Google Beefs Up Privacy Rules for Chrome Extensions; Researcher Discovers New Loophole to Detect Incognito Mode

The new changes for Chrome extensions will go into effect starting October 15.

Advertisement
By Jagmeet Singh | Updated: 24 July 2019 14:13 IST
Highlights
  • Chrome extensions will be required to request access to least user data
  • Google has provided guidelines for developers to adopt new changes
  • Incognito Mode flaw has been detected in Storage Quota Management API

Google has expanded the requirement of posting privacy policies for Chrome extensions

Google has updated its User Data Policy to beef up privacy rules for third-party Chrome extensions. The new move comes as a follow-up on the Project Strobe update that the search giant announced back in late May. The Project Strobe is aimed to impose a root-and-branch review of third-party developer access to user data. In a separate development, a security researcher has found a way to detect Incognito Mode without leveraging the FileSystem API loophole that Google is set to fix through Chrome 76 later this month.

As a result of the new changes to the User Data Policy designed for Chrome Web Store, all third-party Chrome extensions will be required "to only request access to the least amount of data". Google earlier encouraged developers to request access to the least amount of data, but the new change has come into force as a requirement for all extensions.

Advertisement

Google has also expanded the requirement of posting privacy policies for Chrome extensions. Previously, extensions that handle personal and sensitive user data were required to post a privacy policy.

"Now, we're expanding this category to include extensions that handle user-provided content and personal communications. Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use, and sharing of that data," Alexandre Blondin and Swagateeka Panigrahy of Chrome Product and Policy team noted in the blog post.

The two new changes to the User Data Policy of Chrome Web Store will go into effect starting October 15. Meanwhile, Google has provided guidelines for developers to make their extensions ready for the new change.

"After October 15, 2019, items that violate these updates to the User Data policy will be removed or rejected from the Web Store and will need to become compliant to be reinstated," the Chrome Product and Policy team members said.

Advertisement

The guidelines ask developers to either inventory the current permissions of their Chrome extensions or switch to alternatives that are "more narrowly scoped." A list of permissions used and the reasons behind their requirement should be included in the Chrome Web Store listing or within an about page section of the extension. Also, developers are required to request the new permission in the updated version of the extension if they expand the features of their extension or require new permission from end users.

For all extensions that handle "Personal or Sensitive User Data", including user-provided content and personal communications, the guidelines note that a privacy policy is mandatory. Google also asks developers to handle the user data securely, including transmitting it via modern cryptography.

Advertisement

Aside from the changes designed for Chrome extensions, Google is also bolstering the Incognito Mode of its Chrome browser by updating its FileSystem API. The change, which was announced last week, will be a part of Chrome 76 that's releasing on July 30. But ahead of the formal release, security researcher and PhD student Vikas Mishra claims to have found another loophole that makes the Incognito Mode trackable.

The new loophole has been spotted in the Storage Quota Management API that is designed to let Web apps understand how much temporary storage space they can use on the browser and how much of the allotted space remains available.

Advertisement

The researcher explains that in the regular browsing mode, a Web app can use a maximum of 1GB, which is 50 percent of the total available space available to all Web apps. When switched to the Incognito Mode, the storage allotment reduced to a maximum of 120MB. Now, the researcher says that for getting 120MB of storage quota in non-Incognito Mode, the Web app should be used on a system with a 2.4GB hard drive that is not common nowadays.

It is, thus, safe to presume that developers would be able to track the status of the Incognito Mode on Chrome browser if a Web app reports only having up to 120MB of allocated storage space using the Storage Quota Management API.

However, it is worth mentioning here that developers leveraging the loophole within the Storage Quota Management API would only be able to detect whether a user is on the Incognito Mode or using the regular browsing mode. This means the reported flaw won't provide any access to user data or browsing patterns.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. DJI Mic Mini 2S Launched With 32-Bit Float Recording, AI Noise Cancellation
  2. Best Mobiles To Grab During The Flipkart GOAT Sale
  3. Top TWS Earbuds Under Rs 2,000 on Amazon Prime Day Sale
  4. Huion's 2026 India Lineup Defines Next-Gen Creativity
  5. Vivo X500 Camera Details Surface Online After X500 Pro Max Leaks
  6. Asus Vivobook 15 (2026) Launched in India Ahead of Amazon, Flipkart Sale Events
  7. Nokia 235 4G (2026), 215 4G (2026) Launched; Nokia 210 4G, 200 4G Tag Along
  8. Amazon Prime Day 2026 Sale Is Live: Best Tech Deals
  9. Flipkart GOAT Sale: Top Early Deals on Smartphones, Tablets and More
  1. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  2. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  3. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  4. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  5. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  6. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  7. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
  8. Sony Reportedly Restructures Disc Factory After Announcing End of Physical Game Discs on PlayStation
  9. Maharashtra Legislature Passes Amendment to Bring Virtual Digital Assets Under Depositor Protection Law
  10. Redmi 17 5G NCC, SIRIM Certification Listings Reportedly Reveal Battery and Charging Details
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.