Google recently announced it would block code injection from third-party applications into its Chrome browser. The measure, which will be deployed starting July 2018, is intended to reduce crash rates and improve performance.
“Roughly two-thirds of Windows Chrome users have other applications on their machines that interact with Chrome, such as accessibility or antivirus software.” states the Chromium blog post on November 30, 2017. The Chromium team works on the core software that powers Google Chrome.
“In the past, this software needed to inject code in Chrome in order to function properly; unfortunately, users with software that injects code into Windows Chrome are 15% more likely to experience crashes.”
The changes will happen in three phases over the next fourteen months to allow developers to update their code and ensure smooth running for affected Chrome users. The Chromium blog encourages developers to use Chrome Beta for early testing. These changes will likely begin in the Dev or Canary channels even sooner.
In April 2018, following a crash, Chrome 66 will alert users to the fact that other software is injecting code into Chrome and will guide them to remove or update that software.
In July 2018, Chrome 68 will start to block third-party software at the point of code injection. If this stops Chrome from starting, Chrome will restart and allow the injection to go ahead, but simultaneously flash a warning that guides users on how to remove the software.
In the final stage, January 2019, Chrome 72 will always block code injection.
However, while most software will be affected, there are some exceptions such as Microsoft-signed code, IME software and accessibility software.
Many third-party applications, such as antivirus or accessibility software, inject code into your web browser in order to offer additional features, including live debugging.
Developers will need to take notice of the advance warning, especially those who work on applications that rely on injection of code to function properly. It will force them to use Chrome extensions or Native Message API calls. According to Google, this will allow developers to retain their app features, but cause fewer browser crashes.
Blocking of third-party code injection will also make it harder for attackers to hijack the browser.