I’ve been dealing with Chrome extensions and their many crashes here for some time. Every time something crazy happens to a developer who steals user data and so, like the 15 cases this past month, the four last week that Facebook shot, and even the popular tab suspension tool got sneaky, there is talk of something called ‘Manifest v3’ ”which can help end everything. What exactly is this Manifest v3, and is it ultimately the solution to the Chrome extension issue? Will it have detrimental consequences for extensions that are not malicious? We’re going to darken it all today, so sit back, have a drink and let’s get started.
Manifest v3 was launched in 2018 and has a long and controversial history. In fact, it’s a new platform that makes Chrome extensions safer, better, and more private by default. In the first place, it is not allowed to offer remote-centered code in extensions uploaded to the Chrome Web Store, which could make it easier to identify potential threats in the review process.
It also allows extensions to be updated faster, thanks to a new memory-only service worker using fewer resources. In addition, it gives users greater visibility and control over how extensions that use the new manifest use and share their data. One of the best tricks is that it allows users to withhold sensitive permissions from the extensions while installing them.
In fact, the whole idea behind Manifest v3 is to provide ways in which extensions can work well without having constant access to user data. Not only that, but Google wants to move to a future where all extensions from Manifest v2 to v3 are upgraded so that potential performance issues do not affect the overall end-user browsing experience (poorly coded extensions are known to store RAM ) and so that they can maintain a capable, powerful and feature-rich platform that can be enhanced by extensions and not hindered by them.
At this point you may be wondering why it looks so famous. Well, there are actually two reasons. First, the Google Play Store has followed exactly the same approach over the past few years. Developers are expected to clearly state how they will use your data and for what purpose each permission you request will be used within the context of their Granular Permissions experience.
In Android Q, Google allowed you to go even further and allow an app only permissions while it works as opposed to in the background if you wish, and displays a persistent notification while accessing any permissions so that you can remain in full control of your privacy from moment to moment.
Second, I’ve reported several times about how the Chrome Web Store would mimic much of this in January, and now, here we are. Chrome will give users control over access to data extensions, and developers who respect users’ privacy will receive a ‘quality mark’ from Google (seen below) that can help users make informed decisions about which extensions are safe to use to install and use. In a nutshell, Google wants to wrestle with the out-of-control approach that the web store has been working on for so many years – it feels free for everyone, and it’s unacceptable. The Web Store extensions should be very much in line with the informative and professional look of Play Store offerings going forward, and Manifest v3 is directly responsible for all of these changes.
Okay, let’s face it – if Manifest v3 is so great, why is it considered controversial? The main problem is that developers like Raymond Gorhill, the trusted, amazing creator of the popular uBlock Origin and other adblockers, have to use a new ‘DeclarativeNetRequest’ API, which will limit the number of filter entries to 30,000, which just does not once is not close enough. In the process of limiting how many entries an extension can contain to prevent malicious abuse, Google literally paralyzes the feature that even allows adblockers to exist!
Ad Blocker is one of the most popular types of extensions, and a handful of the biggest developers in this space went to Google to complain – so much so that Google had to remove several comments on the Chromium Bug tracker and move the discussion to a private wire. In one response, a Googler said that they are not planning to break extensions, but that there are some cracked eggs in the process of ensuring user privacy and security, no matter what.
Our goal is not to break extensions. We work with extension developers to minimize this breach while still promoting the platform to improve security, privacy and performance for all users.
Chromium Bugs
At the time of writing, we are not sure if Manifest v3 has been modified to make an exception for adblockers, and if it does, it should be done on an individual basis according to the developer’s trust level and relationship with Google in these private discussions . . uBlock Origin’s developer, Raymond, posted a bunch on his Twitter account about how the argument regarding the performance cost of privacy-oriented browser extensions does not seem valid. In doing so, he quoted an article from the ACM Digital Library discussing it. The article was written by Kevin Borgolte, and Nick Feamster, who are professors at Princeton University and the University of Chicago, respectively.
Contrary to Google’s claims that extensions that inspect and block requests negatively affect browser performance, we find that a browser with privacy-oriented request-changing extensions performs similarly or better on our benchmarks compared to a browser without extensions. In fact, even a combination of such extensions does not perform worse than a browser without any extensions. Our results highlight that privacy-enhancing extensions not only enhance users ‘privacy, but can also enhance users’ browsing experience.
ACM Digital Library
Either way, Manifest v3 is now basically implemented with Chrome 88, so whether it destroys popular adblockers as we know it or not remains to be seen. We’ll keep you posted on how it will all unfold, but from now on Google seems to have created a one-year migration period to start using the new DeclarativeNetRequest API – to allow them to invent a new method to circumvent its restrictions or to cease their activities. In the meantime, they will support the old webRequest API of Manifest v2 extensions until the time expires.
What are your thoughts on all this? Are you using uBlock Origin or another adblocker? Do you think these types of extensions slow down your browsing experience? One, two, three, discuss!
