[HN Gopher] Chrome users beware: Manifest v3 is deceitful and th... ___________________________________________________________________ Chrome users beware: Manifest v3 is deceitful and threatening Author : dredmorbius Score : 233 points Date : 2021-12-09 20:22 UTC (2 hours ago) (HTM) web link (www.eff.org) (TXT) w3m dump (www.eff.org) | Glench wrote: | Wow, I kind of thought the headline would be an overstatement, | but the article actually seems pretty even-handed and truthful in | describing what's happening with Google's power over the browser | market. | breezeTrowel wrote: | I, on the other hand, found the article to be terrible. | Consider the following quote: | | > _Manifest V3, or Mv3 for short, is outright harmful to | privacy efforts. It will restrict the capabilities of web | extensions--especially those that are designed to monitor, | modify, and compute alongside the conversation your browser has | with the websites you visit. Under the new specifications, | extensions like these- like some privacy-protective tracker | blockers- will have greatly reduced capabilities._ | | One would think that the article would then go on to detail | exactly what these "new specifications" are and how would they | reduce the capability of ad and tracker blockers. | | That never happens. We keep getting statements to the effect | that Manifest V3 is bad but we're never told what makes it bad. | | What aspects of Manifest V3 limit ad blocker capabilities? | Since Manifest V3 has been introduced way back in 2019 and, | since then, has gone through various changes, are the quotes | listed towards the end of the article recent or do they reflect | an earlier version of V3? | | There was controversy over changes to the WebRequest API but | that was two years ago and, I believe, changes have been made. | Are there still changes that break functionality? What changes | were made over the past two years? Have things gotten better or | worse? | | The article gives absolutely no details. | dessant wrote: | Follow the links in the first paragraph of the article, they | go into details about the technical aspects of why Manifest | V3 is harmful to users. | | It's disappointing to see this sentiment again, as this has | been Google's tactic in the past decade: feign innocence and | initiate technical discussions, then move goalposts and start | over until their opponents are exhausted. | | When we first heard of Manifest V3, it took them months to | find a ridiculous reason for no longer allowing proper | control over requests in Chrome, and they kept jumping | between performance, privacy and security, as researchers | refuted all their technical arguments one by one. | | By now there is nothing left to discuss, they'd just need to | stop being malicious. | plorkyeran wrote: | The article does not mention changes over the last two years | because there haven't been any to mention. The new WebRequest | API still does not support blocking requests (and still does | support _recording_ requests), and the replacement for that | functionality is still very limited. | breezeTrowel wrote: | > _The new WebRequest API still does not support blocking | requests (and still does support _recording_ requests), and | the replacement for that functionality is still very | limited._ | | Thank you. What you wrote is information that needs to be | in the article but is not mentioned anywhere. The closest | thing is a quote from Mozilla regarding their extensions | security review process. | mortehu wrote: | > WebRequest API still does not support blocking requests | (and still does support _recording_ requests) | | The whole point is that there would be no reason to allow | any ad blocking extension access to the WebRequest API | anymore. | | The replacement, declarativeNetRequest, does not require | the user to give any permissions, so the days of granting | ad blocking extensions full access to every page are gone. | | If you think Google is doing this for their own gain, I | guess you can simply ask if declarativeNetRequest will be | able to block all Google ads, or if you really need a | turing complete language for that. | Shank wrote: | > There was controversy over changes to the WebRequest API | but that was two years ago and, I believe, changes have been | made. Are there still changes that break functionality? What | changes were made over the past two years? Have things gotten | better or worse? | | The WebRequest API's blocking functions, which are central to | the functionality of uBlock, are still slated to be removed. | breezeTrowel wrote: | Thank you. I hope the author of the article reads this | thread and ads a proper summary of the problematic changes | that Manifest V3 introduces to the article. | tyingq wrote: | Blocked under the supposed reason of privacy, but | extensions can still see every request, and inject whatever | javascript they want, exfiltrate your data, etc. Meaning | the reason is pretty clearly not privacy. | sonofhans wrote: | I agree with you. The article is terrible. It's a collection | of reactions and scare quotes from industry figures. I | followed the first few links in the article and they're not | much better. You'd hope that EFF, of all people, would be | able to make a simple and compelling summary of the issue. | HappySweeney wrote: | So I guess someone will have to come up with a turn-key pihole- | alike? | [deleted] | mh- wrote: | Not even close to a replacement for the type of active, | context-aware evaluation uBlock can do. | | Additionally, if a solution like Pi-hole was ever sufficiently | mainstream, more sites would start serving their ads from the | same hostname as the page. It's not difficult to do with the | CDN providers most media sites already use. | cheschire wrote: | Doesn't https and subsequently DNS over HTTPS effectively | negate pi-hole? Honest inexperienced question. | EvanAnderson wrote: | Yes. Next you'll have to MiTM the DNS over HTTPS. Next in the | arms race comes certificate-pinning. Controlling your name | resolution will probably remain possible on Linux, but I | expect most other platforms will make it exceedingly | difficult for "normal" users. | | Embedded devices are already "game over". You don't own them | (even if you paid for them). | | Controlling name resolution on your own network (and MiTM'ing | HTTPS) makes you the same as a hostile nation-state actor. We | can't have that. | kelnos wrote: | > _Embedded devices are already "game over". You don't own | them (even if you paid for them)._ | | Ugh, seriously. I have a Chromecast, and couldn't figure | out why it wouldn't play things on my local network (via | DNS names set up in my router's resolver). Turns out Google | hard-codes their own DNS servers and doesn't allow you to | change them. | | The fix was to give the Chromecast a reserved IP address, | and then set up some iptables rules on the router to | redirect requests from it to 8.8.8.8 and 8.8.4.4 on port 53 | to my router. I'm surprised that Chromecast is using old- | school port-53 DNS and not DoH. | sofixa wrote: | HTTPS no, because you're still making regular old DNS queries | for every domain, but DNS over HTTPS or stuff like | Chromecasts using hardcoded DNS servers do effectively negate | Pi-Hole. | pkulak wrote: | HTTPS doesn't, though DNS over HTTPS does. No one really uses | DNS over HTTPS right now though. | judge2020 wrote: | While a good message that does have actual merit if you know | what's happening already, I don't see how this is a legitimate | consideration of MV3. | | The entire argument regarding security doesn't mention any of the | reasons Chrome developers cite its security improvement, instead | it brings up that Firefox "does good enough already" and that | malicious extensions can still get past the review process. the | review process is by itself improved with V3 as extensions that | pull in code remotely can no longer get past the review | process[0], especially with how many current extensions implement | RCE C&C intentionally. They also say extensions are "usually | interested in simply observing the conversation between your | browser and whatever websites you visit" - that's 'usually', | though; malicious extensions intercepting and modifying requests | for their own benefit isn't unheard of. | | Instead of only stating 'this is bad', it would be beneficial to | include both (A) what they say (B) their basis for the decision, | if any (C) why that line of reason is incorrect/deceiving. | | 0: | https://developer.chrome.com/docs/extensions/mv3/intro/mv3-o... | yonixw wrote: | Google has not provided any reason to not include "block | request" functionality. And that the super bad faith underlying | fact that poison their "reasoning". | kevingadd wrote: | Anyone who pays attention to the web platform should know by | now that any rationale Chrome (or Google in general) developers | give for web platform decisions is made up. They repeatedly | told us they had specific motives for AMP and it was all a lie, | AMP was designed to tighten their grip on the advertising | market. It's not the only example - the way their autoplay | whitelist works is also transparently manipulative despite lies | to the contrary - and I would bet money that MV3 is partially | motivated by business incentives in the same way. Googlers' | paychecks are signed by Ads and GCP and ad-blockers actively | undermine the former. | syrrim wrote: | Beneficial in what sense? If manifest v3 is still bad on net, | then including chrome's counter arguments makes for bad | rhetoric and thus does a poor job of advancing a valiant goal. | rektide wrote: | Previously extensions could be background pages, with access to | DOM & Web Platform apis. MV3 currently reduces them to Service | Workers, able to use far far far less capabilities. This is a | massive massive downgrade for Extensions, unfathomable really. A | Mozillaian proposed a less limited Limited Events Page but Google | has snubbed it & not discussed. | https://github.com/w3c/webextensions/issues/134 | | Extensions are forced to use a small subset of JavaScript with no | dynamic code execution. Eval() is banned. Function is banned. | Embedding a scripting language inside JavaScript to circumvent | this is banned. This is a mere ghost of JavaScript left over. | Google claims it's to make it easier for them to insure | extensions are safe & protect users, but just as much, to me, | this is to protect Google from capable & competent extensions | allowing users to expand their agency: now extensions have to be | narrow, fixed use, specific extensions. Tools like GreaseMonkey | are all dead. The web becomes no where near the hackable medium | it is, all for a little convenience for Google. | https://github.com/w3c/webextensions/issues/72 | https://github.com/w3c/webextensions/issues/139 | | A lot has been said & discussed about MV3's | declarativeNetRequest; this is where the visible war has raged in | MV3 for a while now. I'm not a huge fan but it's also one of the | more minor side-shows in this debate, to me. High impact on ad- | blocking, but ultimately there's enough compromise & wiggle room | here, enough possibility to make this not awful, and if things | are left truly bad, there will be enormous hell to pay & this | will blow up. DeclarativeNetRequest feels like a side show to how | much real ruin & savagery is being wreaked by the first two | issues I outlined, being wreaked upon the most powerful & | interesting & defining software humanity has, that we augment | ourselves with as we do software: our user agent extensions. | | I generally find Google to be quite a good steward for the web & | am so happy they advance so many different initiatives & | capabilities. But this is something that is extremely near & dear | to me. The web is different & better than all other software, to | me, because it is malleable, because the user-agent gives us | power. MV3 is a radical curtailing of us the users. A radical | shift towards a web that we have to simply accept, as is, that we | cannot bend & shape as we want. Everything happening here feels | abhorrent & disgraceful. | | The process also feels totally goofy. Google is simply flipping | the switch next month. They built what they wanted to as a new | spec, debated some about feedback, leave comments that oh yeah, | we maybe do need to do something about GreaseMonkey, maybe we do | need to fix some of the missing use cases, but we're going ahead | with Apocalypse Now anyways. This is the most hostile use of | standardizing to destroy that I have ever witnessed. | | If Google is having such a hard time hosting extensions as is, | they need to stop. They need to close the Google Chrome Web Store | for Extensions & stop trying to moderate it. Create a 3rd party | store model, let other people serve as the agents of trust. They | absolutely positively cannot be allowed to come along & | standardize a much much much lower powered form of extension than | what we've had, purely because they've had such a (sad fiddle) | hard time running an extension store. Their justifications & | pleading that these amputations to us are for our own good ring | so very very false to me. Google needs to give up being a | regulator of this power if it's too much for them. | tentacleuno wrote: | > I generally find Google to be quite a good steward for the | web & am so happy they advance so many different initiatives & | capabilities. | | I don't. Especially not with FloC[0][1]. | | [0]: https://www.eff.org/deeplinks/2021/03/googles-floc- | terrible-... [1]: https://developer.chrome.com/docs/privacy- | sandbox/floc/ | breezeTrowel wrote: | Have background pages ever had access to DOM? Usually all | interaction with an observed tab is done through content | scripts not background pages. Same goes for evaling JS code | within the context of the inspected window. | kevingadd wrote: | By DOM access I assume they mean that since background pages | are pages, you can do things like use IMG and SCRIPT tags to | load resources, and perhaps a CANVAS to rasterize images that | you then serve to pages via an extension URL or something. | I've done stuff like that before so I can imagine there being | use cases for it, but it's kind of niche. | aeharding wrote: | Manifest v3 is a shit show. | | https://github.com/w3c/webextensions/issues?q=is%3Aissue+is%... | ineptech wrote: | If Chrome can kill uBlock and use its dominance to do user- | hostile stuff, and Firefox goes along "in the interest of cross- | browser compatibility", then what the hell's the point of Firefox | in the first place? | pkulak wrote: | My assumption is that Firefox will be implementing the | standard, but not the restrictions. Am I wrong there? | amelius wrote: | Firefox also implemented DRM. | ok_dad wrote: | DRM doesn't limit anything for the user except for some | video content. The day DRM prevents doing things to | requests and such, like Manifext v3 does, then I will care. | Right now, I'm happy to be able to watch One Punch Man on | my laptop. | pkulak wrote: | I needed them to do that so I could watch Netflix. Debate | it all you want, but it made my life measurably better and | I'm glad they did it. This would only negatively effect me | (and everyone else). | danuker wrote: | How is your life measurably better, by comparing it with | other people's fake and perfect and amazing lives (in | Netflix videos)? | handrous wrote: | > other people's fake and perfect and amazing lives | | Uh, if that's what we're supposed to be using movie and | TV streaming services for, I've been watching precisely | the wrong things. | | Seems more like a description of social media & (not | unrelatedly) advertising. Or maybe porn. | contravariant wrote: | You can tell this argument is flawed because it applies | to _all_ forms of video. | tomjen3 wrote: | That would be Insta, not Netflix where you are watching | interesting/awesome stories. | Spivak wrote: | Because some people don't find digital DVD rentals to be | an affront to their freedom and just want to watch | Squidgame? | mkl wrote: | You are pretty much right. There's no need for assumptions | though, see https://blog.mozilla.org/addons/2021/05/27/manife | st-v3-updat... and | https://blog.mozilla.org/addons/2019/09/03/mozillas- | manifest.... | prox wrote: | I really hope so. Any good sources to find out Mozilla's | stance? | mirashii wrote: | https://blog.mozilla.org/addons/2021/05/27/manifest-v3-upda | t... | | > We will support blocking webRequest until there's a | better solution which covers all use cases we consider | important, since DNR as currently implemented by Chrome | does not yet meet the needs of extension developers. | tentacleuno wrote: | It would certainly be interesting they implemented | blocking webRequest (just to keep compatibility with | Chrome) and then added a Firefox-specific API for | blocking web requests. | kreetx wrote: | I'd guess even if Firefox did keep extensions unrestricted | then slowly they would die away - given how much smaller the | user base will be. We need some new power to emerge in this | space. | bee_rider wrote: | If Firefox keeps full extension capability, as a superset | of Chrome's gimped implementation, then extension | developers can decide how they want to handle the | incompatibility. | | I don't really get how the extension ecosystem works anyway | -- extension developers are usually just sharing something | they use to be helpful/make a point, and then some tack on | donations thing, right? Since nobody is doing this to get | rich I suspect they won't chase marketshare. | NewEntryHN wrote: | There is surely a bias between users of extensions of | uBlock Origin and users of Firefox. The userbase is still | smaller, but maybe not enough to completely throw away | development. | danuker wrote: | I believe they would gain users from Chrome, where you | won't be able to block ads anymore. | dariusj18 wrote: | I would certainly stop using Chrome | skinkestek wrote: | Just do it today :-) | | I often have a month or more long streak between every | time I have to use Ch#%!e ;-) | | Bonus point for devs: If it works in Firefox it usually | works everywhere since Firefox had always been reasonably | standard compliant. | tomjen3 wrote: | If they do that, it will be forked. | NewEntryHN wrote: | Firefox has already been forked multiple times because of | decisions from Mozilla, see [Pale | Moon](https://www.palemoon.org/) or | [Waterfox](https://www.waterfox.net/). Few people use those | forks, for the simple reason that what has been removed from | Firefox is not game-changing enough to mandate an exodus. | However I agree that removing support for uBlock Origin will | surely be another story. | skinkestek wrote: | > Few people use those forks, for the simple reason that | what has been removed from Firefox is not game-changing | enough to mandate an exodus. | | This is not the reason for me at least to not use it as my | main browser. | | I recently tested and the speed is good and it is | absolutely wonderful to have true full fledged extensions | and complete themes. | | My reason is that I'm worried if their security is good | enough. If we could somehow be sure about that I'd actually | happily leave modern Firefox behind for it. | | Personally I'm hoping for someone to create a patch set and | bulld binaries based on it to re-enable the old stuff, not | by letting extensions muck around in the internals but by | providing defined extensions points like: | | - enable / disable tab bar | | - provide your own tab rendering code | | - etc | Nuzzerino wrote: | Just wanted to leave a reminder here that low user count | does not necessarily imply low utility. The goal of a fork | isn't to become the next monopoly. | matheusmoreira wrote: | They should probably just special case uBlock Origin at this | point. It's too important an extension to allow it to be | limited. | josefx wrote: | Are you sure you don't want to hard code the original | "uBlock" instead of the "Origin" fork while you are at it? It | already had a perfectly fine hostile takeover in the past, no | need to wait for a new one. | ynth7 wrote: | I think you mean "what open web?" | | Back to IRC DCC style sharing and distributed computing with | VPN | | No need to follow the money to do interesting engineering and | computing. Interesting is subjective and wrapping a white paper | in the cruft to host it as a service in the cloud isn't | interesting engineering | | Part of me wonders if the chip shortage is real or just a way | to hide big corp hoovering them up for DC hosted services. | dessant wrote: | I have a couple of popular extensions on the line, and I no | longer see a way to stop Google without immediate government | intervention. I am confident that they are not acting entirely in | good faith, regardless of the much needed and useful parts of | Manifest V3. They will get away with anything, be fined again in | a couple of years for the growing list of illegalities they | commit, and now they'll also harm the browser extension | ecosystem. | | Some of the extensions I maintain will no longer work, or have | reduced functionality for no acceptable reason, and some of the | projects that I have been preparing to release have now been | abandoned, because they rely on having proper control over | requests in the browser. | xxpor wrote: | Where do people get this sense of entitlement from? Please cite | one law you believe Google has broken. | dessant wrote: | > Where do people get this sense of entitlement from? Please | cite one law you believe Google has broken. | | Just like Amazon (your employer), Google has also been fined | several times in the past decade for illegal business | practices. Their illegal activities are extensively | documented, and in some cases they were forced to change | course due to regulatory intervention. Fell free to look it | up, I don't think there is a need to relitigate objective | reality. | bee_rider wrote: | No you have to understand, as long as a company doesn't | commit enough crimes to be literally run out of business, | we have to pretend it is good for some reason. | dane-pgp wrote: | And if a company does go out of business after committing | too many crimes, then the problem is too much regulation | holding back innovation. | heavyset_go wrote: | > _I have a couple of popular extensions on the line, and I no | longer see a way to stop Google without immediate government | intervention_ | | As the developer of several extensions that are impacted by | Google's anti-competitive actions, you can report how this | impacted both you and the market as a whole to the competition | and anti-trust divisions of the government. I've posted links | to forms and sites that you can use to report to the relevant | state-level and federal-level regulators on HN here[1]. | | If you aren't in the US, the US also has antitrust legislation | that applies to US companies operating in foreign countries, as | well as a myriad of antitrust treaties and agreements with | other nations. It might be worth it to also report it to the | government of the country you reside in, as well. | | [1] https://news.ycombinator.com/item?id=28176193 | kevin_thibedeau wrote: | Make them first class Firefox extensions. | preinheimer wrote: | I mean you can, but firefox doesn't treat you any better. We | waited 2+ months to get a minor update through review, and | getting it through that quickly took emailing several folks | (including one from HN). During that whole process they also | removed the display of your queue position, making it even | more opaque. | | At some point they disliked something in our extension that | had been live for months, and disabled every release in the | past year. At another point they found something wanting in a | 2 year old release (not a recent one) and threatened to | remove it from the store, our attempts to continue that | conversation or just allow it to be pulled to save everyone | some time met with crickets. | skinkestek wrote: | At this point I am seriously wondering if Mozilla is paid | to drive Firefox into the ground. | lunfard000 wrote: | It will be interesting what Microsoft will do, at first glance | they don't care about advertisement and allowing ad-block would | bring a lot of users to their ecosystem. (they already have soft | adblock out of the box) | account-5 wrote: | That probably because their operating system is infested with | advertisements and data exfiltration mechanisms. Why would they | need the browser to do it too? | tpmx wrote: | I've been using Chrome for such a long time now (since like a | year after it launched), out of convenience and because it used | to be fast (and more secure). It's definitely time to switch. | | I think my main alternatives are Brave, Vivaldi and Firefox. | pkulak wrote: | Please Firefox. The first two are just Chrome wrappers. | tpmx wrote: | Well I like both Brendan and Jon, and I actively dislike | Baker's leadership of Mozilla. However, Mozilla seems to have | the highest investment level into the their desktop browser. | I'll test Brave first. | anewguy9000 wrote: | You realize Firefox only exists because it serves Google's | interests right? | | And while Brave might be based on Chromium, it is distinct; | in addition to not crippling nativewebrequest as chrome will, | it's native adblocker is compatible with the same lists as | ublock origin. So I would go with Brave :) | [deleted] | celsoazevedo wrote: | What will Brave, Vivaldi, etc, do when Google makes some | change that breaks the current APIs? Do they have the | resources and are willing to continue to support them? | seph-reed wrote: | FWIW, Brave does. | pkulak wrote: | If Google is not able to control ad-blocking because all | the Chromium clones refuse to play ball, what do you think | they will do? I have no idea. Maybe just close Chromium | entirely, and force all the clones to shut down since | there's no way they have the engineering resources to keep | up with Google. | | EDIT: Except for MSFT... that would be interesting for | sure. | kelnos wrote: | > _You realize Firefox only exists because it serves Google | 's interests right?_ | | Ironically, though, the larger Firefox's market share, the | more Google will pay to be the default search engine in | Firefox. Yes, it's perverse and a little gross that we | depend on Google to such a large degree to keep Mozilla and | Firefox funded, but having more users increases Mozilla's | leverage over Google. | | Anyway, your point isn't really relevant. Unless you | believe Google is dictating nefarious things to Mozilla and | has subverted Firefox (difficult since Firefox is open | source, but not impossible), you should still be using | Firefox. If you care about not continuing to give a giant, | monopolistic advertising company control over the web, | anyway. | pkulak wrote: | If Google actually gave a crap about security, they would let you | disable extensions. As it is, I have to routinely delete | malicious extensions from every family member's Chromebook. Lord | knows how they get there, but they always do. Since this new | standard still lets extensions observe everything, I don't see | what the point is. | jeroenhd wrote: | You can only signed addons these days, so they must be sourced | or at least signed by Google. Especially on Chromebooks which | are more restrictive in the software they run. | | My guess would be that your family members got social | engineered into installing that crap ("this web page only works | with X, click here to install"), ort their browsers got | exploited and hacked (very unlikely!). You'll probably need | full MDM to prevent these websites from getting their users to | enable extensions. | | The problem with disabling extensions is that whatever has the | capability of pushing extensions into your browser also has the | ability to change the settings for addons. The only solution I | can think of is to create a Chromium build that cannot run | extensions at all. | dathinab wrote: | Remindes me one time one time a old person I sometimes help | out got social engineered to enable desktop notifications for | a website. | | And as a non windows user it took me a while to realize that | this notifications come from the browser as desktop | notifications and disable them. Its still a riddle for me how | chrome managed to make it both very obvious and very unclear | at the same time that this are websites desktop | notifications. (As a counter example I used some sites which | used desktop notifications on FF/Andriod instead of making a | app just because notifications, that I loved) | technobabbler wrote: | Point is they get to make ad blocking harder. | pkulak wrote: | lol, well, yeah. | izacus wrote: | Chrome allows you to disable installation of extensions via | Group Policy for a looong time now: | https://security.stackexchange.com/questions/66239/how-to-pr... | oliverulerich wrote: | but sadly Group Policy is not available on Windows Home | edition | jeroenhd wrote: | In most cases, you can get group policies like these to | work if you manually create the registry keys that GPO | would create for you. It's more complicated, but it can | work. | pkulak wrote: | I'm just not smart enough to figure that out. That first | answer references steps that don't exist on any Chromebook | I've ever seen. So I assume I have to enroll the machine in a | group policy externally? I have no idea. Never been able to | figure it out. I usually just end up installing an extension | (oh, the irony) that blocks the extensions domain. :/ | mkl wrote: | > That first answer references steps that don't exist on | any Chromebook I've ever seen. | | That's because Group Policies are a Windows-only thing. | jeroenhd wrote: | Chromebooks don't run Windows, so Group Policies won't work | for you. | | You can get the same (and more) control with an Enterprise | subscription from Google which seems to cost about $50 per | year, per device. | wumpus wrote: | That's windows-only, right? | judge2020 wrote: | IIRC you can apply it on macOS via MDM / configuration | profiles, but that's not as simple as gpedit.msc. | rektide wrote: | This post carries a lot of water for user-hating user-blaming | anti-extensions. | | I'm sorry that your family are... having such a hard time | making reasonable choices for themselves. I have literally | never seen this anywhere, or heard any coworker ever report | their family rampantly adding shitty extensions. I tend to see | pretty clear & obvious signals about what extensions are good & | ok when I go to consume. Bad extensions seem to be discovered | fairly quickly & taken down. The world seems no where near as | grimdark as you project to me. | | Alas I think it requires a paid Google Enterprise account, but | your family sounds like their need external management of their | browsers. That they should, like a school computer, have an | administrator & a denylist or perhaps even allowlist of what | extensions they can use. | | This post spreads so much Fear Uncertainty and Doubt. Trying to | justifying ending a good thing because some creative user keeps | finding a way to misuse, to not listen to sense, to not make | good judgement... I find it unfortunate that such heavy | fearmongering, such terror at the world is allowed to sway us | so heavily. | | Ultimately I want 3rd party sites hosting extensions. Not | Google. And I want moderation teams able to surface claims that | some extensions are bad. We need more choice, more democracy, | more ability to help each other. Sunlight is the best | disinfectant. Simply giving in to the bed-wetting terror of, oh | no, freedom & denying ourselves user-agency is intellectual | suicide for the web. | pkulak wrote: | > I'm sorry that your family are idiots. | | Stopped reading there, mate. | gnicholas wrote: | Does anyone know how the Manifest v3 changes will affect | extensions that modify pages for accessibility reasons? | porkbrain wrote: | As long as those extensions don't fetch and execute any | JavaScript that hasn't been bundled at the time of Chrome store | submission, they'll be fine. The biggest change happens at the | API for monitoring and managing web requests. | kevingadd wrote: | Generally speaking it shouldn't impact them, but it may make | them more awkward to use. And the developers will have to | change a lot of code. | hunterb123 wrote: | What!? Google acting in interest of ads and not users?!? | | Who cares? Just use Brave and kill Chrome off. | donatj wrote: | I miss the early days of Firefox extensions (circa 2004) where an | extension could in very powerful ways completely change the | layout/functionality of your browser; when they had near | unlimited access to the XUL and could change anything and | everything. | | I used a ton of very useful extensions then. Nested tabs were one | of my favorites. These days I've got a password manager, a | bookmark checker, and a tab manager I wrote myself. | | They're just not allowed to do anything _too useful_ these days - | I know what they have access to, I write Chrome extensions. A lot | of them should just be standalone desktop apps. | | Like most things, normies came in, shot themselves in the foot, | made a fuss, and now we can't have nice things. | kelnos wrote: | Has nothing to do with "normies". With the old extension | system, Mozilla couldn't make any substantial changes to | browser internals (like multi-process, among other things) | without breaking everything. It makes sense to have clear | boundaries between the core and extensions, and keep | implementation details out of the extension interface. | hippofever wrote: | Take a look at http://nyxt.atlas.engineer/. | | It's written to be extensible/introspectable, and the extension | language is Common Lisp. | donatj wrote: | Looks like it would have a very steep learning curve. | superkuh wrote: | The least worst web browsers these days are typically the older | Firefox forks that have maintained XUL and powerful extensions. | But this class of browsers is rapidly become few and those left | are run by... controversial personalities. | dathinab wrote: | While I also miss some of the capabilities, I also can | understand why Firefox removed them. | | Extensions systems which don't have very clear cut boundaries | like XUL are just add a very hefty maintenance burden and make | review extremely hard. | | It's not really about "normies". | | This doesn't really apply to the current change, as extensions | already have clear boundaries and and as the article pointed | out problematic apps likely won't be too much affected as they | often already do things which bypass the constraints to avoid | detection by the reviewer... (assuming I understand the topic | correctly) | power78 wrote: | I wish Firefox would have left the old extension abilities. | They could have easily added the WebExtensions standard to | allow for cross-browser compatibility and not removed the old | functionality. | readflaggedcomm wrote: | They basically did, until the underlying browser became | incompatible. That was the point: to have a stable API | instead of extensions relying on implementation details, | which includes multiple processes. | kevingadd wrote: | Once multi-process was adopted, old extensions couldn't work | anymore. The design simply didn't work. | ilaksh wrote: | One option is to just move away from browsers entirely. We can | take some of the good things. Like maybe a small subset of HTML | and web assembly. Add some minimal IO to web assembly. | tux1968 wrote: | A website being rendered by opaque, per-site web-assembly code, | is not going to be amenable to uBlock, Greasemonkey or any | other user-empowering extensions. | lobocinza wrote: | Two weights and two measures. | [deleted] | polote wrote: | I honestly think that Google underestimated how much they are | going to piss off users with MV3. There are thousands of | extensions that will stop working and be impossible to build. But | also there will be a lot of broken experiences as remote loading | is forbidden and fixes will need a new release. | | Can't wait, but that's a very good opportunity for Firefox as | Firefox will become more powerful than Chrome | csdvrx wrote: | Or more likely, towards Edge, by virtue of requiring almost no | effort to deploy the same set of extensions in a very similar | browser in the hands of a company who doesn't require | destroying privacy as much as google does to keep making money. | fooey wrote: | Edge seems to be trying very hard to kill all the momentum | they've gained | | They recently baked in a "feature" to hijack online shopping | with some Pay Later garbage: | | https://gizmodo.com/microsoft-keeps-making-its-edge- | browser-... | | Now they're running gross little popups if you browse to the | Chrome installer in Edge: | | https://gizmodo.com/seriously-what-is-going-on-with- | microsof... | | > "Microsoft Edge runs on the same technology as Chrome, with | the added trust of Microsoft." | | > "That browser is so 2008! Do you know what's new? Microsoft | Edge." | | > "I hate saving money," said no one ever. Microsoft Edge is | the best browser for online shopping. | nvrspyx wrote: | IIRC, the Edge team said they would adopt manifest v3, but | correct me if I'm wrong. | sharken wrote: | This page intended for developers of Edge extensions seems | to support your statement: | | https://github.com/MicrosoftDocs/edge- | developer/blob/main/mi... | [deleted] | cube00 wrote: | One of the "benefits" to Microsoft of using Chromium is | reduced development costs and they're not going to get that | if they let the forks diverge too much. | tentacleuno wrote: | Right, but 'we don't support this!' would be a great look | when most technical people are already strongly opposed to | Manifest v3. I'd call it an easy win, but of course they'd | have to maintain that and possibly implement / design their | own API's when Manifest v4, for example, comes out... so | it's definitely not as easy as it may seem. | [deleted] | korethr wrote: | In the article, Firefox is cited as intending to adopt MV3 for | compatibility reasons. If they indeed do so, I'm not sure how | much relief running Firefox will offer from the more evil | aspects of MV3. | jeroenhd wrote: | With Firefox's market share, not much. This could massively | benefit Firefox adoption, though, because everyone relying on | old extensions will have to switch. | | From that viewpoint, the new restrictions could actually be a | good thing. | renzo88 wrote: | My understanding is that they will adopt but continue to | support "legacy" extensions | kelnos wrote: | They're not really "adopting" it as the way forward. Firefox | will be able to use Mv3-type extensions, but the current | extension types will continue to work. | heavyset_go wrote: | Firefox devs have confirmed that they'll implement Mv3, but | without all of its restrictions and with compatibility for | older extensions. | mkl wrote: | Firefox will not implement all the restrictions: https://blog | .mozilla.org/addons/2021/05/27/manifest-v3-updat... | jsnell wrote: | The security argument seems pretty simple. The end goal is that | legit extensions that people regularly install should not need to | ask for dangerous permissions, because a) it teaches the users | that it's normal and b) since the extensions can become | compromised later and abuse the permissions. Adblockers are | probably the most common kind of extension, and are currently | granted effectively unlimited access to read and modify every | single web page you use. That's fucking scary. | | If adblockers (and other classes of legit and common extensions) | can be migrated to a safe API, it makes the unrestricted and | dangerous API much more manageable since what's left is much less | likely to be legit or something people actually care about. For | example you can have enhanced review processes, warn users more | forcefully about the danger, start limiting the power of the API, | implement new safe APIs for some of the remaining use cases, etc. | | EFF are smart people. They know what the actual security benefit | is, and choose to instead argue against a caricature. | ianbutler wrote: | I, as an end user want to be able to install whatever dangerous | software I want, especially as a power user. I understand the | potential consequences and I don't want or need the handrails. | Options and freedom are good. This is why browsers need to be | split off from for profit organizations to be managed by | entities that aren't concerned with the fallout if someone | installs malicious software. | zentiggr wrote: | It sounds like you're happy to hand control of your browser | away for free. I've been writing code for a few decades, I | don't know everything but I don't need someone to decide for me | what's too dangerous for me to have access to. | | If I was truly insane I'd go the Steve Gibson route and write a | completely different browser from scratch. I'm aware it would | take the rest of my life (or longer) at this point but the | engine options are so few, and the ability to avoid the owners' | restrictive BS limited enough, that I'd be happy as a clam to | see a whole new reboot. | | I'd jump onto even an alpha of that, just to bump numbers out | of hope that ANY group could get together and get out from | under the advertising trap. | vehemenz wrote: | Since you casually mentioned it--why would Google implement a | safe API after removing the "dangerous" API that increased | their ad sales? Given their recent history, and all. | readflaggedcomm wrote: | The browser team could implement the ad blocker itself, instead | of relying on third-party code. But even the apparently-best | one of those (Brave) has a lousy interface for it. | bambax wrote: | > _Adblockers are probably the most common kind of extension, | and are currently granted effectively unlimited access to read | and modify every single web page you use. That 's fucking | scary._ | | How is that scary? | | The browser by definition has unlimited access to read and | modify (and monitor) anything I do in it. | | And I trust gorhill a million times more than any Google | employee, past, present or future. | mappu wrote: | The scary part is gorhill is able to sell or hand over the | extension - as he has done in the past - to someone with | looser morals and/or goals. | | How much do you think NSO Group would pay for this kind of | access? | | If you ran uBlock Origin, would you like to retire early? | | Jbk from the VLC project has a lot of stories about turning | down 6, 7 figure payments to bundle malware in VLC. Not | everyone has the strong morals and unlimited stamina to | withstand that. | | Manifest V3 is created to solve a real problem. I have had | browser extensions go rogue on me before (Stylish), and i | would like it to not happen again. At the same time, uBlock | Origin is a hugely important extension for making the web | usable for hundreds of millions of people. A compromise must | be found that moves their safety out of a single person's | hands. | Havoc wrote: | Wait FF is copying this too?!? | zdragnar wrote: | Safari had the same concept first. | Spivak wrote: | And ad blocking in Safari is fine, not great, but it works | more or less. | bambax wrote: | Content blocking on iOS doesn't work properly, many many | things go through. Is it better on the desktop? | SquareWheel wrote: | Yep. But note that MV3 is a lot more powerful than Safari's | adblocking capabilities. It's still declarative, but supports | dynamic rules, header modification, etc. | | https://developer.chrome.com/docs/extensions/reference/decla. | .. | rektide wrote: | Web Extensions have never had a spec before. So of course | Google is taking the initiative to aggressively re-define & cut | down what an extension is, at the exact moment they try to turn | it into a cross-browser standard. | zamadatix wrote: | Firefox is supporting Manifest v3 extensions however they are | not imposing every limitation Chrome is on them and they are | continuing to support features outside the scope of v3 like | blocking webrequest. | | A lot of the changes in v3 are actually pretty sensible, it's | just 10% of the stuff shoehorned in creating 90% of the | friction. | | https://blog.mozilla.org/addons/2021/05/27/manifest-v3-updat... | rvp-x wrote: | Firefox will make it possible to upload manifest V3 extensions | to their store (eventually). It's a good thing because it makes | it easier to make an extension that works unmodified for both. | | Chrome is additionally planning to remove support for manifest | V2 as well, Firefox can't start to do this because they don't | support V3 in their store yet. | eitland wrote: | Mentioning again to the entrepreneurical ones here that I want to | pay money for something that works like old Firefox but uses the | new supposedly more secure code base. | | I pay for IntelliJ so why not pay for the just as important | browser if I can get one that I like? | | Just don't increase the pricing to Jetbrains level until you have | Jetbrains level features. | foxrider wrote: | I'd pay for Vivaldi if I had to at this point, it's the only | browser that feels "feature-complete" to me | eitland wrote: | Is it Chromium based? | | It might be great but for now refuse to support anything that | further strengthen Googles grip on the market. | KronisLV wrote: | > It might be great but for now refuse to support anything | that further strengthen Googles grip on the market. | | The question then becomes: "What else even is out there?" | | Because if you're looking for something that's even | remotely feature complete for browsing the modern day web, | the majority of the current browsers out there are indeed | based on Chromium, as expressed in this article, "Firefox | is the Only Alternative": | https://batsov.com/articles/2021/11/28/firefox-is-the- | only-a... | | Here's the table from the article in text format: | Browser Based on Chromium Open-source Market Share | (desktop + mobile) Chrome Yes No | 64.7% Chromium Yes Yes - | Edge Yes No 4.0% Brave | Yes Yes - Vivaldi Yes | No - Opera Yes No | 2.4% Safari No No 19.0% | Firefox No Yes 3.7% | | To me it seems like Firefox is the only viable alternative | and putting all of our hopes on a singular browser and the | company behind it, especially given that there has recently | been some controversy around it, seems risky. For example: | https://itdm.com/mozilla-firefox-usage-down-85-but-why- | are-e... and https://arstechnica.com/information- | technology/2020/08/firef... | foxrider wrote: | I've been using Firefox for as long as I've been on the | internet, but I got really tired of using it just because | "It's not chromium". Mozilla been doing really stupid and | frustrating decisions that made me feel like I'm in an | abusive relationship. I've been eyeballing Vivaldi for a | long time, and Firefox breaking compact mode finally broke | the camel's back for me earlier this year. | | When I switched to Vivaldi I felt like it's 2003 again, and | I've just switched from IE to Firefox. Every single thing | Mozilla removed from Firefox over the years is here, and | most of the stuff I used hacky addons that would often | break is here too! In the core browser, as first-class | features, without the need to fiddle with userChrome.css or | look through obscure flags. It really is a breath of fresh | air and it puts into perspective how many excuses I've made | for Firefox over the years. It's not worthy of being my | browser, simple as. | | Mozilla took my fundamental addons that separated Firefox | from other browsers, they took my RSS reader, they took my | cool Torrenting and Email clients that were a part of the | browser itself. The TreeStyleTab requires you to go through | obscure and hidden config files that often break with | updates and the extension itself is not stable and fiddly. | On top of that, I had way more Firefox extensions that | aren't even different from Chrome extensions in major ways. | In Vivaldi, I just get a nice panel with RSS, Calendar, | Translator, Email client, Notes, whatever I want! The | adblocker is built-in, the privacy features are built-in, | you even get to put your tabs wherever you want. It has | theming support that is as good as Firefox Colors, and it | has custom search keywords that replace DuckDuckGos bangs | for me more often than not. It even has the dark mode among | other page filters, a screenshot tool, web page tiling! All | the things that would turn my Firefox profile into a slow | extension pile that barely works and longs for death. | | Mozilla's "goals" of removing key features meant for people | who actually would want to use a "google alternative" are | laughable, and it's as bad on "privacy" axis as Chrome is | because you have to use something like LibreWolf to get the | actual privacy from it, very much like you have to use | ungoogled-chromium with Chrome. If they think that turning | the browser into a Chrome clone with some bumper stickers | that say things like "Proud not to use Blink" and "We do | say privacy a lot", then it's already dead to me. ___________________________________________________________________ (page generated 2021-12-09 23:00 UTC)