Prevent chrome extensions from running on my website


Asaf Shochet

Apr 19, 2024, 8:55:14 AM
to Chromium Extensions
Hi,
This is more of a general question.
Let's say I am developing a website (a banking site for example), and I want to prevent all chrome extensions from injecting code into it (no adblockers, no lastpass, nothing) due to security/privacy/other reasons.

What's the best approach to do that? Is there a way to "defend" against chrome extensions from the website owner's perspective?

Thank you,
Asaf

Oliver Dunk

Apr 19, 2024, 9:02:40 AM
to Asaf Shochet, Chromium Extensions
Hi Asaf,

The simple answer is that there isn't a way to prevent extensions from running, and this isn't a capability we have traditionally been supportive of. Extensions are installed by the user, and the user may want to run them regardless of whether the website would like this.

In principle, there are some sites like banking sites where restricting access may make sense - but unfortunately there isn't an easy way to offer that without risking other sites declaring themselves in a misleading way.

As a user, you can revoke an extension's access to a particular site.

As a website developer, you would need to rely on detecting something the extension has changed about a page, but I would strongly discourage this.

If you have particular privacy or security concerns, it would be great if you could share them. Always interested to discuss those.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB



Oliver Dunk

Apr 19, 2024, 1:34:46 PM
to Asaf Shochet, Chromium Extensions
Hi Asaf,

In enterprise specifically, there are additional controls - you can forcefully withhold host permissions from an extension using policy, even if it requires them, and you can block access to specific permissions in the same way if you deem them to provide capabilities you are uncomfortable with.

As mentioned, the hard thing about providing controls for websites is that ultimately Chrome is a user agent that acts on behalf of the user. There are certainly use cases where a user may feel strongly about needing to use an extension on a banking site (password managers to fill logins is a great example).

These sorts of risks are definitely something we keep in mind, including with MV3. This is why we have restricted usage of Remote Hosted Code to allow us to be sure we are reviewing an extension's full functionality, for example. Review in particular plays a big part in keeping the Chrome Web Store safe.

There are certainly risks with any features but the goal is to find a balance between power for users and safety at the same time :)
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB


On Fri, Apr 19, 2024 at 4:06 PM Asaf Shochet <asaf.s...@evinced.com> wrote:
Hey Oliver,
Thanks for the reply :)

Actually, I have been working with extensions for a few years, and have seen how easy it is to create an extension that looks legit but collects data very easily: a key logger, taking screenshots using the screenCapture API, understanding user behavior by listening to webnavigation events, and more.

As a security amateur, it puzzles me how come these are all available, but there's no defense mechanism allowing a website to protect itself.

There are configurations that an admin can set up to allow specific extensions inside an organization (example), but there are no other mechanisms to help companies defend themselves against these kinds of threats.

I would appreciate your thoughts on that subject. Was this taken into consideration when defining MV3, for example? (It blocks external scripting for the most part, but there is still no way to prevent a content script from running, if I understand correctly.)


Thank you!
Asaf
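The enterprise controls Oliver describes above are set through Chrome's ExtensionSettings policy. The following is an added example, not something from the thread or from the Chrome documentation: it assumes a fictional bank domain (bank.example) and an obviously fake 32-character extension ID for an approved password manager that the organization wants to keep working there.

```json
{
  "*": {
    "runtime_blocked_hosts": [
      "https://bank.example",
      "https://*.bank.example"
    ],
    "blocked_permissions": [
      "desktopCapture",
      "tabCapture",
      "webNavigation"
    ]
  },
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
    "runtime_allowed_hosts": [
      "https://bank.example",
      "https://*.bank.example"
    ]
  }
}
```

The "*" block is the default for every extension: host access to the bank's origins is withheld at runtime even if the extension's manifest requests them, and extensions that require one of the listed permissions are blocked from installing. The second block is the per-extension override for the approved password manager (placeholder ID), which is exactly the trade-off Oliver raises: a blanket block also silences the password manager unless you carve out an exception.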