Because of this, sometime in 2022 I will shut down Sitetruth, my fifteen year old ad blocking and site evaluation system. That offers add-ons for Chrome and Firefox, and puts a tag with company background info on each search result. Some search ads are removed, and some are de-emphasized. Some time next year, Google will probably force that add-on out of Chrome, as they tighten their grip over what browsers are allowed to do.
I did this as a technology demo, to demonstrate automated site background checking. The concept that you have to have a business address to sell online is almost archaic now, even though it's the law in the EU and California. So, today often the system often can't tie a web site to business records.
I was working on a project about 15 years ago that could tie a website to a business address. The underlying assumption is that many/most legitimate businesses that sell products have registered trademarks. The main purpose of a mark is to enable traceability back to a legitimate, non-ephemeral source for a product. If the reader disagrees that reputable products would have associated trademarks, then stop reading here. :)
These trademarks can be represented in a domain name or TLD. IP offices that register the marks generally obtain physical mailing addresses for physical correspondence. The crux of the idea is that the domain name and TLD do not have to be issued by ICANN. As such, it does not have to follow any pre-established conventions. Trademark registration systems already have unique identifiers and classifications that can be represented in the domain name/TLD. Thus we can create a new, collision-free naming system that offers more than ICANN, e.g., a direct association to an IP office.^1 This leverages the work of IP offices to collect business addresses (or at least addresses of the registrant's lawyers/agents who would by necessity have the business address of the registrant). Under this system the perceived legitimacy of the business is reliant on the trademark registration, not a "TLS certificate". The legitimacy of the domain name/TLD becomes dependant on the trademark registration, not an unaccountable, known-to-be-corrupt entity such as ICANN. To put it simply, names require an associated trademark. The system favours businesses that want to enable consumers to trace a product back to an original, legitimate source. It is a naming system for real(TM) business. :)
Personally, if I were trying to assess the legitimacy of a business, I would rather rely on the records of a trademark office versus the records of a TLS certificate provider. But that's just me.
1. ICANN of course, to ensure its own profits, chose to allow disputes to occur and create quasi-legal dispute resolution systems instead.
I used TLS certs, mailing addresses on web sites, purchased commercial business directories, Hoovers (before they were acquired by DNB), SEC filings, and Yahoo Directory (defunct). But not domain info, which was just too low-quality.
Snail mail addresses intended for humans were the most useful. Although they could be spoofed, that's very rare, and tends to attract legal attention.
Forgot to mention the key feature. Users can search for entities/products using trademark names and registration classes, i.e., by searching the appropriate name containing the entity/product name and/or classification. Currently, a page of search results from a "state of the art web search engine" can leave one guessing about the sites represented by the domain names listed in the URLs. The searcher trusts that the search engine "knows what she is looking for" and has performed a disambiguation for her, automatically.
Whereas under the new system, the domain names unambiguously indicate trademark-protected names of companies or products, including their trademark classifications. This tells the searcher exactly what type of entity/goods the site purports to describe/offer and the source of those goods. No need for the search engine to second guess what the searcher is looking for.
For example, a name might be formed as something like productX.companyY.classZ. A user could search for URLs with subdomain "productX" and TLD matching "classZ", or a search for domain matching "companyY" and TLD matching "classZ", or perhaps a more broad search for domain under "classZ".
Yes this is the craziest part of the transition from V2 to V3. V3 is still bugged.
I crashed chrome by setting the incognito key to "split", and turns out there's no way to be sure that when you open an incognito page, your extension will be awake. What a mess.
I will postpone the "upgrade" the most I can, then I suppose I'll be forced to write a desktop app and pay hefty licenses to Microsoft/Apple. Google is just ignoring the complaints and the bug reports.
Wow, I kind of thought the headline would be an overstatement, but the article actually seems pretty even-handed and truthful in describing what's happening with Google's power over the browser market.
I, on the other hand, found the article to be terrible. Consider the following quote:
> Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions—especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these– like some privacy-protective tracker blockers– will have greatly reduced capabilities.
One would think that the article would then go on to detail exactly what these "new specifications" are and how would they reduce the capability of ad and tracker blockers.
That never happens. We keep getting statements to the effect that Manifest V3 is bad but we're never told what makes it bad.
What aspects of Manifest V3 limit ad blocker capabilities? Since Manifest V3 has been introduced way back in 2019 and, since then, has gone through various changes, are the quotes listed towards the end of the article recent or do they reflect an earlier version of V3?
There was controversy over changes to the WebRequest API but that was two years ago and, I believe, changes have been made. Are there still changes that break functionality? What changes were made over the past two years? Have things gotten better or worse?
Follow the links in the first paragraph of the article, they go into details about the technical aspects of why Manifest V3 is harmful to users.
It's disappointing to see this sentiment again, as this has been Google's tactic in the past decade: feign innocence and initiate technical discussions, then move goalposts and start over until their opponents are exhausted.
When we first heard of Manifest V3, it took them months to find a ridiculous reason for no longer allowing proper control over requests in Chrome, and they kept jumping between performance, privacy and security, as researchers refuted all their technical arguments one by one.
By now there is nothing left to discuss, they'd just need to stop being malicious.
> as researchers refuted all their technical arguments one by one.
Heya, do you have any links for that? Haven't really been keeping up with this whole thing. I briefly looked at the Privacy Sandbox proposal page a while back in late 2020 to figure out what it was all about, but haven't really got anything on researchers refuting their technical arguments.
> There was controversy over changes to the WebRequest API but that was two years ago and, I believe, changes have been made. Are there still changes that break functionality? What changes were made over the past two years? Have things gotten better or worse?
The WebRequest API’s blocking functions, which are central to the functionality of uBlock, are still slated to be removed.
Blocked under the supposed reason of privacy, but extensions can still see every request, and inject whatever javascript they want, exfiltrate your data, etc. Meaning the reason is pretty clearly not privacy.
Or that extensions can still inject javascript, observe and log requests, exfiltrate data? I mean the api docs will tell you that. Extensions can do all that because they couldn't do a whole lot without those capabilities...normally used for legit purposes, but the apis can't really glean intent.
See things like onBeforeRequest for observe. Injecting javascript is called a "content script" in chrome extension terms. Exfiltrating data could be done in many ways, given that you can inject a "content script".
Thank you. I hope the author of the article reads this thread and ads a proper summary of the problematic changes that Manifest V3 introduces to the article.
The article does not mention changes over the last two years because there haven't been any to mention. The new WebRequest API still does not support blocking requests (and still does support _recording_ requests), and the replacement for that functionality is still very limited.
> WebRequest API still does not support blocking requests (and still does support _recording_ requests)
The whole point is that there would be no reason to allow any ad blocking extension access to the WebRequest API anymore.
The replacement, declarativeNetRequest, does not require the user to give any permissions, so the days of granting ad blocking extensions full access to every page are gone.
If you think Google is doing this for their own gain, I guess you can simply ask if declarativeNetRequest will be able to block all Google ads, or if you really need a turing complete language for that.
> The replacement, declarativeNetRequest, does not require the user to give any permissions, so the days of granting ad blocking extensions full access to every page are gone.
From what I see, it also has some strict limits. My basic uBlock+ install has 82780 network filter rules. Chrome seems to "only" guarantee 30000 rules, and I don't know if these match 1-to-1.
And there don't seem to be dynamic replacements, which might be useful to trick adblock detection. Not sure how far in the cat-and-mouse game we are on that front, but I sure don't like the idea of giving the mice highly limited rulesets while the cats can do and do whatever they like.
The current global rule limit is 300k rules per profile. This is shared between all extensions, which is shared amongst all extensions. This limit comes after the 30k per extension minimum, so if your extension uses 40k rules only 10k count against the global limit.
So if we assume rules are 1-to-1 (and in fact fewer rules should be present in declarativeNetRequest because certain rules like element hiding do not factor into declarativeNetRequest, and would be handled directly by the extension), you could fit ~5 adblocking extensions the size of your basic ublock install, and most of a 6th.
Now there are some advanced capabilities of some adblockers that have no equivalent available, but for common multi-plugin rulesets like EasyList, declaritiveNetRequest will support pretty much everything contained therein, (except cosmetic rules, which the plugin must apply separately, since they are not blocking requests, but modifying the page, which is quite different).
> The replacement, declarativeNetRequest, does not require the user to give any permissions, so the days of granting ad blocking extensions full access to every page are gone.
Great, but I want to give my add blocker access to every web page. That's kind of it's purpose.
Sure it could be abused, but not if you used one of the community recommended blockers.
> If you think Google is doing this for their own gain, I guess you can simply ask if declarativeNetRequest will be able to block all Google ads, or if you really need a turing complete language for that.
I am not sure if it will be able to block all google ads. Pretty sure it wont be able to remove their ads from search results, since you wont be able to remove/hide parts of the site. Also it wont be able to remove annoying pop up adds (sure it might remove the content of the ad, but popup will remain - well depending how its implemented.)
Also it is only limited to 30k max urls in a blocker. Nowdays my blocker has 80k+ urls. So i guess I would have to pick an choose (If i continued to use chrome).
> Sure it could be abused, but not if you used one of the community recommended blockers.
Why not? What stops someone from buying (or stealing or co-opting) uBlock Origin and using the fact that it has access to every user's web browsing to do some serious damage?
> If you think Google is doing this for their own gain, I guess you can simply ask if declarativeNetRequest will be able to block all Google ads
The answer to that is "no". declarativeNetRequest is a more restrictive version of what Safari current supports, and Safari ad blockers don't do as good of a job of blocking Google ads as ublock origin does.
> The new WebRequest API still does not support blocking requests (and still does support _recording_ requests), and the replacement for that functionality is still very limited.
Thank you. What you wrote is information that needs to be in the article but is not mentioned anywhere. The closest thing is a quote from Mozilla regarding their extensions security review process.
Browser extensions have a higher trust level than internet sites. V3 simply dis restricts the former which gives the latter more wiggle room. Sure, there are hostile browser extensions, but at that point security and privacy is already compromised.
It will impact µBlock Origin negatively for example and I want this plugin to be able to access the page unrestricted.
I agree with you. The article is terrible. It's a collection of reactions and scare quotes from industry figures. I followed the first few links in the article and they're not much better. You'd hope that EFF, of all people, would be able to make a simple and compelling summary of the issue.
While a good message that does have actual merit if you know what's happening already, I don't see how this is a legitimate consideration of MV3.
The entire argument regarding security doesn't mention any of the reasons Chrome developers cite its security improvement, instead it brings up that Firefox "does good enough already" and that malicious extensions can still get past the review process. the review process is by itself improved with V3 as extensions that pull in code remotely can no longer get past the review process[0], especially with how many current extensions implement RCE C&C intentionally. They also say extensions are "usually interested in simply observing the conversation between your browser and whatever websites you visit" - that's 'usually', though; malicious extensions intercepting and modifying requests for their own benefit isn't unheard of.
Instead of only stating 'this is bad', it would be beneficial to include both (A) what they say (B) their basis for the decision, if any (C) why that line of reason is incorrect/deceiving.
What Google says vs what's going on aren't necessarily the same thing, they have a long history of selling us the 'for your convenience' line while removing functionality that people depended on but that ultimately hurt Google's business interests: to be able to force feed you more ads.
They have long outlived their credit in the bank of the benefit of the doubt.
Google has not provided any reason to not include "block request" functionality. And that the super bad faith underlying fact that poison their "reasoning".
There is still "block request" functionality, the change is that it's now declarative. This is the same way it works in Safari, and is (a) more efficient because you don't need to execute JS to evaluate each request and (b) more private because an ad/content blocker doesn't need to be given such broad permissions. There are serious tradeoffs (no request time js makes it less flexible) but it's still very capable and easily can be used to block Google ads.
The safari change absolutely kneecapped content blockers. Ublock dropped it[0], and the remaining few providers, like AdGuard, have to do all sorts of trickery[1] to get even close to the same performance.
If you're going to argue this is better, don't point us to such a clearly worse result.
I'm not arguing that V3 is better -- I think that's a complicated question, and I was trying to describe some of the tradeoffs. What I am arguing is that V3 does, contra my parent, support request blocking.
I quibble with this. Request blocking "as that has been understood", is preventing the request from leaving the browser. That's still demonstrably doable with mv3. What's changed is the mechanism. You can argue about the value of changing the mechanism, about the burden placed on plugin developers, or the efficacy of various APIs, but the functionality is inarguably still there.
You're being disingenuous. With Manifest v3, it is not possible any more to block requests dynamically which has huge implications for the efficacy of ad blocking (example: forget blocking youtube ads). Additionally, you're limited in how many static rules you can have.
Therefore, it's not just about changing the mechanism, the end result is clearly a lot worse. One can say, they crippled ad-blocking which this change. Hopefully, once the millions of people using ublock origin start noticing what's happening, they will move away from Chrome. I already did, ublock origin is worth more to me than any feature Google puts in Chrome.
I just hate that rhetorical game of "well, prima facie I meet your standard so what's the problem?" You met the standard before too, obviously that's not the problem
Fair point, apologies if I came off a bit harsh. I'm just really frustrated in the direction Google has taken with this whole thing.
I understand the average user probably shouldn't be able to easily hand over so much control to extensions, but on the other hand, dynamic ads shouldn't be able to serve malware or cryptominers.
I'd be a bit more open to the idea of a locked-down manifest if we had seen more good-faith attempts from AdTech to change the paradigm that makes content blockers almost a requirement.
I’m sure you are an honest person working in good faith. But we saw very similar behavior from Google around AMP. They had a very narrow reasonable sounding explanation, and just ignored all criticism and requests from both users and publishers that didn’t fit their narrative. This went on for years.
Today we know AMP was also a anticompetitive plot to kill off header bidding.
Why should we to believe a word of what Google says about Manifest v3?
It's been years since AMP went live. Disagreeing while pointing to information that's been withheld for years and does not (to my knowledge) have a timeline for release... that does not make a very compelling argument. It amounts to "trust us". But we don't-- that's kind of the point.
I interpreted coffeefirst as referring to the current antitrust action against Google, and saying that I expect more information will come out as it progresses.
There will never be a smoking gun because the people cooking up these dark pattern schemes are generally smart enough to not document them. The problem they want solved gets broken up into pieces that are given credible cover stories and then when it is all integrated together the intended outcome happens without it ever being explicitly written down in an incriminating email.
Good point, that may be what they meant. Although I would not count on all of those details coming out: for years Google has been warning employees against using certain types of language that could in someway look bad from an antitrust/anticompetitive point of view. So I would expect that a lot of documentation, emails, etc will look anodine on the surface through self-censorship.
I don't expect anything that comes right out and says something like "we must implement AMP to as a strategy to remove competition from header bidding". Instead it will mostly be just the standard talking points about user experience and load times.
I could be wrong though: plenty of things have been revealed in things like text messages where people don't think of them as being part of an official record.
Recently a large software company managed to avoid looking into a bug report for several days about an inability to dial 911 on an Android handset until enough social media indignation was generated (1). However, the org in question ignored it until enough outrage on Reddit was generated and it was eventually noticed. Not one alarm bell seems to have gone off despite all those clever people and funky machines and the much vaunted AI/ML and stuff. That's a bug that might engender criminal liability in some jurisdictions.
In this case, it appears that multiple large orgs are involved: G and M. One provides the environment and the other appears to have dropped their drawers and crapped in it but in the end a telephone should always be able to make emergency calls regardless of what is installed or configured on it.
In the end this sort of thing might look like lack of responsibility due to arrogance due to lack of competition. I'm sure other interpretations are available.
Normally the above should be considered an example of whataboutery but I think your response deserves little else. If you have something to contribute then please do but not that sort of thing.
But it was your incorrect claim that was trivially disproved.
So if you weren't asked to, you're just astroturfing voluntarily. That's not better, it's worse: If one gives up one's integrity, one should at least get paid for it. Otherwise, one isn't acting just scummily, but scummily and stupidly.
Your linked claim is that "AMP was also a anticompetitive plot to kill off header bidding". Your linked "debunking" is about AMP pages delaying loading for non-AMP ads, which is completely unrelated to header bidding.
The claim, in a broader sense, was: "AMP is shit", or perhaps even "AMP is shit, and Google are anti-competitive arseholes". And those are certainly well-established enough by to make any attempt at defending against (either of) them delusional.
I'm happy to talk about specific claims if you want, but I was trying to respond to a specific false claim about header bidding and not signing up to defend all things AMP.
This is just an attempt to rehash the same old arguments provided by Google that have been repeatedly debunked by developers and security researchers.
> I work on ads at Google, speaking only for myself
I'm doubtful about a person's ability to speak for themselves, when they have been consistently defending their employer on HN for years, at every occasion they got.
I would believe this more if Mv3 didn’t allow extensions to inspect all web requests programmatically, just not block them. Want to exfiltrate your users’ data to attack or track them? Fine. Want to block ads. No way!
> (a) more efficient because you don't need to execute JS to evaluate each request
This is true, but I think overly performance-focused. It doesn't feel like that much time, so I think there's a valid complaint that it doesn't make sense to kneecap flexibility for speed.
> more private because an ad/content blocker doesn't need to be given such broad permissions
Sure, but this doesn't seem like the only possible solution for the people that own the browser. Why not only allow a restricted subset of JS that lacks any form of IO? Or if that's impossible/risky, why not something like Starlark or Lua?
I think this is based on a fundamental misreading of the problem. The privacy concern is that your data will leak, not merely that it's accessible to a third party. The cat binary can read my data, and I'm not at all concerned about that. So can my shell, and likewise on the concern.
Privacy doesn't necessitate this solution. It is one of the possible solutions, but I think is hard to sell as the best solution to the problem. It is likely the easiest.
> There are serious tradeoffs (no request time js makes it less flexible) but it's still very capable and easily can be used to block Google ads.
Those serious "serious tradeoffs" made me completely stop using the web on my iPhone. Yeah, Safari content block can block roughly 80% of web ads, but those extra 20% are extremely annoying.
Web owners use all sorts of trickery to bypass adblockers and serve malware filled ads. Handicapping our current best defense tech against this is a sure as hell way to make me never open chrome again and completely purging it from any friends and family computer.
While there seems to be some disagreement with your position, I just wanted to thank you for being transparent about your involvement at Google. More people should act like that.
There is still "block request" functionality, the change is that it's now declarative. This is the same way it works in Safari, and is (a) more efficient because you don't need to execute JS to evaluate each request and (b) more private because an ad/content blocker doesn't need to be given such broad permissions. There are serious tradeoffs (no request time js makes it less flexible) but it's still very capable and easily can be used to block Google ads.
Docs: https://developer.chrome.com/docs/extensions/reference/decla...
(Disclosure: I don't work at Google or on ads anywhere, speaking only for myself)
IMHO it's really about "those who give up freedom for security deserve neither", as that classic saying goes[1]. The excuse of "security" has been used throughout time to take away personal freedoms, and with Google (and some of the other authoritarian parts of the industry) pushing very hard in one direction especially within the past few years, it's about time we started pushing much harder in the other. Indeed, good enough is good enough.
[1] I am well aware that was not the original context of the quote, but it's a nice rallying cry of the sentiment behind the movement.
I think the fact that it will significantly limit privacy and ad blockers is sufficient reason for a high level of criticism, which I took as the main point.
I didn't see dissecting the security details as the point they were trying to make. Instead it was to partially undermine the reasons Google said they were doing this.
Basically "here's why it's bad for privacy, and here are why Google's stated reasons for the update are insufficient to justify that"
"significantly limit privacy"? You either don't know what this change does or find it "significantly more private" when an extension developer has full read / write access to your web requests
I was referring to the much higher level of difficulty adblockers and the like will have in filling their intended purpose.
It seems like this is the clear interpretation of what I wrote and that you may be purposely misconstruing my comment in order to level a soft insult and condescending language at me over an opinion you don't agree with.
To give you a little benefit of the doubt though and assume you may just be passionate about the issue and don't intend to be insulting I will address your other point: Users giving away access to their web requests without realizing it is a problem. It is also one that can be addressed without making it much harder for privacy-minded users and the providers of those extensions to get what they want as well.
"extensions that pull in code remotely can no longer get past the review process"
When Google says "pull in code remotely" they dont mean from a remote server. Instead its 'code remote to Google' aka code you wrote yourself sitting on your hard drive. This kills greasemonkey/tampermonkey and all the other UserScript extensions. Google saw how great Apple is doing and fell in love with the concept of walled garden. Its their browser and they wont let you execute any code that wasnt approved by them.
Anyone who pays attention to the web platform should know by now that any rationale Chrome (or Google in general) developers give for web platform decisions is made up. They repeatedly told us they had specific motives for AMP and it was all a lie, AMP was designed to tighten their grip on the advertising market. It's not the only example - the way their autoplay whitelist works is also transparently manipulative despite lies to the contrary - and I would bet money that MV3 is partially motivated by business incentives in the same way. Googlers' paychecks are signed by Ads and GCP and ad-blockers actively undermine the former.
Review by Google is completely worthless for my security considerations. I need my software to work for me, so Chrome will not be part of that anymore.
To say browser extensions pose a risk is true, but it hardly makes it in the top list of threats anymore. Malicious sites however still do and Google just restricted our ability to let third party tools provide essential services. Sure, these could be malicious, but that is generally not a wide spread IT problem of today. That should be also obvious to Chrome developers.
Accidentally they also restrict ad blockers? Come on, you are getting played.
Beneficial in what sense? If manifest v3 is still bad on net, then including chrome's counter arguments makes for bad rhetoric and thus does a poor job of advancing a valiant goal.
The security improvement is negible compared to the danger of data extraction which ad blockers pretty effectively prevent in many cases. No, the security advantages just plainly aren't there and I think this is more driven by Google business interests.
Installing random plugins is a security issue. But web tracking is by far the more significant threat.
I see a lot of people suggesting Firefox, which is great. But also, considering Chrome is basically Chromium, can't we just fork Chromium and keep using that?
Does Brave have their own extension repository yet, or are they still leaving that all up to Google? I don't see much value in Brave supporting a feature dropped from Chrome if it only has Chrome extensions and they all drop support for it anyway.
Firefox has said they will implement V3, but "we will diverge from Chrome’s implementation where we think it matters and our values point to a different solution."
Specifically, "we have decided to implement DNR and continue maintaining support for blocking webRequest. Our initial goal for implementing DNR is to provide compatibility with Chrome so developers do not have to support multiple code bases if they do not want to. With both APIs supported in Firefox, developers can choose the approach that works best for them and their users."
Can such a fork be upheld for a long time? Browsers are one of the most complex programs out there. I have my doubts even regarding whether Brave could maintain such a fork, let alone smaller entities.
Yeah, for an article that claims in the title to be adressing Chrome users, it does a very poor job of actually telling these users what this "Manifest v3" thing is and why exactly it's a "raw deal" for them. Provided they even know what a "raw deal" is - for me it's a rarely-used US-specific expression, and I am only aware of it because of an R.E.M. song (https://genius.com/Rem-monty-got-a-raw-deal-lyrics).
A lot of comments here are wondering what Firefox will do and if uBlock Origin would be made useless in Firefox like it would be in Chrome (once Mv3 is implemented). Short answer: Firefox is adopting various parts of Mv3, but will continue to support blocking webrequest, which is used by extensions like uBlock Origin. So uBlock Origin would become useless in Chrome, possibly Edge and a few other browsers, but not on Firefox.
Quoting from this update [1] from Mozilla:
> Google has introduced declarativeNetRequest (DNR) to replace the blocking webRequest API. This impacts the capabilities of extensions that process network requests (including but not limited to content blockers) by limiting the number of rules an extension can use, as well as available filters and actions.
> After discussing this with several content blocking extension developers, we have decided to implement DNR and continue maintaining support for blocking webRequest. Our initial goal for implementing DNR is to provide compatibility with Chrome so developers do not have to support multiple code bases if they do not want to. With both APIs supported in Firefox, developers can choose the approach that works best for them and their users.
> We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR as currently implemented by Chrome does not yet meet the needs of extension developers.
Chrome has just been getting worse and worse over time, but if you can recall, Firefox was also a slug when it was at a peak of market dominance and before that MSIE...
The problem is that orgs and companies stop caring once they gain the primary market share. They also start dictating standards to everyone and ignoring user feedback. It's symptomatic of our current software development driven economy.
I recall when as a web dev I had to ensure my code was best supported by 3-4 browsers and don't miss that era at all, but it would be much better if proper regulation, consumer protection, and ethical corporate behavior came into play before hostile competition, corruption, and monopoly-driven "dictatorware" do in software market dominance for a change.
Mozilla never seemed to get out of that "the user is an idiot, best ignored" mindset even as their market share falls lower than a vendor-specific mobile browser. It's mind-boggling how just about everyone except the people calling the shots in that org can point out the problem.
I've used Firefox as a daily driver for over 15 years, and while I do think it treats me more like an idiot than it used to, and don't like that, I still feel far more in control, trusted, and able to configure it than I do with chrome.
How do you mean? I use both browsers and, while I certainly wasn't happy with the changes that accompanied their move to WebExtensions back around version 57, I don't find FF these days to be any worse overall than Chrome. Not trying to be argumentative, just not clear on your meaning.
I rely on Firefox for everything a browser does, and praise its many unique features and conveniences; I don't want to imagine using a garbage flavor of Chromium. But the folks at Mozilla keep hitting my morale. Examples-
1. History of installing and running arbitrary code on clients in the name of "Experiments" without user permission.
2. Full telemetry on by default.
3. Shoving their products like Pocket (added to the address bar by default, shows up as an advertisement on the page that opens after Firefox updates itself), Mozilla VPN (non-removable advertisement on every Private Window you open) in the name of revenue, while their clueless leadership enjoys fat paychecks for whatever value they bring to the organization.
4. Forcing undesirable changes down people's throat (removed the "Compact" density address bar after a redesign, hiding it under about:config).
They also removed live bookmarks, a feature I loved since 2002. There is a browser extension now, but I just moved to Inoreader (and Edge).
Final straw was the dedicated search bar not working with keyword shortcuts for other search engines. While the settings page claims those are supposed to work in the address bar and the search bar, they only work in the address ("omni") bar.
Too many features removed. I'd rather just go to my native browser and all the inherent advantages to it at that point, which as mentioned is MS Edge. I love it. In fact, their unnecessary additions (MS Shopping) actually opened my eyes to things I didn't know existed, like the Honey extension. I have no complaints about Microsoft Edge on Windows 11 or iOS. After 19 years of Firefox.
Get a DNS Sink (such as pfblockerNG-devel). Works without Add-Ons or client config and in any browser. uBlock Origin is really only used on my computer for when I am not at home.
No DNS based solution comes anywhere close to what uBO offers. You can hide elements you don't like. You can block individual scripts or resources in a web page, even if they are first party resources. No DNS sink solution can do that.
Browsing the internet would be an extremely bad experience for me if I just relied on a DNS sink.
Generally, I agree - the two complement each other. The difference is that uBO is client side and its use can be detected. A DNS sink will work, no matter what was configured on the server end. Further, the DNS sink will hide elements - everywhere ADs are placed I see simple whitespace. Finally, scripts are blocked from even getting loaded - e.g. stats for the top scripts blocked today (2 hours in) for me:
> Further, the DNS sink will hide elements - everywhere ADs are placed I see simple whitespace.
I find those leftover empty spaces extremely annoying. Imagine being interrupted by a big portion of nothing in the middle of an article. uBO hides those empty spaces as well.
And no, I don't use or like Reader Mode. It's yet another click I need to do to just read an article.
> Finally, scripts are blocked from even getting loaded - e.g. stats for the top scripts blocked today (2 hours in) for me:
That doesn't look like individual script blocking to me, you're just blocking domains. If the script you want to block is part of the first party domain itself, you can't just block it using a DNS sinkhole.
At this point, I'd go as far as to say that a web browser which doesn't support the complete capabilities of uBO, considering things like CNAME tracking exist, is a user hostile web browser. This includes all Chromium based browsers.
No, it looks like that protocol in RFC 8484 uses "application/dns-message" MIME type for its messages, whereas I was thinking the web server could replace domains with IPs in the contents of HTML/Javascript/CSS files sent to the browser("text/html" or "application/javascript" MIME types).
Mentioning again to the entrepreneurical ones here that I want to pay money for something that works like old Firefox but uses the new supposedly more secure code base.
I pay for IntelliJ so why not pay for the just as important browser if I can get one that I like?
Just don't increase the pricing to Jetbrains level until you have Jetbrains level features.
> It might be great but for now refuse to support anything that further strengthen Googles grip on the market.
The question then becomes: "What else even is out there?"
Because if you're looking for something that's even remotely feature complete for browsing the modern day web, the majority of the current browsers out there are indeed based on Chromium, as expressed in this article, "Firefox is the Only Alternative": https://batsov.com/articles/2021/11/28/firefox-is-the-only-a...
Here's the table from the article in text format:
Browser Based on Chromium Open-source Market Share (desktop + mobile)
Chrome Yes No 64.7%
Chromium Yes Yes -
Edge Yes No 4.0%
Brave Yes Yes -
Vivaldi Yes No -
Opera Yes No 2.4%
Safari No No 19.0%
Firefox No Yes 3.7%
Firefox isn't perfect. I'm sure if you go back to the last major browser war, you'll see that Firefox didn't "win" that war. But they did win the fight they were fighting. They proved that you don't have to put up with the monopolistic behavior of Microsoft to browse the internet.
Today, Google and Microsoft and Apple are fighting Browser War 2, and it looks as though Google is winning. However, Firefox is still fighting, but not to win. But to prove that we don't have to put up with the monopolistic behavior of Google to browse the internet.
Firefox has had it's ups and downs. But "winning the war", in my mind, isn't the point of Firefox.
I think the controversies around firefox are blown way out of proportion. Yeah, there are some, but the amount of hate the project or the company gets on HN under every new version post is ridiculous.
It is an open-source project fighting a good fight, and the only one at that.
While I may be the only one around here to not know this, but I didn't realize Brave was OSS all the way through. That's great. I used FF for 19 years and switched to Edge fulltime in August ('21), and never looked back as each browser has its strengths and weaknesses. In the end, other than me being upset with feature removal in FF, I found Edge objectively comes out on top for me.
Vivaldi always seemed to hold the most promise but was buggy for me and still missing strong iOS integration that the competition has in place. Having used FF for so long, I was ready to go to a larger provider. So mainly, MS, Apple, or Google. Native browsers have big advantages so resisting those no longer made sense if I'm making a switch.
But Brave in my testing, did not completely convince me. Reviewing my testing notes-
Brave- no dedicated search bar option (important for privacy / prefetching and not having to continually retype your search query). Didn't get to mobile support and crossplatform sync. No dedicated extension store.
Of course, I had to give up on my dedicated search bar requirement, because FF's has been gimped by Mozilla, and Vivaldi had other unrelated usability flaws. So Edge it has been, and being completely honest, I've been thrilled with it. There's plenty other good here to overlook that and I haven't missed it as much as I thought I would.
All that said, I'm now going to keep Brave in mind, moving it up a notch. I always liked Eich which doesn't hurt. I don't fear a Chromium world, and never used FF because it wasn't, in fact I mostly resented it. I just don't see eye to eye with the anti-Blink crowd.
I think Firefox should've morphed into Brave, rather than be a separate project. A Brave that has Vivaldi's feature set would be perfect. Only thing missing then is major vendor support, and it'll always be non-native on all platforms, but at that point it could be overlooked.
For Firefox to fight its way back will require more than anti-Blink monoculture advocates supporting it. Blink has become the same as the USD, and isn't to be feared. For me, that's like saying you're resisting using the US Dollar because you don't want monoculture. Yet look at how much you can do with the USD. It enables quite a bit, embracing it just enables you to get other things done with less resistance. Users benefit. More important missions are at play. Like perhaps privacy, transparency, both things that Brave clearly focuses on. Or whatever one's chosen priorities are.
I legitimately love MS Edge, and I always keep Tor installed for the best privacy, but Brave is now my #2 pick for a daily driver and will be advocating for it for those that don't want to use their native browser.
I've been using Firefox for as long as I've been on the internet, but I got really tired of using it just because "It's not chromium". Mozilla been doing really stupid and frustrating decisions that made me feel like I'm in an abusive relationship. I've been eyeballing Vivaldi for a long time, and Firefox breaking compact mode finally broke the camel's back for me earlier this year.
When I switched to Vivaldi I felt like it's 2003 again, and I've just switched from IE to Firefox. Every single thing Mozilla removed from Firefox over the years is here, and most of the stuff I used hacky addons that would often break is here too! In the core browser, as first-class features, without the need to fiddle with userChrome.css or look through obscure flags. It really is a breath of fresh air and it puts into perspective how many excuses I've made for Firefox over the years. It's not worthy of being my browser, simple as.
Mozilla took my fundamental addons that separated Firefox from other browsers, they took my RSS reader, they took my cool Torrenting and Email clients that were a part of the browser itself. The TreeStyleTab requires you to go through obscure and hidden config files that often break with updates and the extension itself is not stable and fiddly. On top of that, I had way more Firefox extensions that aren't even different from Chrome extensions in major ways. In Vivaldi, I just get a nice panel with RSS, Calendar, Translator, Email client, Notes, whatever I want! The adblocker is built-in, the privacy features are built-in, you even get to put your tabs wherever you want. It has theming support that is as good as Firefox Colors, and it has custom search keywords that replace DuckDuckGos bangs for me more often than not. It even has the dark mode among other page filters, a screenshot tool, web page tiling! All the things that would turn my Firefox profile into a slow extension pile that barely works and longs for death.
Mozilla's "goals" of removing key features meant for people who actually would want to use a "google alternative" are laughable, and it's as bad on "privacy" axis as Chrome is because you have to use something like LibreWolf to get the actual privacy from it, very much like you have to use ungoogled-chromium with Chrome. If they think that turning the browser into a Chrome clone with some bumper stickers that say things like "Proud not to use Blink" and "We do say privacy a lot", then it's already dead to me.
TreeStyleTabs works out of the box without any sort of hacking around. I really don’t get this mentality. Firefox’s containers have no corresponding feature in chrome, they haven’t copied it and it is a huge win from a privacy PoV.
I had to modify userChrome.css twice to make it work over time, because obviously, you don't want the old tab bar there at the same time as TST. But also it was very unstable for me because every time I needed the left bar for something other than tabs it would crash or hang or get stuck. The rest of the browser would keep working fine, but the tab bar would not receive clicks or something like that. I had to restart Firefox every time that happened.
As for privacy containers - you can easily switch profiles in Vivaldi. It's not integrated to the same degree where you'd get tabs from many profiles in one window, but it works for me.
If you like Firefox Containers you should also know that, ironically, unlike Chrome Firefox doesn't have proper site isolation. [0]
> Mozilla took my fundamental addons that separated Firefox from other browsers, they took my RSS reader, they took my cool Torrenting and Email clients that were a part of the browser itself.
It was never the point of Firefox to offer them. Firefox originally started to be the slim alternative to the fat Mozilla suite.
> The TreeStyleTab requires you to go through obscure and hidden config files that often break with updates and the extension itself is not stable and fiddly.
What are you talking about? TST is very stable since years now and except for hidding the original tabbar, there is no need for using any config files. And even this is a stable setting which barely change every some years or so. Obviously, the first months in their transition to the new extension-system TST and Firefox were quite unstable and busy with filling the missing gaps. But that was 4 years ago. There still are some features missing, mostly for comfort, but it has settled down now and is very stable now. And still better than anything other browsers have...
Do you happen to know how they make money, or can maintain the project going forward? Seems they don't charge for their browser, and also claim they don't monetize their user's personal information at all.
Vivaldi generates revenue from partner deals with search engines.
Every time you search using one of the pre-installed search engines, you’re helping us grow, one search at a time. Currently, we work with DuckDuckGo, Ecosia, Startpage, Yahoo!, Bing, and Yandex.
The only exception is Google – we don’t make money when you search with Google. However, we know that some of you use this search engine daily, so we include it in Vivaldi.
It's hard to take EFF seriously when they write so hyperbolically. What's clearly also the case is that Chrome extensions are one of the great modern security and privacy challenges --- to the point where multiple tech company security teams have people whose job it is just to screen them. Another detail that EFF doesn't want to share is that ad blockers are some of the worst offenders --- they demand maximal access to user data (think about how they work), and there are lots of them, not all of them, uh, implemented scrupulously.
EFF doesn't want to give you the other side of this story, because they're not an honest interlocutor.
If you had the other side of the story, you might still think Manifest v3 was a bad deal. Random ad blockers are very dangerous, but there are ad blockers that everyone trusts, and you might not want to make it harder for them to maintain their projects.
But EFF doesn't trust you to make that decision on your own.
I think this comment doesn't portrait the situation with abusive tracking honestly and I fail to see how this could get so many upvotes. No, adblockers are certainly not the worst privacy offenders. Sure, there are bad plugins, but that isn't an issue exclusive to blockers and the problem with infromation extraction is mostly relegated to malicious scripts on the websites themselves, as the article points out.
The worst privacy offenders are ad trackers and I don't think it has to be explained that Google has an interest in putting constraints on them. How much that influences Manifest v3 is everybodies guess of course.
But your framing is dishonest as Manifest v3 does take away user choice. A choice that allows you to install bad addons with all the implications. But turning that around and saying the EFF tries to take away choice is just false in this context.
I also fail to see hyperbole, I think this is the usual relativization that puts users in a worse spot than before.
> EFF doesn't want to give you the other side of this story, because they're not an honest interlocutor
And who would that honest interlocutor be in your opinion?
The best and most user oriented ad blockers will be affected by this and this is the actual security issue here. No other scenario comes even close.
There is no decision left to make once this change goes through. You can talk about improved security all you want, but the fact remains that uBlock Origin will be permanently crippled. This by far negates any security or privacy gain that Manifest v3 could possibly make.
This is in fact one of the best arguments pro to do the change:
* Chrome destroys ad blocking
* Advanced users now suffer the same internet as everyone else
* Advanced users will find a solution, and that solution can't be chrome anymore
* This starts an exodus of advanced users .
* Advanced users configure the browsers for everybody else, hence everybody else also joins the exodus
The end result is less of a monopoly.
This is the same mechanism that ultimately killed of IE and moved everybody to chrome: The monopoly of the time got so arrogant they didn't listen to their users, so users fled to a better alternative.
The strange thing is, groups of people have more or less the same tolerance for abuse, know their limits have already been violated for a while, and learn alternatives from each other. As a result, It takes a long time of abuse to trigger an exodus, but when it started, it starts everywhere at the same time. Then the abuser tries stopping the exodus by rolling back only the last change, but that's not enough anymore.
Unfortunately, Mozilla does not have a track record of listening to their user base too and afaik they never had any monopoly.
They just pushed their Track/Ad-Features out of desperation(?), which leads to the root of the problem: commodification of common goods like privacy and its resulting degradation.
Looking in the internet I see that "94% of Mozilla revenues came through royalties received by search engines to be featured on its Mozilla Firefox browser" I am afraid that at some point Mozilla can be forced to comply and cripple ad blockers too.
Hopefully someone will decide to come up with a totally new browser. I remember times when BitKeeper told Linus that they will somehow try to charge for using their tool to keep Linux kernel source code (can't remember the story, but they managed to irritate Linus, delicately speaking).
Linus sat down and started coding... and created Git.
Unfortunately browser is a more complicated piece of software, but maybe this is also a problem we should solve.
Perhaps Mozilla should put the more advanced features and customisation options behind a monthly subscription. I know people dislike monthly subscriptions, but the browser is perhaps THE most important tool you can use. Maybe it's time we start valuing it properly.
The share of those profits that goes to Firefox development is far less than one might think, especially if one consider the many millions that goes to management of Mozilla foundation. Firefox would be a very different project if all the royalties received by search engines featured in the Firefox browser went to improve Firefox.
As long profits from Firefox does not goes back into developing Firefox, a monthly subscription wouldn't change things.
> Hopefully someone will decide to come up with a totally new browser.
The enormous complexity of browsers these days makes this almost impossible.
A better solution would be for Mozilla to direct all funding directly to Firefox and try to find other ways to monetize the browser.
Brave is trying one approach but now they are also tied to the underlying Chromium engine. I am not sure what the effort will be like to try to maintain a fork that ignores Manifest v3.
The EFF doesn't need to give "the other side" because the other side is mostly
obvious to the target audience (which isn't random people, Google itself is a huge part of the target audience). Note that Google doesn't give the other side either. Also, nothing in politics works like that, if you want to get people to join your cause you don't end everything you say with "But keep in mind that $foo".
Still not giving the other side and using "dangerous" and other "think of the children" terms triggers my bullshit and what are you hiding detector. And the only thing vouching for them is their reputation.
Speaking of reputation EFF has been doing this shady speak for last few years and my respect for them is quite diminished. I suppose they can still do it because they have practicality a monopoly to "protect privacy online" with Apple being a distant second player.
So long as they're only interested in preaching to the choir, that's true. If they want to reach other people who are as zealous, they could stand to give a better full of the landscape.
Every time someone mentions this I have to think about the messed up ecosystem of Safari Webextensions.
Safari only allows extensions installed via the apple store, but every single adblocker there is a scam.
I'm not kidding you, I audited most of them. Chances are it's either a three years outdated list of adblock plus that doesn't catch anything or it's an extension that replaces all google analytics identifiers with their own to make money (even when it's a paid extension).
The only thing worse than Chrome is Safari at the moment. And Apple doesn't give a shit about anything there, I reported the malicious extensions to no effect at all.
So when thinking of the other side and "removal of choice" I don't have a healthier, audited ecosystem in mind...I have Safari in mind, which right now is a worse attack surface than IE6 back in the days when it comes to Privacy or Security.
Malicious extensions (as answer to comments). DONT install any of them, as I think they're scamware.
You can't list these apps, say they're scam or they don't work with no proof whatsoever except your word, especially when there's counter arguments they actually work.
Explain yourself, or are we supposed to take your word for gospel?
> Explain yourself, or are we supposed to take your word for gospel?
Not gonna waste more time on this tbh, as I'm building a competition to those products. If you don't believe me, stay in your walled garden. I've given you hints, start checking them for yourself or don't.
If I would post screenshots of MITMProxy, Little Snitch or something else, people would try to discredit them as fake anyways.
> If you don't believe me, stay in your walled garden. I've given you hints, start checking them for yourself or don't.
There's no need to be so confrontational. You made the claim, you'll probably be asked to show the technical reasoning behind your statements on a forum called Hacker News. But since you're working on competition, it's in your best interest to discredit similar products.
> If I would post screenshots of MITMProxy, Little Snitch or something else, people would try to discredit them as fake anyways
Sounds to me you're not prepared for people to show you might be incorrect. Honestly, I never doubted your position, I just wanted clarification for my own intellectual gratification. But you sound really defensive for some reason.
(By the way, I do not work in ad-tech nor in ad-blocking tech and I have no stake in anything slightly related to the matter at hand.)
As somebody currently using Wipr and not seeing any ads, would you mind bridging the gap between your assertions and my reality? Genuinely curious how we could be truthfully so out of step on this.
Yeah. Also I know that mine blocks ads, but parent alluded to a spectrum of malice and scamminess. If it cost $2 but it's a mediocre fork of ABP and that's all, then I'm already out the $2 and I might as well keep it installed. If parent claims it's outright malware that steals passwords, mines crypto and holds your cat pictures for ransom then I'm at least going to investigate.
Not that hard to make ones mind when I personally use two perfectly fine blockers, you posted no proof of your hyperbolic claims that all Safari ad blockers are scams and at the time I replied you hadn’t even posted any names of problematic blockers.
And now you’re calling me a scammer for criticizing your statements…
I use Wipr and it is great. I don't see ads, which is the reason I use it. So I don't see your point. Other than the fact that you are making a competitor, so you are incentivized to post something like this.
Time to share the testing protocol details, I think. Unless you want people to just believe that [4,5], two of 3 most recommended ad blockers for Apple devices, don’t work or don’t remain up to date.
Google could add a simple button in Chrome if they wanted to trust users to make their own decision about displaying Google advertisement on Chrome. Instead they went with a decision that results in more google advertisements reaching users, which means that it is EFF that doesn't trust users?
Technology changes means nothing without outcomes, or else it is just changes to electrical potential of positive and negative state. If extensions like uBlock Origin are crippled or forced to leave than the outcome is crap, which is what occurred when safari did a similar "step in the direction of privacy, security, and performance". I wonder if google was aware of this when making the decision.
> Random ad blockers are very dangerous, but there are ad blockers that everyone trusts, and you might not want to make it harder for them to maintain their projects.
The answer to "Random ad blockers are dangerous" is not: Let's cripple all adblockers to safeguard our "users".
The obvious answer is create a review process similar to what Firefox did. Maybe Google should use some of their 0.0001% annual income to contract a full time review team to protect us against rogue extensions.
I think an honest interlocutor would look at what's behind Big Corp double speech:
Google: Protect ad-revenue while pretending to protect users.
Apple: Protect Apple against government pressure while pretending to protect the children.
The article talks about the extension review process at Mozilla (hint: It's manageable) and bad/malicious extensions. So I'm not sure where your "other side of the story" bit comes from...
That seems like an unnecessarily uncharitable reading of what they're saying.
We are constantly handing over power to big tech in the name of security, and they inevitably end up using that power against us.
Yes there are shady actors out there, but that doesn't mean we have to give the tech monopolies a monopoly over what are the capabilities of the internet and who can be trusted.
The main issue is user choice. If I want to run an extension, no matter how malicious, on my machine, I should be able to do it. This applies for my phone too, which is a capable computer for all practical purposes.
Apple has normalized the "we know better" approach, and has enjoyed great success doing it. Google is simply following that same philosophy. They know better than you, what's good for you and what's bad.
We need a fully independent browser, open-source, and built on modern technology. That way, users who care about this can get what they want. And users who trust Google to get it right, can use chrome or one of its derivatives.
Firefox has (had?) that potential, but for whatever reason Mozilla seems unable to execute effectively. The result is that Firefox has become a follower, doing the same things Chrome is doing. Thus defeating the original motivation for users looking for an alternative.
Brave looks promising, but given that they build on top of chromium, I am not sure how long they can resist fundamental changes in the codebase. Or whether they even intend to provide the needed alternative.
All in all I feel this represents a sorry state of browsers, and consumer software in general.
> “ It’s also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that’s not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility.”
I don’t understand why Firefox needs to adopt Mv3 for “cross-browser compatibility”. Is this to save extension writers time and effort or is it a mistake in the article?
The former. Firefox tries to make it possible to port Chrome extensions to Firefox with minimal changes. Mv3 contains lots of new stuff beyond nerfing adblockers.
I have a couple of popular extensions on the line, and I no longer see a way to stop Google without immediate government intervention. I am confident that they are not acting entirely in good faith, regardless of the much needed and useful parts of Manifest V3. They will get away with anything, be fined again in a couple of years for the growing list of illegalities they commit, and now they'll also harm the browser extension ecosystem.
Some of the extensions I maintain will no longer work, or have reduced functionality for no acceptable reason, and some of the projects that I have been preparing to release have now been abandoned, because they rely on having proper control over requests in the browser.
> I have a couple of popular extensions on the line, and I no longer see a way to stop Google without immediate government intervention
As the developer of extensions that are impacted by Google's anti-competitive actions, you can report how this impacts both you, and the market as a whole, to the competition and antitrust divisions of the government. I've posted links to forms and sites that you can use to report to the relevant state-level and federal-level regulators on HN here[1].
If you aren't in the US, the US also has antitrust legislation that applies to US companies operating in foreign countries, as well as a myriad of antitrust treaties and agreements with other nations. It might be worth it to also report it to the government of the country you reside in, as well.
I mean you can, but firefox doesn't treat you any better. We waited 2+ months to get a minor update through review, and getting it through that quickly took emailing several folks (including one from HN). During that whole process they also removed the display of your queue position, making it even more opaque.
At some point they disliked something in our extension that had been live for months, and disabled every release in the past year. At another point they found something wanting in a 2 year old release (not a recent one) and threatened to remove it from the store, our attempts to continue that conversation or just allow it to be pulled to save everyone some time met with crickets.
> Where do people get this sense of entitlement from? Please cite one law you believe Google has broken.
Just like Amazon (your employer), Google has also been fined several times in the past decade for illegal business practices. Their illegal activities are extensively documented, and in some cases they were forced to change course due to regulatory intervention. Feel free to look it up, I don't think there is a need to relitigate objective reality.
That's true, and so any thing that that company does that some rando doesn't like and claims is illegal we must assume is actually illegal, even when that rando explicitly avoids questions about what they actually think is illegal about it.
They've asked to name one law that I think Google has broken, which is already part of the public record.
If you're asking what illegal business practice Google will be engaging in when the Manifest V3 limitations will begin to be enforced: using their dominance in one industry to gain advantage and maintain dominance in another industry, to the detriment of consumers and competitors.
I miss the early days of Firefox extensions (circa 2004) where an extension could in very powerful ways completely change the layout/functionality of your browser; when they had near unlimited access to the XUL and could change anything and everything.
I used a ton of very useful extensions then. Nested tabs were one of my favorites. These days I've got a password manager, a bookmark checker, and a tab manager I wrote myself.
They're just not allowed to do anything too useful these days - I know what they have access to, I write Chrome extensions. A lot of them should just be standalone desktop apps.
Like most things, normies came in, shot themselves in the foot, made a fuss, and now we can't have nice things.
While I also miss some of the capabilities, I also can understand why Firefox removed them.
Extensions systems which don't have very clear cut boundaries like XUL are just add a very hefty maintenance burden and make review extremely hard.
It's not really about "normies".
This doesn't really apply to the current change, as extensions already have clear boundaries and and as the article pointed out problematic apps likely won't be too much affected as they often already do things which bypass the constraints to avoid detection by the reviewer... (assuming I understand the topic correctly)
Has nothing to do with "normies". With the old extension system, Mozilla couldn't make any substantial changes to browser internals (like multi-process, among other things) without breaking everything. It makes sense to have clear boundaries between the core and extensions, and keep implementation details out of the extension interface.
E.g. mass downloaders have become quite a bit less useful because they can only download into the OS downloads directory without prompting for each and every download.
I tried installing Nyxt. I'm not sure how common CUA bindings are. I tried pressing Alt+Left and Alt+Right to navigate between pages, but got a strange error in the status bar: "Warning: Error on separate thread: There is no applicable method for the generic function # when called with arguments (NIL). See also: The ANSI Standard, Section 7.6.6". Which is baffling as a user.
I wish Firefox would have left the old extension abilities. They could have easily added the WebExtensions standard to allow for cross-browser compatibility and not removed the old functionality.
They basically did, until the underlying browser became incompatible. That was the point: to have a stable API instead of extensions relying on implementation details, which includes multiple processes.
They didn't just broke them by necessity of rewriting the browser, though – they then actively blocked them on regular browser versions (non-Nightly/Developer Edition/etc.).
The least worst web browsers these days are typically the older Firefox forks that have maintained XUL and powerful extensions. But this class of browsers is rapidly become few and those left are run by... controversial personalities.
The security argument seems pretty simple. The end goal is that legit extensions that people regularly install should not need to ask for dangerous permissions, because a) it teaches the users that it's normal and b) since the extensions can become compromised later and abuse the permissions. Adblockers are probably the most common kind of extension, and are currently granted effectively unlimited access to read and modify every single web page you use. That's fucking scary.
If adblockers (and other classes of legit and common extensions) can be migrated to a safe API, it makes the unrestricted and dangerous API much more manageable since what's left is much less likely to be legit or something people actually care about. For example you can have enhanced review processes, warn users more forcefully about the danger, start limiting the power of the API, implement new safe APIs for some of the remaining use cases, etc.
EFF are smart people. They know what the actual security benefit is, and choose to instead argue against a caricature.
> Adblockers are probably the most common kind of extension, and are currently granted effectively unlimited access to read and modify every single web page you use. That's fucking scary.
How is that scary?
The browser by definition has unlimited access to read and modify (and monitor) anything I do in it.
And I trust gorhill a million times more than any Google employee, past, present or future.
The scary part is gorhill is able to sell or hand over the extension - as he has done in the past - to someone with looser morals and/or goals.
How much do you think NSO Group would pay for this kind of access?
If you ran uBlock Origin, would you like to retire early?
Jbk from the VLC project has a lot of stories about turning down 6, 7 figure payments to bundle malware in VLC. Not everyone has the strong morals and unlimited stamina to withstand that.
Manifest V3 is created to solve a real problem. I have had browser extensions go rogue on me before (Stylish), and i would like it to not happen again. At the same time, uBlock Origin is a hugely important extension for making the web usable for hundreds of millions of people. A compromise must be found that moves their safety out of a single person's hands.
It's a good point. Probably best to build it into the browser and let me add my own lists for it to use. That would be a good move for Firefox, they could have it off by default but it would help to reduce the chance of a compromised extension have too much access.
Another problem is that it's static; my understanding is the extension creator needs to make a new list, get it approved by Google, put it in the repository, and get the user to download the update, before a new ad is blocked. Probably requires a restart of the browser, also.
Not sure if it removes the ability for the user to on-the-fly add any blocking, but I suspect it does.
He sold/handed over 'uBlock'. The new owner was malicious. Gorhill learned from his mistakes, started uBlock origin and decided he'll rather let an extension die than hand it over the next time.
It sounds like you're happy to hand control of your browser away for free. I've been writing code for a few decades, I don't know everything but I don't need someone to decide for me what's too dangerous for me to have access to.
If I was truly insane I'd go the Steve Gibson route and write a completely different browser from scratch. I'm aware it would take the rest of my life (or longer) at this point but the engine options are so few, and the ability to avoid the owners' restrictive BS limited enough, that I'd be happy as a clam to see a whole new reboot.
I'd jump onto even an alpha of that, just to bump numbers out of hope that ANY group could get together and get out from under the advertising trap.
uBlock origin makes the Web safer. End of Story. You cant argue about scammers going after high value targets without mentioned every other popular application out there.
I should not be able to write a JS popup that looks like a browser dialog - that would be a pretty good start to improving security of the platform. Instead they remove the APIs that run the ad-blockers. Then give the MAIN APIs used by scammers/ad networks to deanonymise, track and trick you, free access to your system without your agreement.
Talk about having your cake and eating it too. Its Prohibitionist rhetoric all over again.
> If adblockers (and other classes of legit and common extensions) can be migrated to a safe API
Sure, but Manifest v3, doesn't have such API. It has a very limited API, that can't do a lot of things uBlockOrigin does.
I am not even taking about way too small limit for filtering (30k urls, my current are at 80k+)
I mean in manifest v3 you can't hide various banners or fullpage overlays and similar. That to me is one of the more important parts of what uBlockOrigin does for me.
So at best I will get half of the functionality (that is if google raises the limit)
> EFF are smart people. They know what the actual security benefit is
yes. Chrome with manifest v3 + uBlockOrign (assuming we even get it for v3), is less secure than chrome with manifest v2 + uBlockOrign
EDIT: Almost forgot. You also cannot block, adds on google search, any more.
I, as an end user want to be able to install whatever dangerous software I want, especially as a power user. I understand the potential consequences and I don't want or need the handrails. Options and freedom are good. This is why browsers need to be split off from for profit organizations to be managed by entities that aren't concerned with the fallout if someone installs malicious software.
I don't think this is a great path, though. Extensions like uBlock Origin should not only be available to people like us, who understand the risk of giving extensions more permissions, and would (hypothetically) have to click through some scary warning dialogs or edit config files to allow it. Your average-Joe user probably needs extensions like this even more than we do in order to remain secure on the web.
I agree it shouldn't be available just to people like us. My assumptions here are twofold, one Google doesn't want to deal with fallout from users being harmed in anyway by an extension installed from their ecosystem. It could have real monetary and regulatory impact on them. Two, this benefits their ad business by reducing how thoroughly ads can be blocked.
I think browsers should be moved away from for profit organizations to separate non corporate stewardship. With that you remove the overall susceptibility to fallout and can try to give more freedom over the features a browser has or how deeply extensions can integrate, for everyone. You also obviously remove the immediate monetary incentive to restrict freedoms.
Since you casually mentioned it—why would Google implement a safe API after removing the "dangerous" API that increased their ad sales? Given their recent history, and all.
The browser team could implement the ad blocker itself, instead of relying on third-party code. But even the apparently-best one of those (Brave) has a lousy interface for it.
I honestly think that Google underestimated how much they are going to piss off users with MV3. There are thousands of extensions that will stop working and be impossible to build. But also there will be a lot of broken experiences as remote loading is forbidden and fixes will need a new release.
Can't wait, but that's a very good opportunity for Firefox as Firefox will become more powerful than Chrome
Or more likely, towards Edge, by virtue of requiring almost no effort to deploy the same set of extensions in a very similar browser in the hands of a company who doesn't require destroying privacy as much as google does to keep making money.
Too be honest I don’t think the messages to use edge over chrome are really in the same category as the others. Googles plaster their homepage with a big banner of “hey chrome is so much better than what your using” and did for years.
One of the "benefits" to Microsoft of using Chromium is reduced development costs and they're not going to get that if they let the forks diverge too much.
Right, but 'we don't support this!' would be a great look when most technical people are already strongly opposed to Manifest v3. I'd call it an easy win, but of course they'd have to maintain that and possibly implement / design their own API's when Manifest v4, for example, comes out... so it's definitely not as easy as it may seem.
I'm sure Microsoft wouldn't mind spending more on development if it means market share from Google if Chrome breaks everyone's extensions and they still work on Edge
In the article, Firefox is cited as intending to adopt MV3 for compatibility reasons. If they indeed do so, I'm not sure how much relief running Firefox will offer from the more evil aspects of MV3.
With Firefox's market share, not much. This could massively benefit Firefox adoption, though, because everyone relying on old extensions will have to switch.
From that viewpoint, the new restrictions could actually be a good thing.
At the point when Edge (Chromium) no longer supports proper adblockers, I would instantly stop using it and use Firefox for almost everything. It would be a 100% deal-breaker for me.
Right now, I have Firefox installed but don't use it much, because I don't see a compelling advantage.
They're not really "adopting" it as the way forward. Firefox will be able to use Mv3-type extensions, but the current extension types will continue to work.
The article is hollow but from what I understand the gist of the issue is:
Google is cutting down on the extensions ability to read and modify your web requests on the fly. As a side effect adblocker type extensions need to pass their blacklist patterns to chrome which will enforce it on their behalf. Chrome cites improved privacy because users won't need to give random extensions full read write access to pretty much all their online activities and performance gains because arbitrary adblocking code cannot run anymore and it needs to be in form of a blacklist patterns. Lastly Apple Safari has been doing the same all along.
The opponent arguments (expressed in the article and by many people leaving comments here) are that this kneecaps some AdBlock extensions because they need to run arbitrary code as the declarative API is not flexible enough for them and this is part of Google covert plan to kill adblocking.
I personally agree with the Chrome team's argument here
I can see why Chromium-based browsers such as Vivaldi (non-opensource) are increasingly baking in features of popular extensions into the browser (ad-blocker, dark mode).
First, there's the risk of Chrome Web Store simply not being available to non-Chrome flavours. Next, the extensions APIs and ecosystem could head in any direction Google wants.
I use about 6 extensions, 3 of them self-compiled and sideloaded (JSON Viewer, Dark Reader, Violentmonkey).
I wish services like Pushbullet would open-source their browser extension. Isn't all the secret sauce on the server-side anyway?
I remember the old days when HN users would promote the hell out of chrome. They loved it, couldn't get enough of it.
A few others, including myself, were like... um guys, this browser is created by a company that makes its money from advertising that shows in browsers, do you really think this is going to turn out well?
You may see this as naive, but there was more confidence in Google (and big tech in general) to continue to "do no evil" in those days. I personally have never been upset with my firefox experience after their big re-write a few version back. The only benefits I see with chrome lately are when sites are clearly designed and tested only for Chrome. Not much of a benefit in the grand scheme of things, obviously.
Uh, okay - I was like twelve at the time so I try not to be too hard on myself (or others) for making similar mistakes. I'm not sure which part of my comment gave you the impression that I had not learned my lesson. Did you just feel like being rude to a random stranger? Or do you really think it's productive to go around blaming victims for getting grifted by professional grifters?
When Google Chrome came out, it was fast, reliable, secure, and it was not Internet Explorer. Chrome was what everyone needed back then. The competition was Firefox, which performance was getting slower (before Quantum). The problem was that Google shifted priorities for Chrome (or played the long game) to better support Google/Alphabet's interest.
Tech geeks forgot that pointy nosed bosses exist, y'know, the bad ones that seems to invariably hired for "accounting" reasons.
The google of old might have been OK, but at this point its as tedious to hear that they are "responsibile" as it was to hear that Microsoft Windows was "more customizable" than a mac and therefore somehow better. (I still know a lot of so called geeks that are ms fans for this reason).
A generation of socially unaware engineers got too popular and laid the groundwork for a behemoth that we let get too large...
Don't worry, FAANG still exists and is a major problem, the lesson shouldn't be that we need another player, just that monopolies, or things approaching them like big business, are always bad.
Vivaldi didnt. All they said was they wont remove anything themselves aka it will be removed when it vanishes from Chromium codebase. Vivaldi cant afford to maintain their own fork of v2 code, they barely manage the UI as it is.
"Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks."
Thank you to the author for getting to the point: conflict of interest. Google cannot represent ("protect") users and sell to advertisers at the same time. No amount of blog posts/marketing/propaganda/arguing in forums can change that. Advertisers are paying Google for services, users are not. Google's entire racket has become heavily dependent on these conflicts. Google believes it must gain/preserve "user trust". Google wants users to believe it is on their side. That is what con arists must do.
Remember when other browsers announced they would not adopt FLoC. Websites also announced they would disable it as a courtesy for users through use of the Permissions-Policy response header.
DevTools still warns this is an "unrecognised feature". Does interest-cohort=() even work. Perhaps it does but in some jurisdictions FLoC is enabled by default in Chrome. The user has to manually disable it. Assuming the user evens knows what it is.
But really, how much can anyone rely on something like this. Users have no meaningful control over this browser. It is changing all the time, and "features" are tested on different groups of users, without ensuring their informed consent. Sure, a user extension may work now, but whether it works in the future is not within the user's control and, most importantly, Google's interests and the user's interests are almost certain to conflict.
"Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites."
I have learned to enjoy blocking Google's incessant attempts to phone home. Google is curiously obsessed with TLS, so substituting a self-signed certificate for Google websites can actually be one of several ways to stop these connections, letting them fail at the proxy. It seems Google really does not want users to see what data Chrome is trying to send to Google. I wonder why.
Someone recently showed me an interstitial page they got while logging into Gmail, asking for their date of birth. It was very deceptive. It asked the user to "help us comply with the law" or some such. Of course, it was optional (the cookie had already been sent and the user was already logged in, unbeknowst to her) but there was no indication to that end. It appeared to be mandatory. The user was led to believe she could not proceed without entering a date of birth.
A company with millions in cash reserves behaves like con artist who cannot get a real job. It is impossible for me to take this seriously as business. A massive con. Yes. An honest business. No.
While I don't want to give Google PR tips here... There is a much smarter way for Google to achieve their aim...
Make the new manifest optional.
Point out that malicious extensions keep using the old manifest (which is more powerful and allows far more evil things).
Allow web developers to set a "disallow less secure extensions" http header. That allows banks and stuff to ensure an insecure old-manifest chrome extension isn't redirecting all your funds to North Korea while you do online banking.
Before long, ad networks will realise that setting this header nerfs adblockers too.
Most of the web will set the header to get more ad revenue.
In the press, it will be the evil people misusing the secure header rather then Google's fault.
The article is not exactly well written. I don't really follow web developments anymore because the web, well, sucks; So, after reading, I'm still not even sure what "manifest v3" is about and why I should care.
I know websites track me. I know I get tons of ads. I know websites popup questions about cookies. I know they play videos that follow me around when I scroll. I know sometime in the past that shit would've been under my control. But I suppose I have rose-colored glasses on and that's just the way it is. After all, I remember blink tags.
It's for Browser extensions. Chrome extensions (and also Firefox and Safari). a fail called the "Manifest" that tells Chrome and the extension about the extension and contains all it's permission requests. Eg: "This extensions wants to modify all webpages", which is what ad blockers need to do.
Going forward extensions in the Chrome Web store will have to use Manifest v3. Which has less capabilities than previous version. Which will stop ad blockers working.
tl;dr. Ad blockers will not longer be possible in Chrome.
> tl;dr. Ad blockers will not longer be possible in Chrome.
This is not completely true. Ad blockers like uBlock Origin that allow specific elements to be picked and blocked wouldn’t be allowed. All the requests (like ads) to be blocked would have to be declared in a list (like Safari Content Blockers, and presumably have a limit on the number of rules). The actual blocking will be done by the browser without the extension knowing which rules were applied to which pages.
tl;dr Extensions with embedded spyware will no longer be able to record all of your web use. Malicious ones that steal credentials will be more easily identified. These types of extensions are installed far, far more than ad blockers.
Off the three, brave seems the least worse one in terms of telemetry and the best in terms of respecting it's users' wishes. All are considered spyware by that site.
no, false, brave remains problematic, Firefox is the only one with more more privacy potential. With Firefox the user has much more freedom to modify important settings, while Brave remains spyware.
To anyone saying "just use Firefox", I would think again. I think Firefox is (marginally) better than Chrome, but they are also pulling some of the same bullshit:
apparently you didnt bother you read my comments on the linked issue, as well as the multiple issues I linked to it, including one that I opened myself [1]. My own issue was closed as wont fix.
To be fair, Firefox is the most popular of the 3-4 browsers that lets you install addons on Android. So the fact that the process is convoluted and tedious is less important - at least there's a process.
Previously extensions could be background pages, with access to DOM & Web Platform apis. MV3 currently reduces them to Service Workers, able to use far far far less capabilities. This is a massive massive downgrade for Extensions, unfathomable really. A Mozillaian proposed a less limited Limited Events Page but Google has snubbed it & not discussed. https://github.com/w3c/webextensions/issues/134
Extensions are forced to use a small subset of JavaScript with no dynamic code execution. Eval() is banned. Function is banned. Embedding a scripting language inside JavaScript to circumvent this is banned. This is a mere ghost of JavaScript left over. Google claims it's to make it easier for them to insure extensions are safe & protect users, but just as much, to me, this is to protect Google from capable & competent extensions allowing users to expand their agency: now extensions have to be narrow, fixed use, specific extensions. Tools like GreaseMonkey are all dead. The web becomes no where near the hackable medium it is, all for a little convenience for Google. https://github.com/w3c/webextensions/issues/72https://github.com/w3c/webextensions/issues/139
A lot has been said & discussed about MV3's declarativeNetRequest; this is where the visible war has raged in MV3 for a while now. I'm not a huge fan but it's also one of the more minor side-shows in this debate, to me. High impact on ad-blocking, but ultimately there's enough compromise & wiggle room here, enough possibility to make this not awful, and if things are left truly bad, there will be enormous hell to pay & this will blow up. DeclarativeNetRequest feels like a side show to how much real ruin & savagery is being wreaked by the first two issues I outlined, being wreaked upon the most powerful & interesting & defining software humanity has, that we augment ourselves with as we do software: our user agent extensions.
I generally find Google to be quite a good steward for the web & am so happy they advance so many different initiatives & capabilities. But this is something that is extremely near & dear to me. The web is different & better than all other software, to me, because it is malleable, because the user-agent gives us power. MV3 is a radical curtailing of us the users. A radical shift towards a web that we have to simply accept, as is, that we cannot bend & shape as we want. Everything happening here feels abhorrent & disgraceful.
The process also feels totally goofy. Google is simply flipping the switch next month. They built what they wanted to as a new spec, debated some about feedback, leave comments that oh yeah, we maybe do need to do something about GreaseMonkey, maybe we do need to fix some of the missing use cases, but we're going ahead with Apocalypse Now anyways. This is the most hostile use of standardizing to destroy that I have ever witnessed.
If Google is having such a hard time hosting extensions as is, they need to stop. They need to close the Google Chrome Web Store for Extensions & stop trying to moderate it. Create a 3rd party store model, let other people serve as the agents of trust. They absolutely positively cannot be allowed to come along & standardize a much much much lower powered form of extension than what we've had, purely because they've had such a (sad fiddle) hard time running an extension store. Their justifications & pleading that these amputations to us are for our own good ring so very very false to me. Google needs to give up being a regulator of this power if it's too much for them.
As for FloC, still trying to understand FloC's implications & make a position on it. Hearing it proposed, it sounds enormously stupid, but I'm not convinced it's in fact bad. Part of me even thinks it indeed sounds like a significant privacy win over where we are.
Rather than discuss FloC though I'm wondering what other efforts you would malign.
Have background pages ever had access to DOM? Usually all interaction with an observed tab is done through content scripts not background pages. Same goes for evaling JS code within the context of the inspected window.
By DOM access I assume they mean that since background pages are pages, you can do things like use IMG and SCRIPT tags to load resources, and perhaps a CANVAS to rasterize images that you then serve to pages via an extension URL or something. I've done stuff like that before so I can imagine there being use cases for it, but it's kind of niche.
I'd like to see the Firefox DevTools turned into an official user-controlled adblock system for Firefox. It has pretty much all the things you would need; control over the requests, control over the responses, control over presentation, control over JavaScript flow etc.
I've been using Chrome for such a long time now (since like a year after it launched), out of convenience and because it used to be fast (and more secure). It's definitely time to switch.
I think my main alternatives are Brave, Vivaldi and Firefox.
You realize Firefox only exists because it serves Google's interests right?
And while Brave might be based on Chromium, it is distinct; in addition to not crippling nativewebrequest as chrome will, it's native adblocker is compatible with the same lists as ublock origin. So I would go with Brave :)
> You realize Firefox only exists because it serves Google's interests right?
Ironically, though, the larger Firefox's market share, the more Google will pay to be the default search engine in Firefox. Yes, it's perverse and a little gross that we depend on Google to such a large degree to keep Mozilla and Firefox funded, but having more users increases Mozilla's leverage over Google.
Anyway, your point isn't really relevant. Unless you believe Google is dictating nefarious things to Mozilla and has subverted Firefox (difficult since Firefox is open source, but not impossible), you should still be using Firefox. If you care about not continuing to give a giant, monopolistic advertising company control over the web, anyway.
What will Brave, Vivaldi, etc, do when Google makes some change that breaks the current APIs? Do they have the resources and are willing to continue to support them?
Brave's long-term problem is that Google can set the cost of Brave's ongoing maintenance to whatever they want. In the 90s Microsoft called this "keeping the competition on a treadmill".
If Google is not able to control ad-blocking because all the Chromium clones refuse to play ball, what do you think they will do? I have no idea. Maybe just close Chromium entirely, and force all the clones to shut down since there's no way they have the engineering resources to keep up with Google.
EDIT: Except for MSFT... that would be interesting for sure.
Well I like both Brendan and Jon, and I actively dislike Baker's leadership of Mozilla. However, Mozilla seems to have the highest investment level into the their desktop browser. I'll test Brave first.
Semi-related question: Does anyone have a workflow for version pinning Chrome extensions? GSuite Admin lets you allowlist extensions, but I haven't seen a way to fix an extension to a trusted version.
In both Chrome and Firefox for Linux, you can create and maintain a package for your system-wide package manager that wraps your extension at whatever version you like.
If Chrome can kill uBlock and use its dominance to do user-hostile stuff, and Firefox goes along "in the interest of cross-browser compatibility", then what the hell's the point of Firefox in the first place?
I needed them to do that so I could watch Netflix. Debate it all you want, but it made my life measurably better and I'm glad they did it. This would only negatively effect me (and everyone else).
DRM doesn't limit anything for the user except for some video content. The day DRM prevents doing things to requests and such, like Manifext v3 does, then I will care. Right now, I'm happy to be able to watch One Punch Man on my laptop.
I'd guess even if Firefox did keep extensions unrestricted then slowly they would die away - given how much smaller the user base will be. We need some new power to emerge in this space.
If Firefox keeps full extension capability, as a superset of Chrome's gimped implementation, then extension developers can decide how they want to handle the incompatibility.
I don't really get how the extension ecosystem works anyway -- extension developers are usually just sharing something they use to be helpful/make a point, and then some tack on donations thing, right? Since nobody is doing this to get rich I suspect they won't chase marketshare.
There is surely a bias between users of extensions of uBlock Origin and users of Firefox. The userbase is still smaller, but maybe not enough to completely throw away development.
> We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR as currently implemented by Chrome does not yet meet the needs of extension developers.
It would certainly be interesting they implemented blocking webRequest (just to keep compatibility with Chrome) and then added a Firefox-specific API for blocking web requests.
Are you sure you don't want to hard code the original "uBlock" instead of the "Origin" fork while you are at it? It already had a perfectly fine hostile takeover in the past, no need to wait for a new one.
Firefox has already been forked multiple times because of decisions from Mozilla, see [Pale Moon](https://www.palemoon.org/) or [Waterfox](https://www.waterfox.net/). Few people use those forks, for the simple reason that what has been removed from Firefox is not game-changing enough to mandate an exodus. However I agree that removing support for uBlock Origin will surely be another story.
> Few people use those forks, for the simple reason that what has been removed from Firefox is not game-changing enough to mandate an exodus.
This is not the reason for me at least to not use it as my main browser.
I recently tested and the speed is good and it is absolutely wonderful to have true full fledged extensions and complete themes.
My reason is that I'm worried if their security is good enough. If we could somehow be sure about that I'd actually happily leave modern Firefox behind for it.
Personally I'm hoping for someone to create a patch set and bulld binaries based on it to re-enable the old stuff, not by letting extensions muck around in the internals but by providing defined extensions points like:
Back to IRC DCC style sharing and distributed computing with VPN
No need to follow the money to do interesting engineering and computing. Interesting is subjective and wrapping a white paper in the cruft to host it as a service in the cloud isn’t interesting engineering
Part of me wonders if the chip shortage is real or just a way to hide big corp hoovering them up for DC hosted services.
As long as those extensions don't fetch and execute any JavaScript that hasn't been bundled at the time of Chrome store submission, they'll be fine. The biggest change happens at the API for monitoring and managing web requests.
Not even close to a replacement for the type of active, context-aware evaluation uBlock can do.
Additionally, if a solution like Pi-hole was ever sufficiently mainstream, more sites would start serving their ads from the same hostname as the page. It's not difficult to do with the CDN providers most media sites already use.
Yes. Next you'll have to MiTM the DNS over HTTPS. Next in the arms race comes certificate-pinning. Controlling your name resolution will probably remain possible on Linux, but I expect most other platforms will make it exceedingly difficult for "normal" users.
Embedded devices are already "game over". You don't own them (even if you paid for them).
Controlling name resolution on your own network (and MiTM'ing HTTPS) makes you the same as a hostile nation-state actor. We can't have that.
> Embedded devices are already "game over". You don't own them (even if you paid for them).
Ugh, seriously. I have a Chromecast, and couldn't figure out why it wouldn't play things on my local network (via DNS names set up in my router's resolver). Turns out Google hard-codes their own DNS servers and doesn't allow you to change them.
The fix was to give the Chromecast a reserved IP address, and then set up some iptables rules on the router to redirect requests from it to 8.8.8.8 and 8.8.4.4 on port 53 to my router. I'm surprised that Chromecast is using old-school port-53 DNS and not DoH.
HTTPS no, because you're still making regular old DNS queries for every domain, but DNS over HTTPS or stuff like Chromecasts using hardcoded DNS servers do effectively negate Pi-Hole.
It will be interesting what Microsoft will do, at first glance they don't care about advertisement and allowing ad-block would bring a lot of users to their ecosystem. (they already have soft adblock out of the box)
That probably because their operating system is infested with advertisements and data exfiltration mechanisms. Why would they need the browser to do it too?
Firefox is supporting Manifest v3 extensions however they are not imposing every limitation Chrome is on them and they are continuing to support features outside the scope of v3 like blocking webrequest.
A lot of the changes in v3 are actually pretty sensible, it's just 10% of the stuff shoehorned in creating 90% of the friction.
Web Extensions have never had a spec before. So of course Google is taking the initiative to aggressively re-define & cut down what an extension is, at the exact moment they try to turn it into a cross-browser standard.
Firefox will make it possible to upload manifest V3 extensions to their store (eventually). It's a good thing because it makes it easier to make an extension that works unmodified for both.
Chrome is additionally planning to remove support for manifest V2 as well, Firefox can't start to do this because they don't support V3 in their store yet.
Yep. But note that MV3 is a lot more powerful than Safari's adblocking capabilities. It's still declarative, but supports dynamic rules, header modification, etc.
I'm super impressed with Google's attention to Hacker News and getting their shills to come in and muddy the waters and refute. At least one guy admitted he's working for the man...
They're boiling the frog. It will get gradually more inconvenient, but still kind of viable, until the day they pull the plug entirely. The day that happens, Firefox is likely no longer a viable option and it is too late. If you care about the open Internet, the entire point of switching is to do it before it's too late. The writing has been on the wall for years now.
One option is to just move away from browsers entirely. We can take some of the good things. Like maybe a small subset of HTML and web assembly. Add some minimal IO to web assembly.
A website being rendered by opaque, per-site web-assembly code, is not going to be amenable to uBlock, Greasemonkey or any other user-empowering extensions.
In this theoretical world you would generally not authorize any code (nor could any run by default) if you were just trying to view a web page. The HTML subset would be used for displaying information.
If Google actually gave a crap about security, they would let you disable extensions. As it is, I have to routinely delete malicious extensions from every family member's Chromebook. Lord knows how they get there, but they always do. Since this new standard still lets extensions observe everything, I don't see what the point is.
I'm just not smart enough to figure that out. That first answer references steps that don't exist on any Chromebook I've ever seen. So I assume I have to enroll the machine in a group policy externally? I have no idea. Never been able to figure it out. I usually just end up installing an extension (oh, the irony) that blocks the extensions domain. :/
In most cases, you can get group policies like these to work if you manually create the registry keys that GPO would create for you. It's more complicated, but it can work.
You can only signed addons these days, so they must be sourced or at least signed by Google. Especially on Chromebooks which are more restrictive in the software they run.
My guess would be that your family members got social engineered into installing that crap ("this web page only works with X, click here to install"), ort their browsers got exploited and hacked (very unlikely!). You'll probably need full MDM to prevent these websites from getting their users to enable extensions.
The problem with disabling extensions is that whatever has the capability of pushing extensions into your browser also has the ability to change the settings for addons. The only solution I can think of is to create a Chromium build that cannot run extensions at all.
Remindes me one time one time a old person I sometimes help out got social engineered to enable desktop notifications for a website.
And as a non windows user it took me a while to realize that this notifications come from the browser as desktop notifications and disable them. Its still a riddle for me how chrome managed to make it both very obvious and very unclear at the same time that this are websites desktop notifications. (As a counter example I used some sites which used desktop notifications on FF/Andriod instead of making a app just because notifications, that I loved)
This post carries a lot of water for user-hating user-blaming anti-extensions.
I'm sorry that your family are... having such a hard time making reasonable choices for themselves. I have literally never seen this anywhere, or heard any coworker ever report their family rampantly adding shitty extensions. I tend to see pretty clear & obvious signals about what extensions are good & ok when I go to consume. Bad extensions seem to be discovered fairly quickly & taken down. I'm trying to imagine how folks even get to the Chrome Web Store in the first place if they have no idea what they are doing. The world to me seems no where near as grimdark as you project.
Alas I think it requires a paid Google Enterprise account, but your family sounds like their need external management of their browsers. That they should, like a school computer, have an administrator & a denylist or perhaps even allowlist of what extensions they can use.
This post spreads so much Fear Uncertainty and Doubt. Trying to justifying ending a good thing because some creative user keeps finding a way to misuse, to not listen to sense, to not make good judgement... I find it unfortunate that such heavy fearmongering, such terror at the world is allowed to sway us so heavily.
Ultimately I want 3rd party sites hosting extensions. Not Google. And I want moderation teams able to surface claims that some extensions are bad. We need more choice, more democracy, more ability to help each other. Sunlight is the best disinfectant. Simply giving in to the bed-wetting terror of, oh no, freedom & denying ourselves user-agency is intellectual suicide for the web.
This wouldn't happen with proper adblockers. Also, if a user or a malicious script has permission to install extensions, I assume it would also have permission to toggle "enable extensions" setting.
I very very quickly edited my words but thanks for sharing. Got flagged anyhow. I'm still absolutely mystified to hear about such huge sorry sad sappy stupid problems occuring with blitzing regularity. I cannot imagine how your people discover trouble so readily.
It doesn't sound like you think your family is at all educateable in any way, you seem to think this is a horrible lost cause & that we must withdraw power & good for the world to protect your vulnerable unfortunate hapless brood. That's how defenseless your post makes your people sound, that's the impression you're giving off. And you're using that as a weapon against the world, against good, against freedom, against capabilities. This is extremely menacing a position you've made, using your own family's purported victimization a weapon against good.
I'm absolutely mystified to hear about such huge sorry sad sappy stupid problems occuring with blitzing regularity in your tribe. I cannot imagine how your people discover trouble so readily.
It doesn't sound like you think your family is at all educateable in any way, you seem to think this is a horrible lost cause & that we must withdraw power & good for the world to protect your vulnerable unfortunate tribe. You're using that as a weapon against the world, against good, against freedom, against capabilities.
This is extremely menacing a position you've made, using your own family's purported victimization a weapon against good.
I did this as a technology demo, to demonstrate automated site background checking. The concept that you have to have a business address to sell online is almost archaic now, even though it's the law in the EU and California. So, today often the system often can't tie a web site to business records.
The concept of "legitimate business" is dead.