1 <h1>Chrome
33 Hosting Changes
</h1>
3 <p>As a follow-up to our blog post on
4 <a href=
"http://blog.chromium.org/2013/11/protecting-windows-users-from-malicious.html">protecting Windows users from malicious extensions
</a>,
5 we’re enforcing the following changes starting in Chrome
33 Beta and stable channels for Windows:
<p>
8 <li>Users can only install extensions hosted in the Chrome Web store, except for installs via
9 <a href=
"https://support.google.com/chrome/a/answer/188453">enterprise policy
</a>
10 or
<a href=
"http://developer.chrome.com/extensions/getstarted.html#unpacked">developer mode
</a>.
</li>
11 <li>Extensions that were previously installed, but not hosted on the Chrome Web Store will be
12 <a href=
"https://support.google.com/chrome/answer/2811969">hard-disabled
</a>
13 (i.e the user cannot enable these extensions again), except for installs via
14 <a href=
"https://support.google.com/chrome/a/answer/188453">enterprise policy
</a>
15 or
<a href=
"http://developer.chrome.com/extensions/getstarted.html#unpacked">developer mode
</a>.
</li>
18 <h2>What’s the rationale for this measure?
</h2>
20 <p>See
<a href=
"http://blog.chromium.org/2013/11/protecting-windows-users-from-malicious.html">Protecting Windows users from malicious extensions
</a>.
</p>
22 <h2>For extensions that are currently hosted outside the Chrome Web Store, what should be done and by when?
</h2>
24 <p>If your extensions are currently hosted outside the Chrome Web Store,
25 you should migrate them to the Chrome Web Store as soon as possible.
26 The above changes are already effective on Chrome
33 Beta for Windows and
27 will be effective on Chrome
33 stable for Windows (around end of Feb
2014).
28 Once you migrate your extensions to the Chrome Web Store,
29 there will be no impact to your users,
30 who will still be able to use your extension as if nothing changed.
31 And if you have a dedicated installation flow from your own website,
32 you can make use of the existing
33 <a href=
"https://developers.google.com/chrome/web-store/docs/inline_installation">inline installs
</a> feature.
34 If you’re migrating your extensions to the Chrome Web Store, start testing with Chrome
33 right away.
</p>
36 <h2>What will happen if I migrate the extension to the Chrome Web Store sometime in the future? Will I lose all my users?
</h2>
38 <p>Users will have their off-store extensions hard-disabled once the enforcement rolls out in Chrome
33 stable/beta for Windows.
39 However, if the extension is migrated to the Chrome Web Store after the rollout,
40 users would be able to manually to enable the migrated extension from extensions settings page (chrome://extensions)
41 or from the Chrome Web Store listing.
</p>
43 <h2>What if I want to restrict access to certain users or prevent my extension from being listed on the Chrome Web Store?
</h2>
45 <p>You can restrict access to your extension by limiting its visibility to Trusted Tester or
46 by unlisting the extension from the Chrome Web Store.
</p>
48 <h2>Which operating systems and Chrome channels are affected by this change?
</h2>
50 <p>The changes are effective only for Windows stable and beta channels starting with Chrome
33.
</p>
52 <h2>Will this affect my ability to develop my extensions on Windows?
</h2>
54 <p>No. You can still load unpacked extensions in
55 <a href=
"http://developer.chrome.com/extensions/getstarted.html#unpacked">developer mode
</a>
57 Also, you can continue to develop extensions on Chrome Dev channel/Canary,
58 where these changes are not effective.
</p>
60 <h2>How can I distribute my extension if I cannot upload it to the Chrome Web Store for policy reasons?
</h2>
62 <p>These changes are effective only on Windows stable and beta channel.
63 Users who want to get extensions that are not hosted on the Chrome Web Store can do so on
64 <a href=
"http://www.chromium.org/getting-involved/dev-channel">Chrome dev/canary channels in Windows
</a>
65 or on all Chrome channels in other operating systems.
</p>
67 <h2>Why couldn't this problem be solved by having a setting/option to load extensions that are not hosted in the Chrome Web Store?
</h2>
69 <p>Unlike modern mobile operating systems,
70 Windows does not sandbox applications.
71 Hence we wouldn’t be able to differentiate between a user opting in
72 to this setting versus a malicious native app overriding the user’s setting.
</p>
74 <h2>What are the supported deployment options for extensions after this change?
</h2>
76 <p>Apart from users installing extensions from the Chrome Web Store,
77 the following deployment options will be supported:
</p>
79 <ul><li>For OSX and Linux, extensions can be installed via a
80 <a href=
"http://developer.chrome.com/extensions/external_extensions.html#preferences">preferences JSON file
</a>.
</li>
81 <li>For Windows, extensions can be installed via the
82 <a href=
"http://developer.chrome.com/extensions/external_extensions.html#registry">Windows registry
</a>.
83 In the Windows registry,
84 ensure that the update_url registry key points to the following URL:
85 <a href=
"https://clients2.google.com/service/update2/crx">https://clients2.google.com/service/update2/crx
</a>.
86 Local .crx installs via the path registry key are deprecated.
87 Note that this deployment option works only for Chrome Web Store hosted extensions,
88 and update_url cannot point to any other host other than
89 <a href=
"https://clients2.google.com/service/update2/crx">https://clients2.google.com/service/update2/crx
</a>.
</li>
90 <li>For Enterprises, we’ll continue to support
91 <a href=
"https://support.google.com/chrome/a/answer/188453?hl=en" style=
"background-color:transparent">group policy
</a>
92 to install extensions, irrespective of where the extensions are hosted.
93 Note that the user's machine has to join a domain for GPO policy pushes to be effective.
</li>
96 <h2>Are there any other considerations to be aware of for extensions that depend on a native application binary?
</h2>
98 <p>Previously when off-store extensions were supported,
99 it was possible to have the third party application binaries and the sideloaded extension be updated in lockstep.
100 However, extensions hosted on the Chrome Web Store are updated via the Chrome update mechanism
101 which developers do not control.
102 Extension developers should be careful about updating extensions that have a dependency on the native application binary
103 (for example, extensions using
104 <a href=
"https://developer.chrome.com/extensions/messaging.html#native-messaging">native messaging
</a>
105 or legacy extensions using
106 <a href=
"http://developer.chrome.com/extensions/npapi.html">NPAPI
</a>).
</p>
108 <h2>What will users see when their off-store extension is disabled as a result of this rollout?
</h2>
110 <p>They will get a notification that says:
111 “Suspicious Extensions Disabled” with a link to the following
112 <a href=
"https://support.google.com/chrome/answer/2811969">support article
</a>.
</p>
114 <h2>Why do I see a bubble about “Disable developer mode extensions” when loading an unpacked extension in Windows stable/beta channels?
</h2>
116 <p>We do not want the developer mode to be used as an attack vector for spreading malicious extensions.
117 Hence we’re informing users about developer mode extensions on Windows stable/beta channels and
118 giving them an option to disable these extensions.
</p>