For Google, it's not enough to warn you when an extension attempts to install from outside the Chrome Web Store. Starting in January, Windows users will be able to install extensions only from the official store, as Google blocks all other extension sources.
Erik Kay, Chrome's engineering director, wrote in a blog post that the current security mechanism isn't enough. It asks users if they want to install the extension when it comes from outside the Chrome Web Store, but "bad actors" have figured out how to bypass it.
The malicious extensions that get installed override browser settings and replace the New Tab page, a major gripe from Windows users, Kay said.
The change will affect Chrome stable, the version used by most people, and Chrome Beta. Chrome's developer and Canary builds will remain unaffected. Google is encouraging developers of non-malicious extensions to migrate their extensions to the Chrome Web Store before January. Web site developers can use Chrome's inline installs feature, and businesses can use Enterprise policy.
While the change might have a deleterious effect on software that regularly installs extensions from outside the store, such as security suites, some of them have already moved their extensions to the Chrome Web Store. Others, Kay said, will be able to host their extensions in the store but with the listings hidden from search.