Chrome extensions cannot use obfuscation after January 1st, 2019 but can use minification?

1,468 views
Skip to first unread message

Sean Wilson

unread,
Oct 1, 2018, 2:15:49 PM10/1/18
to Chromium Extensions
Google have just announced some changes to Chrome extension submissions:
https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html

"Starting today, Chrome Web Store will no longer allow extensions with obfuscated code...Ordinary minification, on the other hand, typically speeds up code execution as it reduces code size, and is much more straightforward to review. Thus, minification will still be allowed"

I have a Chrome extension that uses Webpack to convert TypeScript to JavaScript which then uses UglifyJS to minify it. If I submit only the minified code, is this compliant?

What would be an example of obfuscation that is disallowed?

What are some examples of obfuscation tools that now cannot be used?

Minification can be viewed as a form of obfuscation and transpiled code is harder to review than the original code so I'm not finding the announced changes clear.

PhistucK

unread,
Oct 2, 2018, 4:32:45 AM10/2/18
to m...@seanw.org, Chromium-extensions
I would guess that if the original names are preserved (maybe with some characters likes _ and so on), it is minification without obfustication.
The main goal is for the logic of the code to be readable and understandable by a human as well as machine learning methods so any (unintentional, obviously) violation would be easily revealed.

PhistucK


--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/d48c10a4-51de-4a22-97f1-222f01f9cda5%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.

Thomas Werner

unread,
Oct 2, 2018, 4:51:35 AM10/2/18
to Chromium Extensions
I have the same problem. I use Closure Compiler for minification in hope that its a bit faster. I always get support requests like "i have 1000 bookmarks please make it faster".

I know obfuscation makes no sense to protect code, but if someone who wants to copy and paste the code the one must invest more time, instead of getting it "for free" in seconds.

They wrote "recommended minification techniques" are ok, really? Means if i use "Closure Compiler" i am safe or will be my extension deleted by any reviewer having "a bad day"? If taken down, does I get a notification/warning *before* it will be taken down or just deleted like "who cares"?

I like what they do, to make using extensions more safe etc, because i use extensions as well. But please Goolge let use developer not alone and give us an example, because for me minification is obfuscation too.

PhistucK

unread,
Oct 2, 2018, 5:37:06 AM10/2/18
to t...@ideaweb.de, Chromium-extensions
I take my post back - renaming variables/functions is fine according to the post.
So they only mean actual obfuscation attempts, like https://obfuscator.io/ and not Closure Compiler/Uglify.

PhistucK


--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/0866d0f6-404f-4bf3-b0fc-b438a7062115%40chromium.org.

Thomas Werner

unread,
Oct 2, 2018, 10:17:59 AM10/2/18
to Chromium Extensions, t...@ideaweb.de
Thanks for the link, now it's clear. =)

abdulbadii

unread,
Oct 3, 2018, 5:26:28 AM10/3/18
to Chromium Extensions
Many people don't know what's the difference between obfuscation and minification you just pointed out.
Would you please explain the difference clearly ?
Thanks so much in advance.

PhistucK

unread,
Oct 3, 2018, 6:06:49 AM10/3/18
to Budi Kusasi, Chromium-extensions
https://yuiblog.com/blog/2006/03/06/minification-v-obfuscation/
https://www.programmerinterview.com/index.php/javascript/minification-vs-obfuscation/
http://www.differencebetween.info/difference-between-minification-and-obfuscation

Concrete (but simplistic) example -
Input -
function runLogic(logicType) {
  if (logicType === 1) {
    console.log("Hello, World!");
  } else {
    console.log("Hello, Aliens!");
  }
}
runLogic();

Minification (Closure Compiler whitespace only) output -
function runLogic(logicType){if(logicType===1)console.log("Hello, World!");else console.log("Hello, Aliens!")}runLogic();

Minification output (Closure Compiler simple) -
function runLogic(a){1===a?console.log("Hello, World!"):console.log("Hello, Aliens!")}runLogic();

Minification with optimization (Closure Compiler advanced) output -
console.log("Hello, Aliens!");

Obfuscation output (obfuscator.io) -
var _0x2077=['log','Hello,\x20World!','Hello,\x20Aliens!'];(function(_0x5e4eb6,_0x1f7c12){var _0x5d0158=function(_0x448088){while(--_0x448088){_0x5e4eb6['push'](_0x5e4eb6['shift']());}};_0x5d0158(++_0x1f7c12);}(_0x2077,0x192));var _0x9638=function(_0x17c33a,_0x4f74fa){_0x17c33a=_0x17c33a-0x0;var _0x978856=_0x2077[_0x17c33a];return _0x978856;};function runLogic(_0x52d4c3){if(_0x52d4c3===0x1){console[_0x9638('0x0')](_0x9638('0x1'));}else{console[_0x9638('0x0')](_0x9638('0x2'));}}runLogic();

PhistucK


--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/fed6620b-efc6-44f9-8114-47077601b413%40chromium.org.

Ibrahim

unread,
Oct 6, 2018, 5:28:23 PM10/6/18
to Chromium Extensions
Wouldn't it be better if the process would be similar to how Firefox does?

To let developers upload the minified version for users to download, and separately upload the source code for reviewers to check, along with build instructions for them to make sure that their compiled version matches with the actual files in the extension package.

I expect that having unobfuscated or unminified code in the extension will result in increased package size.
Reply all
Reply to author
Forward
0 new messages