The Google Chrome team has taken an important step towards improving the security of extensions and apps by enabling Content-Security-Policy (CSP) by default. Extensions will now have to follow strict guidelines for the resources they load, which would prevent 96% of the vulnerabilities found in Chrome’s extension system.
CSP has been turned on in Chrome 18 (currently in the beta channel), and extension developers have been asked to update their extensions to follow the new guidelines. Because CSP is not compatible with the legacy extension system, it will be rolled out gradually to avoid incompatibility issues for existing extensions.
The Chrome Web Store has no manual review process for hosted extensions and apps, but features like CSP and the sandboxed architecture make Chrome’s extension system much more secure.