This document provides an overview of the Chrome Web Store review process and the enforcementactions that are taken when an extension violates the Chrome Web Store's policies. The enforcementpractices described in this document are accurate as of the document's last updated date and aresubject to change without notification.

SeeLifecycle of a Chrome Web Store item for an overview of how reviews fit in thelifecycle.

The review process helps protect end users from scams, data harvesting, malware, and maliciousactors seeking to take advantage of Chrome users, as well as from extensions that inadvertentlyviolate policy.

The basics

When you submit an extension for review, the review team will review the extension for compliancewith thedeveloper program policies and, if any violations are found, take appropriateenforcement actions.

Existing items are also reviewed periodically for compliance. We do this because the extensionecosystem is constantly evolving; as malicious actors evolve their attacks or exploits arediscovered, the review process must also evolve in response. Also, as the developer programpolicies change, we need to ensure that existing published items comply with current policy in orderto protect end users.

Review times

Chrome Web Store review times can vary. In early 2021, most submissions completed review in lessthan 24 hours, with over 90% completed within three days.

Note: If your extension is pending review for more than three weeks, pleasecontact developer support to request assistance.

The review process uses a combination of manual and automated systems. All submissions go throughthe same review system, regardless of the tenure of the developer or number of active users.However, some signals may cause the reviewer to examine an extension more closely, including:

• new developers
• new extensions
• dangerous permission requests
• significant code changes

These signals may therefore cause the review to take longer. Review times may also be longer thannormal after an extension has been rejected or warned.

Note: Note that all item submissions—whether for a new item or an update to an existing one—aresubject to the same review process.

Notable factors that increase review time

Reviews may take longer for extensions that request broad host permissions or sensitive executionpermissions, or which include a lot of code or hard-to-review code.

Broad host permissions

Host permissions patterns like*://*/*,https://*/*, and<all_urls> giveextensions extensive access to the user's web activity, especially when combined with otherpermissions. Extensions with this kind of access can collect a user's browsing history, hijack websearch behavior, scrape data from banking websites, harvest credentials, or exploit users in otherways.

Sensitive execution permissions

Permissions grant extensions special data access and manipulation rights. Some permissions do thisdirectly (for example,tabs anddownloads) while others must be combined with host permissionsgrants (for example,cookies andwebRequest). Review must verify that each requestedpermission is actually necessary and is used appropriately. Requesting powerful and potentiallydangerous capabilities takes more time to review.

Amount and formatting of code

The more code an extension contains, the more work it takes to verify that code is safe.Obfuscation is disallowed as it increases the complexity of the validation process. Minificationis allowed, but it can also make reviewing extension code more difficult. Where possible, considersubmitting your code as authored. You may also want to consider structuring your code in a waythat is easy for others to understand.

Review outcomes

There are a number of possible pass/no-pass outcomes, depending on whether it's a publishing reviewor a periodic re-review. These outcomes are described in the following sections.

Publishing review outcomes

This section describes how we handle policy violations that we find while reviewing an extensionsubmitted for publishing.

Note: Existing published items may also be checked for these same violations; that process is described inthePeriodic review outcomes section.

Publish review requests have two basic outcomes.

• No violations are found: The submission is approved and can be published to the Chrome WebStore.
• A violation is found: The submission isrejected and the developer isinformed why.

SeeDeveloper communication for details on how these outcomes are communicated backto the developer and how developers can contact the review team regarding the outcome.

Finally, a third potential outcome is that the submission is found to contain malware or anotherextreme policy violation. See themalware section for details on how theseverdicts are enforced.

Periodic review outcomes

This section describes how policy violations are handled during the periodic review process. Notethat a violation identified during thepublishing review process maytrigger a re-review of the currently published version of the extension.

Existing published extensions are occasionally subject to review outside of the standard submissiontime review process. Possible reasons for this include, but are not limited to regular periodicreview, review triggered by a violation observed in a new submission, and user reports of unexpectedor malicious behavior.

There are four outcomes for review of a published item:

• No violations are found: No action is taken. The extension remains on the Chrome Web Store.
• A minor violation is found: A warning is sent to the developer about the violation. Thedeveloper has a set amount of time to address the violation before the item will be taken down.Seewarning for more information.
• A more serious violation is found: The extension is immediately taken down and the developeris notified of the violation. Seetakedown for more information.
• An extreme issue is found: The extension is immediately taken down and the developerisnot notified. Seemalware for more information.

SeeDeveloper communication for details on how this is communicated and how toappeal the verdict.

Violation enforcement

In the event that a policy violation is identified during the review process, the Chrome Web Storewill take appropriate action depending on the type of review being performed, the severity ofviolation, the discretion of the reviewer, and potentially other factors.

Rejection

Rejection can occur in response to a "Submit for review" request. If the submission is found toviolate Chrome Web Store policy but is not an egregious policy violation, the submission will berejected.

In some cases, a violation detected in a submission may trigger a review of the published extension.If the violation is also found in the published version of the extension, additional enforcementactions may be taken.

Note: Rejection applies only when the submission is not found to contain malware or other extreme policyviolation. If an extension is found to contain malware during the submission review process, proceeddirectly tomalware enforcement.

Developer communication

The publisher email address associated with the extension will be sent an email stating that thesubmission was rejected. The rejection emails will state which policy the extension violated andprovide the developer with guidance on how to appeal the verdict.

Chrome Web Store listing

The extension's listing in the Chrome Web Store is not affected; the description text, imageassets, privacy disclosures, and published CRX all remain unchanged.

Chrome UI

End users are not notified when a submission is rejected.

Warning

If a currently published item is found to contain minor policy violations, Chrome Web Store Reviewwill notify the extension publisher of the violation via email. Depending on the violation, thepublisher are typically given 7 to 30 days to address the issue(s). The extension developer canresolve the warning by submitting a new version of the extension that fixes the violation(s) usingthe standard submission process. If the violation is not addressed within the warning period, theextension will be taken down.

The following information only covers the warning period. SeeTakedown foradditional information on takedown handling.

Developer communication

The publisher email address associated with the extension will be sent a warning email statingthat the extension will be taken down due to one or more policy violations. The exact length ofthe warning period depends on the observed violation.

If the developer does not resolve the violation(s) within the warning period, the publisher willreceive another email explaining that the warning period expired and that the extension has beentaken down. SeeDeveloper communication for additional information about emailcommunication.

Chrome Web Store listing

The extension's Chrome Web Store listing is not affected during the warning period. The item willremain available for download and existing users will be able to update to the most recentsuccessfully published version of the extension.

Chrome UI

End users are not notified during the warning period.

Takedown

Takedown refers to the act of removing an extension from the Chrome Web Store. In most situationstakedowns are not permanent: the extension's publisher can return the extension to the web store bysubmitting a new version that resolves the policy violation and passing the review process.

Takedowns occur in two primary scenarios. First, immediate takedowns occur when reviewers detect oneor more policy violations of moderate or greater severity in the published version of an extension.Second, delayed takedowns occur after thewarning period for a minor policyviolation expires. In both cases, the impact of the takedown is the same.

Developer communication

The publisher email address associated with the extension will be sent an email stating that theextension has been taken down due to one or more policy violations. In the case of an expiredwarning, the email will include a reference to the warning email the developer previouslyreceived.

Chrome Web Store listing

When an extension is taken down, it will no longer be available in the Chrome Web Store. If normalusers attempt to access the extension's listing, Chrome Web Store will return a 404 error. Ifthe developer that owns the extension or a member of the extension's group publisher list (ifthere is one) is logged into the Chrome Web Store, they will see the last published version of theextension and a warning at the top of the window indicating that the extension has been takendown. Additionally, the item will not appear in Chrome Web Store search results, collections,category listings, or elsewhere in the Chrome Web Store's consumer UI.

Chrome UI

End users are not notified of the enforcement action immediately after takedown. If the violationremains unresolved for several weeks, Chrome will automatically disable the extension and notifythe end user that the extension violates Chrome Web Store policy. Users may choose to re-enablethe extension if they wish.

Malware and extreme violations

The Chrome Web Store Review team has special procedures for egregious policy violations. In casessuch as malware distribution, deceptive behavior designed to evade review, repeated severeviolations indicative of malicious intent, and other egregious policy violations, more drasticmeasures are necessary.

To limit the potential for these developers to further harm users, the Chrome Web Storeteam intentionally does not provide details regarding these violations. Additionally, in more severecases the developer's Chrome Web Store account will be permanently suspended.

Developer communication

Unlike other enforcement actions, notificationis not sent to the publisher's email addresswhen the extension(s) are taken down. In the event that the developer's Chrome Web Store accountis suspended, the developer will be sent an email to notify them of that enforcement action.

Chrome Web Store listing

Just as with atakedown, the offending item is removed from the Chrome WebStore.

Chrome UI

The violating extension is disabled on all end user devices. Unlike standard takedowns, theseextensions cannot be re-enabled. Chrome notifies the user that the extension has been disabledbecause it was found to contain malware. Users may choose to remove the extension or dismiss thedialog.

Developer communication

The Chrome Web Store review process has two primary ways of communicating with developers: automatedemails sent to the extension publisher's email address and support tickets.

Support tickets must be opened using theOne Stop Support form, but once aticket is opened all communication takes place over email.

Note: Though the team monitors and responds to various online forums where Chrome extensions are discussed, these platforms are primarily geared towards discussions about extension development and are not intended to be support channels. If you need to raise any concerns, it is recommended to use the CWS Support form.

Automated emails

In all but the most extreme policy violations, the Chrome Web Store will send developers automatedemails informing them about the violation observed and the enforcement action taken. These emailsstate what policy or policies were violated, link to troubleshooting documentation related to theviolation, and provide the developer with guidance on how to appeal the verdict.

One Stop Support

TheOne Stop Support contact form provides Chrome Web Store publishers with asingle contact point to request assistance with a variety of issues. Concerns that necessitate escalation, such as issues with dashboard stats, transfers between developers, and developer account recovery, may take longer than seven days to answer due to the complexity and in-depth investigation required to identify the root cause or explanation.

Appealing a review verdict

Use the following steps to appeal atakedown orwarning.

1. Open theOne Stop Support contact form.
2. Select "My item (extensions, app, or theme)".
3. Select "My item was warned / removed / rejected".
4. Select why you are appealing, and the reference color and element.
5. Review the violation troubleshooting guidance.
6. Provide additional details as requested by the form.

Appealing an account suspension

Use the following steps to appeal a developer account suspension.

1. Open theOne Stop Support contact form.
2. Select "My developer account".
3. Select "My account was suspended".
4. Provide additional details as requested by the form.

A few minutes after submitting a support request, you should receive an email with a unique ID foryour support request. Depending on the size of the support queue and the specific violation, it maytake up to three days to receive a reply. If you do not receive a response within that period, youcan reply to the initial case email to request an update.

Please only open one support request per enforcement action. Multiple support requests makes it moredifficult for the agents assisting you to find and keep track of all of the relevant informationabout your issue.

Note: As a developer in the European Union, if you have concerns related to the Platform To Business (P2B) regulations in Europe, you can raise them by filing through theOne Stop Support contact form.