Manifest v3 update (Mozilla Firefox)

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,176
Two years ago, Google proposed Manifest v3, a number of foundational changes to the Chrome extension framework. Many of these changes introduce new incompatibilities between Firefox and Chrome. As we previously wrote, we want to maintain a high degree of compatibility to support cross-browser development. We will introduce Manifest v3 support for Firefox extensions. However, we will diverge from Chrome’s implementation where we think it matters and our values point to a different solution.

For the last few months, we have consulted with extension developers and Firefox’s engineering leadership about our approach to Manifest v3. The following is an overview of our plan to move forward, which is based on those conversations.

High level changes​

  • In our initial response to the Manifest v3 proposal, we committed to implementing cross-origin protections. Some of this work is underway as part of Site Isolation, a larger reworking of Firefox’s architecture to isolate sites from each other. You can test how your extension performs in site isolation on the Nightly pre-release channel by going to about: preferences#experimental and enabling Fission (Site Isolation). This feature will be gradually enabled by default on Firefox Beta in the upcoming months and will start rolling out a small percentage of release users in Q3 2021.
    Cross-origin requests in content scripts already encounter restrictions by advances of the web platform (e.g. SameSite cookies, CORP) and privacy features of Firefox (e.g. state partitioning). To support extensions, we are allowing extension scripts with sufficient host permissions to be exempted from these policies. Content scripts won’t benefit from these improvements, and will eventually have the same kind of permissions as regular web pages (bug 1578405). We will continue to develop APIs to enable extensions to perform cross-origin requests that respect the user’s privacy choices (e.g. bug 1670278, bug 1698863).
  • Background pages will be replaced by background service workers (bug 1578286). This is a substantial change and will continue to be developed over the next few months. We will make a new announcement once we have something that can be tested in Nightly.
  • Promise-based APIs: Our APIs have been Promise-based since their inception using the browser.* namespace and we published a polyfill to offer consistent behavior across browsers that only support the chrome.* namespace. For Manifest v3, we will enable Promise-based APIs in the chrome.* namespace as well.
  • Host permission controls (bug 1711787): Chrome has shipped a feature that gives users control over which sites extensions are allowed to run on. We’re working on our own design that puts users in control, including early work by our Outreachy intern Richa Sharma on a project to give users the ability to decide if extensions will run in different container tabs (bug 1683056). Stay tuned for more information about that project!
  • Code execution: Dynamic code execution in privileged extension contexts will be restricted by default (bug 1687763). A content security policy for content scripts will be introduced (bug 1581608). The existing userScripts and contentScripts APIs will be reworked to support service worker-based extensions (bug 1687761).

Implementation timeline​

Manifest v3 is a large platform project, and some parts of it will take longer than others to implement. As of this writing, we are hoping to complete enough work on this project to support developer testing in Q4 2021 and start accepting v3 submissions in early 2022. This schedule may be pushed back or delayed due to unforeseeable circumstances.

We’d like to note that it’s still very early to be talking about migrating extensions to Manifest v3. We have not yet set a deprecation date for Manifest v2 but expect it to be supported for at least one year after Manifest v3 becomes stable in the release channel.
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,176

Mozilla expects to launch extensions Manifest V3 support in Firefox in late 2022​

Mozilla plans to introduce support for the extensions Manifest V3 in the organization's Firefox web browser in late 2022. Preview versions are already available in development editions of the web browser.

While Mozilla plans to introduce support for Manifest V3 in Firefox, it won't remove support for APIs that are essential to privacy extensions. Content blockers and other privacy extensions will continue to function in Firefox as before, provided that developers continue to support them.

Firefox extensions won't be limited by Manifest V3​

Mozilla announced in 2019 that it would implement support for Manifest V3 in Firefox but would make adjustments to certain limitations. A new blog post on the Mozilla Add-ons Community blog sheds light on the adoption and the differences between Mozilla's and Google's implementation.

The decision to remove the blocking part of the WebRequest API and to replace it with the limiting declarativeNetRequest API was at the center of the controversy. Mozilla notes that the new API limits "capabilities of certain types of privacy extensions without adequate replacement".

Mozilla will keep the WebRequest API in Firefox to make sure that privacy extensions are not limited in providing the functionality they are designed for. The organization will implement the declarativeNetRequest API for compatibility reasons according to the blog post.

Mozilla will "continue to work with content blockers and other key consumers of this API to identify current and future alternatives where appropriate".

Firefox will also support Event Pages in Manifest V3 and introduce support for Service Workers in future releases.

Developers may turn on the preview in the following way in current development editions of the browser:
  1. Load about:config in the web browser's address bar.
  2. Confirm that you will be careful.
  3. Search for extensions.manifestV3.enabled and set the preference to TRUE with a click on the toggle.
  4. Search for xpinstall.signatures.required and set the preference to FALSE.
  5. Restart Firefox.
Extensions may then be installed via about:debugging. Permanent installation of Manifest V3 extensions is possible in Nightly and Developer editions of the Firefox web browser. The implementation is not complete at the time of writing.
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,176
Mozilla reaffirmed this week that its plan has not changed. In "These weeks in Firefox: issue 124", the organization confirms that it will support the WebRequst API of Manifest v2 alongside Manifest v3.
Again, a reminder that Mozilla plans to continue support for the Manifest v2 blocking WebRequest API (this API powers, for example, uBlock Origin) while simultaneously supporting Manifest v3.
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,176
Mozilla plans to add support for Manifest v3 browser extensions to its online store – addons.mozilla.org – so developers can have them cryptographically signed for distribution.

Manifest v3 (Mv3) refers to a set of APIs and capabilities that are intended to become the new standard for browser extensions. It's a software architecture revision initially proposed by Google for Chromium-based browsers and subsequently endorsed by Mozilla for Firefox (Gecko-based) and by Apple for Safari (WebKit-based).

Starting Monday, November 21, developers will be able to upload Mv3 extensions for signing. As a result, those using Firefox Nightly and Developer Edition will be able to test extensions refactored for the new rules, prior to the spec's general availability with the scheduled January 17, 2023 release of Firefox 109.
 

Captain Holly

Level 6
Verified
Well-known
Jan 23, 2021
255
I am sorry to see Firefox caving in to Google and MV3 like this. I had really hoped FF and Mozilla would stick to their guns and not go along with MV3. Now I wonder about the specialty type browsers like Avast/AVG Secure browser or Brave and Vivaldi that have their "own" built-in ad blockers. I wonder how those will be affected by MV3. Do the browser devs make their own proprietary ad blockers or are they just borrowed from the Google store and will still carry the same MV3 burdens?

C.H.
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,345
The built-in adblockers as for example Brave are not affected.
They don't use an extension:
Google's upcoming Manifest V3 update for extensions has the potential to break many ad blockers. But Manifest V3 will not prevent Brave from blocking ads. We built ad blocking into the browser itself so it will not be affected by Google changing its rules for extensions.

Vivaldi:
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
I am sorry to see Firefox caving in to Google and MV3 like this. I had really hoped FF and Mozilla would stick to their guns and not go along with MV3.
Mozilla not adopting MV3 sounds like a good idea in theory, but the effect of not doing so will mean extension developers won't be able to easily port their Chrome extensions to Firefox, thus they'll likely stop developing for Firefox altogether.
Now I wonder about the specialty type browsers like Avast/AVG Secure browser or Brave and Vivaldi that have their "own" built-in ad blockers. I wonder how those will be affected by MV3. Do the browser devs make their own proprietary ad blockers or are they just borrowed from the Google store and will still carry the same MV3 burdens?
Brave's ad blocker won't be impacted. Vivaldi believes theirs won't be impacted either. Can't speak for Avast/AVG; as far as I'm aware they haven't addressed whether it'll impact their browsers or not.

@Gandalf_The_Grey Beat me to it. :p
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,863
Adblocking will continue to work in Firefox for now. So that's not a concern for the near future. Excluding this uncomfortable issue of ad blocking, I do think that MV3 is good for improving browser security. So Mozilla won't stay behind the pack and make it more difficult for extension developers. But I have doubts about how long they'll be able to keep supporting the old API. I think they should follow Brave and build their own browser integrated adblocker free from the MV3 impact. This will help them attract some users.
Mozilla's implementation of Mv3 will differ in two critical ways from Google's. First, it will provide developers with access to the APIs Google considers too troublesome to retain.

"While other browser vendors introduced declarativeNetRequest (DNR) in favor of blocking Web Request in Mv3, Firefox Mv3 continues to support blocking Web Request and will support a compatible version of DNR in the future," said Shane Caraveo, engineering manager for WebExtensions at Mozilla, in a blog post. "We believe blocking Web Request is more flexible than DNR, thus allowing for more creative use cases in content blockers and other privacy and security extensions."
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,176
I am sorry to see Firefox caving in to Google and MV3 like this. I had really hoped FF and Mozilla would stick to their guns and not go along with MV3.

You may missed the fact that Mozilla will continue to support even MV2 addons for Firefox, the question remains for how long, but nobody knows that yet it's just speculation only ;)

 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,176
Mozilla highlights that its implementation of Manifest V3 differs from Chromium's implementation in two major ways:
  • Firefox continues to support Manifest V2's web request blocking API next to Manifest V3's declarativeNetRequest API. Extension developers may use either in their extensions.
  • Firefox will support Manifest V3's Event Pages, but will also continue to support Service Workers.
Firefox's Manifest V3 compatibility will improve over the next year, according to Mozilla.

Mozilla rolled out a new Unified Extensions button in Firefox Nightly already that relies on Manifest V3 and gives users greater control over the website access of extensions. You see how it looks in the screenshot ...

firefox-manifest-v3-new-ui.webp
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,176

Firefox found a way to keep ad-blockers working with Manifest V3​

In a Tuesday blog post explaining the new extensions system, Mozilla says it adopted Manifest Version 3 to make things a lot easier for people developing extensions for both Chrome and Firefox. But while its implementation is largely meant to be cross-compatible, the organization says its version is different from Google’s in “some critical areas,” mainly security and privacy.

Google also cited those areas when it added Manifest V3 to Chrome in 2021, calling the move “part of a shift in the philosophy behind user security and privacy.” But one of the changes in the update broke features in several popular content and ad-blocking extensions by removing a feature they used to block certain network requests (be those to trackers, advertisers, or anyone else).

I won’t go too deep into how it did that — we have an explainer that goes into the technical side of things — but the high-level takeaway is that Mozilla’s version of Manifest V3 keeps the feature Google removed, while adding support for the more limited replacement as well. That should make it so content-blocker developers don’t have to create new (and potentially more limited) versions of their extensions, while making it easier for other developers to write multi-platform extensions.

I won’t go too deep into how it did that — we have an explainer that goes into the technical side of things — but the high-level takeaway is that Mozilla’s version of Manifest V3 keeps the feature Google removed, while adding support for the more limited replacement as well. That should make it so content-blocker developers don’t have to create new (and potentially more limited) versions of their extensions, while making it easier for other developers to write multi-platform extensions.

There are downsides to this approach; Mozilla itself admitted last year that there can be security risks to leaving that feature in. Apparently the foundation believes it’s worth the risk to preserve content blocking, which it called “one of the most important use cases for extensions.”

 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,176
[...] our series of community updates designed to provide clarity and transparency as we continue to deliver Manifest V3 related improvements with each new Firefox release.

The engineering team continues to build upon previous MV3 Chrome compatibility related work available in Firefox 126 with several additional items that landed in Firefox 127, which was released on June 11. Beginning in the 127 release, the following improvements have launched:
  • Customized keyboard shortcuts associated with the _execute_browser_action command for MV2 extensions will be automatically associated with the _execute_action command when migrating the same extension to MV3. This allows the custom keyboard shortcuts to keep functioning as expected from an end user perspective.
  • declarativeNetRequest getDynamicRules and getSessonRules API methods now accept the additional ruleIds filter as a parameter and the rule limits have been increased to match the limits enforced by other browsers.
The team will land more Chrome compatibility enhancements in Firefox 128 in addition to delivering other Manifest V3 improvements, at which time MV3 will be supported on Firefox for Android.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top