I guess the biggest issue I have with V3 is I don't really "get it".
The idea was initially that extensions have too many privileges and that malware can leverage those privileges for harm. I'd love data here! This is such a good area to share information on, as someone in security I'd really value that.
I'd like to see case studies on malware, or even broad things like "malware uses these permissions X% of the time".
But back to the point, assuming that this is true, how does V3 help? Specifically, what can malware not do with V3 that it could do before? Given the data, how will this impact the threat landscape?
I can think of some obvious things, like that you can't have dynamic scripts - cool, makes sense, I bet malware loves that and removing it seems like it'd be a huge win.
But WebRequests? I'm sure malware was using it, I guess, but what in V3 makes the malware use case for it harder? It seems like we're getting something that can be used maliciously just like before, but it's somewhat weaker in ways that malware won't care about? Again, data here would be great. I'd love to see "X% of malware used it this way, we removed that way".
Communication has seemingly been pretty bad around the motivations, which has led to a lot of people being pretty upset and confused about the changes.
Google, please share the data and reasoning!
edit: With regards to uBlock Lite specifically, I'm looking forward to seeing it evolve. I do like the idea of having a permissionless blocker that works decently and can then have the opt-in approach. I don't honestly consider it a massive security win though.
The reason you don't get it is that taking away the functional part of onBeforeRequest() doesn't really help with privacy. Because extensions can, for example, still inject arbitrary javascript if those permissions are in the manifest.
What it really does is ensure that adblockers can't do heuristics, and instead have to rely solely on semi-static lists of urls. That's a nice outcome if you're a company that makes most of their money from ads.
There's not really a nice way to say that aloud though, so trying to make it sound it's a way of ensuring extensions honor privacy and security sounds better.
Yeah, I said this in another comment, I don't really believe that to be the case. I'm not saying that a conflict of interest doesn't exist, I just don't believe that this move is part of an overall plan to have Google start bypassing adblockers.
It's not really unprecedented for them to offer up (often attractive and plausible) trojan horse reasons for why they do things that aren't the real reason. AMP, to me, is one good example. There are others.
I don't know what else they would really gain, or why else onBeforeRequest() was the most important thing to take away when extensions have so many other ways they can do harm.
Perhaps another way to look at it is not Google actively defeating adblockers, but giving a gift to their customers that pay for ads...making it easier for those customers to deal with the rising tide of adblockers, paywall end-arounds, etc.
> Perhaps another way to look at it is not Google actively defeating adblockers, but giving a gift to their customers that pay for ads...making it easier for those customers to deal with the rising tide of adblockers, paywall end-arounds, etc.
This assumes that Google's ads will start to bypass the V3 adblockers. V3 in and of itself does nothing, Google's ads are still blocked by the updated adblockers.
> I don't know what else they would really gain
Well that's what I'm asking haha I'd like to hear from them on this. Even if some people at Google are nefariously implementing V3 for some future plan to bypass adblockers, surely some people at Google believe that there are benefits to the work.
"Google's ads" is a broad category. I imagine there's many already defeating ad blockers. They wouldn't start with adsense or their ads on google search.
Ah, there's lots. What used to be "DoubleClick" still exists under a different name, a sort of more publisher controlled private-ish instance of Adsense/Adwords. Then ad-like things..embedded google shopping results, local search, google flights, travel/hotel widgets, etc. Ads inside products like Maps, etc.
Most bad extensions I've come across when trying to vet what I'm installing fall into two categories: those that are passively malicious: inserting redirections to affiliate links (or sometimes randomly spawning ad), and those that are "actively malicious" by scanning for browsing history and then sending that over to be sold off.
I guess the general idea of manifest v3 is to limit the page/extension boundary to being declarative in nature. I haven't looked into this too much to know how restrictive it is in practice, but at least one such thing is that webRequest is neutered so extensions can't run their own logic for request pre/post processing (where they might try to obfuscate/disguise the target redirect), instead they have to declare the list of redirect targets upfront, where presumably they can be scanned by trivial static analysis.
While I think there is indeed a problem of malicious extensions, I don't believe that manifest v3 is the solution. Switch to a more granular but still non-declarative permission model might be useful to gain a stronger signal on malicious extensions, or maybe requiring web store extensions to be declarative but allowing "power-users" to still manually install non-declarative extensions.
I don't think so. That gets repeated a lot but I think people are just unaware of the fact that Google ads are particularly uninvasive and easy to block. If ad blockers are less capable that will only help Google's competitors, not Google. Another comment the other day confirmed that Google's ads continue to be blockable with V3.
This could change - AdSense ads could start implementing bypasses. I think that's unlikely because Google would likely end up with a few lawsuits, questions about browser monopolies, and a congressional hearing. Certainly the EU would be on their asses. One day that may change, but I don't see this move as being part of any specific plans to improve AdSense revenue.
> That gets repeated a lot but I think people are just unaware of the fact that Google ads are particularly uninvasive and easy to block.
Not true in my experience, i have encountered adsensw that pretty invasive to my 2012 laptop's cpu core i3 gen3 (i know its pretty old), i dont think any ads should be that way.
You are right about requiring more case studies. In the same context, MV3 extensions are being moved away from persistent background pages to ephemeral service workers. There's a thread and several very popular crbugs for how the web-based service workers don't work well for extensions (https://github.com/w3c/webextensions/issues/72). Given all this, the Chrome team continues with the change citing increased performance when using service workers. However, even when extension developers continue to come out with claims of decreasing performance, the Chrome team - as in the malware case - has not provided any case studies on how it is so sure about the increased performance (or efficiency, memory use, etc.) of SWs.
The idea was initially that extensions have too many privileges and that malware can leverage those privileges for harm. I'd love data here! This is such a good area to share information on, as someone in security I'd really value that.
I'd like to see case studies on malware, or even broad things like "malware uses these permissions X% of the time".
But back to the point, assuming that this is true, how does V3 help? Specifically, what can malware not do with V3 that it could do before? Given the data, how will this impact the threat landscape?
I can think of some obvious things, like that you can't have dynamic scripts - cool, makes sense, I bet malware loves that and removing it seems like it'd be a huge win.
But WebRequests? I'm sure malware was using it, I guess, but what in V3 makes the malware use case for it harder? It seems like we're getting something that can be used maliciously just like before, but it's somewhat weaker in ways that malware won't care about? Again, data here would be great. I'd love to see "X% of malware used it this way, we removed that way".
Communication has seemingly been pretty bad around the motivations, which has led to a lot of people being pretty upset and confused about the changes.
Google, please share the data and reasoning!
edit: With regards to uBlock Lite specifically, I'm looking forward to seeing it evolve. I do like the idea of having a permissionless blocker that works decently and can then have the opt-in approach. I don't honestly consider it a massive security win though.