
It's not whether uBlock Origin is a security risk, it's whether the APIs it's using are a security risk, lest they fall into the hands of a less benign actor.

(I also wish they'd kept the APIs open, just stating the other case.)



You're complaining that a general purpose computer can be used for... general purposes.

Computers should do what their users tell them to.

I wouldn't appreciate a smartknife with a blade that only extended when something I was authorized to cut was in range. "Unrecognized cultivar".

Tools do the work their possessors wish. Why would you let someone limit your tools? It's everywhere now. It's in the coffee pods.

Why does everyone else know better than the user what the user should be doing?


> Why does everyone else know better than the user what the user should be doing?

See Windows and the malware infested ecosystem. People obviously don’t know what they’re doing, and/or don’t have the time to vet every little action they do on their computer.


But uBlock Origin keeps me safe online.

I'm sympathetic to concerns about people who don't know what they're doing, but if I'm a Safari user, I have to value keeping myself safe first. This change makes ordinary users safer, but makes power users less safe.

I understand why Apple is doing it. But I'm still going to advise responsible owners to ditch Safari and pick a browser that will do a better job of blocking trackers.


> But uBlock Origin keeps me safe online.

The problem is that all of the spyware says exactly the same thing. If the API exists, ordinary users are going to be asked to make huge security decisions with no effective way to tell whether the vendor (or the new owner who just bought it) is being honest.


Sure, but:

> I'm sympathetic to concerns about people who don't know what they're doing, but if I'm a Safari user, I have to value keeping myself safe first.

This change still means that Firefox will have better adblocking and privacy tools than Safari. It's a tradeoff -- and if I'm a user that's already conservative about granting extensions permissions, I don't see how I get any benefits from this. I only get the downsides in the form of less effective blockers.


> But I'm still going to advise responsible owners to ditch Safari and pick a browser that will do a better job of blocking trackers.

Are the uBO alternatives like Ka-Block so bad?


They're not really comparable.

Ka-Block actually advertises itself as being less effective than uBO. Its selling point is that it's a simpler extension that blocks fewer ads and trackers, under the assumption that this is good enough and it'll on average be faster because of the reduced overhead.

> Some ads will get through this filter, and that's ok. We already have extensions that block every ad that's ever appeared on the web with a completionist zeal that must be admired.[0]

If you're blocking ads just to make pages load faster, Ka-Block is probably fine. If your primary goal is to protect your privacy, you shouldn't be using Ka-Block.

[0]: https://github.com/dgraham/Ka-Block


For privacy concerns, I would imagine that preventing the methods of tracking is much safer and more effective in the long-run than blocking the trackers themselves. Apple seems to be pushing pretty heavily on that front.


Definitely agreed. But nobody (including Apple) is going to pull that off for a pretty long while.

In the meantime, it's useful to be able to do things like block all third-party AJAX requests and whitelist them on the fly on a per-site basis, or intercept CDN requests for common libraries and redirect them to locally hosted versions.

Extensions like uBlock Origin may be a band-aid, but sometimes band-aids are useful if you're waiting for an open wound to heal. In the same way, when I give people privacy advice, I'm optimizing for things they can do right now.


To be clear, I agree, I just didn't think GP was fairly stating the alternate case.

As an aside, no one is stopping you from binary patching Safari on macOS, provided you don't mind turning off SIP. The nice API just isn't there anymore.


Injecting code into Safari works just as well and is much less brittle. You'll have to disable Library Validation for the bundle, though.


...excuse me, that’s what I was actually thinking of. Actually patching the binary would be stupid, I meant to say code injection. Thank you.


I suspect that from Apple's (and Google's, and to some extent Mozilla's) point of view this is all about the computer doing what its user tells it to do — 'its user,' unfortunately, being Apple, Google or Mozilla. We the people using the computers aren't adults capable of making our own decisions and being responsible for the consequences, but rather livestock farmed either directly (Apple) or indirectly (Google & Mozilla) for money.


...

Your computer is a desk weight without the (or an) OS and software that runs on it. Each OS or software package, down to libraries, makes trade-offs that restrict its usage from general purpose to a specific set of functionality. It is impossible to write a line of functioning code without constraining the concept of "general purposes" as you have implied above -- each line of code does "something" not "Everything" by its very nature.



