Google announced plans today to gradually remove the option of installing Chrome extensions from a remote website, also known as an "inline installation."
According to Google, this means that by the end of the year, users will only be able to install new Chrome extension only from their respective Chrome Web Store listings.
The reason for this change is because of malicious Chrome developers who've abused this feature to trick users into installing confusing, deceptive, or downright malicious Chrome extensions.
Until now, this has been possible because the inline installation process allowed developers to create extensions, have the extensions hosted on the official Chrome Web Store, but allow users to install the extensions just by clicking a button on a third-party website without the user ever visiting the extension's Chrome Web Store page.
Google says that this interaction pattern has been abused by extension developers, who often used inline installation to distribute malicious Chrome extensions.
This tactic has been quite successful because users never visited the Chrome Web Store listing, and would never see an extension's bad rating or negative user reviews, which often contained warnings or important clues about the extension's real behavior.
Because of this repeated pattern of abuse, Google has now decided to remove the inline installation process from the Chrome browser and the Chrome Web Store altogether. The phase-out process will take place in three stages, detailed below:
"If you distribute an extension using inline installation, you will need to update install buttons on your website to link to your extension’s Chrome Web Store page prior to the stable release of Chrome 71," said James Wagner, Extensions Platform Product Manager at Google.