Google Starts Blocking Extensions Not In the Chrome Web Store

Posted by Soulskill
from the protecting-you-from-yourself dept.
An anonymous reader writes "Google has begun blocking local Chrome extensions to protect Windows users. This means that as of today, extensions can be installed in Chrome for Windows only if they're hosted on the Chrome Web Store. Furthermore, Google says extensions that were previously installed 'may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store.' The company didn't specify what exactly qualifies the "may" clause, though we expect it may make exceptions for certain popular extensions for a limited time. Google is asking developers to reach out to it if they run into problems or if they 'think an extension was disabled incorrectly.'"

  • Java? (Score:2, Interesting)

    by Anonymous Coward

    Does this include Java?

  • by TubeSteak (669689) on Tuesday May 27, 2014 @09:06PM (#47104373) Journal

    It's only going to get worse as more and more "platforms" get tied to some company curated web store.
    No thanks!

    • by pitchpipe (708843) on Tuesday May 27, 2014 @09:23PM (#47104467)

      It's only going to get worse as more and more "platforms" get tied to some company curated web store.

      HA! Pretty soon they'll have your desktop acting just like a smart phone: no privacy what-so-ever with every app knowing when you take a shit to when your SO is ovulating.

      No fucking thanks indeed!

      • by ozmanjusri (601766) <aussie_bobNO@SPAMhotmail.com> on Tuesday May 27, 2014 @10:55PM (#47104941) Journal

        No fucking thanks indeed!

        Or you could just not use Windows.

        And if that's not an option, you could use the dev channel version of Chrome to sideload anything you want. Or use Chromium instead. You're not locked into the App store unless you want to be.

        Look, you can spin it any way you want, but this is pretty obviously a step to protect non-technical Chrome users from malware. It's not aimed at people who have the know-how to manage their own plugins/apps.

      • by cdrudge (68377)

        Pretty soon they'll have your desktop acting just like a smart phone

        My laptop died over the weekend and while browsing online for a replacement, one laptop was advertised as having "smart-phone like responsiveness." I quickly moved on to a different laptop.

    • Chromium is open source so if you don't like it, fork your own copy and get whatever useless toolbars that install without permission that you want.

      • Re: (Score:3, Insightful)

        by TubeSteak (669689)

        Chromium is open source so if you don't like it, fork your own copy and get whatever useless toolbars that install without permission that you want.

        You let me know when Chromium gets bundled with Android cell phones or Chromebook laptops.

        • by swillden (191260) <shawn-ds@willden.org> on Tuesday May 27, 2014 @10:11PM (#47104785) Homepage Journal

          Chromium is open source so if you don't like it, fork your own copy and get whatever useless toolbars that install without permission that you want.

          You let me know when Chromium gets bundled with Android cell phones or Chromebook laptops.

          Nicely done... you slipped that word "bundled" in there, because obviously that's not going to happen; Google will provide the normal Chrome builds. Users that want to can install Chromium themselves, of course, and in fact Google even provides instructions on how to do it, as well as all of the source code.

          And you also slyly ignored the fact that the just-announced news doesn't affect Android or Chromebook, only Windows. Maybe Chrome for Android will eventually get the same policy, but it's likely that the superior security architecture of ChromeOS will make it unnecessary on Chromebooks.

          • Chrome for Android doesn't have an app store, or even extensions for that matter.

            • by swillden (191260)

              Chrome for Android doesn't have an app store, or even extensions for that matter.

              Yeah, that's why I said maybe it will get the same policy, when it gets extensions and an App Store.

          • by TubeSteak (669689)

            Users that want to can install Chromium themselves, of course, and in fact Google even provides instructions on how to do it, as well as all of the source code.

            There's a large gulf between "can," and "do." Of the millions of users, most do not.
            This is why it's relevant that Google would never bundle Chromium with anything.

            And you also slyly ignored the fact that the just-announced news doesn't affect Android or Chromebook, only Windows.

            I didn't slyly ignore that at all.
            I was rather explicit in prognosticating that "more and more "platforms"" will get fenced off.

        • Chrome/Chromium doesn't have extensions on Android so that platform is not applicable to this move.
          Chromebook laptops can be unlocked and replaced with Chromium builds.

      • Chromium is open source so if you don't like it, fork your own copy and get whatever useless toolbars that install without permission that you want.

        don't be a fuck twit. how will you side load extensions when there are no extensions to install? no sane programmer will make a new windows extension that doesn't go through the chrome store.

      • Chromium is open source so if you don't like it, fork your own copy and get whatever useless toolbars that install without permission that you want.

        Darwin is open source too, so you can fork it and install whatever apps you want.

        The fact is most people stick with the official release. Your platform is not "open" if, in your official release, third party extensions aren't allowed.

        It's worth mentioning the (non-mobile) version of Safari does allow arbitrary third party extensions. There are some warnings to the user that it might be malware, but they don't block installation.

  • A Pox on Google! (Score:4, Interesting)

    by Anonymous Coward on Tuesday May 27, 2014 @09:13PM (#47104399)

    I refuse to use Google search, maps, cloud, G-mail or anything of theirs. I strongly object to entries in their terms of service and this is the only way that I can express my displeasure with them. Try to find an e-mail address that a live human will read at Google.

    • Re: A Pox on Google! (Score:5, Interesting)

      by postbigbang (761081) on Tuesday May 27, 2014 @09:50PM (#47104659)

      You're not alone, but then again, neither are they. The new world order is to host your own store, and reap the rewards, control your clientele, and do so in the superficial PR mechanism of controlling bad stuff, where the actual motive is more like: profit and gleaning market trends.

      Altruism is NOT Google's business model.

    • Who in their right mind would use Google when there is Bing?

      Oh, wait ...

  • Dealbreaker (Score:4, Interesting)

    by Anonymous Coward on Tuesday May 27, 2014 @09:13PM (#47104401)

    The extension I used to correct their staunch adherence to the idiocy that is mapping backspace to the browser back button is unhosted, so... bye.

    • by Ksevio (865461)
      That's a pretty standard mapping. Makes sense - BACK/BACKspace
      • So how do I unambiguously indicate to a web browser that I want to delete only one character from a text area, not have the entire message be destroyed because I accidentally navigated away from the page?
        • by scottbomb (1290580) on Tuesday May 27, 2014 @10:15PM (#47104809) Journal

          Use Firefox. They have the same idiocy (mapping back to backspace - which I can't stand either) but at least you can turn it off. Almost nothing in Chrome is customizable. Why it has such a large following is beyond me.

          • by Microlith (54737)

            Except that in Firefox, when your focus is a text box the backspace key will not attempt to take you to a previous page. I am also extremely skeptical that Chrome does this.

            • So how do I unambiguously indicate to a web browser that I want the backspace key's focus to remain in a text area? I often accidentally bump my laptop's trackpad with my palm. Or a script may execute on the page that focuses another element. Or I may reach for the letter q or the number 1 and press Tab instead.
          • by Cloud K (125581)

            I know exactly why I originally switched: I was not yet educated on the sheer depth of Google/Chrome's hostility towards your privacy, it had a huge selling point: silent, background updates where I don't even know they're happening (I like it that way).

            This was at that time shortly after Firefox went to that crazy new release schedule and whizzed along from version 4 to version 26 in what felt like about 20 minutes. It was during this time that Firefox was driving me ABSOLUTELY NUTS popping up every few we

        • by mysidia (191772)

          Use the left arrow key to move the cursor left one unit, then press DEL, instead of backspace.

          [*]I am not a big fan of backspace being abused as a navigational command, either. It is not the intended use of the key, and sometimes causes accidental loss of partially drafted text.

        • by Xolvix (3649657) on Wednesday May 28, 2014 @01:54AM (#47105671)

          I just did a test in Firefox with this very post. I typed up to this point, clicked backspace outside the text pane to go back a page, then clicked forward. Whatdayaknow... the text was retained. Maybe that's the reason I never investigated about changing the behavior - because it's far more useful than it is annoying (and the annoyance is temporary because the text buffer won't disappear).

        • This is one of many reasons why I like Safari - you have to jump into the command line settings to *enable* backspace-to-go-back.

          It's definitely the best browser available, in terms of getting little things like this right.

        • by Ksevio (865461)
          If you're in a text area then the browser acts like a text editor and removes a character. Firefox and Opera at least will retain the message if you click backspace outside the text area and go forward again.

          Since back is the most commonly used button, it makes sense to have an easily accessible button on the keyboard.
    • Not that I want you to stay on Chrome for any particular reason (I've gravitated to mostly using Firefox myself, for other reasons) but I do use this web-store hosted extension - backstop [google.com] - for blocking 'backspace sometimes blows away your entire comment instead of deleting one character' idiocy.

    • by AmiMoJo (196126) *

      Actually you can still install unhosted extensions in the usual way, i.e. enable developer options. It's only packaged extensions hosted on web sites that are affected.

  • yeah whatever (Score:5, Interesting)

    by epyT-R (613989) on Tuesday May 27, 2014 @09:16PM (#47104411)

    The claim of protection is just the public plausible deniability excuse.. The real reason is to force people to use their stupid 'app store.'

    • Re:yeah whatever (Score:5, Insightful)

      by _xeno_ (155264) on Tuesday May 27, 2014 @09:52PM (#47104671) Homepage Journal

      Also to get rid of troublesome extensions like Adblock Plus. I seem to recall Google kicking Adblock Plus from the Google Play store [eff.org], which while not the same thing as the Chrome Web Store, does seem a bit worrying.

      Granted the reasoning used in that case (it "interfered with the operation of other apps") likely wouldn't apply to Chrome but it's the primary reason I want to be able to install extensions from non-Google "blessed" sources: I don't trust Google not to be evil.

      • by swillden (191260)

        Also to get rid of troublesome extensions like Adblock Plus.

        Oh, really [google.com]? It's also worth pointing out that AdBlock Plus by default doesn't block Google ads.

        • Re: (Score:2, Informative)

          by Mashiki (184564)

          Really? It seems to be blocking google served ads just fine on chromium for me.

          • by swillden (191260)
            My mistake. It used to be that AdBlock Plus defaulted to not blocking Google text ads. It looks like the default is to block, now, though it is still optional.
            • by Mashiki (184564)

              Long as it's optional, that's fine in my book. Really adblockers could probably make better inroads if they could allow optional blocking by default for advertisers that people wanted. This of course would let people support websites they want, and block the crap that could give them malware.

              • by rioki (1328185)

                This is what whitelists are for. Almost all websites I regularly browse are on the whitelist. The few exceptions are those that have annoying ads. I regularly unblock them, just to see; no, they still have annoying ads.

      • Re:yeah whatever (Score:5, Informative)

        by AmiMoJo (196126) * <{ten.3dlrow} {ta} {ojom}> on Wednesday May 28, 2014 @07:07AM (#47106945) Homepage

        The reason AdBlock Plus for Android was removed from Play was that it sets up a transparent proxy on your phone. Since the Android version of Chrome doesn't support extensions that is the only way it can operate. The problem is that all network traffic flows through the proxy, even stuff from other apps. If other apps use HTTP to get data it goes through the AdBlock filter. This broke some legitimate non-advertising functionality and also tended to cause issues accessing normal web pages when the mobile connection was a bit intermittent.

        It was fine if you were willing to put up with all that, but created a bad user experience for most people and got a lot of complaints. You can still install it just by downloading the .apk from the AdBlock Plus web site of course.

        Similarly with Chrome, you can still install extensions locally, just not from random web sites any more.

    • Re:yeah whatever (Score:5, Informative)

      by verylargeprime (3668387) on Tuesday May 27, 2014 @11:26PM (#47105077)
      Nope. You're wrong.

      Browser hijacking is a major problem within Chrome and other browsers, and side-loaded extensions are by far the most common vector for hijacking. Firefox and IE have the same problem. Short of making extension APIs totally useless for developers, this is the best approach anyone's come up with. Third-party anti-malware vendors are unreliable in this regard because it's very difficult (with good and often sufficiently gnarly legal reasons) to get them to classify any given extension as clearly being malware. This gives Google a necessary choke-point through which to filter unsavory extensions.

      While you seem to believe this desire for control is driven by a nefarious, greedy plan to herd all the sheeple into a walled garden [diabolical laughter] with "plausible deniability," it's actually driven by a desire to not have users fucking hate Chrome because some dipshit is making millions of dollars injecting toolbars into browsers and sucking up volumes of sensitive and often personally identifiable information with no (or ill-begotten) user consent.

      Though I don't see it mentioned in either of the links, it should be noted that this constraint only affects Windows stable (and I believe beta) channels. If you want to run Windows Chrome and you know you can handle yourself without being hijacked, just run dev channel. It's usually pretty stable.

      Source: I'm a full-time Chrome developer at Google.
      • by nullchar (446050)

        I was wondering how, as a developer, one could load their own extension into a Windows Chrome build when I read the summary.

        I assumed some developer mode within normal Chrome would allow non-store extensions to be added. Interesting if you need an entirely separate install to test your own extensions on Windows.

      • I do agree that malicious extensions could be a problem when allowed via sideloading. However, simply add an option to turn off the blocking from the client. Those that want to sideload can and, by default, others will be blocked. Seems like a logical way of handling this.

        I do also like the suggestion of providing a "trusted list" that allows for alternative "App Stores". These options could make these actions more palatable.

        • by jbolden (176878)

          That's precisely what does exist. People who want sideloading use the developer version of the browser.

      • by jbolden (176878)

        Excellent post. Well done.

  • by Todd Knarr (15451) on Tuesday May 27, 2014 @09:16PM (#47104417) Homepage

    Kaspersky AV installs its extensions in Chrome, and frankly I a) don't want to depend on the Chrome Store for them since I can only trust them if they come directly from Kaspersky and b) don't want them disabled since I installed Kaspersky specifically for this purpose. I can see refusing to enable local extensions until the user confirms they ought to be there, but Chrome isn't the only source of browser components on my computer.

    • by Virtucon (127420)

      I hit this with KIS and Kaspersky never even responded to the ticket I opened. I'm sure they're scratching their heads about it now but anyway back to Firefox for now.

    • If Chrome asked for user consent, malware vendors would just fake user consent.
    • by mysidia (191772)

      Kaspersky AV installs its extensions in Chrome, and frankly I a) don't want to depend on the Chrome Store for them since I can only trust them if they come directly from Kaspersky

      That's nice. But it's what Google trusts that matters. Google only trusts the Kaspersky plugin of highly questionable value that may actually be exposing you to multiple additional severe security risks without offering much additional protection -- enough to be enabled in Chrome now, if the app came directly from the app s

    • by AmiMoJo (196126) *

      Kaspersky will be fine. This only affects extensions, which are Javascript based and heavily sandboxed. Anti-virus software uses plug-ins, which are executable code and much more powerful. They are commonly used to support Flash, Silverlight, Java and displaying PDFs.

  • Old (Score:5, Informative)

    by tepples (727027) <<tepples> <at> <gmail.com>> on Tuesday May 27, 2014 @09:21PM (#47104455) Homepage Journal
    This was announced six months ago [slashdot.org]. Unpacked extensions will still run.
  • Good! (Score:2, Interesting)

    by Anonymous Coward

    I help fix computers for friends and family and the amount of incredible crapware that gets installed into browsers "by itself" is staggering. NONE of that is ever wanted.
    Firefox had this problem first, and I'd say it was the only reason why most of them moved to Chrome.
    Now Chrome is just as bad.

    It is good for everyone I know, including me.

  • Okay, how do I get userscripts working? I used to be able to just click on a link, then they restricted that, so I had to download them and drag them into the extensions window, but now even that isn't possible, it seems. What's the recommended method for getting them to work? Honest question.

  • by Virtucon (127420) on Tuesday May 27, 2014 @09:50PM (#47104653)

    Those of us on the Dev channel for Chrome hit this in February. [google.com] It's definitely a fucked up decision by the Chrome team and has led to a lot of folks ripping out Chrome in favor of something else. The claim made by the devs is that it's safer if the extensions come out of their web store and would eliminate malicious activity from extensions. They obviously didn't want to fix the browser [chromium.org] to alert the user when malicious extensions are installed or provide a sysadmin set of functions necessary to install necessary, safe extensions. Of course we all know it's another fucking walled garden take-over by Google. I've already recommended to clients that they don't use Chrome and have removed it from a little over 4000 systems thus far. Personally Google is fucking the user community on this one, so fuck Google.

    • You could just switch on developer mode and your unpacked local extensions will continue to work.

      • by TheGratefulNet (143330) on Wednesday May 28, 2014 @12:15AM (#47105277)

        this time.

        it's not the step that's the problem; it's the journey.

        you google fans; you really can't see where the end journey is headed? no one knows where it will end, but you can, at least, see the *direction* it's going, yeah? how can that not bother you?

        • by fuzznutz (789413)
          Paranoid much? It's a browser. There are lots of browsers to choose from. If the destination of your "journey" is somewhere you don't like, pick another browser. I'll do the same.

          As for me, I have spent countless hours lately cleaning up machines with search protect, conduit, ask, and all the other shitware that loads itself up when some unsuspecting user installs some free program from CNET and gets all their tag-along goodies. I recently cleaned up a brand new Windows 8 laptop that was only 1 week
        • So... explain how a developer is supposed to develop extensions to put in to the web store if they can't load their own in developer mode?

          It will always work that way.

          • by MrNemesis (587188)

            That's easy enough to do. Just require that in order to enable the "incredibly risky" developer mode, you must be registered as a developer with Google, and flipping the button requires google+ integration. After all, we need to look after chrome users and this means cracking down on dodgy app development, I'm sure you're not one of those developers but we just need to check for the greater good, OK?

  • Time to get the dev version. They've already had the annoying habit of nagging me every time I started the browser to "Disable developer mode extensions" and now they pull this crap.

  • by Formorian (1111751) on Tuesday May 27, 2014 @09:55PM (#47104693)

    The article clearly states that you can still do this with developer mode. To me this is a non-story. They're trying to stop the malware stuff for 90% of users.

    The rest of us can still do what we want. Or anyone else that can manage to click a single check mark.

    • by vux984 (928602)

      They're trying to stop the malware stuff for 90% of users.

      There are plenty of actual solutions for that.

      a) Block the extensions that don't come through the app store, but let the user enable them one by one -- without scary 'developer mode' (and opening up the floodgates)

      b) Reputation systems -- allow 'reputable' extensions; revert to a) above for the rest. Google and the AV vendors don't want to get their hands dirty classifying useless shit nobody wants as the useless shit nobody wants, fine let the 'communi

      • by jbolden (176878)

        A user who is too scared to be in developer mode is acknowledging they don't have sufficient knowledge to judge extensions. Therefore they are doing a perfectly rational thing and asking Google to exercise informed judgement on their behalf.

      • by AmiMoJo (196126) *

        Block the extensions that don't come through the app store, but let the user enable them one by one -- without scary 'developer mode' (and opening up the floodgates)

        Presumably you would keep the scary 'do you trust this extension and are you sure you want to install it?' message though. So no better than ticking a single check box then. Also, developer mode doesn't "open the floodgates", you have to manually download, unzip and drag the extension into the extensions tab.

    • How-to (Score:5, Informative)

      by Namarrgon (105036) on Wednesday May 28, 2014 @01:21AM (#47105517) Homepage

      From the Chrome Developer page [chrome.com]:

      1. Unzip the .crx file
      2. Go to chrome://extensions
      3. Tick on Developer Mode
      4. Click Load Unpacked Extension...
      5. Select and install.
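
Step 1 of the how-to above skips a detail: a .crx is not a bare ZIP but a ZIP archive behind a signed header. The Python below is an added example, not part of the original comment or Chrome's own tooling; it locates the ZIP payload in a CRX2 or CRX3 file and lists the manifest's permissions so they can be reviewed before the unpacked extension is loaded. The sample package, key bytes and extension name are constructed, and the signature is not verified.

```python
import hashlib
import io
import json
import struct
import zipfile


def split_crx(data: bytes):
    """Return (crx_version, public_key or None, zip_bytes)."""
    if len(data) < 16 or data[:4] != b"Cr24":
        raise ValueError("not a CRX file (missing Cr24 magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        # CRX2: magic, version, key length, signature length, key, signature, ZIP
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        zip_start = 16 + key_len + sig_len
        key = data[16:16 + key_len]
    elif version == 3:
        # CRX3: magic, version, header length, protobuf header, ZIP
        header_len = struct.unpack_from("<I", data, 8)[0]
        zip_start = 12 + header_len
        key = None  # keys sit inside the protobuf header, which is not parsed here
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if zip_start > len(data):
        raise ValueError("header lengths exceed file size")
    return version, key, data[zip_start:]


def extension_id(public_key: bytes) -> str:
    """Extension ID: first 128 bits of SHA-256(public key), hex digits mapped to a-p."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def inspect_crx(data: bytes) -> dict:
    """Summarise what a package asks for, without extracting it to disk."""
    version, key, zip_bytes = split_crx(data)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
    hosts = sorted({m for cs in manifest.get("content_scripts", [])
                    for m in cs.get("matches", [])})
    return {
        "crx_version": version,
        "extension_id": extension_id(key) if key else None,
        "name": manifest.get("name"),
        "permissions": manifest.get("permissions", []),
        "content_script_hosts": hosts,
        # Entries that would escape the target directory on a naive unzip.
        "unsafe_paths": [n for n in names
                         if n.startswith("/") or ".." in n.split("/")],
    }


def build_sample_crx2(extra_files=None) -> bytes:
    """Constructed CRX2 package: placeholder key and signature, tiny manifest."""
    manifest = {
        "manifest_version": 2,
        "name": "Constructed Sample",
        "version": "1.0",
        "permissions": ["tabs", "http://*/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("inject.js", "// constructed placeholder\n")
        for name in extra_files or []:
            zf.writestr(name, "")
    key, sig = b"constructed-public-key", b"\x00" * 8
    header = b"Cr24" + struct.pack("<III", 2, len(key), len(sig))
    return header + key + sig + buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inspect_crx(build_sample_crx2()), indent=2))
```
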

  • Remember the "Outlook Email Security Update" from mid-2000 with the pop-ups asking to approve programs sending mail or gathering data from your address book and why it was so difficult to disable?

  • Aside from following rules like no spam and no child pornography, if your extension is free they charge you a $5 developer registration fee.

    So it seems to me to distribute by the Chrome Web Store is not that big an inconvenience.

    • by Anonymous Coward

      They can block extensions they don't like for instance youtube ripper or ad blocker.

  • On my Win box, IE, Chrome, FF and Opera. I keep 'em all current and updated.

    The default browser - well, that all depends on which one is working the way I want it to at any given time. It's been Chrome for a while, but the instant that changes so will my default browser. For now, the few extensions I have installed all seem to be working correctly. If that changes, FF is ready in the bullpen. Strangely enough, IE is ready to go in at need. Opera is mostly around as a reminder that a swiss army knife

  • So how do I develop extensions?
    Also, how do I run the custom extensions that are used in our company and should not be publicly available?
    How about extensions that are installed with some hardware, like the one that makes Dymo labelwriters accessible from JavaScript?

    • by gl4ss (559668)

      you get the developer version. or chromium.

      but anyhow, this is along the biz reasoning why they started chrome originally. when they started, the most popular browsers were looking like they were going to ship with adblocker extensions by default... and boom google comes up with funding for a browser of their own.

    • by kav2k (1545689)

      So how do I develop extensions?

      Like you always did. Developer mode did not change this time around.

      Also, how do I run the custom extensions that are used in our company and should not be publicly available?

      Enterprise install policy is unchanged. If you can use it, you can use extensions from any source. Even NPAPI extensions, which are now banned from Store.

      How about extensions that are installed with some hardware, like the one that makes Dymo labelwriters accessible from JavaScript?

      It's probably not an extension, but a plugin. That's a bit different, but they will also be going away end of this year.

  • I have yet to see many convincing cases of extensions for browsers (for everyday applications). I am using Firefox, and the extensions I use are scrapbook, nojs, foxyproxy.
