Google Chrome

Google announced plans today to gradually remove the option of installing Chrome extensions from a remote website, also known as an "inline installation."

According to Google, this means that by the end of the year, users will be able to install new Chrome extensions only from their respective Chrome Web Store listings.

Inline installation feature abused in the past few years

The change is a response to malicious Chrome extension developers who've abused this feature to trick users into installing confusing, deceptive, or downright malicious Chrome extensions.

Until now, this has been possible because the inline installation process allowed developers to create extensions and host them on the official Chrome Web Store, while letting users install them just by clicking a button on a third-party website, without ever visiting the extension's Chrome Web Store page.

Google says that this interaction pattern has been abused by extension developers, who often used inline installation to distribute malicious Chrome extensions.

This tactic has been quite successful because users never visited the Chrome Web Store listing, and would never see an extension's bad rating or negative user reviews, which often contained warnings or important clues about the extension's real behavior.

Phase-out process spread across three stages

Because of this repeated pattern of abuse, Google has now decided to remove the inline installation process from the Chrome browser and the Chrome Web Store altogether. The phase-out process will take place in three stages, detailed below:

⥤  Starting today, inline installation will be unavailable to all newly published extensions. Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install() function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.
⥤  Starting September 12, 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.
⥤  In early December 2018, the inline install API method will be removed from Chrome 71.

"If you distribute an extension using inline installation, you will need to update install buttons on your website to link to your extension’s Chrome Web Store page prior to the stable release of Chrome 71," said James Wagner, Extensions Platform Product Manager at Google.
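For site owners preparing for that change, the following added example (not from Google or from the original article) audits a page's source for inline-install usage and proposes the Web Store link that should replace each install button. The function name `auditInlineInstall`, the sample page, and the placeholder item ID are assumptions made for illustration; the `<link rel="chrome-webstore-item">` tag is the page-side declaration that inline installation relied on.

```javascript
// Added example: audit page source for Chrome inline-install usage.
// SAMPLE_PAGE is constructed; the 32-letter item ID is a placeholder.
const ID = 'abcdefghijklmnopabcdefghijklmnop';
const SAMPLE_PAGE = [
  '<head>',
  '<link rel="chrome-webstore-item"',
  `      href="https://chrome.google.com/webstore/detail/${ID}">`,
  '</head>',
  '<button onclick="chrome.webstore.install()">Add to Chrome</button>',
  '<script>',
  'function legacyInstall() {',
  `  chrome.webstore.install("https://chrome.google.com/webstore/detail/${ID}", ok, fail);`,
  '}',
  '</script>',
].join('\n');

// Web Store item URL, with an optional name slug before the ID (IDs use a-p).
const ITEM_URL = /https:\/\/chrome\.google\.com\/webstore\/detail\/(?:[^\/"'\s]+\/)?([a-p]{32})/g;
// The <link> tag a page needed in order to offer inline installation.
const LINK_TAG = /<link\b[^>]*\brel\s*=\s*["']?chrome-webstore-item["']?[^>]*>/gi;
const INSTALL_CALL = /\bchrome\s*\.\s*webstore\s*\.\s*install\s*\(/g;

function auditInlineInstall(source) {
  const itemIds = new Set();
  const linkTags = source.match(LINK_TAG) || [];
  for (const tag of linkTags) {
    for (const m of tag.matchAll(ITEM_URL)) itemIds.add(m[1]);
  }
  // Record every line that calls chrome.webstore.install(), 1-based.
  const callSites = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const hits = text.match(INSTALL_CALL);
    if (!hits) return;
    for (const m of text.matchAll(ITEM_URL)) itemIds.add(m[1]);
    callSites.push({ line: i + 1, calls: hits.length, text: text.trim() });
  });
  // Replacement for each install button: a plain link to the store listing.
  const replacements = [...itemIds].map(
    (id) => `<a href="https://chrome.google.com/webstore/detail/${id}">Add to Chrome</a>`
  );
  const needsMigration = linkTags.length > 0 || callSites.length > 0;
  return { linkTags: linkTags.length, callSites, itemIds: [...itemIds], replacements, needsMigration };
}

console.log(JSON.stringify(auditInlineInstall(SAMPLE_PAGE), null, 2));
```

A page that already links straight to the store listing reports `needsMigration: false`, so the same check can run in CI to confirm no inline-install call sites remain.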

Remote installation of a malicious Chrome extension [Source: Trend Micro]
