Browser Add-on Google’s Manifest V3 Still Hurts Privacy, Security, and Innovation

SpiderWeb

Level 9
Verified
Well-known
Aug 21, 2020
446
What I have seen of young people confirms with what @Nightwalker is posting. Younger generation accepts that advertising is a constant background noise. I don't have the source at hand anymore, but I have read a study on the correlation between the length and frequency of the advertising intervals corresponding with the the attention span (time) of kids at (high)school. Another observation study confirmed that youngsters pick up their phone and start to socialize digitally during TV advertising. They seem to accept and understand that advertising funds the 'free' internet services they are using (valid point made by @blackice and @oldschool).

The irony of advertising is that when everyone is shouting for attention, people tend to give less attention and are harder to reach. Brave's own advertising (from which people can still can opt out) has a 4 times higher click through rate than market average (that is an incredible 400% higher response).

So despite Google's big-data and user-tracking we will see more alternative advertising vehicles (Brave, Vivaldi, Opera) in future with a better timed and dosed advertising frequency to prevent people like @Digmor Crusher and @SpiderWeb doing everything they can to prevent ads to reach them.

Also economic-political forces like the EU privacy laws, China's internet wall and territory claims and Russia's geo-political USSR revival will eventually split the internet into different digital worlds.
You are absolutely right about that. The new generation is different from ours. Our generation rejects all forms of ads out of principle, almost for ideological reasons to maintain privacy. This new generation doesn't mind interactive brands and alternative advertising, they feed into it ironically and unironically, a generation starved of attention will turn to anyone who does pay attention to them and companies capitalize on that. They are aware of the massive army of parody and fan accounts on social media and they know those people wouldn't mind getting a paycheck. There has been a seismic shift towards powerful subliminal advertising like Brave or Apple promising privacy in one domain while also selling it away in another.
 

Arequire

Level 28
Verified
Top poster
Content Creator
Feb 10, 2017
1,730
Morally my personal feeling is that it doesn’t have to be illegal. You are taking something without paying for it, which is why there are so many pay walls now. People aren’t going to work for free when the ad revenue dries up. This is why sites have been dropping dead for years. You can use a different term than pirating, but the end result is you consume content without compensating the creator. I really would like some sort of middle ground, but I fear we’ve blown right past it. Ads are terrible and nobody wants to see them, including me. But, I don’t feel I’m owed the fruits of someone else’s labor just because there’s no legally binding contract. That’s just my personal conviction.
I agree that something doesn't have to be illegal to be morally objectional, but like you said morality is personal; it's subjective, which is the problem with using it as the basis of any argument.
If you look at this post I made back in 2017, you'll see that, at the time, I chose to use Privacy Badger because it automatically unblocked ad networks that honoured Do Not Track, and that I felt uncomfortable blocking networks that did the right thing. I also said that I believe publishers deserve compensation for their work, and I still hold these views today but in a significantly diminished state, because the publishers were never really the problem, the advertising industry was, and in the 5 years since I made that post, that same multibillion dollar industry has done little to nothing to address the problems I outlined in that post. So while I do still feel bad about depriving publishers of compensation, that bad feeling is mostly gone when I think about how the industry propping up those publishers continues to exploit and facilitate genuine harm towards consumers, and then rages at them when they choose to engage in the only defence they have against it: Blocking ads.

I really would like some sort of middle ground
I would too but who decides what a middle ground looks like? Eyeo (Adblock Plus's developer) claims its Acceptable Ads program is the ideal middle ground; allowing ads to be delivered and publishers to profit off them, but forcing them to adhere to strict placement and sizing guidelines, and according to Eyeo the majority of their userbase agrees. But once again subjectivity raises its head, because ads being annoying is the least of my (and probably a lot of other people) problems with them. The ads under the AAs program still engage in data collection, and they still act as a vector for malware delivery.

Ultimately I believe the entire industry needs reforming, but it's not going to do so voluntarily and lawmakers have proven they're only willing to impose meager adjustments on it. So what we have is what we're stuck with, and publishers will sadly continue to be caught in the crossfire.

(Man, imagine being able to engage in political discussion like this, instead of all sides just screaming obscenities at each other ad-infinitum. Sigh.)
 
Last edited:

silversurfer

Level 85
Verified
Honorary Member
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
8,096
L

Local Host

Driving GorHill out of business is Google's dream but they can't because he works on uBO as a hobby. The truth is the API that uBO is using is perfectly compatible with Manifest V3. But Google Chrome only allows enterprises to utilize that API. Imagine if someone said that only corporations are allowed to use firewalls, consumers must allow all traffic in and out. This is how completely bonkers Google has become. Chromium will deface the Internet and the question is, will people migrate to Firefox fast enough to provide balance like they did in the 2000s? If Mozilla goes bankrupt, we're all screwed.
I honestly couldn't care less about GorHill, he is an attention seeker. Adguard is already working on a new engine that supports Manifest V3, so is not going anywhere for anyone looking for an AdBlocker extension on Chrome.

The time GorHill spends whining would be better used converting his extension to V3, but I assume he lacks the knownledge to do so, and that is fine, his competition is already working on it with positive results (and I don't mean only AdGuard).

Fact is even Firefox is going to implement V3 eventually, and despite the current stability issues, there is no denying V3 is safer than V2 (extensions have to much control over the browser with V2, is a malware haven).
BTW, since most people here don't seem to use facebook I should let them know that it's impossible to block facebook video ads. The host/urls that facebook use to serve normal video and video ads are identical. So it's not possible for filter maintainers to differentiate them. Fanboy couldn't do it, Adguard couldn't either. I even sent Alex of Adguard my browser's HAR log file, but that didn't help. So if Google wants, they can implement such things in the future, making it even harder for us to block ads. But they have not yet. I'm not taking Google's side here, but thankfully this Manifest V3 is at least better than what facebook does.
Google used the same tech on YouTube videos, and is true for a while AdGuard failed to block both, but currently AdGuard can block both YouTube and Facebook ads with no problems, as long as you have AdGuard Extra enabled (which is by default) on the Desktop APP.
A problem with the piracy analogy is that by pirating a movie, you are directly violating legally binding property rights placed on that movie. It's a clear breach of the law.
Publishers don't have the same legal standing. No one signed a contract with them agreeing to view ads in exchange for accessing the content on their website. And while publishers argue that there's an unwritten agreement between them and visitors to their site, and that viewing ads is the price users must pay for accessing their content, their argument collapses when you think about the fact that their unwritten agreement would also have to extend to the myriad of—mostly invisible—third parties present on most websites nowadays.
Is not illegal to download pirated content in most countries, is only illegal to redistribute, plus you never run into malware if you get the content from the right sources (scene releases), the whole malware thing is a scare campaign from the copyright holders to keep you away.
 
Last edited:

SeriousHoax

Level 43
Verified
Top poster
Well-known
Mar 16, 2019
3,244
Google used the same tech on YouTube videos, and is true for a while AdGuard failed to block both, but currently AdGuard can block both YouTube and Facebook ads with no problems, as long as you have AdGuard Extra enabled (which is by default) on the Desktop APP.
Maybe it was possible before, but at the moment Adguard has no solution to this. As I said, I talked to Alex from Adguard, more precisely GitHub user Alex-302 with whom I had a conversation on Telegram. I saw fanboy also said the same thing about facebook video ads on the EasyList forum.
Is not illegal to download pirated content in most countries, is only illegal to redistribute, plus you never run into malware if you get the content from the right sources (scene releases), the whole malware thing is a scare campaign from the copyright holders to keep you away.
I agree with this.
 

plat

Level 28
Verified
Top poster
Well-known
Sep 13, 2018
1,692
The time GorHill spends whining would be better used converting his extension to V3, but I assume he lacks the knownledge to do so, and that is fine, his competition is already working on it with positive results (and I don't mean only AdGuard).

Wow, don't you think that's a little harsh there? I can't think of any other program that improved my quality of life online more than uBlock Origin. You pay for many things to improve the quality of yourr "real" life:--you pay for that. uBlock Origin has always been free.

If I'm ever compelled to get another content blocker for whatever reason, fine. It's important to where i'd pay for that. But I'll always be grateful to Mr. Hill for his excellent and free program.
 
L

Local Host

Wow, don't you think that's a little harsh there? I can't think of any other program that improved my quality of life online more than uBlock Origin. You pay for many things to improve the quality of yourr "real" life:--you pay for that. uBlock Origin has always been free.

If I'm ever compelled to get another content blocker for whatever reason, fine. It's important to where i'd pay for that. But I'll always be grateful to Mr. Hill for his excellent and free program.
I have nothing to thank GorHill for, uBlock is a fork from two other projects, he pretty much dropped the original uBlock and threw the responsability on top of someone else.

Later he regrets it, forks his own project and discredits everyone that tried to help him with the original project.

Plus there is no denying he currently just seeking attention, we all already heard his concerns about the V3 Manifest ages ago.

He either mans up and starts working on uBlock Origin to support V3, or you guys can start looking for alternatives, sooner rather than later, cause even Firefox is going to enforce V3 eventually.

As stated the competition is already working on it, instead of complaining it about it monthly.
 
  • Like
Reactions: Nevi and Sorrento

oldschool

Level 70
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,997

gorhill commented yesterday •​

edited​

There is also the issue of denyallow filter option, not supported by the declarativeNetRequest API.
There has been changes in the DNR API, and new conditions have been added which I think will allow to implement denyallow:
  • excludedRequestDomains
  • requestDomains
excludedRequestDomains= should be usable directly as a replacement of denyallow=:
The rule will not match network requests when the domains matches one from the list of excludedDomains [sic].
Chrome extension manifest v3 proposal · Issue #338 · uBlockOrigin/uBlock-issues
 
Last edited:

oldschool

Level 70
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,997
The clock is ticking. Which popular extensions will be ready?
 

silversurfer

Level 85
Verified
Honorary Member
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
8,096
For compatibility reasons, Mozilla will still use most of the Manifest V3 spec in Firefox so that extensions can be ported over from Chrome with minimal changes. But, crucially, Firefox will continue to support blocking through Web Request after Google phases it out, enabling the most sophisticated anti-tracking ad blockers to function as normal.

In justifying that decision, Mozilla has been clear in recognizing that privacy is a core value for people who use its products, as chief security officer Marshall Erwin told The Verge.
“We know content blocking is important to Firefox users and want to ensure they have access to the best privacy tools available,” Erwin said. “In Firefox we block tracking by default but still allow advertisements to load in the browser. If users want to take the additional step to block ads entirely, we think it is important to enable them to do so.”

As for Google’s claims about the security benefits of its MV3 changes, Erwin said that immediate security gains from preventing Web Request blocking were “not obvious” — especially since other non-blocking features of Web Request had been kept — and didn’t seem to make significant reductions in the likelihood of data leakage.

Regardless, Google seems to be holding course. Despite the flurry of criticism from ad blocker developers, Google spokesperson Scott Westover told The Verge that the company did support blocking and only intended to limit the type of data certain extensions could collect.
“We’re happy to see Mozilla supporting Manifest V3, which is intended to make extensions safer for everyone,” Westover said. “Chrome supports and will continue to support ad blockers. We are changing how network request blocking works because we are making foundational changes to how extensions work in order to improve the security and privacy characteristics of our extensions platform.”
 

oldschool

Level 70
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,997
“We’re happy to see Mozilla supporting Manifest V3, which is intended to make extensions safer for everyone,” Westover said. “Chrome supports and will continue to support ad blockers. We are changing how network request blocking works because we are making foundational changes to how extensions work in order to improve the security and privacy characteristics of our extensions platform.”
Simply more "Blah, blah, blah"!🖕Google
 

oldschool

Level 70
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,997
I just found this:

gorhill commented 2 days ago



Following AdGuard's publication of an experimental mv3-based version of their extension, I commented on Hacker News about the fact that the extension still required broad permission which leads to the warning "Read and change all your data on all websites" at install time.
This defeats Google's widely advertised (and repeated by many) statement that declarativeNetRequest will improve privacy:
The declarativeNetRequest API is an example of how Chrome is working to enable extensions, including ad blockers, to continue delivering their core functionality without requiring the extension to have access to potentially sensitive user data.
At the time of my comment, my understanding was that the broad permission required by AdGuard.MV3 was due to the fact that it still is required to implement cosmetic filtering and scriptlet injection.
However I found out that even if sticking to solely deal with network requests (no cosmetic filtering, etc.), broad permission to "read and change all your data on all websites" is still required still when supporting redirection or header modification, i.e. the redirect=, csp=, and removeparam= filter options.
The only way to avoid broad permission requirement is to use declarativeNetRequest to only block network requests and nothing else, i.e. throw out filters which are meant to redirect to a local resource (redirect=), filters which are meant to remove query parameters (removeparam=), and filters which are meant to further limit what websites are allowed to do by adding content-security-policy headers (csp=). For example, merely adding a simple switch to toggle JS on and off would require broad host-permissions (hence triggering the warning at install time), since this requires injecting scrpt-src 'none' in response headers to prevent JS execution.
Chrome extension manifest v3 proposal · Issue #338 · uBlockOrigin/uBlock-issues
 

plat

Level 28
Verified
Top poster
Well-known
Sep 13, 2018
1,692

Hill's conclusion is that adhering to the ad giant's vision makes for a subpar content-blocking extension. He wrote, "At this point I consider being permission-less the limiting factor: if broad 'read/modify data' permission is to be used, than there is not much point for an MV3 version over MV2, just use the MV2 version if you want to benefit all the features which can't be implemented without broad 'read/modify data' permission."
Overprotective parent illustration, a child under glass
Google: We're not killing ad blockers. Translation: We made them too powerful, we'll cram this genie back in its bottle
CONTEXT

That advice won't be viable as of January, when Manifest v2-based extensions will stop working in Chrome. That's likely to be the case for Microsoft Edge, which has endorsed MV3. Apple Safari introduced support for MV3 in version 15.4 and while Apple has not indicated whether it intends to drop support for MV2, it removed the blocking WebRequest API years ago. Outliers like Brave and Mozilla have said they plan to continue support for MV2, though some resources will be required to do so. Brave, for example, will need to launch its own extension store because the Chrome Web Store won't be an option.

Didn't know this about Brave, sorry (don't follow Brave developments). Interesting, will it continue supporting v 2 for the longer term? Will see.
Be brave, Brave! ✊
 

oldschool

Level 70
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,997
This is the first in a multi-part series on the security of browser extensions in which the author examines their design, potential vulnerabilities, etc.: Anatomy of a basic extension I thought this would be appropriate as some readers may want to know more, especially with the advent of MV3. Enjoy! :cool:

He begins thus:
I am starting an article series explaining the basics of browser extension security. It’s meant to provide you with some understanding of the field and serve as a reference for my more specific articles. You can browse the extension-security-basics category to see other published articles in this series.

Before we go for a deeper dive, let’s get a better understanding of what a browser extension actually is. We’ll take a look at a simple example extension and the different contexts in which its code runs.
The rest of the series, so far:
Impact of extension privileges
Attack surface of extension pages
When extension pages are web-accessible
 

oldschool

Level 70
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,997
And there is this follow-up from gorhill. Note the last paragraph.

µBO Minus would beat Adguard MV3 if it had a disable-per-site switch. It's next on his to-do list and I'm waiting for it.

gorhill commented 2 days ago •​

edited​

Follow up regarding my above comment concerning requestDomains and excludedRequestDomains properties which were added to declarativeNetRequest API at some point (Chromium 101 as per documentation, so somewhere in April 2022).
The experimental uBO Minus MV3 version confirms the requestDomains property works well to dramatically reduce the number of rules as a result of filter lists conversion. For instance, with the default uBO filter lists, all the filters of the form ||hostname^ (or hostnames from hosts files such as Peter Lowe's) are being coalesced into a single DNR rule, such that what is typically counted as ~39K distinct network filters in uBO is being coalesced into a single DNR rule.
Overall, what is counted as ~82K distinct in uBO with default lists, is converted to ~21K DNR rules, thanks to the requestDomains property. This renders the DNR rule limits as quite less of an issue -- I estimate that even after adding one of the largest regional list, the DNR rule count in uBO Minus would still be under the 30K mark. For instance, consider that I use Steven Black's hosts in my own personal configuration, and theoretically the whole hosts file would fit into a single DNR rule (unless there is an undocumented limit about the number of entries in a requestDomains property). Sidenote: uBO proper uses such coalescing internally in its filtering engine to efficiently store/lookup large set of hostnames.
And as for the excludedRequestDomains I confirm that they are properly converted denyallow= filters, which in the past I identified as not convertible to DNR rules.
Additionally, the experimental version also confirms that the DNR priority property works well to implement the important filter option.

One of the biggest issue at this point is the inability to implement the overview pane in the popup panel, thus also preventing the implementation of the advanced-user mode and the ability to point-and-click to set dynamic rules.
There also can be no information about what is not blocked, i.e. the Domains connected figure in the popup panel. I have often argued that this is a more important piece of information than the number of blocked network requests.
The no-large-media-elements feature can't be implemented as this requires to inspect response headers on the fly.
The redirect-rule= filter option is also not compatible with DNR redirect action due to differing matching algorithm. In uBO, redirect filters do not compete with block/allow filters, as the redirect directives are looked up only after a network request has been matched to a block filter, whichever that is. This works differently in the DNR matching algorithm, redirect rules compete with other block and allow rules.
There is no concept of exception modifier filters in DNR, i.e. csp=/removeparam= exceptions cannot be accurately translated to DNR rules. For a specific example, all the removeparam= filter exceptions from AdGuard URL Tracking Protection, meant to override the main *$removeparam=utm_source filter, can't be converted to DNR. At best, those exception filters maybe could be less accurately be excepted using the excludedRequestDomains property of the main *$removeparam=utm_source filter.

Side note about the experimental uBO Minus MV3 extension: I did not pick the Minus part out of spite, it's to make clear that this is not uBO proper and I want to be sure there is no expectation that this will be the case. I picked Minus for the same reason that the Plus in Adblock Plus was to highlight that this was an improvement over the previous Adblock version.
Now the fact that uBO Minus does not require broad read/modify data on all websites can be seen as an improvement over uBO proper by many people who are uncomfortable with granting such broad permissions to an extension. In that case, if you have a better qualifier than Minus, I welcome suggestions.
 
Last edited:

oldschool

Level 70
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,997
Here is a thread with some good technical pro's and con's re: MV3, but you have to skim through the whole thread to find them o_O🤓:
“UBO Minus (MV3)” – An Experimental uBlock Origin Build for Manifest V3 | Hacker News
Here's the original post:
I approve (of both the release and the name).
I see plenty of folks in here lamenting this release at all - in the hopes that the lack of it will push folks to Firefox. It won't. Those who care about this are already on Firefox, and frankly - Firefox isn't going to be the answer here (to be clear, this is opinion).

I'm also not thrilled at manifest v3, although for very different reasons than the adblocking limitations - I do lots of extension development, and I think the service worker approach taken is a bad mistake, forcing a distributed consensus model onto extensions without understanding the limitations that model imposes given how often extensions span multiple js contexts (across tabs/frames/content_scripts/windows/etc).

Frankly - the environment is also still riddled with bugs... everything from docs that are wrong, to serious issues like a service worker not activating on simple, basic, required events (like chrome.action.onClicked, which is literally about as basic as it gets for extensions).

Overall - my first impression of the manifest v3 upgrade was fairly neutral (it's not really solving any of my pain points, and it requires a lot of changes to support - but it seemed functional). My opinion after porting several large extension projects to the space is... bad. It's a bad set of changes as implemented in chromium right now.
 

Gandalf_The_Grey

Level 64
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,367
And there is this follow-up from gorhill. Note the last paragraph.

µBO Minus would beat Adguard MV3 if it had a disable-per-site switch. It's next on his to-do list and I'm waiting for it.
It has now a disable per site switch with the current uBO Minus (MV3) 0.1.22.9086 :

Schermopname (1).png
 
Top