Microsoft has unveiled an updated version of its Publish API for Edge, targeting third-party browser extension developers. This new iteration aims to enhance security for developers’ accounts and streamline the extension update process.
The revamped Publish API for Edge encourages developers to initially submit new extensions to the Partner Center. Once approved, subsequent updates can be managed through either the Partner Center or the Publish API.
The new Publish API additionally ensures that secrets become dynamically generated API keys by default for every developer. This change mitigates the risk of hackers discovering login information through code or data breaches. Microsoft stores these dynamic API keys as hashed values in their databases, further bolstering security.
Stop or limit misuse
Furthermore, Microsoft is improving the security of external Edge extensions by internally generating access token URLs. Developers no longer need to provide these URLs when updating their extensions, reducing the risk of exposure and potential exploitation for pushing malicious updates.
Another significant security enhancement is the shortened expiration period for API keys, now set at 72 days instead of the previous two-year duration. Rotating secrets more frequently prevents long-term abuse when a secret is exposed.
Currently opt-in
The new security features in Publish API are part of the Microsoft Security Initiative. With this program, the tech giant aims to upgrade security features across its product portfolio. While these enhancements are currently opt-in, it’s plausible that they may become mandatory for third-party browser extension developers in the future.
Microsoft is not the only browser provider bolstering the security of its browser extensions. Google is actively rolling out its Manifest V3 program, to which all Chrome extensions must comply. Tens of thousands of extensions still do not meet these security and performance requirements, which could cause problems for many users in the future.
Also read: Microsoft Edge tests browser extensions for performance issues