- Mar 29, 2018
Yes, because it needs more permissions and so has more features. gorhill seems committed to the permission-less approach.
Personally I find AdGuard Browser Extension v3 0.3.11 better than uBO Minus (MV3) 0.1.22.9086.
AdGuard blocks YouTube ads here and uBO does not:
AdGuard v3 and NextDNS complement each other on my PC.
In the last 2 days…. With Chrome….
Despite the best efforts from the AdGuard team and Gorhill, unfortunately Manifest v3 extensions are bound to be lackluster; it is a flawed design after all.
There are some viable alternatives for now:
1 - Brave with its native adblocker based on Rust.
2 - Firefox
3 - AdGuard for desktop
4 - Manifest v3 + some DNS adblocker like NextDNS, AdGuard DNS and Control D.
No surprise there from the research I've been doing.
Google continues extensions Manifest v3 push even though some APIs are not ready yet - gHacks Tech News
Some Chrome extensions may not be ported to Manifest v3 yet because of missing APIs. All that with the January 2023 deadline looming.
www.ghacks.net
Manifest V2 to V3: Challenges and Security Considerations. - Least Authority
Securing Decrypted Secrets
With browser wallet extensions, one critical security challenge is where to safely keep the decrypted secrets when the wallet is unlocked. In Manifest V2 extensions, background pages are used to store secret values in variables in memory, such that they can be persisted (at least as long as the browser is running), but are not stored to disk. None of this is possible with service workers, which are short-lived event handlers that typically do not maintain state. The only way to persist data between handled events in Manifest V3 using existing methods is by utilizing IndexedDB, Caches, or the chrome.storage API. However, all of these resources require that secret data is written to disk, thus creating a different set of security challenges.
A proposal was made to add the chrome.storage.session API to the chrome.storage API, which enables extensions to store variables in memory so that service workers and other parts of the extension can access these values as long as the session is active. Although the chrome.storage.session API is enabled in the newest chromium versions (starting from version 100 and higher), it has not been formally announced and, at the time of writing, is listed as pending in the chrome extension documentation. This modification to the API is not battle tested, and the impact that the usage of this API has on the security of browser extensions wallets is not yet known.
Unsupported Encryption and Key Derivation Packages
Another challenge caused by the switch to Manifest V3 is that encryption and key derivation packages that are considered to be secure, such as argon2 and libsodium-js, are currently not supported in Manifest V3 because of their usage of WebAssembly, which is disallowed for extensions in the new manifest version. For libsodium, this could be a bug in the code used to switch between wasm and asm, whereas argon2 is currently compiled only to wasm. Our team has previously discussed the common usage of insufficiently secure key derivation algorithms and weak encryption algorithms and we intend to publish a blog on this subject in the near future. The incompatibility of argon2 and libsodium-js with Manifest V3 currently limits the options for secure key derivation and encryption methods. It seems likely that WebAssembly will be supported for extensions in Chrome in the future, but the fix is not in production yet.
Conclusion
In Manifest V3, in order for secret data to be stored securely, the chrome.storage.session API must be used, even though it has neither been officially launched nor sufficiently tested and audited as a secure medium for persisting secret data. In addition, encryption key derivation and encryption packages that are known to be secure are currently incompatible with Manifest V3, which limits the options available for the implementation of sufficiently secure cryptography.
We encourage community members and stakeholders to closely monitor developments in chromium based browser extension security.
Google has announced more details regarding turning off support for the Google Chrome Manifest V2 extension as the company pushes more developers to transition to Manifest V3.
An update from the Chrome team says that they will proceed in careful, experimental steps, ensuring a smooth end-user experience during the phase-out of Manifest V2 in June 2023.
During that time, Google will support extension developers with guidance and information on the new protocol and how they can best roll out versions that support it without their users experiencing hiccups.
Today's update provides more granular information on the roll-out of Manifest V3 (and phase-out of Manifest V2), adding the following milestones:
- In January 2023, with the release of Chrome 112, Chrome may run experiments to turn off support for Manifest V2 extensions in Canary, Dev, and Beta channels.
- In June 2023, with the release of Chrome 115, Chrome may run experiments to turn off support for Manifest V2 extensions in all channels, including Stable channel.
Based on this update, the deadline for lifting Manifest V2 support has been pushed back by five months, from January to June 2023.
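The "Securing Decrypted Secrets" passage quoted above, as an added example that is not code from the thread, Least Authority or any extension: an unlocked key survives a Manifest V3 service-worker restart through chrome.storage.session and is never written to chrome.storage.local. The slot name `unlockedKey`, the `startWorker` helper and the in-memory stub (used only when the real `chrome.storage` is absent) are assumptions made for illustration.

```javascript
// Constructed in-memory stand-in for a chrome.storage area, used only when
// the real API is absent (e.g. under Node), so the example runs offline.
function makeStubArea() {
  const data = new Map();
  return {
    async set(items) {
      for (const [k, v] of Object.entries(items)) data.set(k, JSON.parse(JSON.stringify(v)));
    },
    async get(key) { return data.has(key) ? { [key]: data.get(key) } : {}; },
    async remove(key) { data.delete(key); },
    size: () => data.size, // stub-only helper for inspection
  };
}
const storage = (typeof chrome !== "undefined" && chrome.storage)
  ? chrome.storage
  : { session: makeStubArea(), local: makeStubArea() };

const KEY_SLOT = "unlockedKey"; // hypothetical slot name

// One call = one service-worker lifetime. `cached` plays the role of the
// MV2 background-page variable: it is lost whenever the worker is stopped.
function startWorker() {
  let cached = null;
  return {
    async unlock(keyBytes) {
      // Keep the slot out of reach of content scripts where the call exists.
      if (storage.session.setAccessLevel) {
        await storage.session.setAccessLevel({ accessLevel: "TRUSTED_CONTEXTS" });
      }
      // Storage values must be JSON-serializable: store a plain array.
      await storage.session.set({ [KEY_SLOT]: Array.from(keyBytes) });
      cached = Uint8Array.from(keyBytes);
    },
    // Call at the top of every event handler instead of trusting `cached`.
    async getKey() {
      if (cached) return cached;
      const items = await storage.session.get(KEY_SLOT);
      if (items[KEY_SLOT]) cached = Uint8Array.from(items[KEY_SLOT]);
      return cached;
    },
    async lock() {
      cached = null;
      await storage.session.remove(KEY_SLOT);
    },
  };
}
```

Each `startWorker()` call models a fresh worker lifetime, so calling `getKey()` on a second instance shows the restore path that a background-page variable alone cannot provide.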