Hacker News new | past | comments | ask | show | jobs | submit login
Mozilla’s Manifest v3 FAQ (blog.mozilla.org)
266 points by Findus23 11 months ago | hide | past | favorite | 106 comments

The tone of this post concerns me.

What comes across is that Google is not collaborating with Mozilla over the Manifest v3 changes.

Instead of using and appreciating the engaged Firefox developer ecosystem we have PM conference rooms in Google mandating huge changes based on... well they've been shady so far about their choices on Manifest v3.

The other thing that keeps bugging me about this is -

We need a tiered App store for browsers. Part of the lockdown Google wants to do isn't wrong but its driven by having WAY too many bad actors and shoddy developers in their Chrome store.

If you have an opensource web extension, a reasonable community and with reproducible builds? You can use more powerful API versions.

If you are jrando bizplan #2000283 you get the kinda trusted tier.

Frankly if Debian had a web browser extension "store" with 20 things in it, I'd use that exclusively and turn off both the Chrome and the Firefox store 100%.

> Frankly if Debian had a web browser extension "store" with 20 things in it, I'd use that exclusively and turn off both the Chrome and the Firefox store 100%.

There are a handful of extensions for Firefox and Chrome in the Debian repositories: https://packages.debian.org/search?keywords=webext-&searchon...

WOW that's awesome!

It's actually pretty close... no Vimium but ublock origin/matrix, tree style tab, privacy badger, browserpass


Here is what's in Sid -


> a tiered App store

We kinda have one; the tiers are "the public app store" and "your enterprise's private collection of apps, whitelisted by GSuite policy on your GSuite users."

Things are in equilibrium because no big player is complaining; and no big players are complaining because they have all their needs met by just 1. getting custom extension builds from vendors, 2. signing them with their enterprise cert, 3. pushing them to some object store, and 4. telling GSuite to allow them (https://docs.google.com/document/d/1pT0ZSbGdrbGvuCsVD2jjxrw-...).

> we have PM conference rooms in Google mandating huge changes based on... well they've been shady so far about their choices on Manifest v3.

I'd like one of the PMs at Google working on this feature to engage in actual community discussion around this issue.

Google is not a monolithic corporation. Individual people are responsible for these decisions. These people are obligated to discuss why they are making these changes, else they deserve to be called out if they refuse to do so.

Is it too much to ask for these PMs to take some personal responsibility and engage in discussion for the far-reaching changes they are forcing upon society?

I don't think Google would have published a public note about their plans if there hadn't been a previous discussion.

> Frankly if Debian had a web browser extension "store" with 20 things in it, I'd use that exclusively and turn off both the Chrome and the Firefox store 100%.

Yeah like the F-Droid [0] appstore ecosystem for Android.

[0] - https://f-droid.org/

> What comes across is that Google is not collaborating with Mozilla over the Manifest v3 changes.

Well… duh? Google will do whatever it wants with no regards to anyone else unless they're forced to do otherwise, and "the market" will not force them to do otherwise unless their very large browser majority falls. From the moment mozilla decided (/ was forced) to adopt chrome extensions they were bound to follow google's whims.

Having done a fairly long stint in the telephony world, I can say that the general purpose of standards committees is to rush through a whole bunch of hacky changes on your platform and then strong arm everyone else to implement what you did -- the more work they have to do the better; the worse it fits into their original ecosystem the better. Your goal is to make your competition perpetually play catch up and to have a slightly wonkier version of your system.

People in large organisations take this stuff very seriously and it can be difficult for other people to concentrate on making a good spec that will work well for everybody. The idea is that the market is pretty much the same size whether you have a fantastic application or a hacked together application. What matters for the company is what percentage of the market share you have. It's worth a considerable amount of fit-for-purpose in order to lock in eternal advantage over your competition.

> In the absence of a true standard for browser extensions, maintaining compatibility with Chrome is important for Firefox developers and users.

About as close as Mozilla can come to outright saying, "Chrome is big enough and we're small enough that what they do _is_ the standard."

Still, it's encouraging to see that they're not removing the blocking API for now. I kind of hope this does push a few adblocker extensions to abandon Chrome.

I find it rather discouraging to hear they are not removing the blocking API for now. It's basically an empty statement, not reassurance. They still may or may not remove the API, they don't want to promise anything or show any commitment to users' needs and priorities.

It's basically the same as what happened two months ago with Firefox for Android being EOL'd pending a major re-write that may or may not support extensions. Mozilla is not willing to publicly commit to keeping their key features alive, and they keep hinting at the possibility that they will be leaving users behind in an attempt to be more like Chrome.

And the other point of view, directly from Mozilla:

> We're certainly aware of how significant ad blocking extensions are. This release required a great quantity of features with only a six month timeline until now.

> We already support a very limited set of the WebExtensions API to offer features like Reader Mode. Rest assured that more features will land in the coming months.

Source: https://news.ycombinator.com/item?id=20298143

This reads like FUD to me. The dev team know how important extensions are to their users. Can you provide a source that implies Fennec will be EOL before Fenix has extension and/or ad-blocking support?

In that discussion (and indeed in the message you quote), the mozilla developers had every incentive to say, if it were true, « we have decided not to replace fennec with fenix on Android until fenix supports ad-blockers ».

They very visibly didn't take the opportunity to do so.

From what I can make out on github, they're planning to replace fennec with fenix around the time the next ESR comes out (which I think is early 2020), and there isn't currently a project in progress to add the necessary web-extension support to fenix.

Thanks for this.

>From what I can make out on github, they're planning to replace fennec with fenix around the time the next ESR comes out (which I think is early 2020), and there isn't currently a project in progress to add the necessary web-extension support to fenix.

Would you mind linking the GitHub issues that have lead you to draw this conclusion, so I can take a look?

https://blog.mozilla.org/futurereleases/2019/06/27/reinventi... says they were planning in June to have a "feature-rich, polished" fennec release "this fall".

https://github.com/mozilla-mobile/fenix/issues/879 "[Meta] Fennec -> Fenix Transition" appears to say the transition will happen in Q4 2019.

The Android releases of fennec used to be updated for each Firefox release, but moved to ESR with the most recent ESR release. I think that means that since then nobody has been keeping the Android port working as changes come in (but ESRs are supported for a year or more, so maybe I'm wrong to think that the date of the next ESR release is relevant).

https://github.com/mozilla-mobile/fenix/issues/574 is about web-extension support; the recent updates say:

« Product is looking into feasibility » « Tentatively adding needs:gv label until we know what additional GV work will be needed to support general purpose extensions. »

The issue is labelled 'Feature:FennecTransition' and 'feature request'. It isn't labelled 'should', and some other 'Feature:FennecTransition' issues are.

It isn't clear to me whether they're planning to release a new version of "Firefox" on Google Play that uses the fenix codebase, or release fenix as a separate app and declare that the fennec one is obsolete.

https://github.com/mozilla-mobile/fenix/issues/879 and https://github.com/mozilla-mobile/fenix/issues/934 have some interesting hints, but I can't tell what they've decided.

GV is short for GeckoView, relevant-looking bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1468844

Apparently they are using "Raptor" for testing (https://wiki.mozilla.org/TestEngineering/Performance/Raptor) which includes a webextension, and they fix that area of the webextension API when it breaks. But in https://bugzilla.mozilla.org/show_bug.cgi?id=1562844 they mention that many components of Fennec are not implemented in GV so the corresponding API is broken.

I'm guessing the work is mostly about enabling the addons manager, so it might fit in Q4 or it might not. But it is worrisome that it isn't marked as blocking the transition.

They've already released fenix as a separate app: https://play.google.com/store/apps/details?id=org.mozilla.fe...

I would rather they call it "Firefox Lite" (in a nod to Facebook Lite etc.) and used some in-app notifications than to try to mass migrate with a version update as it seems they are plotting to do.

Perhaps interesting: this post that implies that implementing full extension support might not be that much work: https://sammacbeth.eu/blog/2019/09/04/geckoview-extensions.h...

A rewrite that is faster than Chrome for Android.

It may be faster than Chrome on Android, but it's certainly not faster than Firefox on Android with adblockers. Not loading/parsing multi-megabytes of Javascript and images is huge. Loads of ads these days incorporate entire JS framework toolchains resulting in a binary bigger than the page they're being injected into. Eliminating a few ads and the rest of your browser could be a lot less efficient and still perform well. That's all before discussing how adblockers also reduce who is tracking you everywhere.

In my experience and limited testing, even with warmed-up caches, Chrome (without Adblocker) was faster than Firefox (with or without Adblocker), sadly.

I still use Firefox due to the security benefits of ad blocking, but I don't find the experience particularly enjoyable (although, thinking of it, it may have either significantly improved in the past ~half a year, or I just don't notice because of a more powerful CPU in my new phone).

It certainly is faster than Firefox for Android.

There are benefits to adblocking of course.

But there's no point lying.

Eh. That may be the intent but they aren't there yet. I tested Firefox Preview on Speedometer 2.0 and got the same result I did with Firefox for Android 68. Chrome gets double the score (runs per minute) on my device.

What they should be saying is, "No, what Google is doing is Wrong with a capital WRONG and we're not going to accept their wishes in closing off what's left of the open Web."

But then they'd have to give up all their Google funding. And they're way too cowardly and corporate to do that.

> "closing off what's left of the open Web."

Seems a little over the top to me!

Also, Mozilla is very good at standing up to Google. They beat them on webasm, rust is arguably supplanting go, and most of all, it was Mozilla that effectively killed web components which were very dear to Google.

> rust is arguably supplanting go

Two very different languages with very different goals. Neither want nor ever will suplant the other.

Rust is challenging C++ fairly head-on.

Golang is challenging Java, C#, Python, nodejs etc. It was also supposed to challenge C++ but based on how the language turned out, if that is ever true then C++ probably wasn't the right language for that project in the first place...

How did Mozilla kill web components?

> adblocker extensions to abandon Chrome.

Ha. As if that will ever happen. They'll probably just pivot to something else.

The reason Chrome can try to ditch ad blockers is that they are big enough, that your only choice is Chrome or GTFO.

Your choice can well be firefox and chrome as a fallback when a website doesn't work and you care enough to bother opening chrome for it. Chrome has already ditched adblockers on mobile, firefox with adblockers and reader mode is a MUCH better mobile web experience.

> Chrome has already ditched adblockers on mobile

nit: chrome has never had extensions (or ad blockers) on mobile

(Disclosure: I work for Google)

That's not even a nitpick. The parent got it completely wrong.

If Chrome mobile never supported extensions, then it's false to claim they "ditched" them.

From the original post, it's more like a language parsing issue - Chrome was original a desktop-only application and it had extensions. When it was ported to Android, they ditched extensions, as well as jettisoning numerous other features.

Thus, not "completely wrong."

They being an ad company were smart enough not to ever allow the camel to get its nose under the tent.

> firefox with adblockers and reader mode is a MUCH better mobile web experience

Oh, I fully agree. But just having a better, faster, less ad ridden browser is not enough. The sheer networking effect is propping up Chrome on Android.

I only had a few issues with some videos playing.

do you really need the fallback? i've yet to need chrome for anything, since i rarely use google products other than maps.

i've found the use of google captcha on governmental, financial, and some commercial sites frustrating though. i'll abandon a site that has google captcha if usage is anything less than critical.

Like you alluded to, some websites perform much better in Chrome (in particular Google's own websites, but there's some other offenders like roll20.net).

There's an FF extension called Buster made someone here on HN that helps workaround Google's current generation of captchas. It doesn't work 100% of the time, but the success rate is still higher than doing it myself.

Some sites need NoScript disabled to work. Even using the "temporarily trust everything" option doesn't work. Since it's easier to just paste the URL into chrome than disable a plug-in and remember to re-enable it later, I do that.

linkedin doesn't work for me on firefox, so i rarely even attempt to use it. but if someone a care about wants to link to me, i have to use chromium for that.

that's odd. does the whole site not load, or just certain features don't work?

i use firefox with all kinds of privacy/blocking extensions and can access linkedin just fine (as long as first-party javascript can execute).

> We have no immediate plans to remove blocking webRequest

> immediate

We know exactly what this kind of talk means. Don't blow smoke up our ass, Mozilla, just give it to use straight: We'll have `blocking webRequest` for as long as Google allows it.

And in case anyone from Mozilla is listening, this could well be existential for you. Right now, your pro-privacy stance is a principal factor in users choosing Firefox over Chrome.

Follow Google - and all its shady practices - and you will lose a large chunk of those users. Many of them, to use current terminology, are "key influencers": technically savvy people who advise family and friends what to do. Lose them and the outlook is, I suspect, pretty grim.

You're clever people. You'll know this. Google has a good few smart folk too (even if their motivation is questionable). It's easy to see this is difficult for you: Google is your primary funding source. Fail to comply with their wishes, and that funding might well disappear.

As has been noted in other threads, the tension between privacy principles and funding is a huge threat.

For the good of the open web, I desperately want a successful Mozilla, and a technically excellent Firefox at the forefront of a pro-privacy, anti-surveillance re-balancing of the internet.

I don't doubt the difficulty in filling a $300M funding hole. I'd gladly pay $30 per year for a pro-privacy Firefox. Another 9,999,999 is a tall order. On the other hand, you have c250M users...

Since there is no visible way of leaving a +1 (or a +1000) on HN, I feel like I have to respond to this since it resonates so deeply with me.

Particularly on account of funding, I know I would also gladly pay $30 per year for a privacy, freedom and power use oriented Firefox instead of this new direction they keep taking it in. And so would many of my acquintances.

Perhaps there is merit to organizing a website for people to be able to pledge this.

This tech people influencing friends and family lore has been disproven many times. No non tech user is using duck duck go.

Where are you getting this information? Plenty of "tech" people influence their friends and family with respect to what software/hardware to consider. My entire immediate family uses DuckDuckGo as their search. All of their (Mozilla) browsers have DDG set as the default. Not a complaint from anybody; DDG does a damn fine job.

One data point doesn't change the fact that HN hasn't mass converted the world to use DDG. They may also be telling you they use DDG while they use !g or Google.

But similarly, one data point that DDG hasn't overtaken Google doesn't mean that tech people's preferences don't influence ordinary people.

I thought it was generally well-accepted that developers mass-moving friends and family off of IE 11 was part of the reason why other browsers ended up beating it.

Similarly, I thought it was mostly accepted that part of the reason so much of the web was optimized for Chrome was because Chrome had genuinely better developer tools, and developers preferred to optimize first in Chrome and second in other browsers.

Maybe there's more disagreement on those points than I realized.

Even on the subject of DuckDuckGo, which is probably not going to be mass-adopted any time soon (if at all), actual usage numbers are increasing faster than any other major search provider, including Google[0]. Whether or not those numbers are coming from ordinary people or tech people, clearly somebody is being convinced to use DDG. Is it going to be a revolution? Probably not. But it's not nothing.

I really wish people would stop defining success as a monopoly. Even in the browser space, the goal isn't to make Chrome vanish. We just want Firefox to have a big enough user-base across enough markets that it can't be ignored. Even 20-30% would probably do it. Mozilla doesn't have to kill Chrome.

Similarly, if every non-tech user keeps searching on Google, and DuckDuckGo just becomes a great search engine that every programmer prefers, that's a pretty big win. I would not call that a loss.

[0]: https://duckduckgo.com/traffic (of course saturation does play a role here)

I supplied one data point. You supplied...?

But now you're saying "mass converted the world" whereas before your goalposts were set at "friends and family."

I understand Google's motivation for nuking ad blockers, as well as their motivations for denying every which way that that is what they want to do under whatever security justifications they can bring up, even true ones.

I don't see Mozilla's motivation to remove that at the moment.

I mean, speaking for myself, I'd drop them both and follow a fork of the browser that lets uMatrix work, and that's not something I've considered very many times in the past 20 years. Control over what my browser actually connects to has become a top-3 feature concern for me. I was going to say "I suppose 'working' is technically more important to me", but then I mentally wargamed out whether I'd be willing to use a slightly nonfunctional browser to have uMatrix and noticed that I actually already put up with a slightly nonfunctional browser to use it, because uMatrix already breaks a number of sites until I do some whitelisting.

Even if there's a security impact to extensions having too much access to the web request cycle, there's a security impact to them not having enough access to the web request, too.

The majority of funding Mozilla’s comes from Google, including receiving a portion of all ad revenue through google search.

A “adopt manifest v3 or we cut your funding in half” could be behind the scenes.

I think that's an important thing to remember - we can always fork it and move on if they choose to remove the blocking webrequest API.

However, how long that fork can persist, remain secure and retain feature parity is an open question. Should Mozilla cave and the community fork be unpopular, Google will definitely have a monopoly on the browser space.

Or, potentially, it's an equivocation because they want to give Google the appearance of maybe caving later (or at least the inability for Google to claim that they had the opposite appearance), while secretly hoping something changes such that they don't have to cave (and also, possibly, applying pressure below the radar to achieve that end.) Politics!

I switched from Chrome to Firefox a couple of months ago when the Chrome adblocking changes were announced.

I'll happily find something other than Firefox if it goes down the same route.

Try out Pale Moon or Waterfox.

I wouldn't want to claim that strongly that they won't remove it if I were Mozilla - for all they know, Chrome might still come up with a proper alternative that satisfies the use cases of all blocking extensions, but also performs better. Obviously Firefox would then transition as well.

This points to the disturbing truth of how incredibly complete Google's monopoly is: Even browsers not based on Chrome are strongly pushed to implement Chrome's platform changes anyways.

Mozilla abandoning their much more powerful XUL-based extension system for Chrome's inferior WebExtensions wasn't already an indicator towards that?

It's been known since around 2010 or 2011 that the full extension system was too powerful for effective maintenance of Gecko. Going through XPCOM for everything prevents effective optimization within the codebase, and generally ensures that the APIs have to become less ergonomic compared to modern C++ (or JS, for that matter). Furthermore, multiprocess content tabs was heavily delayed because turning it on would break practically every extension (since you could no longer have synchronous access to content).

Moving away from that was definitely the right approach for Mozilla, but the timetable and effort into bringing up a non-XUL/XPCOM-based extension mechanism definitely left something to be desired.

Pretty much as soon as they added multi processor support they had to start throttling background tabs anyway, same as chrome. It's not at all clear that going multi process was a win. And years after they change their are still a bunch of things extensions did that don't work anymore. I was never a huge fan of XUL or any non-native UI, but it did it's job for years and it's replacement doesn't.

And due to their follow google nature of monthly updates there's no stable version to fall back on.

Multiprocess was and is a huge win for performance, stability and security. In the post-Spectre world it's essential.

> Moving away from that was definitely the right approach for Mozilla

Perhaps, but it also made Firefox into a browser that can no longer meet my needs.

What are your "needs"?

Perhaps it's your needs, not Firefox, that are incorrect.

Not the parent, but a short list of mine:

link location bar extension: this cannot be replaced with a webextension as mozilla refused to add the necessary API

websocket monitor extension: this is being built into the dev tools, after 2 years and counting

tab groups / panorama: every single extension that tries to replace this is terribly broken, because the provided extension APIs don't really support this use case or are super racey

like the link location bar extension it's impossible to write an extension to replicate the old refresh/stop/go button in the url bar. You can have 3 buttons, but that's stupid.

All that and mac (nightly & dev-edition) users only recently got back to the level of performance from pre 57 Firefox due to work described here: https://bugzilla.mozilla.org/show_bug.cgi?id=1429522#c26 (ongoing).

And before I get crucified: there aren't any better browsers, so I'll be sticking with Firefox, but it sure isn't anywhere near as useful as it used to be.

> Perhaps it's your needs, not Firefox, that are incorrect.

Giving a list of my needs is pointless. Also, I never said that Firefox was incorrect. I said that it no longer meets my needs.

Mozilla has made a business decision to address a user demographic that I am not a part of. I don't have enough information to be able to say if that decision was correct or not. All it means is that I no longer use Firefox.

Firefox is faster and more secure now that they don't have to maintain compatibility with a bunch of old extensions that touch a bunch of internal stuff. Firefox's WebExtension API goes well beyond Chrome's at this point and is still adding features.

Firefox is a clone of Chrome now, that google makes a little bit janky when you browse google sites.

> more powerful XUL-based

At the time of conception, it was pretty great. However, that much customizability came at two expenses.

1) Web devs can't use XUL, because it's its own little cosmos, you as Web dev couldn't mod Firefox UI

2) The XUL was legacy software and super hard to optimize.

Repeal and replace would have been fine, but instead we got repeal and here's a mobile OS. And new extensions can't mess with our look and feel.

Stop conflating unrelated matters.

Mozilla's decision to remove XUL Extension support was directly a result of their decision to replace XUL in favor of HTML5 as the UI design language of choice.

Safari doesn't feel the pressure to implement this API - why does Firefox?

Chrome's June 2019 statement about Manifest v3 in which they tell us all how much they really care about users and this totes isn't to weaken ad blocking(which directly affects their revenue - that's just a coincidence - pinky promise!):


Here's an interesting thought experiment: what would it take to convince you that this change really is being made for performance and security reasons, and not to hurt ad blocking?

Given the level of cynicism directed at Google by the HN community, is it even possible for Chrome to lock down extension permissions in a way which wouldn't be seen as some sort of aggressive move against ad blocking? Keep in mind that secure, user-friendly permissions systems do have to be somewhat restrictive in order to be effective (see Android, iOS, etc), and that ad blocking extensions will necessarily be impacted as a result.

#1: They would have to give a rationale for the change which actually makes sense. The privacy explanation does not make sense because the observational capabilities of the API are explicitly not being removed. Therefore there is no benefit to user's privacy as a result of the changes. The performance explanation also doesn't make sense if we look at the numbers that adblocker vendors have been publishing in response to these changes.

#2: In light of the backlash to the proposal they would have to actually consider not implementing the change or at least consider some alternative implementations. So far all they have done is say "we've heard your concerns, and we're just going to do it anyway". Many interesting ways have been proposed to achieve the same supposed benefits as what Google claims manifest v3 will provide. But they have not responded to any of those ideas and are blindly persisting with their proposed model with all its downsides. So why even act like this is some kind of open process which involves real developers?

#3: They would need to demonstrate that they are actually concerned about the ability of adblocker vendors to deliver good products. They could have created a transition window from the old API to the new API to see in practice how adblocker vendors choose to use it and what limitations they face. But they haven't done that, instead they announce they're killing the old API the same moment they introduce the new one. That to me demonstrates that they don't really care if it's sufficient for those vendors or not.

If the observational web request API was also deprecated, that wold be a strong indicator that Google's intentions were good.

If Gorhill (and other extension developers) endorsed the changes, that would be a strong indicator to me consider that they might be user-friendly, and that the concerns about them were overblown.

Google could also theoretically just convince me outright. They would need to convince me that extensions were currently hurting my privacy, security, and web experience more than ads. That would be very difficult, but theoretically possible. A blog post that solidly addressed critics point-by-point, rather than simply saying, "no that's wrong", would go a long way.

It's not helpful to Google now, but if the Chrome team built up a reputation for being more thoughtful, I also wouldn't be more likely to take them at their word in the future. I've written about this in the past, but Chrome has been handling developer criticism poorly for a pretty long while, and that pattern eventually reduces developer goodwill. When it comes to trust, everyone is a Bayesian.

That doesn't mean I don't try to consider their arguments, and it doesn't mean by default I assume the worst, but I'm only considering Google's arguments on their own merits. If the changes don't make sense to me, I'm not going to assume by default I should accept them anyway. They can't just say, "trust us, we've seen the numbers."

It doesn't lock down the ability of extensions to inspect and spy on all your traffic just block it. This in and of itself demonstrates the purpose.

Also lets be real there are only a handful of adblocking extensions that have most of the market share run by legit players they could trivially vet and whitelist a small number of extensions that are allowed this privilege.

It's not about security its clearly about ruining adblocking. A tiny blocklist that can only be updated with the extensions ensures that it is always trivial to work around blockers. One can simply ask which which version of the extension one has and load ads from a url/host created since.

> what would it take to convince you that this change really is being made for performance and security reasons, and not to hurt ad blocking?

Is there a security argument for this change? I must have overlooked it.

As for performance: users have a choice about what extensions they use. If Google sincerely believes that their proposed limited content blocking API is adequate, then they can expect that users will notice the performance advantage and move to a new ad blocker even if the old API remains present. That's the main mechanism by which uBlock Origin has largely replaced AdBlock Plus.

On the other hand, in the (fairly likely) case that we find out the new ad blocking API doesn't allow for very thorough blocking, and the ads that make it through slow things down more than our current generation of full-featured blockers, then the lower overhead of the new API really doesn't help end users in any meaningful way.

Divest Chrome to an independent foundation. There is nothing cynical in being suspicious of the dominant ad business on the internet misusing their position. There is nothing they can do to alleviate that mistrust short of giving up control (or being forced to in the pending antitrust action).

> what would it take to convince you that this change really is being made for performance and security reasons, and not to hurt ad blocking?

It's a fair question, but there are several of things that would at least help convince me.

They could demonstrate that they have tried all other solutions that would solve the security issue.

They could demonstrate that the performance benefits of the change would be bigger than the performance benefits of ad blocking.

They could implement a more performant/secure API that still allows full ad blocking.

They could build ad-blocking into chrome (doesn't seem likely to me, but it would convince me).

Maybe make this step after discussing & listening to the other browser makers who support extensions.

Maybe listen to the people who actually write the ad blockers.

>"I think they've been trying to give the impression that they’re working with the developer community, when in fact they’re pretty entrenched in what they want to do," says Jeremy Tillman, president of the privacy and security-focused ad blocker Ghostery."


> what would it take to convince you that this change really is being made for performance and security reasons, and not to hurt ad blocking?

A strong argument for how that change accomplishes those things, along with evidence.

Google has not been able to provide either of those things.

Perhaps if Google got out of the ad serving business.

I hope the ad blockers completely abandon Chrome when this change gets pushed through, rather than attempting to work around it.

Google is using a slow-frog-boil approach to re-desensitize their users to ads, and it's working. The only thing that will work here is a big splash of cold water to the face.

Maybe Chrome losing all of its ad-blockers overnight will finally start making a dent.

Unfortunately the owners of the most popular adblocker have successfully created a revenue generating business out of adblocking and aren't about to abandon Chrome.

Outside of uBlock Origin the popular ad blockers are business (see pay for acceptable adds), there's no way they abandon chrome.

Chrome launched without any support for extensions. chrome.webRequest didn't appear until the end of 2013.

In the absence of a true standard for browser extensions, perhaps Mozilla should consider trying to form one by leading with a strong example instead of weakly implying that they will eventually probably cave to the monopolist.

It's also quite disappointing how there is seemingly no one from Mozilla here, engaging with us on this topic. Instead, the only communication we get is one-sided corporate speak, with no real ability to respond.

If anyone from Mozilla is reading, who do you think will spread Firefox among non-technical users if not the type of crowd that frequents HN?

> In the absence of a true standard for browser extensions, perhaps Mozilla should consider trying to form one by leading with a strong example instead of weakly implying that they will eventually probably cave to the monopolist.

That's exactly what they've tried to do. Firefox exposes a `chrome` namespace object to extensions which is intended to be more or less API compatible with what Chrome provides and added the `browser` namespace object where improvements to the base compatibility are added (e.g. switching from callback based APIs to Promise based APIs). See the bit from the wiki below and the link to the browserext spec:

> Mozilla has worked with Microsoft and Opera to implement browser extensions so that developers can write extensions that work across multiple browsers. The preliminary specification[1] matches what Google has implemented in Chrome so that extensions will work on Chrome, Edge, Opera and Firefox.[2]

[1]: https://browserext.github.io/browserext/

[2]: https://wiki.mozilla.org/WebExtensions/Spec

Well, it's not enough to try, unfortunately. They have to persist and this talk about the importance of keeping compatibility with Chrome in the context of blocking webRequest removal is not very encouraging.

This is disappointing. Mozilla can't seem to make up their mind if they want to offer a different product from google or just "Chrome, but for nerds"

> Cross-origin communication: In Manifest v3, content scripts will have the same permissions as the page they are injected in. We are planning to implement this change.

What will this mean for GM.xmlHttpRequest in userscripts? Adding content from several different sites with userscripts can be very powerful.

Was wondering about that too - but this seems to be just a Spectre defense, not a change in what extensions can do.

The change[1] only affects content scripts because they run in the same process as the website. You're still able to fetch arbitrary origins in a background page. So GM has to move the fetch to the background page, then send the content to the script via message passing.

[1] https://www.chromium.org/Home/chromium-security/extension-co... .

Stylus (Stylish without the tracking) sure is a nice interface, but you don't really need an add-on for that functionality. Create "chrome/userContent.css" within your Firefox profile directory and populate it with something like:

    @-moz-document domain(example.com) {
        img { opacity: 0.05 !important; }
Note that there's some about:config flag that needs to be switched since the version that got released today.

Mozilla really needs to get that if they compete with Google on Google’s terms, they’re rapidly heading toward extinction.

Mozilla ought to be the browser for a private and usable web, but it seems they have occasional sneezes where you question what they’re doing (this, pocket in recent memory).

I'm extremely worried that once Google disables ad blockers in Chrome, websites will wholesale block any and all non-Chrome browsers. Be it through user agent sniffing, feature detection, or fingerprinting, Firefox simply won't work anymore.

The future of the web where Google is in complete control is straight up nightmare fuel. Microsoft in the early 2000s never scared me as much as the future we're headed into does.

This won't be IE versus Netscape since websites are no longer served as plain old HTML. They're messy, thick, and impenetrable javascript blobs--not documents. We're not arguing about websites simply not rendering correctly in the less popular browser. This is a battle for the absolute control over information distribution.

What do we do to prevent what's happening?

Google already shot down XHTML, which was rich with semantics. That was a web written for documents and tools that could query those documents for meaning.

Whatever Google has become needs to be dismantled. The ad company can't be the browser company and phone company. It's a perverse alignment of incentives.

> This won't be IE versus Netscape since...

Well, also since Chrome if open source, cross platform, and standards compliant, and IE was none of those.

And Google (unlike Apple) allows competing browsers, based on modified Chrome code, or entirely different engines.

Soon we will have a good, cross platform Edge browser, thanks to Google, and a menu of browser options in Europe thanks to the EU. (Maybe other countries should push for the same.)

But Chrome if no IE.

And I believe that in Europe they will soon be

perhaps a more optimistic take on "no immediate plans": there could eventually be an alternate standard for webrequest that addresses Chrome Devs' (perhaps legitimate) privacy concerns around most extensions being able to sniff, modify, and log all of your traffic on the entire web with a single, unobtrusive modal click. There is room to make the web platform more secure without stripping power from the user-agent, surely, or giving bad actors a trivial foothold. Frankly, my concerns around the webrequest API are numerous, the only reason IMO that Chrome isn't deprecating webrequest in Enterprise builds is for corporate spyware.

At the very least a new webrequest spec that is more ergonomic and more safe than the webrequest API (without neuturing adblock) could show whether the emperor has no clothes, vis a vis "Google Adtech is directly influencing Chrome and web platform development" plots

"no immediate plans to remove blocking webRequest" ... yikes

Really interesting what the new Edge is going to do in this regard...

I dont like the idea of extensions being able to inject data in either direction.

On top of that, I'm not in favor of extensions doing anything to improve security - I want that in the base browser.

It seems I'm in a minority here, but I was never comfortable installing any adblock extension because the existing request blocking API means that the extension would see all web traffic generated by me (including private URLs that are otherwise not known to anybody but me).

I personally feel that now with manifest 3, I can actually install adblockers since the newer APIs do not share all my web traffic with the extensions.

Can somebody explain why removing blocking API was overall a bad decision by Chrome?

> the newer APIs do not share all my web traffic with the extensions

The webRequest API can observe the URLs you visit without needing blocking permission.

And so does the webNavigation API, the tabs API, history API, content scripts, possibly cookies API and whatever else does not come to my mind.

Shouldn't those be visible in the permissions prompt, prior to installing the extension?

> Extensions would still be able to use webRequest but only to observe requests, not to modify or block them.

What's the point of an ad blocker if it doesn't block ads?

I’d like to see this done along the lines of how iOS handles keyboards: allow full web request reading and modification, but only in a sandbox that is per-origin.

uBlock is open source, you can verify that the extension in your browser is the same that is published in the github repository.

The blocking API being removed is an issue because the replacement does not cover all use cases and severely limits what ad blockers can do to intercept filtered content.

Google is obviously aiming to boil the frog slowly and make ad blockers a such terrible experience that Chrome users will not use them.

A humble proposal: A build of firefox that initially differs from Mozillas in that

- it has a different default search engine selection that can be sold in the same way that Mozilla sells this same feature to google presently

- no ads on new tab page

- bundled with ublock origin

The goal being to increase the value of selling the search engine selection while decreasing the value of mozillas in effect siphoning off some of the value of mozillas primary revenue stream.

Such funds could be donated back to Mozilla or used to maintain a fork that doesn't ruin adblocking. Their choice.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact