How will the change that Google will introduce moving from CRX2 format to CRX3 affect the DLP Endpoint Agent?


Article ID: 184631


Updated On:


Data Loss Prevention Endpoint Prevent


Google Chrome extensions will move from CRX2 to CRX3 format from Chrome version 76. 

Google provides the latest update here: Chrome 75: June 4, 2019 explaining the following: 

"All privately-hosted extensions must be packaged with CRX3 format in Chrome 76. 
This change was originally planned for Chrome 75 but it’s now scheduled for Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.

CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. For the CRX2 deprecation timeline, see Chromium.

Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail."


Symantec uploads the Endpoint Agent extension to the Chrome web store and Google takes care to ensure that the extension uses the CRX3 format once uploaded so there is no action required.