In an effort to tamp down data collection by third-party ad-blocking Chrome browser extensions, Google today announced that it intends to replace parts of Chrome’s Web Request API, a set of events and functions that enable developers to monitor, analyze, and block web traffic, with the Declarative Net Request API, which doesn’t require access to all a user’s sensitive data.
As Google explains in a blog post, the current Web Request API requires that users grant permission for Chrome to pass all information about a network request — which can include things like emails, photos, or other private information — to a given extension. In contrast, the Declarative Net Request API — which is rolling out as part of a suite of changes Google’s calling Manifest V3 — allows extensions to block content at install time.
“The Chrome extensions ecosystem has seen incredible advancement, adoption, and growth since its launch over ten years ago … As this system grows and expands in both reach and power, user safety and protection remains a core focus of the Chromium project,” wrote Chrome extensions team member Devlin Cronin. “One way we are doing this is by helping users be deliberate in granting access to sensitive data – such as emails, photos, and access to social media accounts. As we make these changes we want to continue to support extensions in empowering users and enhancing their browsing experience.”
The Declarative Net Request API migration follows a number of changes to extensions intended to improve security, privacy, and performance, Google says, including granular controls over permissions, a revamped review process, and two-step verification for developers. They dovetail with new safeguards against inline installation on websites, deceptive installation practices, and limits on extension data collection.
Google says that these and other changes have driven down the rate of malicious extension installations by 89% since early 2018. Today, it blocks roughly 1,800 malicious uploads a month from reaching the Chrome Web Store.