Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Will Block Third-Party Software From Injecting Code Into Chrome (bleepingcomputer.com)

Posted by msmash on from the strengthening-things dept.

Catalin Cimpanu, writing for BleepingComputer: Google has laid out a plan for blocking third-party applications from injecting code into the Chrome browser. The most impacted by this change are antivirus and other security products that often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and other threats. Google says these changes will take place in three main phases over the next 14 months. Phase 1: In April 2018, Chrome 66 will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. Phase 2: In July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Phase 3: In January 2019, Chrome 72 will remove this accommodation and always block code injection.

1 of 40 comments (clear)

  1. Re:"Injecting" vs. "Plugging in" by Anubis+IV · · Score: 4, Informative

    What's the difference between "plugging in" and "injecting"? Spin!

    Hardly, and I'm a little disappointed that there's a need to explain the difference to an adult.

    You plug things into receptacles designed to accept those things, whereas you inject things so as to bypass barriers that those things are not otherwise able or intended to cross. I'm not "injecting" a power plug when I plug it into the wall. The wall outlet is designed to take the plug. I'm not "plugging in" a syringe when I receive a tetanus booster shot in my arm. It's being injected into me in order to bypass my skin, which would otherwise keep it out.

    Chrome provides frameworks by which developers can "plug in" third-party code (e.g. userscripts, extensions, apps, etc.), and many of us here have experience in developing those. But those frameworks are intentionally limited so that they can only accept code that's designed to work within their APIs. In contrast, the code being injected by these third parties has no such constraints, since they've injected it in a way that bypasses Chrome's frameworks.