This is a conspiracy theory. There is no evidence that this is true. Please stop spreading misinformation and conspiracy theories as if they were facts.
I know it's cool to not like Google and whatever, but I would hope that we can at least discuss facts on this website and not just sling FUD around.
Can you provide any detailed technical information that proves that Google intentionally crippled this new API for nefarious purposes?
Just to be clear, I am a long-term Firefox user and probably will continue to use it. I just want to see some real proof for these claims.
The idea of an unprivileged content blocker sounds attractive to me, and considering how much effort Google puts into security on Chrome I don't think it's far-fetched that this change is for security purposes.
Chrome was the first browser (afaik) to support running extensions with limited privileges, and I'm sure people were originally upset by this, but today it's clear that this was the right choice and massively increased browser security for the majority of users.
> Can you provide any detailed technical information that proves that Google intentionally crippled this new API for nefarious purposes?
This is not a technical decision by Google, it is business strategy.
No company publicly publishes strategy meeting notes, so asking for them is not a reasonable argument. Of course they are not public and anyone who was present at the meetings is under heavy NDAs.
Because Google is replacing the webRequest API with declarativeNetRequest. This new API has 2 benefits. The first is that it protects the privacy of users better. Extensions no longer get access to the full contents of a request. The second is that it ensures that poorly optimized web extensions can't slow down the performance of loading sites. Chrome is making this change to improve user privacy and improve performance.
uBlock Origin just needs to migrate to this new API. Despite the noise from people who just hate on big tech the only true difference as far as I know is that the browser will enforce a limit on the number of rules that can be added. This number exists to try and prevent bad performance from too many rules existing.
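An added example, not part of the thread and not code from uBlock Origin or Chrome: the same constructed blocklist written as an MV2 blocking `webRequest` listener, which sees each request, and as `declarativeNetRequest` rules, which the browser evaluates itself under a rule cap. The hostnames, `mv2Listener`, `toDnrRules` and the `maxRules` value are assumptions for illustration.

```javascript
// Constructed blocklist; hostnames are placeholders, not real trackers.
const BLOCKLIST = ["tracker.example", "ads.example", "metrics.example"];

// MV2 style: the extension's own callback runs for every request, sees its
// details (URL, type, initiator) and answers cancel / allow itself.
function mv2Listener(details) {
  const host = new URL(details.url).hostname;
  const hit = BLOCKLIST.some(h => host === h || host.endsWith("." + h));
  return { cancel: hit };
}

// MV3 style: the extension only describes what to block. The browser matches
// the rules; extension code never receives the request.
// maxRules stands in for the browser-enforced rule limit (assumed value).
function toDnrRules(hostnames, maxRules) {
  const kept = hostnames.slice(0, maxRules);
  const rules = kept.map((h, i) => ({
    id: i + 1,
    priority: 1,
    action: { type: "block" },
    condition: {
      urlFilter: "||" + h + "^",
      resourceTypes: ["script", "image", "xmlhttprequest", "sub_frame"],
    },
  }));
  // Entries past the cap are simply not enforced; report how many.
  return { rules, dropped: hostnames.length - kept.length };
}

// Registration only happens inside an extension, where `chrome` is defined.
if (typeof chrome !== "undefined" && chrome.declarativeNetRequest) {
  const { rules } = toDnrRules(BLOCKLIST, 2);
  chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: rules.map(r => r.id),
    addRules: rules,
  });
} else if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    mv2Listener, { urls: ["<all_urls>"] }, ["blocking"]);
}
```

With the cap set to 2, the third hostname is dropped from the rule set, which is the trade-off the rule limit introduces for large filter lists.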
I want uBlock to get access to the full contents of requests. It actually helps my privacy, as it can perform tracker blocking.
> The second is that it ensures that poorly optimized web extensions can't slow down the performance of loading sites.
This is true for any code that is running on the browser. Luckily, uBlock Origin and the webRequest API allow me to block arbitrary JavaScript and assets so that poorly written websites can't slow down the performance of loading sites.
>It actually helps my privacy, as it can perform tracker blocking.
The goal is to increase the level of privacy of the entire ecosystem. While uBlock Origin may be trustworthy there are many extensions that are not. It would be better to find a more privacy preserving replacement compared to having to trust extensions to be good actors.
>This is true for any code that is running on the browser.
Typically the code doesn't block the page from loading though. And again if this change results in faster loading speeds for users ecosystem wide this change is a win.
>There is an inferior port of uBlock to MV3
The downsides seem to be from wanting to be permissionless and not from not being able to replicate the functionality with manifest v3.
> While uBlock Origin may be trustworthy there are many extensions that are not. It would be better to find a more privacy preserving replacement compared to having to trust extensions to be good actors
By running arbitrary code on your computer you are inherently trusting the author of the code to be a good actor.
> Typically the code doesn't block the page from loading though.
Tens of megabytes of bloat block pages from loading all the time.
> And again if this change results in faster loading speeds for users ecosystem wide this change is a win.
uBlock speeds up loading because it blocks useless bloat such as advertisements. MV3 restricts the ability to block content, ergo it will slow down loading speeds.
It's not actually designed for privacy or whatever, it's simply a way to gimp adblockers so that Google (one of the largest online advertisement companies) can get more money from their advertisement business. You must be really naive if you don't understand this simple concept.
>By running arbitrary code on your computer you are inherently trusting the author of the code to be a good actor.
While you may be running arbitrary code, there is only so much it can do from within the sandbox it is in. Because we can't stop 100% of bad actors that shouldn't mean we should give up on security.
>Tens of megabytes of bloat block pages from loading all the time.
That is a separate issue from web extensions. Just because X is slow, it doesn't mean we should not speed up Y.
>MV3 restricts the ability to block content
No, it does not. You just need to use a different API / give it permission to do so.
>It's not actually designed for privacy or whatever
That is one of the reasons Google provided, so yes it is.
>it's simply a way to gimp adblockers
Then why did Google work with adblock extension developers to improve the API by adding things like dynamic rules? The reason is that this is for improving privacy / performance as opposed to trying to kill off extensions.
>You must be really naive if you don't understand this simple concept.
If Google wanted to get rid of ad blockers they would make them against the rules in their extension store. You have to realize that Chrome is software that is used by billions of people and not just you. Google has a responsibility to protect people's privacy and there are engineers who want to be able to move metrics like the number of malicious extensions removed each month or p99 page load speed.
> If Google wanted to get rid of ad blockers they would make them against the rules in their extension store.
You fail to understand the grand strategy. Outright banning ad blockers would be quite radical and may push people away from using Chromium. Simply progressively gimping ad blockers increases Google's revenue from advertisements while keeping all those users.
I do not use Chrome. I use Mozilla Firefox, since it supports a better webRequest API so that uBlock can block ads despite things like CNAME cloaking.
The goal is not to gimp ad blockers and Google is open to working with adblock extension developers so that they can continue functioning with the new API.
>I do not use Chrome. I use Mozilla Firefox, since it supports a better webRequest API so that uBlock can block ads despite things like CNAME cloaking.
Chrome supports / is planning to support forwarding the domain of the CNAME record. This means that CNAME cloaking would no longer be a thing.
The whole ecosystem includes the webpages that you view though. The loss of privacy is much bigger than the gain considering that uBlock is up there on the only extension in use.
uBlock Origin is not the only extension that uses the webRequest API that people use. If that were the case they would not have removed it. Again ad / tracking blocking can still be done with the new API.
I can see your point about the goal to protect privacy, but it's another of those business decisions for the sake of the consumer that sacrifices choice of the consumer - which affects the likes of the HN crowd in a much higher percentage than the unwashed masses.
If there was a way for technical users to unlock the more risky settings, it would placate the conspiracy theorists. That doesn't appear to be the case, so the argument that Google is doing this to restrict and minimise ad blocking remains entirely valid.
It seems like at least in the case of uBlock, there is the ability for the creator to enable more broad access but they are choosing to not do so.
> At this point I consider being permission-less the limiting factor: if broad "read/modify data" permission is to be used, then there is not much point for an MV3 version over MV2, just use the MV2 version if you want to benefit all the features which can't be implemented without broad "read/modify data" permission.
> The first is that it protects the privacy of users better.
That is an unjustifiably absolute statement.
In security you need to look at threat models, not just declaring something better or worse.
There are multiple parties you may (or may not) trust. For instance, the browser developer, the website developer and the extension developer. Different people legitimately have different threat models.
You seem to trust the browser developer (an advertising company driven by ad profits above all else) the most. In that scenario, your statement makes sense.
I trust the ad-blocker extension developer more than the other parties, so of course I want it to have full access to block evil behavior.
It's fine to be absolute due to the contents of requests no longer being able to be accessed by extensions. There being less data that can be slurped up is a win.
>For instance, the browser developer
If you are Google you already trust yourself.
>Different people legitimately have different threat models.
The context of this change is to protect people's privacy from malicious extension developers.
>You seem to trust the browser developer
That is beside the point I'm trying to make.
>I trust the ad-blocker extension developer more than the other parties, so of course I want it to have full access to block evil behavior.
But do you trust that every web extension that will exist will not abuse that full access? I sure don't. This change isn't because of trustworthy / high quality extensions, but because of malicious and slow extensions. By changing the API exposed Google wants to reduce the number of extensions in that second category without breaking the extensions in the first.
> But do you trust that every web extension that will exist will not abuse that full access? I sure don't.
I sure don't.
But that is not in my threat model because I have zero intention of ever installing every web extension that will exist.
In my threat model the evil parties are the advertising/spyware industry (which includes google) so I want powerful browser extensions to help with that problem.
Could you please stop posting unsubstantive and/or flamebait comments to Hacker News? You've been doing it repeatedly and that's not what this site is for.