security architecture of ChromeOS will make it unnecessary on Chromebooks.
Re: (Score:2)
Chrome for Android doesn't have an app store, or even extensions for that matter.
Re: (Score:2)
Chrome for Android doesn't have an app store, or even extensions for that matter.
Yeah, that's why I said maybe it will get the same policy, when it gets extensions and an App Store.
Re: (Score:2)
Users that want to can install Chromium themselves, of course, and in fact Google even provides instructions on how to do it, as well as all of the source code.
There's a large gulf between "can," and "do." Of the millions of users, most do not.
This is why it's relevant that Google would never bundle Chromium with anything.
And you also slyly ignored the fact that the just-announced news doesn't affect Android or Chromebook, only Windows.
I didn't slyly ignore that at all.
I was rather explicit in prognosticating that "more and more "platforms"" will get fenced off.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Chrome/Chromium doesn't have extensions on Android so that platform is not applicable to this move.
Chromebook laptops can be unlocked and replaced with Chromium builds.
Re: (Score:3)
Chromium is open source so if you don't like it, fork you own copy and get whatever useless toolbars that install without permission that you want.
don't be a fuck twit. how will you side load extensions when there are no extensions to install? no sane programmer will make a new windows extension that doesn't go through the chrome store.
Re: (Score:2)
Chromium is open source so if you don't like it, fork you own copy and get whatever useless toolbars that install without permission that you want.
Darwin is open source too, so you can fork it and install whatever apps you want.
The fact is most people stick with the official release. Your platform is not "open" if your official release if third party extensions aren't allowed.
It's worth mentioning the (non-mobile) version of Safari does allow arbitrary third party extensions. There are some warnings to the user that it might be malware, but they don't block installation.
Re: (Score:2)
On both Firefox and Chrome, the efforts to require permission to install an extension can be bypassed if the installer has local access to manually tell the config files that it has been 'approved' even when it has not, and this is quite prevalent.
Of course it's not going to affect technical folk who avoid installation of spyware to begin with, but this is a sensible security step for the masses.
Re: Welcome to your new walled garden (Score:2)
Is that going to continue to work if they are disabling the installed extensions retroactively? If it's not part of the update process now, it could be down the road.
Re: (Score:2)
What secure, clean source? [arstechnica.com]
Re: (Score:2)
It might not be as big a defense, as you think
b) Bullshit toolbars and crapware that are installed by "sponsorware" crapware
Seems like a minor tweak to bundle in with the crapware: Chromium or an altered chrome binary and altered versions of all major browsers; change user's default browser to the 'crapware' one, and disable updates ---- or rather, make them auto-update from the crapware vendor with new crapware.
A Pox on Google! (Score:4, Interesting)
I refuse to use Google search, maps, cloud, G-mail or anything of theirs. I strongly object to entries in their terms of service and this is the only way that i can express my displeasure with them. Try to find an e-mail address that a live human will read at Google.
Re: A Pox on Google! (Score:5, Interesting)
You're not alone, but then again, neither are they. The new world order is to host your own store, and reap the rewards, control your clientele, and do so in the superficial PR mechanism of controlling bad stuff, where the actual motive is more like: profit and gleaning market trends.
Altruism is NOT Google's business model.
Re: (Score:3)
Oh, wait ...
Re: (Score:2)
Apple is the same if not considerably WORSE than Google in pretty much every aspect of end user privacy
I'm calling you out on this. For one, apple is BETTER than google in pretty much every aspect of end user privacy. It doesn't earn billions of dollars from tracking everything that people do and search for. Can you provide any examples to support your point?
Re: (Score:3)
more importantly, EFF is only considering privacy from govt interference. Apple also gives you privacy from their own snooping. Google, all they do is peer into your activities to track and profile. that is loss of privacy. Apple does not do this.
Dealbreaker (Score:4, Interesting)
The extension I used to correct their staunch adherence to the idiocy that is mapping backspace to the browser back button is unhosted, so... bye.
Re: (Score:2)
Data loss due to accidental navigation (Score:5, Insightful)
Re:Data loss due to accidental navigation (Score:5, Insightful)
Use Firefox. They have the same idiocy (mapping back to backspace - which I can't stand either) but at least you can turn it off. Almost nothing in Chrome is customizable. Why it has such a large following is beyong me.
Re: (Score:2)
Except that in Firefox, when your focus is a text box the backspace key will not attempt to take you to a previous page. I am also extremely skeptical that Chrome does this.
In turn due to accidental focus loss (Score:2)
Re: (Score:3)
Re: (Score:2)
I know exactly why I originally switched: I was not yet educated on the sheer depth of Google/Chrome's hostility towards your privacy, it had a huge selling point: silent, background updates where I don't even know they're happening (I like it that way).
This was at that time shortly after Firefox went to that crazy new release schedule and whizzed along from version 4 to version 26 in what felt like about 20 minutes. It was during this time that Firefox was driving me ABSOLUTELY NUTS popping up every few we
Re: (Score:2)
Use the left arrow key to move the cursor left one unit, then press DEL, instead of backspace.
[*]I am not a big fan of backspace being abused as a navigational command, either. It is not the intended use of the key, and sometimes causes accidental loss of partially drafted text.
Re:Data loss due to accidental navigation (Score:4, Informative)
I just did a test in Firefox with this very post. I typed up to this point, clicked backspace outside the text pane to go back a page, then clicked forward. Whatdayaknow... the text was retained. Maybe that's the reason I never investigated about changing the behavior - because it's far more useful than it is annoying (and the annoyance is temporary because the text buffer won't disappear).
Re: (Score:2)
This is one of many reasons why I like Safari -you have to jump into the command line settings to *enable* backspace-to-go-back.
It's definitely the best browser available, in terms of getting little things like this right.
Re: (Score:2)
Since back is the most commonly used button, it makes sense to have an easily accessible button on the keyboard.
Dealbreaker (Score:3)
Not that I want you stay on Chrome for any particular reason (I've gravitated to mostly using firefox myself, for other reasons) but I do use this web-store hosted extension - backstop [google.com] - for blocking 'backspace sometimes blows away your entire comment instead of deleting one character' idiocy.
Re: (Score:2)
Actually you can still install unhosted extensions in the usual way, i.e. enable developer options. It's only packaged extensions hosted on web sites that are affected.
Re: (Score:2)
You didn't literally press Backspace 100 times in a row. As if it would have taken more than three presses before it was obvious it wouldn't do anything.
In Linux the backspace key in Firefox is by default set to do nothing. In Windows it goes back a page. I don't know why the defaults are difference, but whenever I try Linux out (before inevitability going back to Windows), I always dip into about:config and change the backspace behavior in Firefox to make backspace go back just like it does in Windows. Kee
yeah whatever (Score:5, Interesting)
The claim of protection is just the public plausible deniability excuse.. The real reason is to force people to use their stupid 'app store.'
Re:yeah whatever (Score:5, Insightful)
Also to get rid of troublesome extensions like Adblock Plus. I seem to recall Google kicking Adblock Plus from the Google Play store [eff.org], which while not the same thing as the Chrome Web Store, does seem a bit worrying.
Granted the reasoning used in that case (it "interfered with the operation of other apps") likely wouldn't apply to Chrome but it's the primary reason I want to be able to install extensions from non-Google "blessed" sources: I don't trust Google not to be evil.
Re: (Score:2)
Also to get rid of troublesome extensions like Adblock Plus.
Oh, really [google.com]? It's also worth pointing out that AdBlock Plus by default doesn't block Google ads.
Re: (Score:2, Informative)
Really? It seems to be blocking google served ads just fine on chromium for me.
Re: (Score:2)
Re: (Score:2)
Long as it's optional, that's fine in my book. Really adblockers could probably make better inroads if they could allow optional blocking by default for advertisers that people wanted. This of course would let people support websites they want, and block the crap that could give them malware.
Re: (Score:2)
This is what whitelists are for. Almost all websites I regularly browse are on the whitelist. The few exceptions are those that have annoying adds, I regularly unblock them, just to see, no they are still have annoying ads.
Re:yeah whatever (Score:5, Informative)
The reason AdBlock Plus for Android was removed from Play was that it sets up a transparent proxy on your phone. Since the Android version of Chrome doesn't support extensions that is the only way it can operate. The problem is that all network traffic flows though the proxy, even stuff from other apps. If other apps use HTTP to get data it goes through the AdBlock filter. This broke some legitimate non-advertising functionality and also tended to cause issues accessing normal web pages when the mobile connection was a bit intermittent.
It was fine if you were willing to put up with all that, but created a bad user experience for most people and got a lot of complaints. You can still install it just by downloading the .apk from the AdBlock Plus web site of course.
Similarly with Chrome, you can still install extensions locally, just not from random web sites any more.
Comment removed (Score:5, Informative)
Re: (Score:2)
I was wondering how, as a developer, one could load their own extension into a Windows Chrome build when I read the summary.
I assumed some developer mode within normal Chrome would allow non-store extensions to be added. Interesting if you need an entirely separate install to test your own extensions on Windows.
Re: (Score:2)
I do agree that malicious extensions could be a problem when allowed via sideloading. However, simply add an option to turn off the blocking from the client. Those that want to sideload can and, by default, others will be blocked. Seems like a logical way of handling this.
I do also like the suggestion of providing a "trusted list" that allows for alternative "App Stores". These options could make these actions more palatable.
Re: (Score:2)
That's precisely what does exist. People who want sideloading use the developer version of the browser.
Re: (Score:2)
Excellent post. Well done.
Problem with antivirus (Score:3)
Kaspersky AV installs it's extensions in Chrome, and frankly I a) don't want to depend on the Chrome Store for them since I can only trust them if they come directly from Kaspersky and b) don't want them disabled since I installed Kaspersky specifically for this purpose. I can see refusing to enable local extensions until the user confirms they ought to be there, but Chrome isn't the only source of browser components on my computer.
Re: (Score:2)
I hit this with KIS and Kaspersky never even responded to the ticket I opened. I'm sure they're scratching their heads about it now but anyway back to Firefox for now.
Re: (Score:2)
Re: (Score:2)
Kaspersky AV installs it's extensions in Chrome, and frankly I a) don't want to depend on the Chrome Store for them since I can only trust them if they come directly from Kaspersky
That's nice. But it's what Google trusts that matters. Google only trusts the Kaspersky plugin of highly questionable value that may actually be exposing you to multiple additional severe security risks without offering much additional protection -- enough to be enabled in Chrome now, if the app came directly from the app s
Re: (Score:2)
Kaspersky will be fine. This only affects extensions, which are Javascript based and heavily sandboxed. Anti-virus software uses plug-ins, which are executable code and much more powerful. They are commonly used to support Flash, Silverlight, Java and displaying PDFs.
Old (Score:5, Informative)
Re: (Score:3)
True, old news but no, unless it comes from their blessed store or points to their blessed store you can't http://www.chromium.org/develo... [chromium.org]
"You can still load unpacked extensions" (Score:4, Informative)
Good! (Score:2, Interesting)
I help fix computers for friends and family and the amount of incredible crapware that gets installed into browsers "by itself" is staggering. NONE of that is ever wanted.
Firefox had this problem first, and I'd say it was the only reason why most of them moved to Chrome.
Now Chrome is just as bad.
It is good for everyone I know, including me.
Userscripts? (Score:2)
Okay, how do I get userscripts working? I used to be able to just click on a link, then the restricted that, so I had to download them and drag them into the extensions window, but now even that isn't possible, it seems. What's the recommended method for getting them to work? Honest question.
Re: (Score:2)
Try TamperMonkey [tampermonkey.net]. A little more bloated than native Userscript handling, but it does work.
This is not new news. (Score:5, Interesting)
For those of us on the Dev channel for Chrome hit this in February. [google.com] It's definitely a fucked up decision by the Chrome team and has led to a lot of folks ripping out Chrome in favor of something else. The claim made by the devs is that it's safer if the extensions come out of their web store and would eliminate malicious activity from extensions. They obviously didn't want to fix the browser [chromium.org] to alert the user when malicious extensions are installed or provide a sysadmin set of functions necessary to install necessary, safe extensions. Of course we all know it's another fucking walled garden take-over by Google. I've already recommended to clients that they don't use Chrome and have removed it from a little over 4000 systems thus far. Personally Google is fucking the user community on this one, so fuck Google.
Re: (Score:2)
You could just switch on developer mode and your unpacked local extensions will continue to work.
Re:This is not new news. (Score:4, Insightful)
this time.
its not the step that's the problem; its the journey.
you google fans; you really can't see where the end journey is headed? no one knows where it will end, but you can, at least, see the *direction* its going, yeah? how can that not bother you?
Re: (Score:2)
As for me, I have spent countless hours lately cleaning up machines with search protect, conduit, ask, and all the other shitware that loads itself up when some unsuspecting user installs some free program from CNET and gets all their tag-along goodies. I recently cleaned up a brand new Windows 8 laptop that was only 1 week
Re: (Score:3)
So... explain how a developer is supposed to develop extensions to put in to the web store if they can't load their own in developer mode?
It will always work that way.
Re: (Score:2)
That's easy enough to do. Just require that in order to enable the "incredibly risky" developer mode, you must be registered as a developer with Google, and flipping the button requires google+ integration. After all, we need to look after chrome users and this means cracking down on dodgy app development, I'm sure you're not one of those developers but e just need to check for the greater good, OK?
That sort of depends on how you define PC (Score:2)
its funny that intelligent people would even THINK to try a google product that is a binary, running on their pc.
That depends on whether you consider a phone or tablet running Android OS to be a personal computer. True, the vast majority of devices are not "Lenovo compatible PCs" because they have non-x86 CPUs. But they are still personal computers in a sense.
Re: (Score:2)
Dev Version (Score:2)
Time to get the dev version. They've already had the annoying habit of nagging me everytime I started the browser to "Disable developer mode extensions" and now they pull this crap.
Developer Mode still can install (Score:5, Informative)
The article clearly states that you can still do this with developer mode. To me this is non story. They trying to stop the malware stuff for 90% of users.
The rest of us can still do what we want. Or anyone else that can manage to click a single check mark.
Re: (Score:3)
They trying to stop the malware stuff for 90% of users.
There are plenty of actual solutions for that.
a) Block the extensions that don't come through the app store, but let the user enable them one by one -- without scary 'developer mode' (and opening up the floodgates)
b) Reputation systems -- allow 'reputable' extensions; revert to a) above for the rest. Google and the AV vendors don't want to get their hands dirty classifying useless shit nobody wants as the useless shit nobody wants, fine let the 'communi
Re: (Score:2)
A user who is too scared to be in developer mode is acknowledging they don't have sufficient knowledge to judge extensions. Therefore they are doing a perfectly rational thing and asking Google to exercise informed judgement on their behalf.
Re: (Score:2)
Block the extensions that don't come through the app store, but let the user enable them one by one -- without scary 'developer mode' (and opening up the floodgates)
Presumably you would keep the scary 'do you trust this extension and are you sure you want to install it?' message though. So no better than ticking a single check box then. Also, developer mode doesn't "open the floodgates", you have to manually download, unzip and drag the extension into the extensions tab.
How-to (Score:5, Informative)
From the Chrome Developer page [chrome.com]:
1. Unzip the .crx file
2. Go to chrome://extensions
3. Tick on Developer Mode
4. Click Load Unpacked Extension...
5. Select and install.
Reminds me of the "Outlook Email Security Update" (Score:2)
Remember the "Outlook Email Security Update" from mid-2000 with the pop-ups asking to approve programs sending mail or gathering data from your address book and why it was so difficult to disable?
What does it take to publish in Chrome Web Store? (Score:2)
Aside from following rules like no spam and no child pornography, if your extension is free they charge you a $5 developer regisstration fee.
So it seems to me to distribute by the Chrome eb Store is not that big an inconvenience,
Re: (Score:2)
They can block extensions they don't like for instance youtube ripper or ad blocker.
Re: (Score:2)
Developers? (Score:2)
So how do I develop extensions?
Also, how do I run the custom extensions that are used in our company and should not be publically available?
How about extensions that are installed with some hardware, like the one that makes Dymo labelwriters accessible from JavaScript?
Re: (Score:2)
you get the developer version. or chromium.
but anyhow, this is along the biz reasoning why they started chrome originally. when they started, the most popular browsers were looking like they were going to ship with adblocker extensions by default... and boom google comes up with funding for a browser of their own.
Re: (Score:3)
So how do I develop extensions?
Like you always did. Developer mode did not change this time around.
Also, how do I run the custom extensions that are used in our company and should not be publically available?
Enterprise install policy is unchanged. If you can use it, you can use extensions from any source. Even NPAPI extensions, which are now banned from Store.
How about extensions that are installed with some hardware, like the one that makes Dymo labelwriters accessible from JavaScript?
It's probably not an extension, but a plugin. That's a bit different, but they will also be going away end of this year.
And nothing of value is lost. (Score:2)
I yet have to see many convincing cases of extensions for browsers (for everyday applications). I am unisg firefox, and the extensions i use are scrapbook, nojs, foxyproxy.
Re:Fork or patch? (Score:4, Informative)
They say developers will still be able to install locally. My guess is that if you enable developer mode (checkbox in the extensions page) you can still use local extensions like always.
Re: (Score:2)
You can use unpackaged extensions (that cannot auto-update) like alw.. Sorry, with a nagging prompt every time you launch Chrome.
Re: (Score:2)
Yep. Firefox is far superior to Chrome. You can customize almost anything in Firefox and nothing in Chrome.
Re: (Score:3)
For the time being, but Mozilla keeps making Firefox worse and worse. If that trend continues even a little while longer, then FF won't be a viable alternative anymore.
Re: (Score:2)
Because the plan totally isn't to do something pretty similar [google.com] in Firefox.
Re: (Score:3)
Ugh. I'm one of those developers who would be affected, as I have custom FF extensions deployed for a mid-size client. We don't use the "Enterprise" FF though. I suppose we might have to switch, and deploy FF updates differently, just to keep the ability to run extensions (that have no business being uploaded to anyone's store, as they're entirely site-specific.)
Re: (Score:2)
I simply trust Mozilla to do the right thing
One word: Australis
(Don't mind me, Seamonkey [seamonkey-project.org] user just passing through...)
Re: (Score:2)
Re: (Score:3, Informative)
There is no problem. Chrome is for the clueless and they should be shielded from external extensions. The tech savvy all use Chromium, which has no such restriction.
Butt Strife and Fox McButt (Score:2)