Wow, I kind of thought the headline would be an overstatement, but the article actually seems pretty even-handed and truthful in describing what's happening with Google's power over the browser market.
I, on the other hand, found the article to be terrible. Consider the following quote:
> Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions—especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these– like some privacy-protective tracker blockers– will have greatly reduced capabilities.
One would think that the article would then go on to detail exactly what these "new specifications" are and how would they reduce the capability of ad and tracker blockers.
That never happens. We keep getting statements to the effect that Manifest V3 is bad but we're never told what makes it bad.
What aspects of Manifest V3 limit ad blocker capabilities? Since Manifest V3 has been introduced way back in 2019 and, since then, has gone through various changes, are the quotes listed towards the end of the article recent or do they reflect an earlier version of V3?
There was controversy over changes to the WebRequest API but that was two years ago and, I believe, changes have been made. Are there still changes that break functionality? What changes were made over the past two years? Have things gotten better or worse?
The article does not mention changes over the last two years because there haven't been any to mention. The new WebRequest API still does not support blocking requests (and still does support _recording_ requests), and the replacement for that functionality is still very limited.
> The new WebRequest API still does not support blocking requests (and still does support _recording_ requests), and the replacement for that functionality is still very limited.
Thank you. What you wrote is information that needs to be in the article but is not mentioned anywhere. The closest thing is a quote from Mozilla regarding their extensions security review process.
> WebRequest API still does not support blocking requests (and still does support _recording_ requests)
The whole point is that there would be no reason to allow any ad blocking extension access to the WebRequest API anymore.
The replacement, declarativeNetRequest, does not require the user to give any permissions, so the days of granting ad blocking extensions full access to every page are gone.
If you think Google is doing this for their own gain, I guess you can simply ask if declarativeNetRequest will be able to block all Google ads, or if you really need a turing complete language for that.
> The replacement, declarativeNetRequest, does not require the user to give any permissions, so the days of granting ad blocking extensions full access to every page are gone.
From what I see, it also has some strict limits. My basic uBlock+ install has 82780 network filter rules. Chrome seems to "only" guarantee 30000 rules, and I don't know if these match 1-to-1.
And there don't seem to be dynamic replacements, which might be useful to trick adblock detection. Not sure how far in the cat-and-mouse game we are on that front, but I sure don't like the idea of giving the mice highly limited rulesets while the cats can do and do whatever they like.
The current global rule limit is 300k rules per profile. This is shared between all extensions, which is shared amongst all extensions. This limit comes after the 30k per extension minimum, so if your extension uses 40k rules only 10k count against the global limit.
So if we assume rules are 1-to-1 (and in fact fewer rules should be present in declarativeNetRequest because certain rules like element hiding do not factor into declarativeNetRequest, and would be handled directly by the extension), you could fit ~5 adblocking extensions the size of your basic ublock install, and most of a 6th.
Now there are some advanced capabilities of some adblockers that have no equivalent available, but for common multi-plugin rulesets like EasyList, declaritiveNetRequest will support pretty much everything contained therein, (except cosmetic rules, which the plugin must apply separately, since they are not blocking requests, but modifying the page, which is quite different).
> If you think Google is doing this for their own gain, I guess you can simply ask if declarativeNetRequest will be able to block all Google ads
The answer to that is "no". declarativeNetRequest is a more restrictive version of what Safari current supports, and Safari ad blockers don't do as good of a job of blocking Google ads as ublock origin does.
> The replacement, declarativeNetRequest, does not require the user to give any permissions, so the days of granting ad blocking extensions full access to every page are gone.
Great, but I want to give my add blocker access to every web page. That's kind of it's purpose.
Sure it could be abused, but not if you used one of the community recommended blockers.
> If you think Google is doing this for their own gain, I guess you can simply ask if declarativeNetRequest will be able to block all Google ads, or if you really need a turing complete language for that.
I am not sure if it will be able to block all google ads. Pretty sure it wont be able to remove their ads from search results, since you wont be able to remove/hide parts of the site. Also it wont be able to remove annoying pop up adds (sure it might remove the content of the ad, but popup will remain - well depending how its implemented.)
Also it is only limited to 30k max urls in a blocker. Nowdays my blocker has 80k+ urls. So i guess I would have to pick an choose (If i continued to use chrome).
> Sure it could be abused, but not if you used one of the community recommended blockers.
Why not? What stops someone from buying (or stealing or co-opting) uBlock Origin and using the fact that it has access to every user's web browsing to do some serious damage?
> There was controversy over changes to the WebRequest API but that was two years ago and, I believe, changes have been made. Are there still changes that break functionality? What changes were made over the past two years? Have things gotten better or worse?
The WebRequest API’s blocking functions, which are central to the functionality of uBlock, are still slated to be removed.
Thank you. I hope the author of the article reads this thread and ads a proper summary of the problematic changes that Manifest V3 introduces to the article.
Blocked under the supposed reason of privacy, but extensions can still see every request, and inject whatever javascript they want, exfiltrate your data, etc. Meaning the reason is pretty clearly not privacy.
Or that extensions can still inject javascript, observe and log requests, exfiltrate data? I mean the api docs will tell you that. Extensions can do all that because they couldn't do a whole lot without those capabilities...normally used for legit purposes, but the apis can't really glean intent.
See things like onBeforeRequest for observe. Injecting javascript is called a "content script" in chrome extension terms. Exfiltrating data could be done in many ways, given that you can inject a "content script".
I agree with you. The article is terrible. It's a collection of reactions and scare quotes from industry figures. I followed the first few links in the article and they're not much better. You'd hope that EFF, of all people, would be able to make a simple and compelling summary of the issue.
Follow the links in the first paragraph of the article, they go into details about the technical aspects of why Manifest V3 is harmful to users.
It's disappointing to see this sentiment again, as this has been Google's tactic in the past decade: feign innocence and initiate technical discussions, then move goalposts and start over until their opponents are exhausted.
When we first heard of Manifest V3, it took them months to find a ridiculous reason for no longer allowing proper control over requests in Chrome, and they kept jumping between performance, privacy and security, as researchers refuted all their technical arguments one by one.
By now there is nothing left to discuss, they'd just need to stop being malicious.
> as researchers refuted all their technical arguments one by one.
Heya, do you have any links for that? Haven't really been keeping up with this whole thing. I briefly looked at the Privacy Sandbox proposal page a while back in late 2020 to figure out what it was all about, but haven't really got anything on researchers refuting their technical arguments.
Browser extensions have a higher trust level than internet sites. V3 simply dis restricts the former which gives the latter more wiggle room. Sure, there are hostile browser extensions, but at that point security and privacy is already compromised.
It will impact µBlock Origin negatively for example and I want this plugin to be able to access the page unrestricted.
Not even close to a replacement for the type of active, context-aware evaluation uBlock can do.
Additionally, if a solution like Pi-hole was ever sufficiently mainstream, more sites would start serving their ads from the same hostname as the page. It's not difficult to do with the CDN providers most media sites already use.
Yes. Next you'll have to MiTM the DNS over HTTPS. Next in the arms race comes certificate-pinning. Controlling your name resolution will probably remain possible on Linux, but I expect most other platforms will make it exceedingly difficult for "normal" users.
Embedded devices are already "game over". You don't own them (even if you paid for them).
Controlling name resolution on your own network (and MiTM'ing HTTPS) makes you the same as a hostile nation-state actor. We can't have that.
> Embedded devices are already "game over". You don't own them (even if you paid for them).
Ugh, seriously. I have a Chromecast, and couldn't figure out why it wouldn't play things on my local network (via DNS names set up in my router's resolver). Turns out Google hard-codes their own DNS servers and doesn't allow you to change them.
The fix was to give the Chromecast a reserved IP address, and then set up some iptables rules on the router to redirect requests from it to 8.8.8.8 and 8.8.4.4 on port 53 to my router. I'm surprised that Chromecast is using old-school port-53 DNS and not DoH.
HTTPS no, because you're still making regular old DNS queries for every domain, but DNS over HTTPS or stuff like Chromecasts using hardcoded DNS servers do effectively negate Pi-Hole.
Previously extensions could be background pages, with access to DOM & Web Platform apis. MV3 currently reduces them to Service Workers, able to use far far far less capabilities. This is a massive massive downgrade for Extensions, unfathomable really. A Mozillaian proposed a less limited Limited Events Page but Google has snubbed it & not discussed. https://github.com/w3c/webextensions/issues/134
Extensions are forced to use a small subset of JavaScript with no dynamic code execution. Eval() is banned. Function is banned. Embedding a scripting language inside JavaScript to circumvent this is banned. This is a mere ghost of JavaScript left over. Google claims it's to make it easier for them to insure extensions are safe & protect users, but just as much, to me, this is to protect Google from capable & competent extensions allowing users to expand their agency: now extensions have to be narrow, fixed use, specific extensions. Tools like GreaseMonkey are all dead. The web becomes no where near the hackable medium it is, all for a little convenience for Google. https://github.com/w3c/webextensions/issues/72https://github.com/w3c/webextensions/issues/139
A lot has been said & discussed about MV3's declarativeNetRequest; this is where the visible war has raged in MV3 for a while now. I'm not a huge fan but it's also one of the more minor side-shows in this debate, to me. High impact on ad-blocking, but ultimately there's enough compromise & wiggle room here, enough possibility to make this not awful, and if things are left truly bad, there will be enormous hell to pay & this will blow up. DeclarativeNetRequest feels like a side show to how much real ruin & savagery is being wreaked by the first two issues I outlined, being wreaked upon the most powerful & interesting & defining software humanity has, that we augment ourselves with as we do software: our user agent extensions.
I generally find Google to be quite a good steward for the web & am so happy they advance so many different initiatives & capabilities. But this is something that is extremely near & dear to me. The web is different & better than all other software, to me, because it is malleable, because the user-agent gives us power. MV3 is a radical curtailing of us the users. A radical shift towards a web that we have to simply accept, as is, that we cannot bend & shape as we want. Everything happening here feels abhorrent & disgraceful.
The process also feels totally goofy. Google is simply flipping the switch next month. They built what they wanted to as a new spec, debated some about feedback, leave comments that oh yeah, we maybe do need to do something about GreaseMonkey, maybe we do need to fix some of the missing use cases, but we're going ahead with Apocalypse Now anyways. This is the most hostile use of standardizing to destroy that I have ever witnessed.
If Google is having such a hard time hosting extensions as is, they need to stop. They need to close the Google Chrome Web Store for Extensions & stop trying to moderate it. Create a 3rd party store model, let other people serve as the agents of trust. They absolutely positively cannot be allowed to come along & standardize a much much much lower powered form of extension than what we've had, purely because they've had such a (sad fiddle) hard time running an extension store. Their justifications & pleading that these amputations to us are for our own good ring so very very false to me. Google needs to give up being a regulator of this power if it's too much for them.
Have background pages ever had access to DOM? Usually all interaction with an observed tab is done through content scripts not background pages. Same goes for evaling JS code within the context of the inspected window.
By DOM access I assume they mean that since background pages are pages, you can do things like use IMG and SCRIPT tags to load resources, and perhaps a CANVAS to rasterize images that you then serve to pages via an extension URL or something. I've done stuff like that before so I can imagine there being use cases for it, but it's kind of niche.
As for FloC, still trying to understand FloC's implications & make a position on it. Hearing it proposed, it sounds enormously stupid, but I'm not convinced it's in fact bad. Part of me even thinks it indeed sounds like a significant privacy win over where we are.
Rather than discuss FloC though I'm wondering what other efforts you would malign.
If Chrome can kill uBlock and use its dominance to do user-hostile stuff, and Firefox goes along "in the interest of cross-browser compatibility", then what the hell's the point of Firefox in the first place?
I needed them to do that so I could watch Netflix. Debate it all you want, but it made my life measurably better and I'm glad they did it. This would only negatively effect me (and everyone else).
DRM doesn't limit anything for the user except for some video content. The day DRM prevents doing things to requests and such, like Manifext v3 does, then I will care. Right now, I'm happy to be able to watch One Punch Man on my laptop.
> We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR as currently implemented by Chrome does not yet meet the needs of extension developers.
It would certainly be interesting they implemented blocking webRequest (just to keep compatibility with Chrome) and then added a Firefox-specific API for blocking web requests.
I'd guess even if Firefox did keep extensions unrestricted then slowly they would die away - given how much smaller the user base will be. We need some new power to emerge in this space.
If Firefox keeps full extension capability, as a superset of Chrome's gimped implementation, then extension developers can decide how they want to handle the incompatibility.
I don't really get how the extension ecosystem works anyway -- extension developers are usually just sharing something they use to be helpful/make a point, and then some tack on donations thing, right? Since nobody is doing this to get rich I suspect they won't chase marketshare.
There is surely a bias between users of extensions of uBlock Origin and users of Firefox. The userbase is still smaller, but maybe not enough to completely throw away development.
Back to IRC DCC style sharing and distributed computing with VPN
No need to follow the money to do interesting engineering and computing. Interesting is subjective and wrapping a white paper in the cruft to host it as a service in the cloud isn’t interesting engineering
Part of me wonders if the chip shortage is real or just a way to hide big corp hoovering them up for DC hosted services.
Firefox has already been forked multiple times because of decisions from Mozilla, see [Pale Moon](https://www.palemoon.org/) or [Waterfox](https://www.waterfox.net/). Few people use those forks, for the simple reason that what has been removed from Firefox is not game-changing enough to mandate an exodus. However I agree that removing support for uBlock Origin will surely be another story.
> Few people use those forks, for the simple reason that what has been removed from Firefox is not game-changing enough to mandate an exodus.
This is not the reason for me at least to not use it as my main browser.
I recently tested and the speed is good and it is absolutely wonderful to have true full fledged extensions and complete themes.
My reason is that I'm worried if their security is good enough. If we could somehow be sure about that I'd actually happily leave modern Firefox behind for it.
Personally I'm hoping for someone to create a patch set and bulld binaries based on it to re-enable the old stuff, not by letting extensions muck around in the internals but by providing defined extensions points like:
Are you sure you don't want to hard code the original "uBlock" instead of the "Origin" fork while you are at it? It already had a perfectly fine hostile takeover in the past, no need to wait for a new one.
I have a couple of popular extensions on the line, and I no longer see a way to stop Google without immediate government intervention. I am confident that they are not acting entirely in good faith, regardless of the much needed and useful parts of Manifest V3. They will get away with anything, be fined again in a couple of years for the growing list of illegalities they commit, and now they'll also harm the browser extension ecosystem.
Some of the extensions I maintain will no longer work, or have reduced functionality for no acceptable reason, and some of the projects that I have been preparing to release have now been abandoned, because they rely on having proper control over requests in the browser.
I mean you can, but firefox doesn't treat you any better. We waited 2+ months to get a minor update through review, and getting it through that quickly took emailing several folks (including one from HN). During that whole process they also removed the display of your queue position, making it even more opaque.
At some point they disliked something in our extension that had been live for months, and disabled every release in the past year. At another point they found something wanting in a 2 year old release (not a recent one) and threatened to remove it from the store, our attempts to continue that conversation or just allow it to be pulled to save everyone some time met with crickets.
> Where do people get this sense of entitlement from? Please cite one law you believe Google has broken.
Just like Amazon (your employer), Google has also been fined several times in the past decade for illegal business practices. Their illegal activities are extensively documented, and in some cases they were forced to change course due to regulatory intervention. Feel free to look it up, I don't think there is a need to relitigate objective reality.
No you have to understand, as long as a company doesn't commit enough crimes to be literally run out of business, we have to pretend it is good for some reason.
That's true, and so any thing that that company does that some rando doesn't like and claims is illegal we must assume is actually illegal, even when that rando explicitly avoids questions about what they actually think is illegal about it.
They've asked to name one law that I think Google has broken, which is already part of the public record.
If you're asking what illegal business practice Google will be engaging in when the Manifest V3 limitations will begin to be enforced: using their dominance in one industry to gain advantage and maintain dominance in another industry, to the detriment of consumers and competitors.
> I have a couple of popular extensions on the line, and I no longer see a way to stop Google without immediate government intervention
As the developer of extensions that are impacted by Google's anti-competitive actions, you can report how this impacts both you, and the market as a whole, to the competition and antitrust divisions of the government. I've posted links to forms and sites that you can use to report to the relevant state-level and federal-level regulators on HN here[1].
If you aren't in the US, the US also has antitrust legislation that applies to US companies operating in foreign countries, as well as a myriad of antitrust treaties and agreements with other nations. It might be worth it to also report it to the government of the country you reside in, as well.
I've been using Chrome for such a long time now (since like a year after it launched), out of convenience and because it used to be fast (and more secure). It's definitely time to switch.
I think my main alternatives are Brave, Vivaldi and Firefox.
Well I like both Brendan and Jon, and I actively dislike Baker's leadership of Mozilla. However, Mozilla seems to have the highest investment level into the their desktop browser. I'll test Brave first.
You realize Firefox only exists because it serves Google's interests right?
And while Brave might be based on Chromium, it is distinct; in addition to not crippling nativewebrequest as chrome will, it's native adblocker is compatible with the same lists as ublock origin. So I would go with Brave :)
What will Brave, Vivaldi, etc, do when Google makes some change that breaks the current APIs? Do they have the resources and are willing to continue to support them?
Brave's long-term problem is that Google can set the cost of Brave's ongoing maintenance to whatever they want. In the 90s Microsoft called this "keeping the competition on a treadmill".
If Google is not able to control ad-blocking because all the Chromium clones refuse to play ball, what do you think they will do? I have no idea. Maybe just close Chromium entirely, and force all the clones to shut down since there's no way they have the engineering resources to keep up with Google.
EDIT: Except for MSFT... that would be interesting for sure.
> You realize Firefox only exists because it serves Google's interests right?
Ironically, though, the larger Firefox's market share, the more Google will pay to be the default search engine in Firefox. Yes, it's perverse and a little gross that we depend on Google to such a large degree to keep Mozilla and Firefox funded, but having more users increases Mozilla's leverage over Google.
Anyway, your point isn't really relevant. Unless you believe Google is dictating nefarious things to Mozilla and has subverted Firefox (difficult since Firefox is open source, but not impossible), you should still be using Firefox. If you care about not continuing to give a giant, monopolistic advertising company control over the web, anyway.
If Google actually gave a crap about security, they would let you disable extensions. As it is, I have to routinely delete malicious extensions from every family member's Chromebook. Lord knows how they get there, but they always do. Since this new standard still lets extensions observe everything, I don't see what the point is.
I'm just not smart enough to figure that out. That first answer references steps that don't exist on any Chromebook I've ever seen. So I assume I have to enroll the machine in a group policy externally? I have no idea. Never been able to figure it out. I usually just end up installing an extension (oh, the irony) that blocks the extensions domain. :/
In most cases, you can get group policies like these to work if you manually create the registry keys that GPO would create for you. It's more complicated, but it can work.
This post carries a lot of water for user-hating user-blaming anti-extensions.
I'm sorry that your family are... having such a hard time making reasonable choices for themselves. I have literally never seen this anywhere, or heard any coworker ever report their family rampantly adding shitty extensions. I tend to see pretty clear & obvious signals about what extensions are good & ok when I go to consume. Bad extensions seem to be discovered fairly quickly & taken down. The world seems no where near as grimdark as you project to me.
Alas I think it requires a paid Google Enterprise account, but your family sounds like their need external management of their browsers. That they should, like a school computer, have an administrator & a denylist or perhaps even allowlist of what extensions they can use.
This post spreads so much Fear Uncertainty and Doubt. Trying to justifying ending a good thing because some creative user keeps finding a way to misuse, to not listen to sense, to not make good judgement... I find it unfortunate that such heavy fearmongering, such terror at the world is allowed to sway us so heavily.
Ultimately I want 3rd party sites hosting extensions. Not Google. And I want moderation teams able to surface claims that some extensions are bad. We need more choice, more democracy, more ability to help each other. Sunlight is the best disinfectant. Simply giving in to the bed-wetting terror of, oh no, freedom & denying ourselves user-agency is intellectual suicide for the web.
I very very quickly edited my words but thanks for sharing. Got flagged anyhow. I'm still absolutely mystified to hear about such huge sorry sad sappy stupid problems occuring with blitzing regularity. I cannot imagine how your people discover trouble so readily.
It doesn't sound like you think your family is at all educateable in any way, you seem to think this is a horrible lost cause & that we must withdraw power & good for the world to protect your vulnerable unfortunate hapless brood. That's how defenseless your post makes your people sound, that's the impression you're giving off. And you're using that as a weapon against the world, against good, against freedom, against capabilities. This is extremely menacing a position you've made, using your own family's purported victimization a weapon against good.
You can only signed addons these days, so they must be sourced or at least signed by Google. Especially on Chromebooks which are more restrictive in the software they run.
My guess would be that your family members got social engineered into installing that crap ("this web page only works with X, click here to install"), ort their browsers got exploited and hacked (very unlikely!). You'll probably need full MDM to prevent these websites from getting their users to enable extensions.
The problem with disabling extensions is that whatever has the capability of pushing extensions into your browser also has the ability to change the settings for addons. The only solution I can think of is to create a Chromium build that cannot run extensions at all.
Remindes me one time one time a old person I sometimes help out got social engineered to enable desktop notifications for a website.
And as a non windows user it took me a while to realize that this notifications come from the browser as desktop notifications and disable them. Its still a riddle for me how chrome managed to make it both very obvious and very unclear at the same time that this are websites desktop notifications. (As a counter example I used some sites which used desktop notifications on FF/Andriod instead of making a app just because notifications, that I loved)
This wouldn't happen with proper adblockers. Also, if a user or a malicious script has permission to install extensions, I assume it would also have permission to toggle "enable extensions" setting.
This post carries a lot of water for user-hating user-blaming anti-extensions.
I'm sorry that your family are... having such a hard time making reasonable choices for themselves. I have literally never seen this anywhere, or heard any coworker ever report their family rampantly adding shitty extensions. I tend to see pretty clear & obvious signals about what extensions are good & ok when I go to consume. Bad extensions seem to be discovered fairly quickly & taken down. I'm trying to imagine how folks even get to the Chrome Web Store in the first place if they have no idea what they are doing. The world to me seems no where near as grimdark as you project.
Alas I think it requires a paid Google Enterprise account, but your family sounds like their need external management of their browsers. That they should, like a school computer, have an administrator & a denylist or perhaps even allowlist of what extensions they can use.
This post spreads so much Fear Uncertainty and Doubt. Trying to justifying ending a good thing because some creative user keeps finding a way to misuse, to not listen to sense, to not make good judgement... I find it unfortunate that such heavy fearmongering, such terror at the world is allowed to sway us so heavily.
Ultimately I want 3rd party sites hosting extensions. Not Google. And I want moderation teams able to surface claims that some extensions are bad. We need more choice, more democracy, more ability to help each other. Sunlight is the best disinfectant. Simply giving in to the bed-wetting terror of, oh no, freedom & denying ourselves user-agency is intellectual suicide for the web.
I'm absolutely mystified to hear about such huge sorry sad sappy stupid problems occuring with blitzing regularity in your tribe. I cannot imagine how your people discover trouble so readily.
It doesn't sound like you think your family is at all educateable in any way, you seem to think this is a horrible lost cause & that we must withdraw power & good for the world to protect your vulnerable unfortunate tribe. You're using that as a weapon against the world, against good, against freedom, against capabilities.
This is extremely menacing a position you've made, using your own family's purported victimization a weapon against good.
The security argument seems pretty simple. The end goal is that legit extensions that people regularly install should not need to ask for dangerous permissions, because a) it teaches the users that it's normal and b) since the extensions can become compromised later and abuse the permissions. Adblockers are probably the most common kind of extension, and are currently granted effectively unlimited access to read and modify every single web page you use. That's fucking scary.
If adblockers (and other classes of legit and common extensions) can be migrated to a safe API, it makes the unrestricted and dangerous API much more manageable since what's left is much less likely to be legit or something people actually care about. For example you can have enhanced review processes, warn users more forcefully about the danger, start limiting the power of the API, implement new safe APIs for some of the remaining use cases, etc.
EFF are smart people. They know what the actual security benefit is, and choose to instead argue against a caricature.
> Adblockers are probably the most common kind of extension, and are currently granted effectively unlimited access to read and modify every single web page you use. That's fucking scary.
How is that scary?
The browser by definition has unlimited access to read and modify (and monitor) anything I do in it.
And I trust gorhill a million times more than any Google employee, past, present or future.
The scary part is gorhill is able to sell or hand over the extension - as he has done in the past - to someone with looser morals and/or goals.
How much do you think NSO Group would pay for this kind of access?
If you ran uBlock Origin, would you like to retire early?
Jbk from the VLC project has a lot of stories about turning down 6, 7 figure payments to bundle malware in VLC. Not everyone has the strong morals and unlimited stamina to withstand that.
Manifest V3 is created to solve a real problem. I have had browser extensions go rogue on me before (Stylish), and i would like it to not happen again. At the same time, uBlock Origin is a hugely important extension for making the web usable for hundreds of millions of people. A compromise must be found that moves their safety out of a single person's hands.
It's a good point. Probably best to build it into the browser and let me add my own lists for it to use. That would be a good move for Firefox, they could have it off by default but it would help to reduce the chance of a compromised extension have too much access.
Another problem is that it's static; my understanding is the extension creator needs to make a new list, get it approved by Google, put it in the repository, and get the user to download the update, before a new ad is blocked. Probably requires a restart of the browser, also.
Not sure if it removes the ability for the user to on-the-fly add any blocking, but I suspect it does.
He sold/handed over 'uBlock'. The new owner was malicious. Gorhill learned from his mistakes, started uBlock origin and decided he'll rather let an extension die than hand it over the next time.
I, as an end user want to be able to install whatever dangerous software I want, especially as a power user. I understand the potential consequences and I don't want or need the handrails. Options and freedom are good. This is why browsers need to be split off from for profit organizations to be managed by entities that aren't concerned with the fallout if someone installs malicious software.
I don't think this is a great path, though. Extensions like uBlock Origin should not only be available to people like us, who understand the risk of giving extensions more permissions, and would (hypothetically) have to click through some scary warning dialogs or edit config files to allow it. Your average-Joe user probably needs extensions like this even more than we do in order to remain secure on the web.
I agree it shouldn't be available just to people like us. My assumptions here are twofold, one Google doesn't want to deal with fallout from users being harmed in anyway by an extension installed from their ecosystem. It could have real monetary and regulatory impact on them. Two, this benefits their ad business by reducing how thoroughly ads can be blocked.
I think browsers should be moved away from for profit organizations to separate non corporate stewardship. With that you remove the overall susceptibility to fallout and can try to give more freedom over the features a browser has or how deeply extensions can integrate, for everyone. You also obviously remove the immediate monetary incentive to restrict freedoms.
Since you casually mentioned it—why would Google implement a safe API after removing the "dangerous" API that increased their ad sales? Given their recent history, and all.
The browser team could implement the ad blocker itself, instead of relying on third-party code. But even the apparently-best one of those (Brave) has a lousy interface for it.
It sounds like you're happy to hand control of your browser away for free. I've been writing code for a few decades, I don't know everything but I don't need someone to decide for me what's too dangerous for me to have access to.
If I was truly insane I'd go the Steve Gibson route and write a completely different browser from scratch. I'm aware it would take the rest of my life (or longer) at this point but the engine options are so few, and the ability to avoid the owners' restrictive BS limited enough, that I'd be happy as a clam to see a whole new reboot.
I'd jump onto even an alpha of that, just to bump numbers out of hope that ANY group could get together and get out from under the advertising trap.
uBlock origin makes the Web safer. End of Story. You cant argue about scammers going after high value targets without mentioned every other popular application out there.
I should not be able to write a JS popup that looks like a browser dialog - that would be a pretty good start to improving security of the platform. Instead they remove the APIs that run the ad-blockers. Then give the MAIN APIs used by scammers/ad networks to deanonymise, track and trick you, free access to your system without your agreement.
Talk about having your cake and eating it too. Its Prohibitionist rhetoric all over again.
> If adblockers (and other classes of legit and common extensions) can be migrated to a safe API
Sure, but Manifest v3, doesn't have such API. It has a very limited API, that can't do a lot of things uBlockOrigin does.
I am not even taking about way too small limit for filtering (30k urls, my current are at 80k+)
I mean in manifest v3 you can't hide various banners or fullpage overlays and similar. That to me is one of the more important parts of what uBlockOrigin does for me.
So at best I will get half of the functionality (that is if google raises the limit)
> EFF are smart people. They know what the actual security benefit is
yes. Chrome with manifest v3 + uBlockOrign (assuming we even get it for v3), is less secure than chrome with manifest v2 + uBlockOrign
EDIT: Almost forgot. You also cannot block, adds on google search, any more.
Yep. But note that MV3 is a lot more powerful than Safari's adblocking capabilities. It's still declarative, but supports dynamic rules, header modification, etc.
Web Extensions have never had a spec before. So of course Google is taking the initiative to aggressively re-define & cut down what an extension is, at the exact moment they try to turn it into a cross-browser standard.
Firefox is supporting Manifest v3 extensions however they are not imposing every limitation Chrome is on them and they are continuing to support features outside the scope of v3 like blocking webrequest.
A lot of the changes in v3 are actually pretty sensible, it's just 10% of the stuff shoehorned in creating 90% of the friction.
Firefox will make it possible to upload manifest V3 extensions to their store (eventually). It's a good thing because it makes it easier to make an extension that works unmodified for both.
Chrome is additionally planning to remove support for manifest V2 as well, Firefox can't start to do this because they don't support V3 in their store yet.
It will be interesting what Microsoft will do, at first glance they don't care about advertisement and allowing ad-block would bring a lot of users to their ecosystem. (they already have soft adblock out of the box)
That probably because their operating system is infested with advertisements and data exfiltration mechanisms. Why would they need the browser to do it too?
I miss the early days of Firefox extensions (circa 2004) where an extension could in very powerful ways completely change the layout/functionality of your browser; when they had near unlimited access to the XUL and could change anything and everything.
I used a ton of very useful extensions then. Nested tabs were one of my favorites. These days I've got a password manager, a bookmark checker, and a tab manager I wrote myself.
They're just not allowed to do anything too useful these days - I know what they have access to, I write Chrome extensions. A lot of them should just be standalone desktop apps.
Like most things, normies came in, shot themselves in the foot, made a fuss, and now we can't have nice things.
I wish Firefox would have left the old extension abilities. They could have easily added the WebExtensions standard to allow for cross-browser compatibility and not removed the old functionality.
They basically did, until the underlying browser became incompatible. That was the point: to have a stable API instead of extensions relying on implementation details, which includes multiple processes.
They didn't just broke them by necessity of rewriting the browser, though – they then actively blocked them on regular browser versions (non-Nightly/Developer Edition/etc.).
I tried installing Nyxt. I'm not sure how common CUA bindings are. I tried pressing Alt+Left and Alt+Right to navigate between pages, but got a strange error in the status bar: "Warning: Error on separate thread: There is no applicable method for the generic function # when called with arguments (NIL). See also: The ANSI Standard, Section 7.6.6". Which is baffling as a user.
The least worst web browsers these days are typically the older Firefox forks that have maintained XUL and powerful extensions. But this class of browsers is rapidly become few and those left are run by... controversial personalities.
While I also miss some of the capabilities, I also can understand why Firefox removed them.
Extensions systems which don't have very clear cut boundaries like XUL are just add a very hefty maintenance burden and make review extremely hard.
It's not really about "normies".
This doesn't really apply to the current change, as extensions already have clear boundaries and and as the article pointed out problematic apps likely won't be too much affected as they often already do things which bypass the constraints to avoid detection by the reviewer... (assuming I understand the topic correctly)
Has nothing to do with "normies". With the old extension system, Mozilla couldn't make any substantial changes to browser internals (like multi-process, among other things) without breaking everything. It makes sense to have clear boundaries between the core and extensions, and keep implementation details out of the extension interface.
E.g. mass downloaders have become quite a bit less useful because they can only download into the OS downloads directory without prompting for each and every download.
While a good message that does have actual merit if you know what's happening already, I don't see how this is a legitimate consideration of MV3.
The entire argument regarding security doesn't mention any of the reasons Chrome developers cite its security improvement, instead it brings up that Firefox "does good enough already" and that malicious extensions can still get past the review process. the review process is by itself improved with V3 as extensions that pull in code remotely can no longer get past the review process[0], especially with how many current extensions implement RCE C&C intentionally. They also say extensions are "usually interested in simply observing the conversation between your browser and whatever websites you visit" - that's 'usually', though; malicious extensions intercepting and modifying requests for their own benefit isn't unheard of.
Instead of only stating 'this is bad', it would be beneficial to include both (A) what they say (B) their basis for the decision, if any (C) why that line of reason is incorrect/deceiving.
Beneficial in what sense? If manifest v3 is still bad on net, then including chrome's counter arguments makes for bad rhetoric and thus does a poor job of advancing a valiant goal.
Anyone who pays attention to the web platform should know by now that any rationale Chrome (or Google in general) developers give for web platform decisions is made up. They repeatedly told us they had specific motives for AMP and it was all a lie, AMP was designed to tighten their grip on the advertising market. It's not the only example - the way their autoplay whitelist works is also transparently manipulative despite lies to the contrary - and I would bet money that MV3 is partially motivated by business incentives in the same way. Googlers' paychecks are signed by Ads and GCP and ad-blockers actively undermine the former.
Google has not provided any reason to not include "block request" functionality. And that the super bad faith underlying fact that poison their "reasoning".
There is still "block request" functionality, the change is that it's now declarative. This is the same way it works in Safari, and is (a) more efficient because you don't need to execute JS to evaluate each request and (b) more private because an ad/content blocker doesn't need to be given such broad permissions. There are serious tradeoffs (no request time js makes it less flexible) but it's still very capable and easily can be used to block Google ads.
The safari change absolutely kneecapped content blockers. Ublock dropped it[0], and the remaining few providers, like AdGuard, have to do all sorts of trickery[1] to get even close to the same performance.
If you're going to argue this is better, don't point us to such a clearly worse result.
I'm not arguing that V3 is better -- I think that's a complicated question, and I was trying to describe some of the tradeoffs. What I am arguing is that V3 does, contra my parent, support request blocking.
I quibble with this. Request blocking "as that has been understood", is preventing the request from leaving the browser. That's still demonstrably doable with mv3. What's changed is the mechanism. You can argue about the value of changing the mechanism, about the burden placed on plugin developers, or the efficacy of various APIs, but the functionality is inarguably still there.
You're being disingenuous. With Manifest v3, it is not possible any more to block requests dynamically which has huge implications for the efficacy of ad blocking (example: forget blocking youtube ads). Additionally, you're limited in how many static rules you can have.
Therefore, it's not just about changing the mechanism, the end result is clearly a lot worse. One can say, they crippled ad-blocking which this change. Hopefully, once the millions of people using ublock origin start noticing what's happening, they will move away from Chrome. I already did, ublock origin is worth more to me than any feature Google puts in Chrome.
I just hate that rhetorical game of "well, prima facie I meet your standard so what's the problem?" You met the standard before too, obviously that's not the problem
Fair point, apologies if I came off a bit harsh. I'm just really frustrated in the direction Google has taken with this whole thing.
I understand the average user probably shouldn't be able to easily hand over so much control to extensions, but on the other hand, dynamic ads shouldn't be able to serve malware or cryptominers.
I'd be a bit more open to the idea of a locked-down manifest if we had seen more good-faith attempts from AdTech to change the paradigm that makes content blockers almost a requirement.
This is just an attempt to rehash the same old arguments provided by Google that have been repeatedly debunked by developers and security researchers.
> I work on ads at Google, speaking only for myself
I'm doubtful about a person's ability to speak for themselves, when they have been consistently defending their employer on HN for years, at every occasion they got.
I’m sure you are an honest person working in good faith. But we saw very similar behavior from Google around AMP. They had a very narrow reasonable sounding explanation, and just ignored all criticism and requests from both users and publishers that didn’t fit their narrative. This went on for years.
Today we know AMP was also a anticompetitive plot to kill off header bidding.
Why should we to believe a word of what Google says about Manifest v3?
It's been years since AMP went live. Disagreeing while pointing to information that's been withheld for years and does not (to my knowledge) have a timeline for release... that does not make a very compelling argument. It amounts to "trust us". But we don't-- that's kind of the point.
I interpreted coffeefirst as referring to the current antitrust action against Google, and saying that I expect more information will come out as it progresses.
There will never be a smoking gun because the people cooking up these dark pattern schemes are generally smart enough to not document them. The problem they want solved gets broken up into pieces that are given credible cover stories and then when it is all integrated together the intended outcome happens without it ever being explicitly written down in an incriminating email.
Good point, that may be what they meant. Although I would not count on all of those details coming out: for years Google has been warning employees against using certain types of language that could in someway look bad from an antitrust/anticompetitive point of view. So I would expect that a lot of documentation, emails, etc will look anodine on the surface through self-censorship.
I don't expect anything that comes right out and says something like "we must implement AMP to as a strategy to remove competition from header bidding". Instead it will mostly be just the standard talking points about user experience and load times.
I could be wrong though: plenty of things have been revealed in things like text messages where people don't think of them as being part of an official record.
Recently a large software company managed to avoid looking into a bug report for several days about an inability to dial 911 on an Android handset until enough social media indignation was generated (1). However, the org in question ignored it until enough outrage on Reddit was generated and it was eventually noticed. Not one alarm bell seems to have gone off despite all those clever people and funky machines and the much vaunted AI/ML and stuff. That's a bug that might engender criminal liability in some jurisdictions.
In this case, it appears that multiple large orgs are involved: G and M. One provides the environment and the other appears to have dropped their drawers and crapped in it but in the end a telephone should always be able to make emergency calls regardless of what is installed or configured on it.
In the end this sort of thing might look like lack of responsibility due to arrogance due to lack of competition. I'm sure other interpretations are available.
Normally the above should be considered an example of whataboutery but I think your response deserves little else. If you have something to contribute then please do but not that sort of thing.
But it was your incorrect claim that was trivially disproved.
So if you weren't asked to, you're just astroturfing voluntarily. That's not better, it's worse: If one gives up one's integrity, one should at least get paid for it. Otherwise, one isn't acting just scummily, but scummily and stupidly.
Your linked claim is that "AMP was also a anticompetitive plot to kill off header bidding". Your linked "debunking" is about AMP pages delaying loading for non-AMP ads, which is completely unrelated to header bidding.
The claim, in a broader sense, was: "AMP is shit", or perhaps even "AMP is shit, and Google are anti-competitive arseholes". And those are certainly well-established enough by to make any attempt at defending against (either of) them delusional.
I'm happy to talk about specific claims if you want, but I was trying to respond to a specific false claim about header bidding and not signing up to defend all things AMP.
There is still "block request" functionality, the change is that it's now declarative. This is the same way it works in Safari, and is (a) more efficient because you don't need to execute JS to evaluate each request and (b) more private because an ad/content blocker doesn't need to be given such broad permissions. There are serious tradeoffs (no request time js makes it less flexible) but it's still very capable and easily can be used to block Google ads.
Docs: https://developer.chrome.com/docs/extensions/reference/decla...
(Disclosure: I don't work at Google or on ads anywhere, speaking only for myself)
I would believe this more if Mv3 didn’t allow extensions to inspect all web requests programmatically, just not block them. Want to exfiltrate your users’ data to attack or track them? Fine. Want to block ads. No way!
> There are serious tradeoffs (no request time js makes it less flexible) but it's still very capable and easily can be used to block Google ads.
Those serious "serious tradeoffs" made me completely stop using the web on my iPhone. Yeah, Safari content block can block roughly 80% of web ads, but those extra 20% are extremely annoying.
Web owners use all sorts of trickery to bypass adblockers and serve malware filled ads. Handicapping our current best defense tech against this is a sure as hell way to make me never open chrome again and completely purging it from any friends and family computer.
While there seems to be some disagreement with your position, I just wanted to thank you for being transparent about your involvement at Google. More people should act like that.
> (a) more efficient because you don't need to execute JS to evaluate each request
This is true, but I think overly performance-focused. It doesn't feel like that much time, so I think there's a valid complaint that it doesn't make sense to kneecap flexibility for speed.
> more private because an ad/content blocker doesn't need to be given such broad permissions
Sure, but this doesn't seem like the only possible solution for the people that own the browser. Why not only allow a restricted subset of JS that lacks any form of IO? Or if that's impossible/risky, why not something like Starlark or Lua?
I think this is based on a fundamental misreading of the problem. The privacy concern is that your data will leak, not merely that it's accessible to a third party. The cat binary can read my data, and I'm not at all concerned about that. So can my shell, and likewise on the concern.
Privacy doesn't necessitate this solution. It is one of the possible solutions, but I think is hard to sell as the best solution to the problem. It is likely the easiest.
I see a lot of people suggesting Firefox, which is great. But also, considering Chrome is basically Chromium, can't we just fork Chromium and keep using that?
Does Brave have their own extension repository yet, or are they still leaving that all up to Google? I don't see much value in Brave supporting a feature dropped from Chrome if it only has Chrome extensions and they all drop support for it anyway.
Firefox has said they will implement V3, but "we will diverge from Chrome’s implementation where we think it matters and our values point to a different solution."
Specifically, "we have decided to implement DNR and continue maintaining support for blocking webRequest. Our initial goal for implementing DNR is to provide compatibility with Chrome so developers do not have to support multiple code bases if they do not want to. With both APIs supported in Firefox, developers can choose the approach that works best for them and their users."
Can such a fork be upheld for a long time? Browsers are one of the most complex programs out there. I have my doubts even regarding whether Brave could maintain such a fork, let alone smaller entities.
IMHO it's really about "those who give up freedom for security deserve neither", as that classic saying goes[1]. The excuse of "security" has been used throughout time to take away personal freedoms, and with Google (and some of the other authoritarian parts of the industry) pushing very hard in one direction especially within the past few years, it's about time we started pushing much harder in the other. Indeed, good enough is good enough.
[1] I am well aware that was not the original context of the quote, but it's a nice rallying cry of the sentiment behind the movement.
I think the fact that it will significantly limit privacy and ad blockers is sufficient reason for a high level of criticism, which I took as the main point.
I didn't see dissecting the security details as the point they were trying to make. Instead it was to partially undermine the reasons Google said they were doing this.
Basically "here's why it's bad for privacy, and here are why Google's stated reasons for the update are insufficient to justify that"
"significantly limit privacy"? You either don't know what this change does or find it "significantly more private" when an extension developer has full read / write access to your web requests
I was referring to the much higher level of difficulty adblockers and the like will have in filling their intended purpose.
It seems like this is the clear interpretation of what I wrote and that you may be purposely misconstruing my comment in order to level a soft insult and condescending language at me over an opinion you don't agree with.
To give you a little benefit of the doubt though and assume you may just be passionate about the issue and don't intend to be insulting I will address your other point: Users giving away access to their web requests without realizing it is a problem. It is also one that can be addressed without making it much harder for privacy-minded users and the providers of those extensions to get what they want as well.
What Google says vs what's going on aren't necessarily the same thing, they have a long history of selling us the 'for your convenience' line while removing functionality that people depended on but that ultimately hurt Google's business interests: to be able to force feed you more ads.
They have long outlived their credit in the bank of the benefit of the doubt.
Yeah, for an article that claims in the title to be adressing Chrome users, it does a very poor job of actually telling these users what this "Manifest v3" thing is and why exactly it's a "raw deal" for them. Provided they even know what a "raw deal" is - for me it's a rarely-used US-specific expression, and I am only aware of it because of an R.E.M. song (https://genius.com/Rem-monty-got-a-raw-deal-lyrics).
The security improvement is negible compared to the danger of data extraction which ad blockers pretty effectively prevent in many cases. No, the security advantages just plainly aren't there and I think this is more driven by Google business interests.
Installing random plugins is a security issue. But web tracking is by far the more significant threat.
"extensions that pull in code remotely can no longer get past the review process"
When Google says "pull in code remotely" they dont mean from a remote server. Instead its 'code remote to Google' aka code you wrote yourself sitting on your hard drive. This kills greasemonkey/tampermonkey and all the other UserScript extensions. Google saw how great Apple is doing and fell in love with the concept of walled garden. Its their browser and they wont let you execute any code that wasnt approved by them.
Review by Google is completely worthless for my security considerations. I need my software to work for me, so Chrome will not be part of that anymore.
To say browser extensions pose a risk is true, but it hardly makes it in the top list of threats anymore. Malicious sites however still do and Google just restricted our ability to let third party tools provide essential services. Sure, these could be malicious, but that is generally not a wide spread IT problem of today. That should be also obvious to Chrome developers.
Accidentally they also restrict ad blockers? Come on, you are getting played.
One option is to just move away from browsers entirely. We can take some of the good things. Like maybe a small subset of HTML and web assembly. Add some minimal IO to web assembly.
A website being rendered by opaque, per-site web-assembly code, is not going to be amenable to uBlock, Greasemonkey or any other user-empowering extensions.
In this theoretical world you would generally not authorize any code (nor could any run by default) if you were just trying to view a web page. The HTML subset would be used for displaying information.
I honestly think that Google underestimated how much they are going to piss off users with MV3. There are thousands of extensions that will stop working and be impossible to build. But also there will be a lot of broken experiences as remote loading is forbidden and fixes will need a new release.
Can't wait, but that's a very good opportunity for Firefox as Firefox will become more powerful than Chrome
Or more likely, towards Edge, by virtue of requiring almost no effort to deploy the same set of extensions in a very similar browser in the hands of a company who doesn't require destroying privacy as much as google does to keep making money.
One of the "benefits" to Microsoft of using Chromium is reduced development costs and they're not going to get that if they let the forks diverge too much.
Right, but 'we don't support this!' would be a great look when most technical people are already strongly opposed to Manifest v3. I'd call it an easy win, but of course they'd have to maintain that and possibly implement / design their own API's when Manifest v4, for example, comes out... so it's definitely not as easy as it may seem.
I'm sure Microsoft wouldn't mind spending more on development if it means market share from Google if Chrome breaks everyone's extensions and they still work on Edge
Too be honest I don’t think the messages to use edge over chrome are really in the same category as the others. Googles plaster their homepage with a big banner of “hey chrome is so much better than what your using” and did for years.
In the article, Firefox is cited as intending to adopt MV3 for compatibility reasons. If they indeed do so, I'm not sure how much relief running Firefox will offer from the more evil aspects of MV3.
With Firefox's market share, not much. This could massively benefit Firefox adoption, though, because everyone relying on old extensions will have to switch.
From that viewpoint, the new restrictions could actually be a good thing.
At the point when Edge (Chromium) no longer supports proper adblockers, I would instantly stop using it and use Firefox for almost everything. It would be a 100% deal-breaker for me.
Right now, I have Firefox installed but don't use it much, because I don't see a compelling advantage.
They're not really "adopting" it as the way forward. Firefox will be able to use Mv3-type extensions, but the current extension types will continue to work.
As long as those extensions don't fetch and execute any JavaScript that hasn't been bundled at the time of Chrome store submission, they'll be fine. The biggest change happens at the API for monitoring and managing web requests.
Mentioning again to the entrepreneurical ones here that I want to pay money for something that works like old Firefox but uses the new supposedly more secure code base.
I pay for IntelliJ so why not pay for the just as important browser if I can get one that I like?
Just don't increase the pricing to Jetbrains level until you have Jetbrains level features.
> It might be great but for now refuse to support anything that further strengthen Googles grip on the market.
The question then becomes: "What else even is out there?"
Because if you're looking for something that's even remotely feature complete for browsing the modern day web, the majority of the current browsers out there are indeed based on Chromium, as expressed in this article, "Firefox is the Only Alternative": https://batsov.com/articles/2021/11/28/firefox-is-the-only-a...
Here's the table from the article in text format:
Browser Based on Chromium Open-source Market Share (desktop + mobile)
Chrome Yes No 64.7%
Chromium Yes Yes -
Edge Yes No 4.0%
Brave Yes Yes -
Vivaldi Yes No -
Opera Yes No 2.4%
Safari No No 19.0%
Firefox No Yes 3.7%
Firefox isn't perfect. I'm sure if you go back to the last major browser war, you'll see that Firefox didn't "win" that war. But they did win the fight they were fighting. They proved that you don't have to put up with the monopolistic behavior of Microsoft to browse the internet.
Today, Google and Microsoft and Apple are fighting Browser War 2, and it looks as though Google is winning. However, Firefox is still fighting, but not to win. But to prove that we don't have to put up with the monopolistic behavior of Google to browse the internet.
Firefox has had it's ups and downs. But "winning the war", in my mind, isn't the point of Firefox.
I think the controversies around firefox are blown way out of proportion. Yeah, there are some, but the amount of hate the project or the company gets on HN under every new version post is ridiculous.
It is an open-source project fighting a good fight, and the only one at that.
While I may be the only one around here to not know this, but I didn't realize Brave was OSS all the way through. That's great. I used FF for 19 years and switched to Edge fulltime in August ('21), and never looked back as each browser has its strengths and weaknesses. In the end, other than me being upset with feature removal in FF, I found Edge objectively comes out on top for me.
Vivaldi always seemed to hold the most promise but was buggy for me and still missing strong iOS integration that the competition has in place. Having used FF for so long, I was ready to go to a larger provider. So mainly, MS, Apple, or Google. Native browsers have big advantages so resisting those no longer made sense if I'm making a switch.
But Brave in my testing, did not completely convince me. Reviewing my testing notes-
Brave- no dedicated search bar option (important for privacy / prefetching and not having to continually retype your search query). Didn't get to mobile support and crossplatform sync. No dedicated extension store.
Of course, I had to give up on my dedicated search bar requirement, because FF's has been gimped by Mozilla, and Vivaldi had other unrelated usability flaws. So Edge it has been, and being completely honest, I've been thrilled with it. There's plenty other good here to overlook that and I haven't missed it as much as I thought I would.
All that said, I'm now going to keep Brave in mind, moving it up a notch. I always liked Eich which doesn't hurt. I don't fear a Chromium world, and never used FF because it wasn't, in fact I mostly resented it. I just don't see eye to eye with the anti-Blink crowd.
I think Firefox should've morphed into Brave, rather than be a separate project. A Brave that has Vivaldi's feature set would be perfect. Only thing missing then is major vendor support, and it'll always be non-native on all platforms, but at that point it could be overlooked.
For Firefox to fight its way back will require more than anti-Blink monoculture advocates supporting it. Blink has become the same as the USD, and isn't to be feared. For me, that's like saying you're resisting using the US Dollar because you don't want monoculture. Yet look at how much you can do with the USD. It enables quite a bit, embracing it just enables you to get other things done with less resistance. Users benefit. More important missions are at play. Like perhaps privacy, transparency, both things that Brave clearly focuses on. Or whatever one's chosen priorities are.
I legitimately love MS Edge, and I always keep Tor installed for the best privacy, but Brave is now my #2 pick for a daily driver and will be advocating for it for those that don't want to use their native browser.
I've been using Firefox for as long as I've been on the internet, but I got really tired of using it just because "It's not chromium". Mozilla been doing really stupid and frustrating decisions that made me feel like I'm in an abusive relationship. I've been eyeballing Vivaldi for a long time, and Firefox breaking compact mode finally broke the camel's back for me earlier this year.
When I switched to Vivaldi I felt like it's 2003 again, and I've just switched from IE to Firefox. Every single thing Mozilla removed from Firefox over the years is here, and most of the stuff I used hacky addons that would often break is here too! In the core browser, as first-class features, without the need to fiddle with userChrome.css or look through obscure flags. It really is a breath of fresh air and it puts into perspective how many excuses I've made for Firefox over the years. It's not worthy of being my browser, simple as.
Mozilla took my fundamental addons that separated Firefox from other browsers, they took my RSS reader, they took my cool Torrenting and Email clients that were a part of the browser itself. The TreeStyleTab requires you to go through obscure and hidden config files that often break with updates and the extension itself is not stable and fiddly. On top of that, I had way more Firefox extensions that aren't even different from Chrome extensions in major ways. In Vivaldi, I just get a nice panel with RSS, Calendar, Translator, Email client, Notes, whatever I want! The adblocker is built-in, the privacy features are built-in, you even get to put your tabs wherever you want. It has theming support that is as good as Firefox Colors, and it has custom search keywords that replace DuckDuckGos bangs for me more often than not. It even has the dark mode among other page filters, a screenshot tool, web page tiling! All the things that would turn my Firefox profile into a slow extension pile that barely works and longs for death.
Mozilla's "goals" of removing key features meant for people who actually would want to use a "google alternative" are laughable, and it's as bad on "privacy" axis as Chrome is because you have to use something like LibreWolf to get the actual privacy from it, very much like you have to use ungoogled-chromium with Chrome. If they think that turning the browser into a Chrome clone with some bumper stickers that say things like "Proud not to use Blink" and "We do say privacy a lot", then it's already dead to me.
Do you happen to know how they make money, or can maintain the project going forward? Seems they don't charge for their browser, and also claim they don't monetize their user's personal information at all.
Vivaldi generates revenue from partner deals with search engines.
Every time you search using one of the pre-installed search engines, you’re helping us grow, one search at a time. Currently, we work with DuckDuckGo, Ecosia, Startpage, Yahoo!, Bing, and Yandex.
The only exception is Google – we don’t make money when you search with Google. However, we know that some of you use this search engine daily, so we include it in Vivaldi.
TreeStyleTabs works out of the box without any sort of hacking around. I really don’t get this mentality. Firefox’s containers have no corresponding feature in chrome, they haven’t copied it and it is a huge win from a privacy PoV.
I had to modify userChrome.css twice to make it work over time, because obviously, you don't want the old tab bar there at the same time as TST. But also it was very unstable for me because every time I needed the left bar for something other than tabs it would crash or hang or get stuck. The rest of the browser would keep working fine, but the tab bar would not receive clicks or something like that. I had to restart Firefox every time that happened.
As for privacy containers - you can easily switch profiles in Vivaldi. It's not integrated to the same degree where you'd get tabs from many profiles in one window, but it works for me.
If you like Firefox Containers you should also know that, ironically, unlike Chrome Firefox doesn't have proper site isolation. [0]
> Mozilla took my fundamental addons that separated Firefox from other browsers, they took my RSS reader, they took my cool Torrenting and Email clients that were a part of the browser itself.
It was never the point of Firefox to offer them. Firefox originally started to be the slim alternative to the fat Mozilla suite.
> The TreeStyleTab requires you to go through obscure and hidden config files that often break with updates and the extension itself is not stable and fiddly.
What are you talking about? TST is very stable since years now and except for hidding the original tabbar, there is no need for using any config files. And even this is a stable setting which barely change every some years or so. Obviously, the first months in their transition to the new extension-system TST and Firefox were quite unstable and busy with filling the missing gaps. But that was 4 years ago. There still are some features missing, mostly for comfort, but it has settled down now and is very stable now. And still better than anything other browsers have...
> “ It’s also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that’s not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility.”
I don’t understand why Firefox needs to adopt Mv3 for “cross-browser compatibility”. Is this to save extension writers time and effort or is it a mistake in the article?
The former. Firefox tries to make it possible to port Chrome extensions to Firefox with minimal changes. Mv3 contains lots of new stuff beyond nerfing adblockers.
Because of this, sometime in 2022 I will shut down Sitetruth, my fifteen year old ad blocking and site evaluation system. That offers add-ons for Chrome and Firefox, and puts a tag with company background info on each search result. Some search ads are removed, and some are de-emphasized. Some time next year, Google will probably force that add-on out of Chrome, as they tighten their grip over what browsers are allowed to do.
I did this as a technology demo, to demonstrate automated site background checking. The concept that you have to have a business address to sell online is almost archaic now, even though it's the law in the EU and California. So, today often the system often can't tie a web site to business records.
I was working on a project about 15 years ago that could tie a website to a business address. The underlying assumption is that many/most legitimate businesses that sell products have registered trademarks. The main purpose of a mark is to enable traceability back to a legitimate, non-ephemeral source for a product. If the reader disagrees that reputable products would have associated trademarks, then stop reading here. :)
These trademarks can be represented in a domain name or TLD. IP offices that register the marks generally obtain physical mailing addresses for physical correspondence. The crux of the idea is that the domain name and TLD do not have to be issued by ICANN. As such, it does not have to follow any pre-established conventions. Trademark registration systems already have unique identifiers and classifications that can be represented in the domain name/TLD. Thus we can create a new, collision-free naming system that offers more than ICANN, e.g., a direct association to an IP office.^1 This leverages the work of IP offices to collect business addresses (or at least addresses of the registrant's lawyers/agents who would by necessity have the business address of the registrant). Under this system the perceived legitimacy of the business is reliant on the trademark registration, not a "TLS certificate". The legitimacy of the domain name/TLD becomes dependant on the trademark registration, not an unaccountable, known-to-be-corrupt entity such as ICANN. To put it simply, names require an associated trademark. The system favours businesses that want to enable consumers to trace a product back to an original, legitimate source. It is a naming system for real(TM) business. :)
Personally, if I were trying to assess the legitimacy of a business, I would rather rely on the records of a trademark office versus the records of a TLS certificate provider. But that's just me.
1. ICANN of course, to ensure its own profits, chose to allow disputes to occur and create quasi-legal dispute resolution systems instead.
I used TLS certs, mailing addresses on web sites, purchased commercial business directories, Hoovers (before they were acquired by DNB), SEC filings, and Yahoo Directory (defunct). But not domain info, which was just too low-quality.
Snail mail addresses intended for humans were the most useful. Although they could be spoofed, that's very rare, and tends to attract legal attention.
Forgot to mention the key feature. Users can search for entities/products using trademark names and registration classes, i.e., by searching the appropriate name containing the entity/product name and/or classification. Currently, a page of search results from a "state of the art web search engine" can leave one guessing about the sites represented by the domain names listed in the URLs. The searcher trusts that the search engine "knows what she is looking for" and has performed a disambiguation for her, automatically.
Whereas under the new system, the domain names unambiguously indicate trademark-protected names of companies or products, including their trademark classifications. This tells the searcher exactly what type of entity/goods the site purports to describe/offer and the source of those goods. No need for the search engine to second guess what the searcher is looking for.
For example, a name might be formed as something like productX.companyY.classZ. A user could search for URLs with subdomain "productX" and TLD matching "classZ", or a search for domain matching "companyY" and TLD matching "classZ", or perhaps a more broad search for domain under "classZ".
Vivaldi didnt. All they said was they wont remove anything themselves aka it will be removed when it vanishes from Chromium codebase. Vivaldi cant afford to maintain their own fork of v2 code, they barely manage the UI as it is.
The article is not exactly well written. I don't really follow web developments anymore because the web, well, sucks; So, after reading, I'm still not even sure what "manifest v3" is about and why I should care.
I know websites track me. I know I get tons of ads. I know websites popup questions about cookies. I know they play videos that follow me around when I scroll. I know sometime in the past that shit would've been under my control. But I suppose I have rose-colored glasses on and that's just the way it is. After all, I remember blink tags.
It's for Browser extensions. Chrome extensions (and also Firefox and Safari). a fail called the "Manifest" that tells Chrome and the extension about the extension and contains all it's permission requests. Eg: "This extensions wants to modify all webpages", which is what ad blockers need to do.
Going forward extensions in the Chrome Web store will have to use Manifest v3. Which has less capabilities than previous version. Which will stop ad blockers working.
tl;dr. Ad blockers will not longer be possible in Chrome.
tl;dr Extensions with embedded spyware will no longer be able to record all of your web use. Malicious ones that steal credentials will be more easily identified. These types of extensions are installed far, far more than ad blockers.
> tl;dr. Ad blockers will not longer be possible in Chrome.
This is not completely true. Ad blockers like uBlock Origin that allow specific elements to be picked and blocked wouldn’t be allowed. All the requests (like ads) to be blocked would have to be declared in a list (like Safari Content Blockers, and presumably have a limit on the number of rules). The actual blocking will be done by the browser without the extension knowing which rules were applied to which pages.
"Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks."
Thank you to the author for getting to the point: conflict of interest. Google cannot represent ("protect") users and sell to advertisers at the same time. No amount of blog posts/marketing/propaganda/arguing in forums can change that. Advertisers are paying Google for services, users are not. Google's entire racket has become heavily dependent on these conflicts. Google believes it must gain/preserve "user trust". Google wants users to believe it is on their side. That is what con arists must do.
Remember when other browsers announced they would not adopt FLoC. Websites also announced they would disable it as a courtesy for users through use of the Permissions-Policy response header.
DevTools still warns this is an "unrecognised feature". Does interest-cohort=() even work. Perhaps it does but in some jurisdictions FLoC is enabled by default in Chrome. The user has to manually disable it. Assuming the user evens knows what it is.
But really, how much can anyone rely on something like this. Users have no meaningful control over this browser. It is changing all the time, and "features" are tested on different groups of users, without ensuring their informed consent. Sure, a user extension may work now, but whether it works in the future is not within the user's control and, most importantly, Google's interests and the user's interests are almost certain to conflict.
"Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites."
I have learned to enjoy blocking Google's incessant attempts to phone home. Google is curiously obsessed with TLS, so substituting a self-signed certificate for Google websites can actually be one of several ways to stop these connections, letting them fail at the proxy. It seems Google really does not want users to see what data Chrome is trying to send to Google. I wonder why.
Someone recently showed me an interstitial page they got while logging into Gmail, asking for their date of birth. It was very deceptive. It asked the user to "help us comply with...
395 comments
[ 3.2 ms ] story [ 139 ms ] thread> Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions—especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these– like some privacy-protective tracker blockers– will have greatly reduced capabilities.
One would think that the article would then go on to detail exactly what these "new specifications" are and how would they reduce the capability of ad and tracker blockers.
That never happens. We keep getting statements to the effect that Manifest V3 is bad but we're never told what makes it bad.
What aspects of Manifest V3 limit ad blocker capabilities? Since Manifest V3 has been introduced way back in 2019 and, since then, has gone through various changes, are the quotes listed towards the end of the article recent or do they reflect an earlier version of V3?
There was controversy over changes to the WebRequest API but that was two years ago and, I believe, changes have been made. Are there still changes that break functionality? What changes were made over the past two years? Have things gotten better or worse?
The article gives absolutely no details.
Thank you. What you wrote is information that needs to be in the article but is not mentioned anywhere. The closest thing is a quote from Mozilla regarding their extensions security review process.
The whole point is that there would be no reason to allow any ad blocking extension access to the WebRequest API anymore.
The replacement, declarativeNetRequest, does not require the user to give any permissions, so the days of granting ad blocking extensions full access to every page are gone.
If you think Google is doing this for their own gain, I guess you can simply ask if declarativeNetRequest will be able to block all Google ads, or if you really need a turing complete language for that.
From what I see, it also has some strict limits. My basic uBlock+ install has 82780 network filter rules. Chrome seems to "only" guarantee 30000 rules, and I don't know if these match 1-to-1.
And there don't seem to be dynamic replacements, which might be useful to trick adblock detection. Not sure how far in the cat-and-mouse game we are on that front, but I sure don't like the idea of giving the mice highly limited rulesets while the cats can do and do whatever they like.
So if we assume rules are 1-to-1 (and in fact fewer rules should be present in declarativeNetRequest because certain rules like element hiding do not factor into declarativeNetRequest, and would be handled directly by the extension), you could fit ~5 adblocking extensions the size of your basic ublock install, and most of a 6th.
Now there are some advanced capabilities of some adblockers that have no equivalent available, but for common multi-plugin rulesets like EasyList, declaritiveNetRequest will support pretty much everything contained therein, (except cosmetic rules, which the plugin must apply separately, since they are not blocking requests, but modifying the page, which is quite different).
The answer to that is "no". declarativeNetRequest is a more restrictive version of what Safari current supports, and Safari ad blockers don't do as good of a job of blocking Google ads as ublock origin does.
Great, but I want to give my add blocker access to every web page. That's kind of it's purpose.
Sure it could be abused, but not if you used one of the community recommended blockers.
> If you think Google is doing this for their own gain, I guess you can simply ask if declarativeNetRequest will be able to block all Google ads, or if you really need a turing complete language for that.
I am not sure if it will be able to block all google ads. Pretty sure it wont be able to remove their ads from search results, since you wont be able to remove/hide parts of the site. Also it wont be able to remove annoying pop up adds (sure it might remove the content of the ad, but popup will remain - well depending how its implemented.)
Also it is only limited to 30k max urls in a blocker. Nowdays my blocker has 80k+ urls. So i guess I would have to pick an choose (If i continued to use chrome).
Why not? What stops someone from buying (or stealing or co-opting) uBlock Origin and using the fact that it has access to every user's web browsing to do some serious damage?
The WebRequest API’s blocking functions, which are central to the functionality of uBlock, are still slated to be removed.
Seems like a pretty clear case of being two-faced, and a small page laying out the details would be super helpful.
Or that extensions can still inject javascript, observe and log requests, exfiltrate data? I mean the api docs will tell you that. Extensions can do all that because they couldn't do a whole lot without those capabilities...normally used for legit purposes, but the apis can't really glean intent.
See things like onBeforeRequest for observe. Injecting javascript is called a "content script" in chrome extension terms. Exfiltrating data could be done in many ways, given that you can inject a "content script".
It's disappointing to see this sentiment again, as this has been Google's tactic in the past decade: feign innocence and initiate technical discussions, then move goalposts and start over until their opponents are exhausted.
When we first heard of Manifest V3, it took them months to find a ridiculous reason for no longer allowing proper control over requests in Chrome, and they kept jumping between performance, privacy and security, as researchers refuted all their technical arguments one by one.
By now there is nothing left to discuss, they'd just need to stop being malicious.
Heya, do you have any links for that? Haven't really been keeping up with this whole thing. I briefly looked at the Privacy Sandbox proposal page a while back in late 2020 to figure out what it was all about, but haven't really got anything on researchers refuting their technical arguments.
It will impact µBlock Origin negatively for example and I want this plugin to be able to access the page unrestricted.
Additionally, if a solution like Pi-hole was ever sufficiently mainstream, more sites would start serving their ads from the same hostname as the page. It's not difficult to do with the CDN providers most media sites already use.
Embedded devices are already "game over". You don't own them (even if you paid for them).
Controlling name resolution on your own network (and MiTM'ing HTTPS) makes you the same as a hostile nation-state actor. We can't have that.
Ugh, seriously. I have a Chromecast, and couldn't figure out why it wouldn't play things on my local network (via DNS names set up in my router's resolver). Turns out Google hard-codes their own DNS servers and doesn't allow you to change them.
The fix was to give the Chromecast a reserved IP address, and then set up some iptables rules on the router to redirect requests from it to 8.8.8.8 and 8.8.4.4 on port 53 to my router. I'm surprised that Chromecast is using old-school port-53 DNS and not DoH.
Extensions are forced to use a small subset of JavaScript with no dynamic code execution. Eval() is banned. Function is banned. Embedding a scripting language inside JavaScript to circumvent this is banned. This is a mere ghost of JavaScript left over. Google claims it's to make it easier for them to insure extensions are safe & protect users, but just as much, to me, this is to protect Google from capable & competent extensions allowing users to expand their agency: now extensions have to be narrow, fixed use, specific extensions. Tools like GreaseMonkey are all dead. The web becomes no where near the hackable medium it is, all for a little convenience for Google. https://github.com/w3c/webextensions/issues/72 https://github.com/w3c/webextensions/issues/139
A lot has been said & discussed about MV3's declarativeNetRequest; this is where the visible war has raged in MV3 for a while now. I'm not a huge fan but it's also one of the more minor side-shows in this debate, to me. High impact on ad-blocking, but ultimately there's enough compromise & wiggle room here, enough possibility to make this not awful, and if things are left truly bad, there will be enormous hell to pay & this will blow up. DeclarativeNetRequest feels like a side show to how much real ruin & savagery is being wreaked by the first two issues I outlined, being wreaked upon the most powerful & interesting & defining software humanity has, that we augment ourselves with as we do software: our user agent extensions.
I generally find Google to be quite a good steward for the web & am so happy they advance so many different initiatives & capabilities. But this is something that is extremely near & dear to me. The web is different & better than all other software, to me, because it is malleable, because the user-agent gives us power. MV3 is a radical curtailing of us the users. A radical shift towards a web that we have to simply accept, as is, that we cannot bend & shape as we want. Everything happening here feels abhorrent & disgraceful.
The process also feels totally goofy. Google is simply flipping the switch next month. They built what they wanted to as a new spec, debated some about feedback, leave comments that oh yeah, we maybe do need to do something about GreaseMonkey, maybe we do need to fix some of the missing use cases, but we're going ahead with Apocalypse Now anyways. This is the most hostile use of standardizing to destroy that I have ever witnessed.
If Google is having such a hard time hosting extensions as is, they need to stop. They need to close the Google Chrome Web Store for Extensions & stop trying to moderate it. Create a 3rd party store model, let other people serve as the agents of trust. They absolutely positively cannot be allowed to come along & standardize a much much much lower powered form of extension than what we've had, purely because they've had such a (sad fiddle) hard time running an extension store. Their justifications & pleading that these amputations to us are for our own good ring so very very false to me. Google needs to give up being a regulator of this power if it's too much for them.
I don't. Especially not with FloC[0][1].
[0]: https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-... [1]: https://developer.chrome.com/docs/privacy-sandbox/floc/
As for FloC, still trying to understand FloC's implications & make a position on it. Hearing it proposed, it sounds enormously stupid, but I'm not convinced it's in fact bad. Part of me even thinks it indeed sounds like a significant privacy win over where we are.
Rather than discuss FloC though I'm wondering what other efforts you would malign.
Uh, if that's what we're supposed to be using movie and TV streaming services for, I've been watching precisely the wrong things.
Seems more like a description of social media & (not unrelatedly) advertising. Or maybe porn.
> We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR as currently implemented by Chrome does not yet meet the needs of extension developers.
I often have a month or more long streak between every time I have to use Ch#%!e ;-)
Bonus point for devs: If it works in Firefox it usually works everywhere since Firefox had always been reasonably standard compliant.
Thanks for saying this.
I don't really get how the extension ecosystem works anyway -- extension developers are usually just sharing something they use to be helpful/make a point, and then some tack on donations thing, right? Since nobody is doing this to get rich I suspect they won't chase marketshare.
Back to IRC DCC style sharing and distributed computing with VPN
No need to follow the money to do interesting engineering and computing. Interesting is subjective and wrapping a white paper in the cruft to host it as a service in the cloud isn’t interesting engineering
Part of me wonders if the chip shortage is real or just a way to hide big corp hoovering them up for DC hosted services.
This is not the reason for me at least to not use it as my main browser.
I recently tested and the speed is good and it is absolutely wonderful to have true full fledged extensions and complete themes.
My reason is that I'm worried if their security is good enough. If we could somehow be sure about that I'd actually happily leave modern Firefox behind for it.
Personally I'm hoping for someone to create a patch set and bulld binaries based on it to re-enable the old stuff, not by letting extensions muck around in the internals but by providing defined extensions points like:
- enable / disable tab bar
- provide your own tab rendering code
- etc
Some of the extensions I maintain will no longer work, or have reduced functionality for no acceptable reason, and some of the projects that I have been preparing to release have now been abandoned, because they rely on having proper control over requests in the browser.
At some point they disliked something in our extension that had been live for months, and disabled every release in the past year. At another point they found something wanting in a 2 year old release (not a recent one) and threatened to remove it from the store, our attempts to continue that conversation or just allow it to be pulled to save everyone some time met with crickets.
I really want to like firefox but I hate it more with every release.
It is just - for me at least - not lovable anymore.
Just like Amazon (your employer), Google has also been fined several times in the past decade for illegal business practices. Their illegal activities are extensively documented, and in some cases they were forced to change course due to regulatory intervention. Feel free to look it up, I don't think there is a need to relitigate objective reality.
If you're asking what illegal business practice Google will be engaging in when the Manifest V3 limitations will begin to be enforced: using their dominance in one industry to gain advantage and maintain dominance in another industry, to the detriment of consumers and competitors.
As the developer of extensions that are impacted by Google's anti-competitive actions, you can report how this impacts both you, and the market as a whole, to the competition and antitrust divisions of the government. I've posted links to forms and sites that you can use to report to the relevant state-level and federal-level regulators on HN here[1].
If you aren't in the US, the US also has antitrust legislation that applies to US companies operating in foreign countries, as well as a myriad of antitrust treaties and agreements with other nations. It might be worth it to also report it to the government of the country you reside in, as well.
[1] https://news.ycombinator.com/item?id=28176193
I think my main alternatives are Brave, Vivaldi and Firefox.
And while Brave might be based on Chromium, it is distinct; in addition to not crippling nativewebrequest as chrome will, it's native adblocker is compatible with the same lists as ublock origin. So I would go with Brave :)
EDIT: Except for MSFT... that would be interesting for sure.
Ironically, though, the larger Firefox's market share, the more Google will pay to be the default search engine in Firefox. Yes, it's perverse and a little gross that we depend on Google to such a large degree to keep Mozilla and Firefox funded, but having more users increases Mozilla's leverage over Google.
Anyway, your point isn't really relevant. Unless you believe Google is dictating nefarious things to Mozilla and has subverted Firefox (difficult since Firefox is open source, but not impossible), you should still be using Firefox. If you care about not continuing to give a giant, monopolistic advertising company control over the web, anyway.
The smaller Firefox's market share, the more Mitchell Baker gets paid.
That's because Group Policies are a Windows-only thing.
You can get the same (and more) control with an Enterprise subscription from Google which seems to cost about $50 per year, per device.
I'm sorry that your family are... having such a hard time making reasonable choices for themselves. I have literally never seen this anywhere, or heard any coworker ever report their family rampantly adding shitty extensions. I tend to see pretty clear & obvious signals about what extensions are good & ok when I go to consume. Bad extensions seem to be discovered fairly quickly & taken down. The world seems no where near as grimdark as you project to me.
Alas I think it requires a paid Google Enterprise account, but your family sounds like their need external management of their browsers. That they should, like a school computer, have an administrator & a denylist or perhaps even allowlist of what extensions they can use.
This post spreads so much Fear Uncertainty and Doubt. Trying to justifying ending a good thing because some creative user keeps finding a way to misuse, to not listen to sense, to not make good judgement... I find it unfortunate that such heavy fearmongering, such terror at the world is allowed to sway us so heavily.
Ultimately I want 3rd party sites hosting extensions. Not Google. And I want moderation teams able to surface claims that some extensions are bad. We need more choice, more democracy, more ability to help each other. Sunlight is the best disinfectant. Simply giving in to the bed-wetting terror of, oh no, freedom & denying ourselves user-agency is intellectual suicide for the web.
Stopped reading there, mate.
It doesn't sound like you think your family is at all educateable in any way, you seem to think this is a horrible lost cause & that we must withdraw power & good for the world to protect your vulnerable unfortunate hapless brood. That's how defenseless your post makes your people sound, that's the impression you're giving off. And you're using that as a weapon against the world, against good, against freedom, against capabilities. This is extremely menacing a position you've made, using your own family's purported victimization a weapon against good.
My guess would be that your family members got social engineered into installing that crap ("this web page only works with X, click here to install"), ort their browsers got exploited and hacked (very unlikely!). You'll probably need full MDM to prevent these websites from getting their users to enable extensions.
The problem with disabling extensions is that whatever has the capability of pushing extensions into your browser also has the ability to change the settings for addons. The only solution I can think of is to create a Chromium build that cannot run extensions at all.
And as a non windows user it took me a while to realize that this notifications come from the browser as desktop notifications and disable them. Its still a riddle for me how chrome managed to make it both very obvious and very unclear at the same time that this are websites desktop notifications. (As a counter example I used some sites which used desktop notifications on FF/Andriod instead of making a app just because notifications, that I loved)
I'm sorry that your family are... having such a hard time making reasonable choices for themselves. I have literally never seen this anywhere, or heard any coworker ever report their family rampantly adding shitty extensions. I tend to see pretty clear & obvious signals about what extensions are good & ok when I go to consume. Bad extensions seem to be discovered fairly quickly & taken down. I'm trying to imagine how folks even get to the Chrome Web Store in the first place if they have no idea what they are doing. The world to me seems no where near as grimdark as you project.
Alas I think it requires a paid Google Enterprise account, but your family sounds like their need external management of their browsers. That they should, like a school computer, have an administrator & a denylist or perhaps even allowlist of what extensions they can use.
This post spreads so much Fear Uncertainty and Doubt. Trying to justifying ending a good thing because some creative user keeps finding a way to misuse, to not listen to sense, to not make good judgement... I find it unfortunate that such heavy fearmongering, such terror at the world is allowed to sway us so heavily.
Ultimately I want 3rd party sites hosting extensions. Not Google. And I want moderation teams able to surface claims that some extensions are bad. We need more choice, more democracy, more ability to help each other. Sunlight is the best disinfectant. Simply giving in to the bed-wetting terror of, oh no, freedom & denying ourselves user-agency is intellectual suicide for the web.
It doesn't sound like you think your family is at all educateable in any way, you seem to think this is a horrible lost cause & that we must withdraw power & good for the world to protect your vulnerable unfortunate tribe. You're using that as a weapon against the world, against good, against freedom, against capabilities.
This is extremely menacing a position you've made, using your own family's purported victimization a weapon against good.
If adblockers (and other classes of legit and common extensions) can be migrated to a safe API, it makes the unrestricted and dangerous API much more manageable since what's left is much less likely to be legit or something people actually care about. For example you can have enhanced review processes, warn users more forcefully about the danger, start limiting the power of the API, implement new safe APIs for some of the remaining use cases, etc.
EFF are smart people. They know what the actual security benefit is, and choose to instead argue against a caricature.
How is that scary?
The browser by definition has unlimited access to read and modify (and monitor) anything I do in it.
And I trust gorhill a million times more than any Google employee, past, present or future.
How much do you think NSO Group would pay for this kind of access?
If you ran uBlock Origin, would you like to retire early?
Jbk from the VLC project has a lot of stories about turning down 6, 7 figure payments to bundle malware in VLC. Not everyone has the strong morals and unlimited stamina to withstand that.
Manifest V3 is created to solve a real problem. I have had browser extensions go rogue on me before (Stylish), and i would like it to not happen again. At the same time, uBlock Origin is a hugely important extension for making the web usable for hundreds of millions of people. A compromise must be found that moves their safety out of a single person's hands.
The only real complaint is that Chrome did not anticipate how large these lists need to be in 2021, and the limits are too low.
Not sure if it removes the ability for the user to on-the-fly add any blocking, but I suspect it does.
Use Stylus (https://addons.mozilla.org/en-US/firefox/addon/styl-us/) instead.
I think browsers should be moved away from for profit organizations to separate non corporate stewardship. With that you remove the overall susceptibility to fallout and can try to give more freedom over the features a browser has or how deeply extensions can integrate, for everyone. You also obviously remove the immediate monetary incentive to restrict freedoms.
If I was truly insane I'd go the Steve Gibson route and write a completely different browser from scratch. I'm aware it would take the rest of my life (or longer) at this point but the engine options are so few, and the ability to avoid the owners' restrictive BS limited enough, that I'd be happy as a clam to see a whole new reboot.
I'd jump onto even an alpha of that, just to bump numbers out of hope that ANY group could get together and get out from under the advertising trap.
I should not be able to write a JS popup that looks like a browser dialog - that would be a pretty good start to improving security of the platform. Instead they remove the APIs that run the ad-blockers. Then give the MAIN APIs used by scammers/ad networks to deanonymise, track and trick you, free access to your system without your agreement.
Talk about having your cake and eating it too. Its Prohibitionist rhetoric all over again.
Sure, but Manifest v3, doesn't have such API. It has a very limited API, that can't do a lot of things uBlockOrigin does.
I am not even taking about way too small limit for filtering (30k urls, my current are at 80k+)
I mean in manifest v3 you can't hide various banners or fullpage overlays and similar. That to me is one of the more important parts of what uBlockOrigin does for me.
So at best I will get half of the functionality (that is if google raises the limit)
> EFF are smart people. They know what the actual security benefit is
yes. Chrome with manifest v3 + uBlockOrign (assuming we even get it for v3), is less secure than chrome with manifest v2 + uBlockOrign
EDIT: Almost forgot. You also cannot block, adds on google search, any more.
https://developer.chrome.com/docs/extensions/reference/decla...
A lot of the changes in v3 are actually pretty sensible, it's just 10% of the stuff shoehorned in creating 90% of the friction.
https://blog.mozilla.org/addons/2021/05/27/manifest-v3-updat...
Chrome is additionally planning to remove support for manifest V2 as well, Firefox can't start to do this because they don't support V3 in their store yet.
Who cares? Just use Brave and kill Chrome off.
I used a ton of very useful extensions then. Nested tabs were one of my favorites. These days I've got a password manager, a bookmark checker, and a tab manager I wrote myself.
They're just not allowed to do anything too useful these days - I know what they have access to, I write Chrome extensions. A lot of them should just be standalone desktop apps.
Like most things, normies came in, shot themselves in the foot, made a fuss, and now we can't have nice things.
Case in point: With some limited maintenance and a compatibility shim for loading them, a number of old add-ons are still working on current Firefox versions: https://github.com/xiaoxiaoflood/firefox-scripts/tree/master...
It's written to be extensible/introspectable, and the extension language is Common Lisp.
Extensions systems which don't have very clear cut boundaries like XUL are just add a very hefty maintenance burden and make review extremely hard.
It's not really about "normies".
This doesn't really apply to the current change, as extensions already have clear boundaries and and as the article pointed out problematic apps likely won't be too much affected as they often already do things which bypass the constraints to avoid detection by the reviewer... (assuming I understand the topic correctly)
The entire argument regarding security doesn't mention any of the reasons Chrome developers cite its security improvement, instead it brings up that Firefox "does good enough already" and that malicious extensions can still get past the review process. the review process is by itself improved with V3 as extensions that pull in code remotely can no longer get past the review process[0], especially with how many current extensions implement RCE C&C intentionally. They also say extensions are "usually interested in simply observing the conversation between your browser and whatever websites you visit" - that's 'usually', though; malicious extensions intercepting and modifying requests for their own benefit isn't unheard of.
Instead of only stating 'this is bad', it would be beneficial to include both (A) what they say (B) their basis for the decision, if any (C) why that line of reason is incorrect/deceiving.
0: https://developer.chrome.com/docs/extensions/mv3/intro/mv3-o...
Docs: https://developer.chrome.com/docs/extensions/reference/decla...
(Disclosure: I work on ads at Google, speaking only for myself)
If you're going to argue this is better, don't point us to such a clearly worse result.
[0]:https://github.com/el1t/uBlock-Safari/issues/158 [1]:https://adguard.com/en/blog/safari-adblock-extensions.html
It is not a question that V3 breaks the gold standard privacy protecting extension.
Therefore, it's not just about changing the mechanism, the end result is clearly a lot worse. One can say, they crippled ad-blocking which this change. Hopefully, once the millions of people using ublock origin start noticing what's happening, they will move away from Chrome. I already did, ublock origin is worth more to me than any feature Google puts in Chrome.
I understand the average user probably shouldn't be able to easily hand over so much control to extensions, but on the other hand, dynamic ads shouldn't be able to serve malware or cryptominers.
I'd be a bit more open to the idea of a locked-down manifest if we had seen more good-faith attempts from AdTech to change the paradigm that makes content blockers almost a requirement.
> I work on ads at Google, speaking only for myself
I'm doubtful about a person's ability to speak for themselves, when they have been consistently defending their employer on HN for years, at every occasion they got.
Today we know AMP was also a anticompetitive plot to kill off header bidding.
Why should we to believe a word of what Google says about Manifest v3?
I completely disagree, and I think this will become clear as information continues to come out.
I don't expect anything that comes right out and says something like "we must implement AMP to as a strategy to remove competition from header bidding". Instead it will mostly be just the standard talking points about user experience and load times.
I could be wrong though: plenty of things have been revealed in things like text messages where people don't think of them as being part of an official record.
In this case, it appears that multiple large orgs are involved: G and M. One provides the environment and the other appears to have dropped their drawers and crapped in it but in the end a telephone should always be able to make emergency calls regardless of what is installed or configured on it.
In the end this sort of thing might look like lack of responsibility due to arrogance due to lack of competition. I'm sure other interpretations are available.
Normally the above should be considered an example of whataboutery but I think your response deserves little else. If you have something to contribute then please do but not that sort of thing.
(1) https://www.theregister.com/2021/12/09/android_911_teams/
[Edit: weird formatting snag, content unchanged]
So if you weren't asked to, you're just astroturfing voluntarily. That's not better, it's worse: If one gives up one's integrity, one should at least get paid for it. Otherwise, one isn't acting just scummily, but scummily and stupidly.
This is somewhat debunked in the article of this post.
> the change is that it's now declarative.
In the App MANIFEST. To my understanding, each update of those lists will require an app update (going through Store approval process).
If only it would have been dynamic, the end result would have been much better.
And again, there is no reason to disable dynamic updates if they are only lists of blocked URLs.
Thank you for letting us know you have a giant material conflict of interest and we shouldn't trust anything you say.
There is still "block request" functionality, the change is that it's now declarative. This is the same way it works in Safari, and is (a) more efficient because you don't need to execute JS to evaluate each request and (b) more private because an ad/content blocker doesn't need to be given such broad permissions. There are serious tradeoffs (no request time js makes it less flexible) but it's still very capable and easily can be used to block Google ads. Docs: https://developer.chrome.com/docs/extensions/reference/decla...
(Disclosure: I don't work at Google or on ads anywhere, speaking only for myself)
Those serious "serious tradeoffs" made me completely stop using the web on my iPhone. Yeah, Safari content block can block roughly 80% of web ads, but those extra 20% are extremely annoying.
Web owners use all sorts of trickery to bypass adblockers and serve malware filled ads. Handicapping our current best defense tech against this is a sure as hell way to make me never open chrome again and completely purging it from any friends and family computer.
This is true, but I think overly performance-focused. It doesn't feel like that much time, so I think there's a valid complaint that it doesn't make sense to kneecap flexibility for speed.
> more private because an ad/content blocker doesn't need to be given such broad permissions
Sure, but this doesn't seem like the only possible solution for the people that own the browser. Why not only allow a restricted subset of JS that lacks any form of IO? Or if that's impossible/risky, why not something like Starlark or Lua?
I think this is based on a fundamental misreading of the problem. The privacy concern is that your data will leak, not merely that it's accessible to a third party. The cat binary can read my data, and I'm not at all concerned about that. So can my shell, and likewise on the concern.
Privacy doesn't necessitate this solution. It is one of the possible solutions, but I think is hard to sell as the best solution to the problem. It is likely the easiest.
Specifically, "we have decided to implement DNR and continue maintaining support for blocking webRequest. Our initial goal for implementing DNR is to provide compatibility with Chrome so developers do not have to support multiple code bases if they do not want to. With both APIs supported in Firefox, developers can choose the approach that works best for them and their users."
https://blog.mozilla.org/addons/2021/05/27/manifest-v3-updat...
[1] I am well aware that was not the original context of the quote, but it's a nice rallying cry of the sentiment behind the movement.
I didn't see dissecting the security details as the point they were trying to make. Instead it was to partially undermine the reasons Google said they were doing this.
Basically "here's why it's bad for privacy, and here are why Google's stated reasons for the update are insufficient to justify that"
It seems like this is the clear interpretation of what I wrote and that you may be purposely misconstruing my comment in order to level a soft insult and condescending language at me over an opinion you don't agree with.
To give you a little benefit of the doubt though and assume you may just be passionate about the issue and don't intend to be insulting I will address your other point: Users giving away access to their web requests without realizing it is a problem. It is also one that can be addressed without making it much harder for privacy-minded users and the providers of those extensions to get what they want as well.
After manifest v3 it will be worse off.
Ublock origin provides a lot of privacy benefits, so people like me are 100% worse off.
Well I switched to Firefox, only really use chrome for testing nowdays.
What Google says vs what's going on aren't necessarily the same thing, they have a long history of selling us the 'for your convenience' line while removing functionality that people depended on but that ultimately hurt Google's business interests: to be able to force feed you more ads.
They have long outlived their credit in the bank of the benefit of the doubt.
Installing random plugins is a security issue. But web tracking is by far the more significant threat.
When Google says "pull in code remotely" they dont mean from a remote server. Instead its 'code remote to Google' aka code you wrote yourself sitting on your hard drive. This kills greasemonkey/tampermonkey and all the other UserScript extensions. Google saw how great Apple is doing and fell in love with the concept of walled garden. Its their browser and they wont let you execute any code that wasnt approved by them.
User Agent no more, Its Google Agent now.
To say browser extensions pose a risk is true, but it hardly makes it in the top list of threats anymore. Malicious sites however still do and Google just restricted our ability to let third party tools provide essential services. Sure, these could be malicious, but that is generally not a wide spread IT problem of today. That should be also obvious to Chrome developers.
Accidentally they also restrict ad blockers? Come on, you are getting played.
https://github.com/w3c/webextensions/issues?q=is%3Aissue+is%...
Can't wait, but that's a very good opportunity for Firefox as Firefox will become more powerful than Chrome
https://github.com/MicrosoftDocs/edge-developer/blob/main/mi...
They recently baked in a "feature" to hijack online shopping with some Pay Later garbage:
https://gizmodo.com/microsoft-keeps-making-its-edge-browser-...
Now they're running gross little popups if you browse to the Chrome installer in Edge:
https://gizmodo.com/seriously-what-is-going-on-with-microsof...
> “Microsoft Edge runs on the same technology as Chrome, with the added trust of Microsoft.”
> “That browser is so 2008! Do you know what’s new? Microsoft Edge.”
> “I hate saving money,” said no one ever. Microsoft Edge is the best browser for online shopping.
A bit tit for tat in my book.
From that viewpoint, the new restrictions could actually be a good thing.
Certainly nothing firm as far as it looks, but at the very least they're thinking about it, even though that change is somewhat problematic, too.
I’d suspect a majority of users isn’t even aware that browser extensions are a thing.
I pay for IntelliJ so why not pay for the just as important browser if I can get one that I like?
Just don't increase the pricing to Jetbrains level until you have Jetbrains level features.
It might be great but for now refuse to support anything that further strengthen Googles grip on the market.
The question then becomes: "What else even is out there?"
Because if you're looking for something that's even remotely feature complete for browsing the modern day web, the majority of the current browsers out there are indeed based on Chromium, as expressed in this article, "Firefox is the Only Alternative": https://batsov.com/articles/2021/11/28/firefox-is-the-only-a...
Here's the table from the article in text format:
To me it seems like Firefox is the only viable alternative and putting all of our hopes on a singular browser and the company behind it, especially given that there has recently been some controversy around it, seems risky. For example: https://itdm.com/mozilla-firefox-usage-down-85-but-why-are-e... and https://arstechnica.com/information-technology/2020/08/firef...Today, Google and Microsoft and Apple are fighting Browser War 2, and it looks as though Google is winning. However, Firefox is still fighting, but not to win. But to prove that we don't have to put up with the monopolistic behavior of Google to browse the internet.
Firefox has had it's ups and downs. But "winning the war", in my mind, isn't the point of Firefox.
It is an open-source project fighting a good fight, and the only one at that.
Vivaldi always seemed to hold the most promise but was buggy for me and still missing strong iOS integration that the competition has in place. Having used FF for so long, I was ready to go to a larger provider. So mainly, MS, Apple, or Google. Native browsers have big advantages so resisting those no longer made sense if I'm making a switch.
But Brave in my testing, did not completely convince me. Reviewing my testing notes-
Brave- no dedicated search bar option (important for privacy / prefetching and not having to continually retype your search query). Didn't get to mobile support and crossplatform sync. No dedicated extension store.
Of course, I had to give up on my dedicated search bar requirement, because FF's has been gimped by Mozilla, and Vivaldi had other unrelated usability flaws. So Edge it has been, and being completely honest, I've been thrilled with it. There's plenty other good here to overlook that and I haven't missed it as much as I thought I would.
All that said, I'm now going to keep Brave in mind, moving it up a notch. I always liked Eich which doesn't hurt. I don't fear a Chromium world, and never used FF because it wasn't, in fact I mostly resented it. I just don't see eye to eye with the anti-Blink crowd.
I think Firefox should've morphed into Brave, rather than be a separate project. A Brave that has Vivaldi's feature set would be perfect. Only thing missing then is major vendor support, and it'll always be non-native on all platforms, but at that point it could be overlooked.
For Firefox to fight its way back will require more than anti-Blink monoculture advocates supporting it. Blink has become the same as the USD, and isn't to be feared. For me, that's like saying you're resisting using the US Dollar because you don't want monoculture. Yet look at how much you can do with the USD. It enables quite a bit, embracing it just enables you to get other things done with less resistance. Users benefit. More important missions are at play. Like perhaps privacy, transparency, both things that Brave clearly focuses on. Or whatever one's chosen priorities are.
I legitimately love MS Edge, and I always keep Tor installed for the best privacy, but Brave is now my #2 pick for a daily driver and will be advocating for it for those that don't want to use their native browser.
When I switched to Vivaldi I felt like it's 2003 again, and I've just switched from IE to Firefox. Every single thing Mozilla removed from Firefox over the years is here, and most of the stuff I used hacky addons that would often break is here too! In the core browser, as first-class features, without the need to fiddle with userChrome.css or look through obscure flags. It really is a breath of fresh air and it puts into perspective how many excuses I've made for Firefox over the years. It's not worthy of being my browser, simple as.
Mozilla took my fundamental addons that separated Firefox from other browsers, they took my RSS reader, they took my cool Torrenting and Email clients that were a part of the browser itself. The TreeStyleTab requires you to go through obscure and hidden config files that often break with updates and the extension itself is not stable and fiddly. On top of that, I had way more Firefox extensions that aren't even different from Chrome extensions in major ways. In Vivaldi, I just get a nice panel with RSS, Calendar, Translator, Email client, Notes, whatever I want! The adblocker is built-in, the privacy features are built-in, you even get to put your tabs wherever you want. It has theming support that is as good as Firefox Colors, and it has custom search keywords that replace DuckDuckGos bangs for me more often than not. It even has the dark mode among other page filters, a screenshot tool, web page tiling! All the things that would turn my Firefox profile into a slow extension pile that barely works and longs for death.
Mozilla's "goals" of removing key features meant for people who actually would want to use a "google alternative" are laughable, and it's as bad on "privacy" axis as Chrome is because you have to use something like LibreWolf to get the actual privacy from it, very much like you have to use ungoogled-chromium with Chrome. If they think that turning the browser into a Chrome clone with some bumper stickers that say things like "Proud not to use Blink" and "We do say privacy a lot", then it's already dead to me.
Vivaldi also has an amazing history page.
Vivaldi generates revenue from partner deals with search engines. Every time you search using one of the pre-installed search engines, you’re helping us grow, one search at a time. Currently, we work with DuckDuckGo, Ecosia, Startpage, Yahoo!, Bing, and Yandex. The only exception is Google – we don’t make money when you search with Google. However, we know that some of you use this search engine daily, so we include it in Vivaldi.
(Source: https://vivaldi.com/blog/vivaldi-business-model/)
The other other source of revenue is bundled partner bookmarks (see again the linked document).
Not affiliated in any way, just thought if someone wanted to, they might donate.
As for privacy containers - you can easily switch profiles in Vivaldi. It's not integrated to the same degree where you'd get tabs from many profiles in one window, but it works for me. If you like Firefox Containers you should also know that, ironically, unlike Chrome Firefox doesn't have proper site isolation. [0]
[0] https://madaidans-insecurities.github.io/firefox-chromium.ht...
It was never the point of Firefox to offer them. Firefox originally started to be the slim alternative to the fat Mozilla suite.
> The TreeStyleTab requires you to go through obscure and hidden config files that often break with updates and the extension itself is not stable and fiddly.
What are you talking about? TST is very stable since years now and except for hidding the original tabbar, there is no need for using any config files. And even this is a stable setting which barely change every some years or so. Obviously, the first months in their transition to the new extension-system TST and Firefox were quite unstable and busy with filling the missing gaps. But that was 4 years ago. There still are some features missing, mostly for comfort, but it has settled down now and is very stable now. And still better than anything other browsers have...
Not OP, and unlike him still use Firefox but:
I lost a lot of functionality/workflow that I depended on. It worked one day until Mozilla deliberately made it not work.
It pisses me even more because it made that decision to be more like Chrome. If I wanted to Chrome I would just use Chrome.
If you don't see why people like me are upset when thing like this happen, we will just have to agree to disagree.
I don’t understand why Firefox needs to adopt Mv3 for “cross-browser compatibility”. Is this to save extension writers time and effort or is it a mistake in the article?
I did this as a technology demo, to demonstrate automated site background checking. The concept that you have to have a business address to sell online is almost archaic now, even though it's the law in the EU and California. So, today often the system often can't tie a web site to business records.
The concept of "legitimate business" is dead.
These trademarks can be represented in a domain name or TLD. IP offices that register the marks generally obtain physical mailing addresses for physical correspondence. The crux of the idea is that the domain name and TLD do not have to be issued by ICANN. As such, it does not have to follow any pre-established conventions. Trademark registration systems already have unique identifiers and classifications that can be represented in the domain name/TLD. Thus we can create a new, collision-free naming system that offers more than ICANN, e.g., a direct association to an IP office.^1 This leverages the work of IP offices to collect business addresses (or at least addresses of the registrant's lawyers/agents who would by necessity have the business address of the registrant). Under this system the perceived legitimacy of the business is reliant on the trademark registration, not a "TLS certificate". The legitimacy of the domain name/TLD becomes dependant on the trademark registration, not an unaccountable, known-to-be-corrupt entity such as ICANN. To put it simply, names require an associated trademark. The system favours businesses that want to enable consumers to trace a product back to an original, legitimate source. It is a naming system for real(TM) business. :)
Personally, if I were trying to assess the legitimacy of a business, I would rather rely on the records of a trademark office versus the records of a TLS certificate provider. But that's just me.
1. ICANN of course, to ensure its own profits, chose to allow disputes to occur and create quasi-legal dispute resolution systems instead.
Snail mail addresses intended for humans were the most useful. Although they could be spoofed, that's very rare, and tends to attract legal attention.
Whereas under the new system, the domain names unambiguously indicate trademark-protected names of companies or products, including their trademark classifications. This tells the searcher exactly what type of entity/goods the site purports to describe/offer and the source of those goods. No need for the search engine to second guess what the searcher is looking for.
For example, a name might be formed as something like productX.companyY.classZ. A user could search for URLs with subdomain "productX" and TLD matching "classZ", or a search for domain matching "companyY" and TLD matching "classZ", or perhaps a more broad search for domain under "classZ".
I know websites track me. I know I get tons of ads. I know websites popup questions about cookies. I know they play videos that follow me around when I scroll. I know sometime in the past that shit would've been under my control. But I suppose I have rose-colored glasses on and that's just the way it is. After all, I remember blink tags.
Going forward extensions in the Chrome Web store will have to use Manifest v3. Which has less capabilities than previous version. Which will stop ad blockers working.
tl;dr. Ad blockers will not longer be possible in Chrome.
This is not completely true. Ad blockers like uBlock Origin that allow specific elements to be picked and blocked wouldn’t be allowed. All the requests (like ads) to be blocked would have to be declared in a list (like Safari Content Blockers, and presumably have a limit on the number of rules). The actual blocking will be done by the browser without the extension knowing which rules were applied to which pages.
Thank you to the author for getting to the point: conflict of interest. Google cannot represent ("protect") users and sell to advertisers at the same time. No amount of blog posts/marketing/propaganda/arguing in forums can change that. Advertisers are paying Google for services, users are not. Google's entire racket has become heavily dependent on these conflicts. Google believes it must gain/preserve "user trust". Google wants users to believe it is on their side. That is what con arists must do.
Remember when other browsers announced they would not adopt FLoC. Websites also announced they would disable it as a courtesy for users through use of the Permissions-Policy response header.
https://wordpress.org/support/topic/add-interest-cohort-to-p...
https://github.blog/changelog/2021-04-27-github-pages-permis...
https://paramdeo.com/blog/opting-your-website-out-of-googles...
https://scotthelme.co.uk/what-the-floc/
DevTools still warns this is an "unrecognised feature". Does interest-cohort=() even work. Perhaps it does but in some jurisdictions FLoC is enabled by default in Chrome. The user has to manually disable it. Assuming the user evens knows what it is.
https://github.community/t/i-have-no-idea-what-the-interest-...
I found the CFTC, for example, has a nice usage of the Permissions-Policy header, better than the Guardian.
www.cftc.gov
permissions-policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
www.theguardian.com
permissions-policy: camera=(), microphone=(), midi=(), geolocation=(), interest-cohort=()
But really, how much can anyone rely on something like this. Users have no meaningful control over this browser. It is changing all the time, and "features" are tested on different groups of users, without ensuring their informed consent. Sure, a user extension may work now, but whether it works in the future is not within the user's control and, most importantly, Google's interests and the user's interests are almost certain to conflict.
"Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites."
I have learned to enjoy blocking Google's incessant attempts to phone home. Google is curiously obsessed with TLS, so substituting a self-signed certificate for Google websites can actually be one of several ways to stop these connections, letting them fail at the proxy. It seems Google really does not want users to see what data Chrome is trying to send to Google. I wonder why.
Someone recently showed me an interstitial page they got while logging into Gmail, asking for their date of birth. It was very deceptive. It asked the user to "help us comply with...