There are many extensions available for Chrome, including plenty built specifically for Gmail, and while Google has always done its best to ensure malicious add-ons don’t become widespread, they are certainly out there. Over the last year, the company has taken steps to improve privacy for its Gmail users, a move believed to have been sparked by NSA security issues, among other things.
Google is now ready to take things even further. Danesh Irani, Software Engineer for Gmail Security, took to the official Gmail blog today to announce some new security measures surrounding extensions. As mentioned in the post, Google is already using secure proxy servers for images and requiring HTTPS, but has now implemented something called Content Security Policy (CSP).
CSP is essentially a web standard that lets a site restrict what code can be loaded into its pages, which stops malicious extensions from doing things you don’t want them to. Some add-ons load messy code that slows things down, while others purposely run malware to compromise your security.
According to Google, most popular extensions have already been updated to work alongside CSP just fine, but it sounds as though there are a number that haven’t been. Google advises making sure you have the newest versions of those extensions if any problems arise. Outside of users who run a lot of different Gmail add-ons, CSP seems like mostly a good thing that will hopefully help to tidy up some of the messy extensions out there and get rid of the malicious ones.