[HN Gopher] Chrome users beware: Manifest v3 is deceitful and th...
___________________________________________________________________
Chrome users beware: Manifest v3 is deceitful and threatening
Author : dredmorbius
Score : 233 points
Date : 2021-12-09 20:22 UTC (2 hours ago)
(HTM) web link (www.eff.org)
(TXT) w3m dump (www.eff.org)
| Glench wrote:
| Wow, I kind of thought the headline would be an overstatement,
| but the article actually seems pretty even-handed and truthful in
| describing what's happening with Google's power over the browser
| market.
| breezeTrowel wrote:
| I, on the other hand, found the article to be terrible.
| Consider the following quote:
|
| > _Manifest V3, or Mv3 for short, is outright harmful to
| privacy efforts. It will restrict the capabilities of web
| extensions--especially those that are designed to monitor,
| modify, and compute alongside the conversation your browser has
| with the websites you visit. Under the new specifications,
| extensions like these- like some privacy-protective tracker
| blockers- will have greatly reduced capabilities._
|
| One would think that the article would then go on to detail
| exactly what these "new specifications" are and how would they
| reduce the capability of ad and tracker blockers.
|
| That never happens. We keep getting statements to the effect
| that Manifest V3 is bad but we're never told what makes it bad.
|
| What aspects of Manifest V3 limit ad blocker capabilities?
| Since Manifest V3 has been introduced way back in 2019 and,
| since then, has gone through various changes, are the quotes
| listed towards the end of the article recent or do they reflect
| an earlier version of V3?
|
| There was controversy over changes to the WebRequest API but
| that was two years ago and, I believe, changes have been made.
| Are there still changes that break functionality? What changes
| were made over the past two years? Have things gotten better or
| worse?
|
| The article gives absolutely no details.
| dessant wrote:
| Follow the links in the first paragraph of the article, they
| go into details about the technical aspects of why Manifest
| V3 is harmful to users.
|
| It's disappointing to see this sentiment again, as this has
| been Google's tactic in the past decade: feign innocence and
| initiate technical discussions, then move goalposts and start
| over until their opponents are exhausted.
|
| When we first heard of Manifest V3, it took them months to
| find a ridiculous reason for no longer allowing proper
| control over requests in Chrome, and they kept jumping
| between performance, privacy and security, as researchers
| refuted all their technical arguments one by one.
|
| By now there is nothing left to discuss, they'd just need to
| stop being malicious.
| plorkyeran wrote:
| The article does not mention changes over the last two years
| because there haven't been any to mention. The new WebRequest
| API still does not support blocking requests (and still does
| support _recording_ requests), and the replacement for that
| functionality is still very limited.
| breezeTrowel wrote:
| > _The new WebRequest API still does not support blocking
| requests (and still does support _recording_ requests), and
| the replacement for that functionality is still very
| limited._
|
| Thank you. What you wrote is information that needs to be
| in the article but is not mentioned anywhere. The closest
| thing is a quote from Mozilla regarding their extensions
| security review process.
| mortehu wrote:
| > WebRequest API still does not support blocking requests
| (and still does support _recording_ requests)
|
| The whole point is that there would be no reason to allow
| any ad blocking extension access to the WebRequest API
| anymore.
|
| The replacement, declarativeNetRequest, does not require
| the user to give any permissions, so the days of granting
| ad blocking extensions full access to every page are gone.
|
| If you think Google is doing this for their own gain, I
| guess you can simply ask if declarativeNetRequest will be
| able to block all Google ads, or if you really need a
| turing complete language for that.
| Shank wrote:
| > There was controversy over changes to the WebRequest API
| but that was two years ago and, I believe, changes have been
| made. Are there still changes that break functionality? What
| changes were made over the past two years? Have things gotten
| better or worse?
|
| The WebRequest API's blocking functions, which are central to
| the functionality of uBlock, are still slated to be removed.
| breezeTrowel wrote:
| Thank you. I hope the author of the article reads this
| thread and ads a proper summary of the problematic changes
| that Manifest V3 introduces to the article.
| tyingq wrote:
| Blocked under the supposed reason of privacy, but
| extensions can still see every request, and inject whatever
| javascript they want, exfiltrate your data, etc. Meaning
| the reason is pretty clearly not privacy.
| sonofhans wrote:
| I agree with you. The article is terrible. It's a collection
| of reactions and scare quotes from industry figures. I
| followed the first few links in the article and they're not
| much better. You'd hope that EFF, of all people, would be
| able to make a simple and compelling summary of the issue.
| HappySweeney wrote:
| So I guess someone will have to come up with a turn-key pihole-
| alike?
| [deleted]
| mh- wrote:
| Not even close to a replacement for the type of active,
| context-aware evaluation uBlock can do.
|
| Additionally, if a solution like Pi-hole was ever sufficiently
| mainstream, more sites would start serving their ads from the
| same hostname as the page. It's not difficult to do with the
| CDN providers most media sites already use.
| cheschire wrote:
| Doesn't https and subsequently DNS over HTTPS effectively
| negate pi-hole? Honest inexperienced question.
| EvanAnderson wrote:
| Yes. Next you'll have to MiTM the DNS over HTTPS. Next in the
| arms race comes certificate-pinning. Controlling your name
| resolution will probably remain possible on Linux, but I
| expect most other platforms will make it exceedingly
| difficult for "normal" users.
|
| Embedded devices are already "game over". You don't own them
| (even if you paid for them).
|
| Controlling name resolution on your own network (and MiTM'ing
| HTTPS) makes you the same as a hostile nation-state actor. We
| can't have that.
| kelnos wrote:
| > _Embedded devices are already "game over". You don't own
| them (even if you paid for them)._
|
| Ugh, seriously. I have a Chromecast, and couldn't figure
| out why it wouldn't play things on my local network (via
| DNS names set up in my router's resolver). Turns out Google
| hard-codes their own DNS servers and doesn't allow you to
| change them.
|
| The fix was to give the Chromecast a reserved IP address,
| and then set up some iptables rules on the router to
| redirect requests from it to 8.8.8.8 and 8.8.4.4 on port 53
| to my router. I'm surprised that Chromecast is using old-
| school port-53 DNS and not DoH.
| sofixa wrote:
| HTTPS no, because you're still making regular old DNS queries
| for every domain, but DNS over HTTPS or stuff like
| Chromecasts using hardcoded DNS servers do effectively negate
| Pi-Hole.
| pkulak wrote:
| HTTPS doesn't, though DNS over HTTPS does. No one really uses
| DNS over HTTPS right now though.
| judge2020 wrote:
| While a good message that does have actual merit if you know
| what's happening already, I don't see how this is a legitimate
| consideration of MV3.
|
| The entire argument regarding security doesn't mention any of the
| reasons Chrome developers cite its security improvement, instead
| it brings up that Firefox "does good enough already" and that
| malicious extensions can still get past the review process. the
| review process is by itself improved with V3 as extensions that
| pull in code remotely can no longer get past the review
| process[0], especially with how many current extensions implement
| RCE C&C intentionally. They also say extensions are "usually
| interested in simply observing the conversation between your
| browser and whatever websites you visit" - that's 'usually',
| though; malicious extensions intercepting and modifying requests
| for their own benefit isn't unheard of.
|
| Instead of only stating 'this is bad', it would be beneficial to
| include both (A) what they say (B) their basis for the decision,
| if any (C) why that line of reason is incorrect/deceiving.
|
| 0:
| https://developer.chrome.com/docs/extensions/mv3/intro/mv3-o...
| yonixw wrote:
| Google has not provided any reason to not include "block
| request" functionality. And that the super bad faith underlying
| fact that poison their "reasoning".
| kevingadd wrote:
| Anyone who pays attention to the web platform should know by
| now that any rationale Chrome (or Google in general) developers
| give for web platform decisions is made up. They repeatedly
| told us they had specific motives for AMP and it was all a lie,
| AMP was designed to tighten their grip on the advertising
| market. It's not the only example - the way their autoplay
| whitelist works is also transparently manipulative despite lies
| to the contrary - and I would bet money that MV3 is partially
| motivated by business incentives in the same way. Googlers'
| paychecks are signed by Ads and GCP and ad-blockers actively
| undermine the former.
| syrrim wrote:
| Beneficial in what sense? If manifest v3 is still bad on net,
| then including chrome's counter arguments makes for bad
| rhetoric and thus does a poor job of advancing a valiant goal.
| rektide wrote:
| Previously extensions could be background pages, with access to
| DOM & Web Platform apis. MV3 currently reduces them to Service
| Workers, able to use far far far less capabilities. This is a
| massive massive downgrade for Extensions, unfathomable really. A
| Mozillaian proposed a less limited Limited Events Page but Google
| has snubbed it & not discussed.
| https://github.com/w3c/webextensions/issues/134
|
| Extensions are forced to use a small subset of JavaScript with no
| dynamic code execution. Eval() is banned. Function is banned.
| Embedding a scripting language inside JavaScript to circumvent
| this is banned. This is a mere ghost of JavaScript left over.
| Google claims it's to make it easier for them to insure
| extensions are safe & protect users, but just as much, to me,
| this is to protect Google from capable & competent extensions
| allowing users to expand their agency: now extensions have to be
| narrow, fixed use, specific extensions. Tools like GreaseMonkey
| are all dead. The web becomes no where near the hackable medium
| it is, all for a little convenience for Google.
| https://github.com/w3c/webextensions/issues/72
| https://github.com/w3c/webextensions/issues/139
|
| A lot has been said & discussed about MV3's
| declarativeNetRequest; this is where the visible war has raged in
| MV3 for a while now. I'm not a huge fan but it's also one of the
| more minor side-shows in this debate, to me. High impact on ad-
| blocking, but ultimately there's enough compromise & wiggle room
| here, enough possibility to make this not awful, and if things
| are left truly bad, there will be enormous hell to pay & this
| will blow up. DeclarativeNetRequest feels like a side show to how
| much real ruin & savagery is being wreaked by the first two
| issues I outlined, being wreaked upon the most powerful &
| interesting & defining software humanity has, that we augment
| ourselves with as we do software: our user agent extensions.
|
| I generally find Google to be quite a good steward for the web &
| am so happy they advance so many different initiatives &
| capabilities. But this is something that is extremely near & dear
| to me. The web is different & better than all other software, to
| me, because it is malleable, because the user-agent gives us
| power. MV3 is a radical curtailing of us the users. A radical
| shift towards a web that we have to simply accept, as is, that we
| cannot bend & shape as we want. Everything happening here feels
| abhorrent & disgraceful.
|
| The process also feels totally goofy. Google is simply flipping
| the switch next month. They built what they wanted to as a new
| spec, debated some about feedback, leave comments that oh yeah,
| we maybe do need to do something about GreaseMonkey, maybe we do
| need to fix some of the missing use cases, but we're going ahead
| with Apocalypse Now anyways. This is the most hostile use of
| standardizing to destroy that I have ever witnessed.
|
| If Google is having such a hard time hosting extensions as is,
| they need to stop. They need to close the Google Chrome Web Store
| for Extensions & stop trying to moderate it. Create a 3rd party
| store model, let other people serve as the agents of trust. They
| absolutely positively cannot be allowed to come along &
| standardize a much much much lower powered form of extension than
| what we've had, purely because they've had such a (sad fiddle)
| hard time running an extension store. Their justifications &
| pleading that these amputations to us are for our own good ring
| so very very false to me. Google needs to give up being a
| regulator of this power if it's too much for them.
| tentacleuno wrote:
| > I generally find Google to be quite a good steward for the
| web & am so happy they advance so many different initiatives &
| capabilities.
|
| I don't. Especially not with FloC[0][1].
|
| [0]: https://www.eff.org/deeplinks/2021/03/googles-floc-
| terrible-... [1]: https://developer.chrome.com/docs/privacy-
| sandbox/floc/
| breezeTrowel wrote:
| Have background pages ever had access to DOM? Usually all
| interaction with an observed tab is done through content
| scripts not background pages. Same goes for evaling JS code
| within the context of the inspected window.
| kevingadd wrote:
| By DOM access I assume they mean that since background pages
| are pages, you can do things like use IMG and SCRIPT tags to
| load resources, and perhaps a CANVAS to rasterize images that
| you then serve to pages via an extension URL or something.
| I've done stuff like that before so I can imagine there being
| use cases for it, but it's kind of niche.
| aeharding wrote:
| Manifest v3 is a shit show.
|
| https://github.com/w3c/webextensions/issues?q=is%3Aissue+is%...
| ineptech wrote:
| If Chrome can kill uBlock and use its dominance to do user-
| hostile stuff, and Firefox goes along "in the interest of cross-
| browser compatibility", then what the hell's the point of Firefox
| in the first place?
| pkulak wrote:
| My assumption is that Firefox will be implementing the
| standard, but not the restrictions. Am I wrong there?
| amelius wrote:
| Firefox also implemented DRM.
| ok_dad wrote:
| DRM doesn't limit anything for the user except for some
| video content. The day DRM prevents doing things to
| requests and such, like Manifext v3 does, then I will care.
| Right now, I'm happy to be able to watch One Punch Man on
| my laptop.
| pkulak wrote:
| I needed them to do that so I could watch Netflix. Debate
| it all you want, but it made my life measurably better and
| I'm glad they did it. This would only negatively effect me
| (and everyone else).
| danuker wrote:
| How is your life measurably better, by comparing it with
| other people's fake and perfect and amazing lives (in
| Netflix videos)?
| handrous wrote:
| > other people's fake and perfect and amazing lives
|
| Uh, if that's what we're supposed to be using movie and
| TV streaming services for, I've been watching precisely
| the wrong things.
|
| Seems more like a description of social media & (not
| unrelatedly) advertising. Or maybe porn.
| contravariant wrote:
| You can tell this argument is flawed because it applies
| to _all_ forms of video.
| tomjen3 wrote:
| That would be Insta, not Netflix where you are watching
| interesting/awesome stories.
| Spivak wrote:
| Because some people don't find digital DVD rentals to be
| an affront to their freedom and just want to watch
| Squidgame?
| mkl wrote:
| You are pretty much right. There's no need for assumptions
| though, see https://blog.mozilla.org/addons/2021/05/27/manife
| st-v3-updat... and
| https://blog.mozilla.org/addons/2019/09/03/mozillas-
| manifest....
| prox wrote:
| I really hope so. Any good sources to find out Mozilla's
| stance?
| mirashii wrote:
| https://blog.mozilla.org/addons/2021/05/27/manifest-v3-upda
| t...
|
| > We will support blocking webRequest until there's a
| better solution which covers all use cases we consider
| important, since DNR as currently implemented by Chrome
| does not yet meet the needs of extension developers.
| tentacleuno wrote:
| It would certainly be interesting they implemented
| blocking webRequest (just to keep compatibility with
| Chrome) and then added a Firefox-specific API for
| blocking web requests.
| kreetx wrote:
| I'd guess even if Firefox did keep extensions unrestricted
| then slowly they would die away - given how much smaller the
| user base will be. We need some new power to emerge in this
| space.
| bee_rider wrote:
| If Firefox keeps full extension capability, as a superset
| of Chrome's gimped implementation, then extension
| developers can decide how they want to handle the
| incompatibility.
|
| I don't really get how the extension ecosystem works anyway
| -- extension developers are usually just sharing something
| they use to be helpful/make a point, and then some tack on
| donations thing, right? Since nobody is doing this to get
| rich I suspect they won't chase marketshare.
| NewEntryHN wrote:
| There is surely a bias between users of extensions of
| uBlock Origin and users of Firefox. The userbase is still
| smaller, but maybe not enough to completely throw away
| development.
| danuker wrote:
| I believe they would gain users from Chrome, where you
| won't be able to block ads anymore.
| dariusj18 wrote:
| I would certainly stop using Chrome
| skinkestek wrote:
| Just do it today :-)
|
| I often have a month or more long streak between every
| time I have to use Ch#%!e ;-)
|
| Bonus point for devs: If it works in Firefox it usually
| works everywhere since Firefox had always been reasonably
| standard compliant.
| tomjen3 wrote:
| If they do that, it will be forked.
| NewEntryHN wrote:
| Firefox has already been forked multiple times because of
| decisions from Mozilla, see [Pale
| Moon](https://www.palemoon.org/) or
| [Waterfox](https://www.waterfox.net/). Few people use those
| forks, for the simple reason that what has been removed from
| Firefox is not game-changing enough to mandate an exodus.
| However I agree that removing support for uBlock Origin will
| surely be another story.
| skinkestek wrote:
| > Few people use those forks, for the simple reason that
| what has been removed from Firefox is not game-changing
| enough to mandate an exodus.
|
| This is not the reason for me at least to not use it as my
| main browser.
|
| I recently tested and the speed is good and it is
| absolutely wonderful to have true full fledged extensions
| and complete themes.
|
| My reason is that I'm worried if their security is good
| enough. If we could somehow be sure about that I'd actually
| happily leave modern Firefox behind for it.
|
| Personally I'm hoping for someone to create a patch set and
| bulld binaries based on it to re-enable the old stuff, not
| by letting extensions muck around in the internals but by
| providing defined extensions points like:
|
| - enable / disable tab bar
|
| - provide your own tab rendering code
|
| - etc
| Nuzzerino wrote:
| Just wanted to leave a reminder here that low user count
| does not necessarily imply low utility. The goal of a fork
| isn't to become the next monopoly.
| matheusmoreira wrote:
| They should probably just special case uBlock Origin at this
| point. It's too important an extension to allow it to be
| limited.
| josefx wrote:
| Are you sure you don't want to hard code the original
| "uBlock" instead of the "Origin" fork while you are at it? It
| already had a perfectly fine hostile takeover in the past, no
| need to wait for a new one.
| ynth7 wrote:
| I think you mean "what open web?"
|
| Back to IRC DCC style sharing and distributed computing with
| VPN
|
| No need to follow the money to do interesting engineering and
| computing. Interesting is subjective and wrapping a white paper
| in the cruft to host it as a service in the cloud isn't
| interesting engineering
|
| Part of me wonders if the chip shortage is real or just a way
| to hide big corp hoovering them up for DC hosted services.
| dessant wrote:
| I have a couple of popular extensions on the line, and I no
| longer see a way to stop Google without immediate government
| intervention. I am confident that they are not acting entirely in
| good faith, regardless of the much needed and useful parts of
| Manifest V3. They will get away with anything, be fined again in
| a couple of years for the growing list of illegalities they
| commit, and now they'll also harm the browser extension
| ecosystem.
|
| Some of the extensions I maintain will no longer work, or have
| reduced functionality for no acceptable reason, and some of the
| projects that I have been preparing to release have now been
| abandoned, because they rely on having proper control over
| requests in the browser.
| xxpor wrote:
| Where do people get this sense of entitlement from? Please cite
| one law you believe Google has broken.
| dessant wrote:
| > Where do people get this sense of entitlement from? Please
| cite one law you believe Google has broken.
|
| Just like Amazon (your employer), Google has also been fined
| several times in the past decade for illegal business
| practices. Their illegal activities are extensively
| documented, and in some cases they were forced to change
| course due to regulatory intervention. Fell free to look it
| up, I don't think there is a need to relitigate objective
| reality.
| bee_rider wrote:
| No you have to understand, as long as a company doesn't
| commit enough crimes to be literally run out of business,
| we have to pretend it is good for some reason.
| dane-pgp wrote:
| And if a company does go out of business after committing
| too many crimes, then the problem is too much regulation
| holding back innovation.
| heavyset_go wrote:
| > _I have a couple of popular extensions on the line, and I no
| longer see a way to stop Google without immediate government
| intervention_
|
| As the developer of several extensions that are impacted by
| Google's anti-competitive actions, you can report how this
| impacted both you and the market as a whole to the competition
| and anti-trust divisions of the government. I've posted links
| to forms and sites that you can use to report to the relevant
| state-level and federal-level regulators on HN here[1].
|
| If you aren't in the US, the US also has antitrust legislation
| that applies to US companies operating in foreign countries, as
| well as a myriad of antitrust treaties and agreements with
| other nations. It might be worth it to also report it to the
| government of the country you reside in, as well.
|
| [1] https://news.ycombinator.com/item?id=28176193
| kevin_thibedeau wrote:
| Make them first class Firefox extensions.
| preinheimer wrote:
| I mean you can, but firefox doesn't treat you any better. We
| waited 2+ months to get a minor update through review, and
| getting it through that quickly took emailing several folks
| (including one from HN). During that whole process they also
| removed the display of your queue position, making it even
| more opaque.
|
| At some point they disliked something in our extension that
| had been live for months, and disabled every release in the
| past year. At another point they found something wanting in a
| 2 year old release (not a recent one) and threatened to
| remove it from the store, our attempts to continue that
| conversation or just allow it to be pulled to save everyone
| some time met with crickets.
| skinkestek wrote:
| At this point I am seriously wondering if Mozilla is paid
| to drive Firefox into the ground.
| lunfard000 wrote:
| It will be interesting what Microsoft will do, at first glance
| they don't care about advertisement and allowing ad-block would
| bring a lot of users to their ecosystem. (they already have soft
| adblock out of the box)
| account-5 wrote:
| That probably because their operating system is infested with
| advertisements and data exfiltration mechanisms. Why would they
| need the browser to do it too?
| tpmx wrote:
| I've been using Chrome for such a long time now (since like a
| year after it launched), out of convenience and because it used
| to be fast (and more secure). It's definitely time to switch.
|
| I think my main alternatives are Brave, Vivaldi and Firefox.
| pkulak wrote:
| Please Firefox. The first two are just Chrome wrappers.
| tpmx wrote:
| Well I like both Brendan and Jon, and I actively dislike
| Baker's leadership of Mozilla. However, Mozilla seems to have
| the highest investment level into the their desktop browser.
| I'll test Brave first.
| anewguy9000 wrote:
| You realize Firefox only exists because it serves Google's
| interests right?
|
| And while Brave might be based on Chromium, it is distinct;
| in addition to not crippling nativewebrequest as chrome will,
| it's native adblocker is compatible with the same lists as
| ublock origin. So I would go with Brave :)
| [deleted]
| celsoazevedo wrote:
| What will Brave, Vivaldi, etc, do when Google makes some
| change that breaks the current APIs? Do they have the
| resources and are willing to continue to support them?
| seph-reed wrote:
| FWIW, Brave does.
| pkulak wrote:
| If Google is not able to control ad-blocking because all
| the Chromium clones refuse to play ball, what do you think
| they will do? I have no idea. Maybe just close Chromium
| entirely, and force all the clones to shut down since
| there's no way they have the engineering resources to keep
| up with Google.
|
| EDIT: Except for MSFT... that would be interesting for
| sure.
| kelnos wrote:
| > _You realize Firefox only exists because it serves Google
| 's interests right?_
|
| Ironically, though, the larger Firefox's market share, the
| more Google will pay to be the default search engine in
| Firefox. Yes, it's perverse and a little gross that we
| depend on Google to such a large degree to keep Mozilla and
| Firefox funded, but having more users increases Mozilla's
| leverage over Google.
|
| Anyway, your point isn't really relevant. Unless you
| believe Google is dictating nefarious things to Mozilla and
| has subverted Firefox (difficult since Firefox is open
| source, but not impossible), you should still be using
| Firefox. If you care about not continuing to give a giant,
| monopolistic advertising company control over the web,
| anyway.
| pkulak wrote:
| If Google actually gave a crap about security, they would let you
| disable extensions. As it is, I have to routinely delete
| malicious extensions from every family member's Chromebook. Lord
| knows how they get there, but they always do. Since this new
| standard still lets extensions observe everything, I don't see
| what the point is.
| jeroenhd wrote:
| You can only signed addons these days, so they must be sourced
| or at least signed by Google. Especially on Chromebooks which
| are more restrictive in the software they run.
|
| My guess would be that your family members got social
| engineered into installing that crap ("this web page only works
| with X, click here to install"), ort their browsers got
| exploited and hacked (very unlikely!). You'll probably need
| full MDM to prevent these websites from getting their users to
| enable extensions.
|
| The problem with disabling extensions is that whatever has the
| capability of pushing extensions into your browser also has the
| ability to change the settings for addons. The only solution I
| can think of is to create a Chromium build that cannot run
| extensions at all.
| dathinab wrote:
| Remindes me one time one time a old person I sometimes help
| out got social engineered to enable desktop notifications for
| a website.
|
| And as a non windows user it took me a while to realize that
| this notifications come from the browser as desktop
| notifications and disable them. Its still a riddle for me how
| chrome managed to make it both very obvious and very unclear
| at the same time that this are websites desktop
| notifications. (As a counter example I used some sites which
| used desktop notifications on FF/Andriod instead of making a
| app just because notifications, that I loved)
| technobabbler wrote:
| Point is they get to make ad blocking harder.
| pkulak wrote:
| lol, well, yeah.
| izacus wrote:
| Chrome allows you to disable installation of extensions via
| Group Policy for a looong time now:
| https://security.stackexchange.com/questions/66239/how-to-pr...
| oliverulerich wrote:
| but sadly Group Policy is not available on Windows Home
| edition
| jeroenhd wrote:
| In most cases, you can get group policies like these to
| work if you manually create the registry keys that GPO
| would create for you. It's more complicated, but it can
| work.
| pkulak wrote:
| I'm just not smart enough to figure that out. That first
| answer references steps that don't exist on any Chromebook
| I've ever seen. So I assume I have to enroll the machine in a
| group policy externally? I have no idea. Never been able to
| figure it out. I usually just end up installing an extension
| (oh, the irony) that blocks the extensions domain. :/
| mkl wrote:
| > That first answer references steps that don't exist on
| any Chromebook I've ever seen.
|
| That's because Group Policies are a Windows-only thing.
| jeroenhd wrote:
| Chromebooks don't run Windows, so Group Policies won't work
| for you.
|
| You can get the same (and more) control with an Enterprise
| subscription from Google which seems to cost about $50 per
| year, per device.
| wumpus wrote:
| That's windows-only, right?
| judge2020 wrote:
| IIRC you can apply it on macOS via MDM / configuration
| profiles, but that's not as simple as gpedit.msc.
| rektide wrote:
| This post carries a lot of water for user-hating user-blaming
| anti-extensions.
|
| I'm sorry that your family are... having such a hard time
| making reasonable choices for themselves. I have literally
| never seen this anywhere, or heard any coworker ever report
| their family rampantly adding shitty extensions. I tend to see
| pretty clear & obvious signals about what extensions are good &
| ok when I go to consume. Bad extensions seem to be discovered
| fairly quickly & taken down. The world seems no where near as
| grimdark as you project to me.
|
| Alas I think it requires a paid Google Enterprise account, but
| your family sounds like their need external management of their
| browsers. That they should, like a school computer, have an
| administrator & a denylist or perhaps even allowlist of what
| extensions they can use.
|
| This post spreads so much Fear Uncertainty and Doubt. Trying to
| justifying ending a good thing because some creative user keeps
| finding a way to misuse, to not listen to sense, to not make
| good judgement... I find it unfortunate that such heavy
| fearmongering, such terror at the world is allowed to sway us
| so heavily.
|
| Ultimately I want 3rd party sites hosting extensions. Not
| Google. And I want moderation teams able to surface claims that
| some extensions are bad. We need more choice, more democracy,
| more ability to help each other. Sunlight is the best
| disinfectant. Simply giving in to the bed-wetting terror of, oh
| no, freedom & denying ourselves user-agency is intellectual
| suicide for the web.
| pkulak wrote:
| > I'm sorry that your family are idiots.
|
| Stopped reading there, mate.
| gnicholas wrote:
| Does anyone know how the Manifest v3 changes will affect
| extensions that modify pages for accessibility reasons?
| porkbrain wrote:
| As long as those extensions don't fetch and execute any
| JavaScript that hasn't been bundled at the time of Chrome store
| submission, they'll be fine. The biggest change happens at the
| API for monitoring and managing web requests.
| kevingadd wrote:
| Generally speaking it shouldn't impact them, but it may make
| them more awkward to use. And the developers will have to
| change a lot of code.
| hunterb123 wrote:
| What!? Google acting in interest of ads and not users?!?
|
| Who cares? Just use Brave and kill Chrome off.
| donatj wrote:
| I miss the early days of Firefox extensions (circa 2004) where an
| extension could in very powerful ways completely change the
| layout/functionality of your browser; when they had near
| unlimited access to the XUL and could change anything and
| everything.
|
| I used a ton of very useful extensions then. Nested tabs were one
| of my favorites. These days I've got a password manager, a
| bookmark checker, and a tab manager I wrote myself.
|
| They're just not allowed to do anything _too useful_ these days -
| I know what they have access to, I write Chrome extensions. A lot
| of them should just be standalone desktop apps.
|
| Like most things, normies came in, shot themselves in the foot,
| made a fuss, and now we can't have nice things.
| kelnos wrote:
| Has nothing to do with "normies". With the old extension
| system, Mozilla couldn't make any substantial changes to
| browser internals (like multi-process, among other things)
| without breaking everything. It makes sense to have clear
| boundaries between the core and extensions, and keep
| implementation details out of the extension interface.
| hippofever wrote:
| Take a look at http://nyxt.atlas.engineer/.
|
| It's written to be extensible/introspectable, and the extension
| language is Common Lisp.
| donatj wrote:
| Looks like it would have a very steep learning curve.
| superkuh wrote:
| The least worst web browsers these days are typically the older
| Firefox forks that have maintained XUL and powerful extensions.
| But this class of browsers is rapidly become few and those left
| are run by... controversial personalities.
| dathinab wrote:
| While I also miss some of the capabilities, I also can
| understand why Firefox removed them.
|
| Extensions systems which don't have very clear cut boundaries
| like XUL are just add a very hefty maintenance burden and make
| review extremely hard.
|
| It's not really about "normies".
|
| This doesn't really apply to the current change, as extensions
| already have clear boundaries and and as the article pointed
| out problematic apps likely won't be too much affected as they
| often already do things which bypass the constraints to avoid
| detection by the reviewer... (assuming I understand the topic
| correctly)
| power78 wrote:
| I wish Firefox would have left the old extension abilities.
| They could have easily added the WebExtensions standard to
| allow for cross-browser compatibility and not removed the old
| functionality.
| readflaggedcomm wrote:
| They basically did, until the underlying browser became
| incompatible. That was the point: to have a stable API
| instead of extensions relying on implementation details,
| which includes multiple processes.
| kevingadd wrote:
| Once multi-process was adopted, old extensions couldn't work
| anymore. The design simply didn't work.
| ilaksh wrote:
| One option is to just move away from browsers entirely. We can
| take some of the good things. Like maybe a small subset of HTML
| and web assembly. Add some minimal IO to web assembly.
| tux1968 wrote:
| A website being rendered by opaque, per-site web-assembly code,
| is not going to be amenable to uBlock, Greasemonkey or any
| other user-empowering extensions.
| lobocinza wrote:
| Two weights and two measures.
| [deleted]
| polote wrote:
| I honestly think that Google underestimated how much they are
| going to piss off users with MV3. There are thousands of
| extensions that will stop working and be impossible to build. But
| also there will be a lot of broken experiences as remote loading
| is forbidden and fixes will need a new release.
|
| Can't wait, but that's a very good opportunity for Firefox as
| Firefox will become more powerful than Chrome
| csdvrx wrote:
| Or more likely, towards Edge, by virtue of requiring almost no
| effort to deploy the same set of extensions in a very similar
| browser in the hands of a company who doesn't require
| destroying privacy as much as google does to keep making money.
| fooey wrote:
| Edge seems to be trying very hard to kill all the momentum
| they've gained
|
| They recently baked in a "feature" to hijack online shopping
| with some Pay Later garbage:
|
| https://gizmodo.com/microsoft-keeps-making-its-edge-
| browser-...
|
| Now they're running gross little popups if you browse to the
| Chrome installer in Edge:
|
| https://gizmodo.com/seriously-what-is-going-on-with-
| microsof...
|
| > "Microsoft Edge runs on the same technology as Chrome, with
| the added trust of Microsoft."
|
| > "That browser is so 2008! Do you know what's new? Microsoft
| Edge."
|
| > "I hate saving money," said no one ever. Microsoft Edge is
| the best browser for online shopping.
| nvrspyx wrote:
| IIRC, the Edge team said they would adopt manifest v3, but
| correct me if I'm wrong.
| sharken wrote:
| This page intended for developers of Edge extensions seems
| to support your statement:
|
| https://github.com/MicrosoftDocs/edge-
| developer/blob/main/mi...
| [deleted]
| cube00 wrote:
| One of the "benefits" to Microsoft of using Chromium is
| reduced development costs and they're not going to get that
| if they let the forks diverge too much.
| tentacleuno wrote:
| Right, but 'we don't support this!' would be a great look
| when most technical people are already strongly opposed to
| Manifest v3. I'd call it an easy win, but of course they'd
| have to maintain that and possibly implement / design their
| own API's when Manifest v4, for example, comes out... so
| it's definitely not as easy as it may seem.
| [deleted]
| korethr wrote:
| In the article, Firefox is cited as intending to adopt MV3 for
| compatibility reasons. If they indeed do so, I'm not sure how
| much relief running Firefox will offer from the more evil
| aspects of MV3.
| jeroenhd wrote:
| With Firefox's market share, not much. This could massively
| benefit Firefox adoption, though, because everyone relying on
| old extensions will have to switch.
|
| From that viewpoint, the new restrictions could actually be a
| good thing.
| renzo88 wrote:
| My understanding is that they will adopt but continue to
| support "legacy" extensions
| kelnos wrote:
| They're not really "adopting" it as the way forward. Firefox
| will be able to use Mv3-type extensions, but the current
| extension types will continue to work.
| heavyset_go wrote:
| Firefox devs have confirmed that they'll implement Mv3, but
| without all of its restrictions and with compatibility for
| older extensions.
| mkl wrote:
| Firefox will not implement all the restrictions: https://blog
| .mozilla.org/addons/2021/05/27/manifest-v3-updat...
| jsnell wrote:
| The security argument seems pretty simple. The end goal is that
| legit extensions that people regularly install should not need to
| ask for dangerous permissions, because a) it teaches the users
| that it's normal and b) since the extensions can become
| compromised later and abuse the permissions. Adblockers are
| probably the most common kind of extension, and are currently
| granted effectively unlimited access to read and modify every
| single web page you use. That's fucking scary.
|
| If adblockers (and other classes of legit and common extensions)
| can be migrated to a safe API, it makes the unrestricted and
| dangerous API much more manageable since what's left is much less
| likely to be legit or something people actually care about. For
| example you can have enhanced review processes, warn users more
| forcefully about the danger, start limiting the power of the API,
| implement new safe APIs for some of the remaining use cases, etc.
|
| EFF are smart people. They know what the actual security benefit
| is, and choose to instead argue against a caricature.
| ianbutler wrote:
| I, as an end user want to be able to install whatever dangerous
| software I want, especially as a power user. I understand the
| potential consequences and I don't want or need the handrails.
| Options and freedom are good. This is why browsers need to be
| split off from for profit organizations to be managed by
| entities that aren't concerned with the fallout if someone
| installs malicious software.
| zentiggr wrote:
| It sounds like you're happy to hand control of your browser
| away for free. I've been writing code for a few decades, I
| don't know everything but I don't need someone to decide for me
| what's too dangerous for me to have access to.
|
| If I was truly insane I'd go the Steve Gibson route and write a
| completely different browser from scratch. I'm aware it would
| take the rest of my life (or longer) at this point but the
| engine options are so few, and the ability to avoid the owners'
| restrictive BS limited enough, that I'd be happy as a clam to
| see a whole new reboot.
|
| I'd jump onto even an alpha of that, just to bump numbers out
| of hope that ANY group could get together and get out from
| under the advertising trap.
| vehemenz wrote:
| Since you casually mentioned it--why would Google implement a
| safe API after removing the "dangerous" API that increased
| their ad sales? Given their recent history, and all.
| readflaggedcomm wrote:
| The browser team could implement the ad blocker itself, instead
| of relying on third-party code. But even the apparently-best
| one of those (Brave) has a lousy interface for it.
| bambax wrote:
| > _Adblockers are probably the most common kind of extension,
| and are currently granted effectively unlimited access to read
| and modify every single web page you use. That 's fucking
| scary._
|
| How is that scary?
|
| The browser by definition has unlimited access to read and
| modify (and monitor) anything I do in it.
|
| And I trust gorhill a million times more than any Google
| employee, past, present or future.
| mappu wrote:
| The scary part is gorhill is able to sell or hand over the
| extension - as he has done in the past - to someone with
| looser morals and/or goals.
|
| How much do you think NSO Group would pay for this kind of
| access?
|
| If you ran uBlock Origin, would you like to retire early?
|
| Jbk from the VLC project has a lot of stories about turning
| down 6, 7 figure payments to bundle malware in VLC. Not
| everyone has the strong morals and unlimited stamina to
| withstand that.
|
| Manifest V3 is created to solve a real problem. I have had
| browser extensions go rogue on me before (Stylish), and i
| would like it to not happen again. At the same time, uBlock
| Origin is a hugely important extension for making the web
| usable for hundreds of millions of people. A compromise must
| be found that moves their safety out of a single person's
| hands.
| Havoc wrote:
| Wait FF is copying this too?!?
| zdragnar wrote:
| Safari had the same concept first.
| Spivak wrote:
| And ad blocking in Safari is fine, not great, but it works
| more or less.
| bambax wrote:
| Content blocking on iOS doesn't work properly, many many
| things go through. Is it better on the desktop?
| SquareWheel wrote:
| Yep. But note that MV3 is a lot more powerful than Safari's
| adblocking capabilities. It's still declarative, but supports
| dynamic rules, header modification, etc.
|
| https://developer.chrome.com/docs/extensions/reference/decla.
| ..
| rektide wrote:
| Web Extensions have never had a spec before. So of course
| Google is taking the initiative to aggressively re-define & cut
| down what an extension is, at the exact moment they try to turn
| it into a cross-browser standard.
| zamadatix wrote:
| Firefox is supporting Manifest v3 extensions however they are
| not imposing every limitation Chrome is on them and they are
| continuing to support features outside the scope of v3 like
| blocking webrequest.
|
| A lot of the changes in v3 are actually pretty sensible, it's
| just 10% of the stuff shoehorned in creating 90% of the
| friction.
|
| https://blog.mozilla.org/addons/2021/05/27/manifest-v3-updat...
| rvp-x wrote:
| Firefox will make it possible to upload manifest V3 extensions
| to their store (eventually). It's a good thing because it makes
| it easier to make an extension that works unmodified for both.
|
| Chrome is additionally planning to remove support for manifest
| V2 as well, Firefox can't start to do this because they don't
| support V3 in their store yet.
| eitland wrote:
| Mentioning again to the entrepreneurical ones here that I want to
| pay money for something that works like old Firefox but uses the
| new supposedly more secure code base.
|
| I pay for IntelliJ so why not pay for the just as important
| browser if I can get one that I like?
|
| Just don't increase the pricing to Jetbrains level until you have
| Jetbrains level features.
| foxrider wrote:
| I'd pay for Vivaldi if I had to at this point, it's the only
| browser that feels "feature-complete" to me
| eitland wrote:
| Is it Chromium based?
|
| It might be great but for now refuse to support anything that
| further strengthen Googles grip on the market.
| KronisLV wrote:
| > It might be great but for now refuse to support anything
| that further strengthen Googles grip on the market.
|
| The question then becomes: "What else even is out there?"
|
| Because if you're looking for something that's even
| remotely feature complete for browsing the modern day web,
| the majority of the current browsers out there are indeed
| based on Chromium, as expressed in this article, "Firefox
| is the Only Alternative":
| https://batsov.com/articles/2021/11/28/firefox-is-the-
| only-a...
|
| Here's the table from the article in text format:
| Browser Based on Chromium Open-source Market Share
| (desktop + mobile) Chrome Yes No
| 64.7% Chromium Yes Yes -
| Edge Yes No 4.0% Brave
| Yes Yes - Vivaldi Yes
| No - Opera Yes No
| 2.4% Safari No No 19.0%
| Firefox No Yes 3.7%
|
| To me it seems like Firefox is the only viable alternative
| and putting all of our hopes on a singular browser and the
| company behind it, especially given that there has recently
| been some controversy around it, seems risky. For example:
| https://itdm.com/mozilla-firefox-usage-down-85-but-why-
| are-e... and https://arstechnica.com/information-
| technology/2020/08/firef...
| foxrider wrote:
| I've been using Firefox for as long as I've been on the
| internet, but I got really tired of using it just because
| "It's not chromium". Mozilla been doing really stupid and
| frustrating decisions that made me feel like I'm in an
| abusive relationship. I've been eyeballing Vivaldi for a
| long time, and Firefox breaking compact mode finally broke
| the camel's back for me earlier this year.
|
| When I switched to Vivaldi I felt like it's 2003 again, and
| I've just switched from IE to Firefox. Every single thing
| Mozilla removed from Firefox over the years is here, and
| most of the stuff I used hacky addons that would often
| break is here too! In the core browser, as first-class
| features, without the need to fiddle with userChrome.css or
| look through obscure flags. It really is a breath of fresh
| air and it puts into perspective how many excuses I've made
| for Firefox over the years. It's not worthy of being my
| browser, simple as.
|
| Mozilla took my fundamental addons that separated Firefox
| from other browsers, they took my RSS reader, they took my
| cool Torrenting and Email clients that were a part of the
| browser itself. The TreeStyleTab requires you to go through
| obscure and hidden config files that often break with
| updates and the extension itself is not stable and fiddly.
| On top of that, I had way more Firefox extensions that
| aren't even different from Chrome extensions in major ways.
| In Vivaldi, I just get a nice panel with RSS, Calendar,
| Translator, Email client, Notes, whatever I want! The
| adblocker is built-in, the privacy features are built-in,
| you even get to put your tabs wherever you want. It has
| theming support that is as good as Firefox Colors, and it
| has custom search keywords that replace DuckDuckGos bangs
| for me more often than not. It even has the dark mode among
| other page filters, a screenshot tool, web page tiling! All
| the things that would turn my Firefox profile into a slow
| extension pile that barely works and longs for death.
|
| Mozilla's "goals" of removing key features meant for people
| who actually would want to use a "google alternative" are
| laughable, and it's as bad on "privacy" axis as Chrome is
| because you have to use something like LibreWolf to get the
| actual privacy from it, very much like you have to use
| ungoogled-chromium with Chrome. If they think that turning
| the browser into a Chrome clone with some bumper stickers
| that say things like "Proud not to use Blink" and "We do
| say privacy a lot", then it's already dead to me.
___________________________________________________________________
(page generated 2021-12-09 23:00 UTC)