Google announced yesterday that it will retire inline installations of Google Chrome extensions starting with Chrome 71 in December 2018.

Chrome extension developers are required to add their extensions to the Chrome Web Store, but until now they could also distribute them using inline installations.

Inline installations fire on third-party websites; Chrome users get the installation prompts on these websites and can install the browser extension without having to visit the Chrome Web Store first.

The direct installation may save the user a click or two, but it has led to all kinds of abuse as well. While legitimate companies and developers have used the system to provide extension installations directly from websites they operate, crooks have abused it too.

The inline installation prompt displays only some information to the user. It displays the name of the extension, its rating and number of votes, and number of users. The prompt lists extra permissions that the extension requests, and includes a link to the Chrome Web Store next to that.

The prompt omits information such as the extension's description, user reviews, and developer information.

We have suggested for years that users need to verify Chrome extensions before installation, and that users should take a number of precautions as well.

Google notes in its announcement that inline installed extensions have a higher user complaint ratio and are uninstalled significantly more often than extensions installed from the Web Store. The company goes on to explain that the "Chrome Web Store plays a critical role in ensuring that users can make informed decisions about whether to install an extension".

The company promised to do something against deceptive inline installations in January 2018 and revealed that fewer than 3% of extensions used deceptive or confusing install flows and that these 3% account for more than 90% of user complaints.

Google wanted to use machine learning back in January 2018 to combat deceptive or confusing inline installations but yesterday's announcement suggests that this did not yield the desired results.

The company and its users experienced wave after wave of issues with malicious or deceptive Chrome extensions. Criminals managed time and time again to plant malicious or fake extensions in the Chrome Web Store,

Retiring inline installations

Google plans to roll out the change in three phases starting June 12, 2018 and ending in December 2018.

  1. Newly published extensions can no longer be distributed as inline installations. If extensions use the function, users are redirected automatically to the Chrome Web Store in a new tab.
  2. From September 12, 2018 on, inline installations will be disabled for all existing extensions as well. Users will be redirected to the Chrome Web Store.
  3. The inline install API will be removed in Chrome 71 in December 2018 (no more redirects after this point).

Extension developers who use inline installations currently need to change the install buttons on their web properties before Chrome 71's release in December so that they link to the Chrome Web Store instead.
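One way to find the pages that still need this change, as an added example that is not code from Google or from this article: it scans page source for the two pieces of the inline install flow, the `<link rel="chrome-webstore-item">` tag and the `chrome.webstore.install()` call (neither is named in the article), and builds the plain Web Store link that replaces the button. The helper names, the sample page, and the extension ID are constructed for illustration.

```javascript
// Added example: audit page source for Chrome's retired inline install flow.
// Markers: the <link rel="chrome-webstore-item"> tag and chrome.webstore.install().
const LINK_RE = /<link\b[^>]*\brel\s*=\s*["']chrome-webstore-item["'][^>]*>/gi;
const HREF_RE = /\bhref\s*=\s*["']([^"']+)["']/i;
const CALL_RE = /\bchrome\s*\.\s*webstore\s*\.\s*install\s*\(/g;
// Web Store detail URL, optional name slug, 32-character extension ID (a-p).
const STORE_URL_RE =
  /^https:\/\/chrome\.google\.com\/webstore\/detail\/(?:[a-z0-9-]+\/)?[a-p]{32}\/?$/;

// Hypothetical helper: report inline install usage found in HTML/JS source.
function auditInlineInstall(source) {
  const storeLinks = [];
  const invalidLinks = [];
  for (const tag of source.match(LINK_RE) || []) {
    const href = (tag.match(HREF_RE) || [])[1] || "";
    (STORE_URL_RE.test(href) ? storeLinks : invalidLinks).push(href);
  }
  const installCalls = (source.match(CALL_RE) || []).length;
  const needsMigration = installCalls > 0 || storeLinks.length + invalidLinks.length > 0;
  return { storeLinks, invalidLinks, installCalls, needsMigration };
}

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical helper: build the plain link that replaces the install button.
// Refuses anything that is not a Web Store detail URL.
function replacementAnchor(storeUrl, label) {
  if (!STORE_URL_RE.test(storeUrl)) {
    throw new Error("not a Chrome Web Store detail URL: " + storeUrl);
  }
  return `<a href="${storeUrl}" target="_blank" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Constructed sample page; the extension ID is a placeholder.
const SAMPLE_ID = "abcdefghijklmnopabcdefghijklmnop";
const SAMPLE_PAGE = `<head>
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/${SAMPLE_ID}">
</head><body>
<button onclick="chrome.webstore.install()">Add to Chrome</button>
</body>`;

const report = auditInlineInstall(SAMPLE_PAGE);
console.log(report);
for (const url of report.storeLinks) console.log(replacementAnchor(url, "Add to Chrome"));
```

Entries in `invalidLinks` deserve a manual look, since a `chrome-webstore-item` tag that does not point at a Web Store detail page has no safe replacement target.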

Closing Words

While inline installations of extensions accounted for a large part of user complaints and issues, one needs to remember that all of the extensions installed this way were hosted in the Web Store as well.

It may be more difficult for malicious actors to get users to install their extensions directly from the Web Store. Google has not published information about the ratio of installs. One thing is certain: while the retiring of inline Chrome extension installations will have a positive impact, it won't suddenly free the Chrome Web Store from user tracking or outright malicious extensions.