It keeps amazing me how these Manifest V2 vs. V3 discussions, fail to address the elephant in the room: intercept and modify network requests.
Do you want your web browser — that you may be using to access your banking account, or your shopping account, or an internet, or any sort of private content you want to keep secure — to allow every extension you install, forever and ever, to “intercept and modify network requests”… even if it initially didn’t, but then over time the developer, or whoever the developer might sell it to (see AdBlock and uBlock), might decide to “intercept and modify network requests”, for any reason they want, without any warning?
What is so wrong with the browser ASKING THE USER before denying/granting that permission to random extensions?
And how about having the browser let the user decide whether an extension is allowed to do that, on a per-website basis? I know, you can tell uBlock Origin to ignore a website… and “trust me, bro”? How about the browser enforced that instead?
The point is that under offering users the ability to have all network requests altered is not secure. The user needs to authorize it and there are valid reasons to do so, but there are also bad actors, that will misuse that. I am pretty security conscious, but I can’t tell you which extensions have which permissions on which devices I use, between Firefox, chrome, safari on windows 10,11, android, iOS and opensuse. Placing all the responsibility on the user just removes it from where it should be, which is privacy focused code.
Is that what manifest v3 does though? Ask the user? I haven’t paid a lot of attention but thus far my overall impression has been that they are simply going to forbid a lot of useful things wholesale. Things that ad blockers need to function.
No, neither does. V2 browsers show a generic warning on first install, V3 removes the API. Google argues that it’s a security issue… and yes, it is. Their solution though, is some kneejerk BS. Mozilla argues that it’s a user’s right to privacy to block ads and trackers… and yes, I agree. They don’t address the security part, though! So it’s an “all or nothing” choice, which is silly.
Ad blockers can still work on V3… not as thoroughly and not as pretty, but more secure. It’s a nonsense trade-off, when both issues could be addressed by giving users more control.
It looks like neither Google nor Mozilla want to put in the work or take on the responsibility, while ad blocker developers are simply cheering for the less secure option… which makes me uneasy.
I actually haven’t used an ad blocker in a very long time. I block third-party cookies and trackers, and disturbingly that seems to prevent almost all advertising from working. In fact I frequently get told by sites to turn off my ad blocker, which is impossible since there’s nothing to turn off.
My bigger problem is that these browsers have no good built-in way to clean out the “IndexedDB”, “Service Worker”, “File System” and “Local Storage” directories in my profile. They are essentially frankenstein cookies without expiration date so they keep accumulating. I use the “Cookie AutoDelete” extension for cleaning them up, but it looks like that will stop working with Manifest V3. Once that happens I’m switching back to Firefox or some other browser that gives me enough control to avoid being tracked, and to save 10+ GB of disk space.
IndexedDB et al, can be cleared from the devtools, I think should be cleaned when removing browsing data, or can be deleted directly through the OS. “Cookie AutoDelete” should still work with V3, but it may need some updates, and it seem like it hasn’t been updated since 2022.
It keeps amazing me how these Manifest V2 vs. V3 discussions, fail to address the elephant in the room: intercept and modify network requests.
Do you want your web browser — that you may be using to access your banking account, or your shopping account, or an internet, or any sort of private content you want to keep secure — to allow every extension you install, forever and ever, to “intercept and modify network requests”… even if it initially didn’t, but then over time the developer, or whoever the developer might sell it to (see AdBlock and uBlock), might decide to “intercept and modify network requests”, for any reason they want, without any warning?
What is so wrong with the browser ASKING THE USER before denying/granting that permission to random extensions?
And how about having the browser let the user decide whether an extension is allowed to do that, on a per-website basis? I know, you can tell uBlock Origin to ignore a website… and “trust me, bro”? How about the browser enforced that instead?
Nice FUD you got there.
Firefox does ask the user for this permission
uBlock Origin is open source and can be freely audited by everyone. https://github.com/gorhill/uBlock
Does anyone check that updated versions pushed to the extension store, match the available source, and have no extra “features” included?
uBlock (not Origin) was also open source, then it got sold to AdBlock, which also had been sold, to a company that charges advertisers to bypass it.
uBO is in Firefox’ “recommended add-ons” list which are reviewed after every update.
You can check their criteria here:
https://support.mozilla.org/en-US/kb/recommended-extensions-program
Yes, but other extensions are not and can access the same permissions. They can even steal the unlock origin source code to do so.
They could but only after you installed them and explicitly gave them the permission to do so. i don’t get your point.
The point is that under offering users the ability to have all network requests altered is not secure. The user needs to authorize it and there are valid reasons to do so, but there are also bad actors, that will misuse that. I am pretty security conscious, but I can’t tell you which extensions have which permissions on which devices I use, between Firefox, chrome, safari on windows 10,11, android, iOS and opensuse. Placing all the responsibility on the user just removes it from where it should be, which is privacy focused code.
Is that what manifest v3 does though? Ask the user? I haven’t paid a lot of attention but thus far my overall impression has been that they are simply going to forbid a lot of useful things wholesale. Things that ad blockers need to function.
No, neither does. V2 browsers show a generic warning on first install, V3 removes the API. Google argues that it’s a security issue… and yes, it is. Their solution though, is some kneejerk BS. Mozilla argues that it’s a user’s right to privacy to block ads and trackers… and yes, I agree. They don’t address the security part, though! So it’s an “all or nothing” choice, which is silly.
Ad blockers can still work on V3… not as thoroughly and not as pretty, but more secure. It’s a nonsense trade-off, when both issues could be addressed by giving users more control.
It looks like neither Google nor Mozilla want to put in the work or take on the responsibility, while ad blocker developers are simply cheering for the less secure option… which makes me uneasy.
I actually haven’t used an ad blocker in a very long time. I block third-party cookies and trackers, and disturbingly that seems to prevent almost all advertising from working. In fact I frequently get told by sites to turn off my ad blocker, which is impossible since there’s nothing to turn off.
My bigger problem is that these browsers have no good built-in way to clean out the “IndexedDB”, “Service Worker”, “File System” and “Local Storage” directories in my profile. They are essentially frankenstein cookies without expiration date so they keep accumulating. I use the “Cookie AutoDelete” extension for cleaning them up, but it looks like that will stop working with Manifest V3. Once that happens I’m switching back to Firefox or some other browser that gives me enough control to avoid being tracked, and to save 10+ GB of disk space.
IndexedDB et al, can be cleared from the devtools, I think should be cleaned when removing browsing data, or can be deleted directly through the OS. “Cookie AutoDelete” should still work with V3, but it may need some updates, and it seem like it hasn’t been updated since 2022.
V3 blocks it