PSA: Removing `--extensions-on-chrome-urls` and `--disable-extensions-except` flags in Chrome branded builds

2.955 visualizações
Pular para a primeira mensagem não lida

Richard Chen

não lida,
12 de jun. de 2025, 13:14:4912 de jun.
para Chromium Extensions, Anunoy Ghosh, Benjamin Ackerman, Oliver Dunk

Hi all,


Starting in Chrome 139, the --extensions-on-chrome-urls and --disable-extensions-except command-line flags will be removed in official Chrome branded builds. This follows the removal of the `--load-extension` flag in Chrome 137.

Please note that this change only applies to Chrome branded builds. --extensions-on-chrome-urls and --disable-extensions-except will continue to function as before in non-Chrome brands, such as Chromium and Chrome For Testing. They will also be available on ChromeOS builds.


This change aims to enhance the security and stability of the Chrome browser for our users. We have observed that both flags are commonly abused to load and obfuscate malicious/unwanted software into the browser.

What this means for your development workflow:

  • If you use --extensions-on-chrome-urls for debugging extension pages, you can use a new command-line switch --extensions-on-extension-urls instead in M139. This new switch will be allowed for all extensions.

  • For all other use cases of --extensions-on-chrome-urls and --disable-extensions-except, consider using Chromium or Chrome for Testing. The Chrome For Testing build is specifically designed for development and testing and will continue to support both flags

We recognize that this might require changes in your usual process, and we truly appreciate your understanding as we work to improve the security of the Chrome ecosystem and protect our users from potential harm.

If you have any questions or concerns regarding this change, please feel free to reply to this email or reach out through our developer support channels.

Thank you for your understanding and continued dedication to building great extensions for Chrome users.

Thanks,

Richard on behalf of Chrome Counter Abuse


Peter Bloomfield

não lida,
13 de jun. de 2025, 06:46:1213 de jun.
para Chromium Extensions, Richard Chen, Anunoy Ghosh, Benjamin Ackerman, Oliver Dunk
Thanks for the update. It's good to know some more exploits are being resolved.

Is there also a plan to remove the `--disable-extensions` command-line flag?

Fyodor Kurlyuk

não lida,
10 de ago. de 2025, 23:22:0310 de ago.
para Chromium Extensions, Richard Chen, Anunoy Ghosh, Benjamin Ackerman, Oliver Dunk
Hello,

I am concerned about the removal of the `--extensions-on-chrome-urls` flag in Chrome, which has significantly impacted my WebRTC monitoring extension. This change has limited its ability to access `chrome://webrtc-internals`, forcing reliance on untrusted environments and increasing security risks.

Are there alternatives to asking concerned users to use a separate browser? I worry that malicious actors could exploit other browsers similarly, leading them to also drop support for the flag in the future. Could you consider implementing a specific flag for `chrome://webrtc-internals` or a more granular permission system for chrome:// URLs, excluding high-risk ones like ://settings and ://extensions?

I am also curious about the reasoning behind this change in the new Android desktop version, where similar risks seem absent. Will it be affected as well?

I previously raised these concerns through developer support without success and hope this message reaches the right place. Any guidance or moral support would be greatly appreciated.

Thank you for your efforts in enhancing Chrome's security.

Sincerely,  
Fyodor Kurlyuk  
Videochat Extension (alchldmijhnnapijdmchpkdeikibjgoi)
Responder a todos
Responder ao autor
Encaminhar
0 nova mensagem