PSA: Removing `--extensions-on-chrome-urls` and `--disable-extensions-except` flags in Chrome branded builds

조회수 4,291회
읽지 않은 첫 메시지로 건너뛰기

Richard Chen

읽지 않음,
2025. 6. 12. 오후 1:14:496월 12일
받는사람 Chromium Extensions, Anunoy Ghosh, Benjamin Ackerman, Oliver Dunk

Hi all,


Starting in Chrome 139, the --extensions-on-chrome-urls and --disable-extensions-except command-line flags will be removed in official Chrome branded builds. This follows the removal of the `--load-extension` flag in Chrome 137.

Please note that this change only applies to Chrome branded builds. --extensions-on-chrome-urls and --disable-extensions-except will continue to function as before in non-Chrome brands, such as Chromium and Chrome For Testing. They will also be available on ChromeOS builds.


This change aims to enhance the security and stability of the Chrome browser for our users. We have observed that both flags are commonly abused to load and obfuscate malicious/unwanted software into the browser.

What this means for your development workflow:

  • If you use --extensions-on-chrome-urls for debugging extension pages, you can use a new command-line switch --extensions-on-extension-urls instead in M139. This new switch will be allowed for all extensions.

  • For all other use cases of --extensions-on-chrome-urls and --disable-extensions-except, consider using Chromium or Chrome for Testing. The Chrome For Testing build is specifically designed for development and testing and will continue to support both flags

We recognize that this might require changes in your usual process, and we truly appreciate your understanding as we work to improve the security of the Chrome ecosystem and protect our users from potential harm.

If you have any questions or concerns regarding this change, please feel free to reply to this email or reach out through our developer support channels.

Thank you for your understanding and continued dedication to building great extensions for Chrome users.

Thanks,

Richard on behalf of Chrome Counter Abuse


Peter Bloomfield

읽지 않음,
2025. 6. 13. 오전 6:46:126월 13일
받는사람 Chromium Extensions, Richard Chen, Anunoy Ghosh, Benjamin Ackerman, Oliver Dunk
Thanks for the update. It's good to know some more exploits are being resolved.

Is there also a plan to remove the `--disable-extensions` command-line flag?

Fyodor Kurlyuk

읽지 않음,
2025. 8. 10. 오후 11:22:038월 10일
받는사람 Chromium Extensions, Richard Chen, Anunoy Ghosh, Benjamin Ackerman, Oliver Dunk
Hello,

I am concerned about the removal of the `--extensions-on-chrome-urls` flag in Chrome, which has significantly impacted my WebRTC monitoring extension. This change has limited its ability to access `chrome://webrtc-internals`, forcing reliance on untrusted environments and increasing security risks.

Are there alternatives to asking concerned users to use a separate browser? I worry that malicious actors could exploit other browsers similarly, leading them to also drop support for the flag in the future. Could you consider implementing a specific flag for `chrome://webrtc-internals` or a more granular permission system for chrome:// URLs, excluding high-risk ones like ://settings and ://extensions?

I am also curious about the reasoning behind this change in the new Android desktop version, where similar risks seem absent. Will it be affected as well?

I previously raised these concerns through developer support without success and hope this message reaches the right place. Any guidance or moral support would be greatly appreciated.

Thank you for your efforts in enhancing Chrome's security.

Sincerely,  
Fyodor Kurlyuk  
Videochat Extension (alchldmijhnnapijdmchpkdeikibjgoi)

Scott Crunkleton

읽지 않음,
2025. 9. 26. 오후 4:08:399월 26일
받는사람 Chromium Extensions, Fyodor Kurlyuk, Richard Chen, Anunoy Ghosh, Benjamin Ackerman, Oliver Dunk
I have seen `--disable-extension-except` working in Chrome 140. Has this flag returned?

I first noticed it in conjunction with an `--app` launch. Thinking that might be related, I removed the `--app`, but `--disable-extensions-except` was still in effect.
전체답장
작성자에게 답글
전달
새 메시지 0개