Google has added support for Content Security Policy (CSP) to Gmail, which will stop extensions from loading unsafe code that could interfere with Gmail sessions and spread malware onto users' systems.
CSP is a World Wide Web Consortium (W3C) standard for preventing cross-site scripting (XSS). It aims to improve web security through lightweight policy expressions, sent by the site, that tell the browser which sources of script and other content are trusted, and it complements HTML5's built-in security policies.
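To make concrete how a CSP policy decides what the browser may run, here is an added example (not Google's code and not from the article): a small evaluator for the script-src directive, with a permissive policy beside a restrictive one. The policies, page URL and hostnames such as apis.example.com are constructed placeholders.

```python
# Added example: evaluates the script-src directive of a CSP header to show
# why a restrictive policy refuses inline script (the usual form of code an
# extension injects) and script from any origin the site did not list.
from typing import Optional
from urllib.parse import urlparse

# Constructed policies for illustration (not Gmail's actual header).
WEAK_POLICY = "script-src 'self' 'unsafe-inline' *"          # runs anything
STRICT_POLICY = "script-src 'self' https://apis.example.com"  # own origin + one API host


def parse_csp(header: str) -> dict:
    """Turn "directive src src; directive ..." into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or wildcard subdomain match for patterns like *.example.com."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "a.example.com" yes, "example.com" no
    return pattern == host


def script_allowed(header: str, page_url: str, script_url: Optional[str]) -> bool:
    """True if a browser enforcing this policy would run the script.

    script_url=None stands for an inline <script> block. Only 'self',
    'unsafe-inline', '*' and host/origin sources are modelled; nonces and
    hashes are out of scope for this example."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return "'unsafe-inline'" in sources
    page, script = urlparse(page_url), urlparse(script_url)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif src == "*":
            return True
        elif src.startswith("'"):
            continue                         # other keyword sources not modelled
        else:
            allowed = urlparse(src if "://" in src else "//" + src)
            if allowed.scheme and allowed.scheme != script.scheme:
                continue                     # scheme given in policy must match
            if _host_matches(allowed.hostname or "", script.hostname or ""):
                return True
    return False
```

Under STRICT_POLICY an inline payload and a script from an unlisted host are both refused, while WEAK_POLICY accepts them; that difference is what the article credits with stopping extensions from loading unsafe code.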
Google is planning to use CSP to vet its extension code, reported Info Security.
Google said: "Most popular (and well-behaved) extensions have already been updated to work with the CSP standard, but if you happen to have any trouble with an extension, try installing its latest version from your browser’s web store (for example, the Chrome Web Store for Chrome users)."
The addition of another security layer is reportedly part of the search giant's ongoing Gmail upgrades, which include two-factor authentication, serving images through secure proxy servers, and requiring HTTPS as the default mechanism.
Google has also reportedly developed Inquisition, an internal web-based Java application built on Chrome and the Google Cloud Platform, which is being used in combination with the open-source Firing Range.
Inquisition provides support for HTML5 features and covers a wide range of XSS test cases.
Info Security also cited reports from High-Tech Bridge claiming that more than 90% of XSS flaws can be exploited in ways that even advanced users and IT staff would not suspect.