I like that Ars tries to defend ad blocking, but please, prepare better, maybe talk to actual developers and avoid false accusations.
It’s completely okay to criticize Google for doing really controversial (to say the least) stuff like getting rid of blocking webRequest, but criticizing them for prohibiting inclusion of remote JS in the extension is simply bad work.
They could do a minimal fact check, remote JS was never allowed in Mozilla Addons store. A bit more research and they’ll learn that cosmetic filters updates do not require an extension update. A little bit more research and one can learn about the no-review-fast-track that Chrome WebStore plans to implement next year.
It isn’t “nothing else”, cosmetic rules can still be updated independently “over-the-air”. One more approach (a bit “hacky”) is to distribute cosmetic rules inside static rulesets (hide them in a separate “metadata” field).
I personally like the fast track idea as we can use the CWS infra to distribute updates quickly, but this is not the only way.
Differential updates are also possible and if they’re implemented, you can keep a normal release cycle (6 weeks for instance).
> It isn’t “nothing else”, cosmetic rules can still be updated independently “over-the-air”.
It's not just about cosmetic rules, it's also about DNR rules other than block/allow/allowAllRequest: redirect=, removeparam=, csp=, etc.
If the idea is that these DNR rules require non-fast-trackable thorough reviews, but dynamically updating them will bypass those thorough reviews, than I am at a lost to understand the logic of treating them as requiring thorough review.
If these DNR rules are considered potentially harmful thus requiring thorough reviews, why would they be allowed to be downloaded from a remote server and dynamically created in the first place?
There is also the content scripts-based filters, which is something that change every day. This is where we diverge, I chose to go fully declarative because this way these content scripts are injected reliably in a timely manner by the MV3 API.
This is not the case when injecting in a event-driven manner since the extension's service worker may need to wake up, fully restore its current state, then by the time it's ready to inject the content scripts programmatically, it might be too late as the target webpage has already started to load.
The “safe rules” concept is a little strange indeed, not very consistent.
I actually agree that for an MV3 ad blocker I’d better have a fully declarative default (emphasis on default), but I’d like to provide an option to grant more permissions and allow more rules. I’ll wait until declarative cosmetic rules become a thing before going this way though.
What I don’t like about your way is that it’s very difficult to use the MV3 version for filters development, filter list authors will have to re-build the extension every time they make any change to the underlying filters.
Maybe this is not a big problem though, we’ll only see it when MV3 becomes the only option and there will be more issue reports from its users.
> If the idea is that these DNR rules require non-fast-trackable thorough reviews, but dynamically updating them will bypass those thorough reviews, than I am at a lost to understand the logic of treating them as requiring thorough review.
While they solve similar problems, these are different systems with different constraints.
* In order to allow something through the review process without close examination, you need to be sure it will not compromise end users. The block, allow, and allowAllRequests actions are known to present minimal risk to user's web browsing activities. The same cannot be said for redirecting requests or modifying a request's headers.
* Dynamic rule registration logic can be statically analyzed for risk assessment purposes. For example, say you're looking at two extensions that both have dynamic rules. Extension A only dynamically register block rules based on remote configuration. Extension B has <all_urls> and passed an arbitrary JSON object to the updateDynamicRules call. Personally, I'd be very concerned about what Extension B could do at the developer's behest, whether intentionally or if the dev's servers are compromised. IMO Extension B may even cross the line on what store policy permits.
* Expectations for extension's static content are different from an extension's dynamic operations. If an extension has code that explicitly does something nefarious and that passes review, the review process will be raked over the coals by commentators. If an extension's static contents are benign but a developer makes it do something nefarious at runtime, there is more understanding that this behavior may not have been visible to reviewers during the review process.
I'm sure there are more differences worth mentioning, but I need to run.
As a final parting thought, if safe rules and fast track review were already implemented and dynamic rules were being proposed today, I expect we'd be having conversations about whether or not devs should be able to register unsafe dynamic rules. I think there's a realistic possibility that we wouldn't allow it. Or if we did, that this capability would be gated by a new permission with a warning.
Filter lists are composed of two types of rules: “cosmetic” and “network”. Network rules define what needs to be done with web requests (block or redirect). In MV3 these rules should now be implemented via new declarative API.
Cosmetic rules is a very wide subset of ad blocking rules that define how a web page needs to be changed. These are implemented the old way.
> I don't see any issues with ublock in firefox, so what's going on there?
uBlock Origin does not use remote JS so yeah, what’s going on with the article is a good question.
The article’s claim is factually incorrect, self-update will also still be possible to implement even without the fast track. It will be more complicated than it is now as we’ll need to do that via differential updates, but nevertheless.
This is the first time I've really looked into Manifest V3, and I'm confused as to how the "no remote JS" restriction is enforced.
What prevents a developer from using non-remote JS (code built into the extension) to tell the current web page to fetch remote JS from a server, and execute that? Obviously, web pages must be able to fetch remote JS, or the whole internet would break.
Google could delist such an extension from the Chrome Web Store. But Chrome (unlike Firefox, grr!) allows extension sideloading, so if I was UBlock Origin I would just say screw the Web Store, download from our website.
And then, once UBlock Origin can inject an unlimited amount of turing-complete Javascript onto the page, the sky is basically the limit... right?
Firefox extensions don't need to be listed in the web store, but they must be signed by Mozilla, no exceptions.
I have used both browsers, and I find sideloading in Chrome to be completely painless. I use many sideloaded extensions in Chrome (mostly because I wanted to make small edits to existing extensions).
I guess I'm trying to figure out whether all this fuss is really a limitation of Manifest v3, or merely Chrome Web Store policy. If the latter, I don't see a problem as long as sideloading is possible, and I really hope UBlock Origin will just go that route.
Sideloading is the real freedom which everyone should rally around and protect. (I am extremely unhappy with Mozilla's approach to this, if you can't tell.)
> Firefox extensions don't need to be listed in the web store, but they must be signed by Mozilla, no exceptions.
There is. But you must be running firefox on Linux, on specific distribution (i.e. Debian or Fedora), built by that distribution and the extension has to be installed system-wide by root. Then the signature won't be enforced.
So in a sense you're not running Firefox anymore, you're running a derivative from your distro which modified the source code. (I do appreciate that they do this, however.)
So what can the webRequest API do that couldn't just be accomplished via Javascript injection? From my perspective—admittedly not really understanding how UBlock Origin works—Javascript is basically all-powerful on a web page. Once you have that, I'm surprised that anything else could be a meaningful restriction.
Javascript is very powerful, but simple injected Javascript can't e.g. undo requests (from other scripts or just normal resources like third-party images) that have already happened. An injected script is not guaranteed to run before the site's own scripts, I believe.
Other than that, you can probably really do everything you could do with the webRequest API, but the complexity of doing it essentially reduces to the halting problem: You'd have to statically analyze all Javascript loaded by the page and figure out if it's going to do any requests you don't want to happen and then rewrite these parts. Maybe there's clever things you could do by shimming all web APIs that can issue HTTP or other requests, but that also doesn't sound fun.
On the other hand, with an API that just gets to veto every outgoing request, you can trivially achieve the same goal.
Another area where in-page Javascript is limited compared to an extension is the same origin policy. A very fancy ad-blocking extension could e.g. run an image classification AI on third-party image resources and hide the ones that look like visually distracting, flashing etc. ads by default – in-page Javascript can't.
Thank you! I guess the main problem is figuring out which elements are ads. Blocking certain requests is a handy way to do that, at least for as long as external ad servers are the norm.
> Simple injected Javascript can't e.g. undo requests (from other scripts or just normal resources like third-party images)
But could you detect the request, see what element it loaded in, and then hide that element? Or is that much more complicated than I'm imagining?
If you only care about visual annoyances I believe that should generally be possible (although I also don't know the details!), but many people also use content filters to stop third-party tracking.
JS is important, but it’s only a part of what’s required. webRequest allows the extension to manipulate web requests: blocking or redirecting them. MV3 tries to replace the old webRequest with a declarative alternative and it’s almost impossible to provide a declarative rule for every possible use case.
Getting non-technical users used to regularly sideloading extensions sounds like a recipe for disaster in terms of security.
I'm also not sure if sideloaded extensions can receive automatic updates, but the much bigger problem is getting people used to sideloading unsigned extensions with full web site access: Tech support scammers will have a field day with that.
It wouldn't be good for security. But I fundamentally believe that user freedom—the ability to do what big tech would rather they did not, such as adblocking—fundamentally depends on sideloading. You simply can't have one without the other. You're trusting the vendor to decide which software is safe, but that vendor will inevitably also consider which software makes them money.
On platforms where sideloading is either impossible (iOS) or usual (Android), adblockers are completely inaffective. The gatekeepers simply don't allow them to exist. This is true even though the maker of iOS ostensibly (!) isn't ad supported.
> I'm also not sure if sideloaded extensions can receive automatic updates
They can't (at least without some external software), which is why the ability to load remote Javascript would be important. For less frequent updates, they could prompt the user.
There’s a legal avenue for this kind of thing too: pass laws that enforce clear and transparent rules around what the gatekeeper can do and give legal recourse to participants to hold said gatekeeper accountable if they break them.
But it's still like putting the coal companies in charge of the EPA. You can add laws and mandates to try to tie their hands, but they're going to push the boundaries as much as they possibly can.
You could have app approvals go through some truly public, government-run agency... except frankly I'd object to that too on free-speech grounds.
I'm not a developer, but I trust the author of ublock Origin a lot more than I trust Mozilla.
Mozilla routinely fails its users and spends a lot of money on downright bad ideas. They are a pinnacle of intransparency and most of their press releases are written in Newspeak, far worse than Google, ironically.
In this very thread we have a discussion about Mozilla putting the boot on its formerly open extension ecosystem.
So it is an odd idea that the manufacturer of the browser (Google, Apple, Microsoft, or Mozilla) should have a say in how much I can trust my content blocker.
The last group of stakeholders I would want involved in decisions about my content blocker is the ad-funded tech industry.
Ad blockers work fine on iOS. Yes, compared to ublock some things get through but not many. I have had good success with 1Blocker and AdGuard. Apple has allowed those apps for years.
> Unsigned extensions can be installed in the Developer Edition, Nightly, and ESR versions of Firefox, after toggling the xpinstall. signatures. required preference in about:config
Exactly, not in regular, in those builds the xpinstall flag is ignored.
A lot of people recommend switching to Developer Edition to use unsigned extensions, but that's aligned to the Beta update channel. There's no way to get stable releases + unsigned extensions.
Whatever the security argument, I find this completely antithetical to user freedom, especially given that it's allowed in Chrome! I just can't believe that Mozilla is the one restricting their own users.
(It's also news to me that unsigned extensions can be enabled in ESR, I thought it was just Nightly and Developer. That's nice I guess.)
I used to run a homebrew'd extension to change my new tab page. Chrome makes it so annoying to use a sideloaded extension. Every time you start the browser, and every couple of hours when you open a new tab it will have a big popup warning you that an unsigned extension is running, and give you a big button to remove the extension that fires when you hit space or enter, and a tiny little subtext button to continue using the extension. After the 3rd time accidentally uninstalling the extension because I was typing in a search too quickly and not paying attention, I gave up on using it.
Google's showing their hand. You're here nitpicking. If something CAN be done, it usually WILL be done, especially if the actor is a business and the reward is power, influence, or profit.
Will you be one of the ones 'giving Google a chance' once they play their hand next year?
Because that agenda is hypothesis based on outsiders' observation of what Google is doing. It needs to be based on facts. Without facts, such an "agenda" is really just speculation and fear-mongering, not much better than the likes of Breitbart News.
Speculation like this is easy. I can also just speculate that the Ars has an agenda to slander Google. Expand that to a couple hundred words and you have an article. Now get people to read it and become angry. That's basically the sorry state of online journalism.
I'm more of a technologist than a product guy so I care more about the technologies coming out of Google. When I see major open source efforts like tensorflow or k8s I see goodwill and trust. Outside the realm of software, when I see principles or ideas or algorithms like CoDel, BBR congestion control, and SPDY (later becoming HTTP/2) and even later QUIC, MASQUE, I see the same (please excuse me for listing networking technologies because that's where my recent interests are). Here's a very simple thought experiment: if all the above technologies came from a different company say Cloudflare would you consider these earning them trust? The answer is an unequivocal yes.
The only reason why you might be unable to name a single thing Google did to earn them trust is perhaps because of rampant brainwashing by the anti-Google rhetoric.
What about MV3 requires going through the Chrome Web Store to update block lists? A quick look at the declarativeNetRequest docs (https://developer.chrome.com/docs/extensions/reference/decla...) shows that there are indeed static rulesets which need to be declared in the extension's manifest, but also dynamic rulesets which can be updated via JavaScript (and so presumably can be fetched and updated dynamically). I can't seem to find any specific limitation of dynamic rulesets vs. static rulesets.
That chrome.com page talks about not loading remote code and literally describes loading remote configuration as the correct fix:
> Alternative approaches are available, depending on your use case and the reason for remote hosting. This section describes approaches to consider.
> Configuration-driven features and logic
> Your extension loads and caches a remote configuration (for example a JSON file) at runtime. The cached configuration determines which features are enabled.
The uBlockOrigin FAQ seems to be mixing scripts to run as part of a page with declarative filter lists. I thought the whole point of Manifest V3 was to prevent extensions from snooping on online banking, email accounts, etc...
Nothing here seems to say that you couldn't update a declarative filter dynamically.
For an extension to be entirely declarative, it must package all the scripts to inject anywhere, the scripting.registerContentScript API doesn't allow injecting code as string[1], the content scripts must be part of the package.[2]
There is userScripts API which allows injecting code as string, but it's impractical as in Chromium-based browsers this requires extra steps by the user to enable the API.[3] In Firefox, the documentation for this API has the following note[4]:
> When using Manifest V3 or higher, use scripting.registerContentScripts() to register scripts
I've edited my comment to also include a link to the Chrome docs, but that FAQ entry also has the link to an issue in the webextensions repository indicating it's a limitation of MV3: https://github.com/w3c/webextensions/issues/112
But that issue has nothing to do with the question of whether the "filter lists" could be updated dynamically without store review. It's asking for a way of programatically triggering the update to the latest version of the extension in the store.
That feature request being fixed would do nothing to enable updates without store review. And likewise the feature for doing updates of the ruleset without a store review already exists but is not used by UBOL.
So the link doesn't actually support your claim of it being a limitation of MV3. The link is just irrelevant.
The FAQ hints at why UBOL doens't make use of that feature, but doesn't actually state it outright.
> So the link doesn't actually support your claim of it being a limitation of MV3.
From the issue: "In Manifest V3 remotely hosted code is no longer allowed."
Altought the parent was talking specifically about network requests, in which case you may be right and I missed it, but that's not the general problem. Blocking network requests is not sufficient for modern ad/tracking blocking and to be able to run effectively they need to inject scripts into the page, thus "remotely hosted code" is necessary, and the Chrome docs above says that it's not allowed.
The new complaint in the article was about dynamic updates not being possible. That is just demonstrably incorrect, and not countered in any way by the FAQ link.
But you're now trying to switch it to just a relitigation of switching to declarative blocking in general.
I think the article is talking specifically about downloading and running scripts for working around a particular site dynamically, such as Youtube ad blockers.
That said, I don't know if this really is a technical block from e.g. adding a script tag to a YouTube page to pull in a third party resource. My impression was that it was blocking arbitrary scripts specifically within the extension context, and not in the browser context.
> I think the article is talking specifically about downloading and running scripts for working around a particular site dynamically
The article specifically mentions "filter lists" being subject to review time.
> All updates, even to benign things like a filtering list, will need to happen through full extension updates through the Chrome Web Store.
> Is a filtering list update, which is essentially just a list of websites, really something that needs to be limited by the "no remotely hosted code" policy?
> So since all filter list updates now need to go through the Chrome Web Store, how long does a review take?
To me, this seems pretty clear: don't inject anything "executable" into a webpage except CSS.
It does look like you could maybe use a sandboxed iframe and ask it about page features and whether they should be blocked, and that this might be permitted.
Okay, refresh probably won’t help, but you can build logic gates in css, and css has for example, the ability to animate things forever:
animation-iteration-count: infinite;
Hypothesis - you can find a way to use animations and logic gates to build a very crappy cpu complete with program counter, and then use that to run arbitrary code.
If I'm trying to be gentler and more useful: I think some people are too excited to find Turing completeness, and don't really think through the necessary components and what you can and can't fudge before it doesn't count anymore. Many Turing machines are so barely functional to begin with that even slight reductions in capability will ruin their computational ability.
As to your hypothesis, you'd need a way to have an animation conditionally turn other animations on and off each time it loops. I don't think anything like that exists in CSS.
You're just making stuff up at this point with no evidence or source. If the intention was to forbid dynamic fetching of declarativeNetRequest filter lists, Google could also just... not have dynamic filter lists.
Google's playing the long EEE game. They do small things like this so people like you go around telling us it's not a big deal.
Will you say the same things 5 years from now? Google needs to be kicked out of consideration for web standards. They keep treating it like they own it.
I don't understand why Google counteracts indirectly. Why can't they just ban adblockers from the Chrome Web Store? If that's not possible, why not just remove specific adblockers one by one? Removing the big ones would probably stop most people from using them.
My assumption is that banning them outright will make it super obvious you can’t run adblock on chrome. With Manifest V3 limiting their capabilities but not getting rid of them, the layman user will still feel like they have adblock and aren’t likely to know it’s not as powerful as it was before.
Google might be trying to have their cake and eat it too - hamstring adblocking enough that their sites and ad networks can work around it but other sites and ad networks will remain blocked.
Help people save money on their insurance by playing as the Geico lizard! Find out the dirt on used cars as the CarFax fox! Yesterday's annoying mascots are today's folk heroes.
Ads will never be the 'new content'. If I want to read a news story, or find some key information, do you really suppose I will appreciate being confronted with "Avoid the Noid" or other fatuous games?
Banning them will invite antitrust regulation, because there's a conflict of interest between giving away the browser and crippling it to benefit their advertising business. I suspect that for the legal department, it's too close to the historical example of Microsoft leveraging its operating system dominance to benefit Internet Explorer and hurt competitors like Netscape. If they bury the anti-adblock strategy under layers of technicalities, they can plausibly deny that they're targeting particular vendors.
That would get them a lot of bad press and many people would leave. It might even get AGs attention. If they just do ambiguous annoying things, that's safer for them.
Perhaps that’s exactly why they don’t. They know there would be an exodus because they know what the install-base of ad blockers are in Chrome. Their market dominance is worth more than the marginal lost revenue from some ads being blocked.
They benefit from people blocking ads, just not their ads. And they can't just build something into their browser to block everyone else's ads by default because that'll be uncompetitive.
Is it? I've seen ad blockers try that "privileged ads" model. It's hilariously unpopular and unprofitable due to product market mismatch.
Maybe I am cynical about the law, but I assume the only reason they don't block other networks is because it would be their same advertisers, and they would be furious enough to take action.
Note however that they get to decide this criteria, I as a user does not have any input as to which ads are "disruptive". And hey, it just so happens that their criteria allows for their own ads.
Yes, which is not "block everyone else's ads". Your own first link says that websites eventually fixed their ads to comply with their "Better Ads Standards" and thus became able to show them again.
> Why can't they just ban adblockers from the Chrome Web Store?
The answer is legal antitrust lawsuits. Chrome has a near monopoly and Google is the largest advertising actor, banning ad blocking altogether risks giving ammunition to the inevitable antitrust lawsuits.
What they prefer to do instead is degrade their effectiveness step by step, it's way less risky for them.
Google has of course considered doing this. We can't know their exact calculus, but whatever it was, they came to the conclusion that playing cat-and-mouse is financially advantageous to them. Maybe it's a legal concern, maybe it's a market share concern, maybe adblockers don't actually erode their overall ad profitability to the degree we think it does. But whatever the reason, Google decided they will profit more this way.
There is a baseline assumption that this is motivated by ads. I really don't think Google is coordinated enough for ads to exert pressure between orgs in that way. People in chrome really are just optimizing for security and safety.
I am not sure if this is not a sarcastic take, but I will bite.
Google are generally not coordinated well on anything, but this current war on adblockers is a notable exception. Consider the following 3 things all happening in the same time frame:
1. Youtube's rollout of detecting adblockers and updating their code a couple times a day to prevent you from running an adblocker
2. The manifest v3 standard
3. The Privacy Sandbox trash
They are using the dominant position of Youtube as video content platform (point 1), chrome/chromium (point 2) as a browser engine and their current dominant position in the ads market (point 3) to achieve a couple of goals. With the privacy sandbox, they force ads to go through their ecosystem, with the manifest v3 they deliver a big kick to the adblockers, and with Toutube, they are using one of their most successful platforms to further push their ads agenda.
To me, unskippable ads are going to:
- make me hate the brand that's wasting my time by advertising crap I don't need and making me watch it
- make me hate the platform on which this ad is played, especially knowing the platform jumped through specific hoops to make the ads unskippable for even the power users
And if you've ever worked for 'em, even in a department related to neither Chrome nor Ads, you'll soon know the influence of the Ads team. Prestige, high-pressure jobs, top people, and influence everywhere.
That would also prevent lots of if not most people from using Chrome too. They have to pretend to care privacy & security so that they can put more into their pocket.
Not sure about the second part. Considering they have a dominant market position/gatekeeper/whatever, they probably have to actually make an argument for "why not" in the case of tracking blockers (age restricted content is another discussion entirely).
Otherwise, abusing dominance in the phone app store market to benefit their (also dominant) ad surveillance business sounds very, very much like something the DMA could and should punish.
If Google had their own porn app in the Chrome or Play stores, but banned all other porn apps, I guarantee they'd lose quite a few anti-trust related lawsuits, and quickly.
Absolutely clickbait. Nothing in the article suggests that review times are increasing, they’ve always been “from a few minutes to a few days”.
Also filters do not depend on extension updates at all, they are plain text files that can be updated at any time. Not to mention that they can contain “scriptlets”, which make them quite literally “remotely hosted code” and still allowed by MV3 (because they’re not raw JavaScript)
> We've covered this already. But we haven't talked about the other side of the equation: Ad block rules can't be updated quickly anymore. Today, ad blockers and privacy apps can ship filter list updates themselves, often using giant open-source community lists. Manifest V3 will stop this by limiting what Google describes "remotely hosted code." All updates, even to benign things like a filtering list, will need to happen through full extension updates through the Chrome Web Store. They will all be subject to Chrome Web Store reviews process, and that comes with a significant time delay.
If this is factually incorrect, it would absolutely warrant a correction to the article.
> If this is factually incorrect, it would absolutely warrant a correction to the article.
It is incorrect. MV3 definition updates go through an automated fast-track process for safe rules. See the presentation[1] and Q&A[2] at the recent Ad Blocking Summit.
I wouldn't hold my breath on a correction. Ron never corrects his articles, like when he confused the Privacy Sandbox with the Topics API a couple months ago[3].
Then it would make sense to write such articles if and when that happens. Until that point, the claims being made in this article are simply incorrect.
The only real part is that MV3 does not allow actual remote JS to be run on web pages. However you could still run it in a sandboxed iframe (not super helpful to adblockers though)
Not only does Google take a long time to review extension updates, but Chrome pulls extension updates infrequently. So even if you manage to get an update pushed to the store in 24 hours, it may take another day or more before your users actually get the update.
All of this put together means you really shouldn't trust Chrome extensions for anything important. If there's a security vulnerability in something like your password manager, the update is going to take days to reach your system.
Weirdly, earlier today I had a bunch of problems loading Google web properties on Firefox - GMail hung completely (wouldn't even load all the way! no more basic HTML option!) and Sheets was showing half-rendered documents (even after several refresh attempts). All the other sites were fine.
This happens periodically, where google services act funny with a Firefox user agent. Just use edge or chromes user agent string, and Google sites will work again.
This is such an annoying approach for Google to force people to using Chrome... I get that they're not testing stuff on Firefox, so much is obvious. But there are so many times things don't work properly in Firefox (YouTube loading slower, lag in Gmail, Drive having weird UI<>backend synchronization bugs) at a first glance, but as soon as you set the user-agent to Chrome, things just magically work perfectly fine, and all issues disappear.
Someone should really be doing a deep dive into this issue, because it's been going on for a long time, and is clearly anti-competitive. My guess is that they're really good at hiding this/making it look accidental rather than on purpose.
Gmail’s always very nearly unusable on mobile safari, mostly due to their user-hating decision to use custom scrolling. Constant accidental touch events when trying to scroll, and it breaks in weird ways that require reloads to fix. And that’s aside from the scrolling itself working poorly to begin with, but short of outright breakage.
IDK if it’s better in iOS Chrome, but it’d be pretty damning if it is, since they necessarily use the same engine on that platform.
Google might as well skip all this dancing around and build their ads straight into Chrome. Good luck doing some work while you have to watch a video ad every hour or so, and every page has ads literally in browsers "chrome".
It won't. But not because this is desirable. All these anti-user measures are small and gradual steps that regular folks won't immediately recognize. Something about a frog and boiling water.
Beyond that, how many ordinary non-techie people are ever checking the actual changes of their app? I'd bet basically never unless a changelog page opens immediately after the update. And that's not exactly going to be worded in an understandable way like "we're doing this to screw over your ability to do what you want on the web".
The frog boiling analogy doesn't work long-term though, because humans don't live forever, and new ones keep replacing the old ones. A new crop of college kids is going to look at Chrome and say "nope"
Or the college kids are acclimated to the Google ecosystem because they been using Google Classroom on the Google Chromebooks in their K-12 classes for years.
Chromebooks happen to be a perfect example of a product that’s only ever used by people forced to, in this case by their school, as opposed to something people buy with their own money.
That's cute. Seems like a classic case of "you can't make someone understand something when their job depends on not understanding it", but in case anyone at Google reads this, here's a hint: People won't use Chrome if adblock is ineffective. They will use Edge, or Safari, or (in case you think you can make backroom deals with Microsoft and Apple to implement this in their browsers too), they'll use Brave. It's not a winnable game, save your money and play something else.
> People won't use Chrome if adblock is ineffective
Look how long the most of humanity stuck to Internet Explorer, even with Chrome literally stickied on the Google front page and IE's more dramatic drawbacks.
Edge in particular is kind of a bloated mess now. I used to prefer it over the Chromium fork of the week (Currently Thorium and Cromite), but now its just too spammy and slow. No one is switching to that.
Also I have extremely mixed feelings about Brave. Maybe even net negative.
I actual installed the unusable mess that is edge, on my Linux desktop, because I like the sound of it's text to speech voice.
Turns out that feature is only available on windows.
Uninstalled and will never try that piece of rubbish again!
>People won't use Chrome if adblock is ineffective. They will use Edge, or Safari, or..., they'll use Brave.
This simply isn't supported by evidence. Most users today do not use ad-blockers at all. People who do are in the minority, though it seems the minority is growing as more people get fed up with ads, and learn about ad-blockers somehow. Most users just aren't as motivated to avoid ads as you think they are. And it's not just clueless non-technical users: look at the countless comments here on HN in articles of this type from technical people who refuse to block ads because they think they're somehow obligated to look at them, and who call people like you evil and immoral.
If adblock becomes ineffective on Chrome, I expect usage rates won't change much. If ad-blockers remain effective on other platforms and not on Chrome, I expect that users might slowly migrate to those other browsers, over the course of many long years, just like they did with IE, but it's still going to be a minority because, as it stands, it's only a minority that even cares. Other people are perfectly happy to be bombarded with ads.
No, I'm assuming HN users are probably the most technically capable and most likely to use ad-blockers, so if a large portion of them refuse, we can assume it's even worse in the outside world.
Also, I don't have any stats handy, but the ones I've seen show that ad-blocker usage is well below 50% overall, according to various industry stats, though that number is rising.
Well, I haven't seen these "HN users who refuse to use ad-blocker". Can you point to some example posts? I think you might have seen one or two and you're misreading the true sample size.
Anyway, an important point here to remember is: Users are not dollars. We are not all equally valuable to advertisers. Drug companies spend tons of money sending targeted advertising to doctors. If you're a fast-food worker, you don't see any of those ads. You get generic untargeted ads. These lucrative individuals tend to be more technical (most doctors I know are computer power-users), and are more likely to use adblock. So a relatively small percentage of users using adblock, as long as it's the right percentage of users, could have a huge effect on Google's bottom line here.
>Well, I haven't seen these "HN users who refuse to use ad-blocker". Can you point to some example posts? I think you might have seen one or two and you're misreading the true sample size.
I'm not going to do your research for you. These people post every time there's a big discussion about ad-blockers, and there's more than one of them. Perhaps they're a vocal minority, but they really do call everyone else here a bunch of thieves for not watching ads. Of course, there's no way to do an unbiased survey here to see what percentage of HN users they really are. But given how many tech workers work for ad-tech companies (Google, Apple, Microsoft, etc.), I don't think they're some vanishingly small percentage.
>So a relatively small percentage of users using adblock, as long as it's the right percentage of users, could have a huge effect on Google's bottom line here.
That's a very good point. But if your business model depends on annoying your most tech-savvy users and hoping they don't find technical means to avoid your annoyances, and then fighting with them (by trying to out-tech their technical measures) to annoy them further, you need a better business model.
I'm not trying to convince you. Anyone who reads this can click on any random article here about ads and see that I'm right, only a tiny fraction of the posts consider ad blocking "stealing". Now I don't know for sure that that means that it's a tiny minority of actual users, but I think that's a safer assumption than yours, based on what little data we have.
> business model depends on annoying your most tech-savvy users and hoping they don't find technical means to avoid your annoyances
No I agree, I think that Google has lost their collective minds and are making a huge blunder here. If they actually ban adblockers, then their most valuable crop of users will leave.
Now, right now, this is the moment for Mozilla to pull their heads out of their asses and really push to improve Firefox. Google is cranking up the user hostility, but if there's no viable alterative, people are gonna be stuck being spied on and tracked everywhere by chrome.
If we had an alternative, this would be the time for an organized push to get people on it. But Mozilla has either become complacent or been quietly bought out behind the scenes and Firefox isn't really competitive anymore.
Sure, you can still use Firefox. I do, begrudgingly. But it's not good enough to convince people to switch. It hasn't been for a very long time which is why we're in this mess in the first place.
I expect nothing will change and everyone will suffer for it.
Maybe people will get offline more. The internet as a whole is becoming exponentially shittier as time goes on. How much longer before it's completely intolerable?
Nothing is substandard in Firefox. Manifest 3 in Chrome is actually giving Google the ability to make Chrome substandard. I know it annoying to hear but I really think its better if people switch to Firefox.
Chrome is the standard. Any feature in Firefox that is not 1:1 with chrome is by definition substandard.
And I didn't say it was substandard, I said it wasn't good.
I find the UI to be bad. When you ask for customization, like disabling excess tabs from scrolling off the edge of the screen, forum users treat you like an idiot. Performance has always been worse, particularly on mobile. Session state is less reliable. WebUSB is missing. Microphone support is unreliable. Updates under Linux cause any link you click to softlock the browser with an error page until you manually restart. Linux support in general is very poor. Firefox recently fixed a bug with tooltip rendering that's been reported for what, 15 years?
Chrome has been better than Firefox for a very long time. That's why we all switched to chrome in the first place.
Now that chrome is the scourge of the internet, there's really just one alternative. Unless you count safari, but that's a different story.
We're in a bad situation and Mozilla isn't doing enough to make it better. They haven't been for a long, long time.
Sorry but lots of things are substandard in Firefox. On the rare occasion that I do use it the first thing I'm always promted with is "there's an update available - click here to restart" like it's 2003 again. Numerous pages have rendering problems with Firefox. Performance is not good enough. Dev tools have fallen behind. It aggressively pushes shitty "value-adds" like that lame bookmarking service (Pocket Mark or something). And the never ending UI refreshes are exhausting.
> Show me these pages that Firefox doesn't render well.
I'm not doing homework for you. Lots of pages don't render well in Firefox, it's a well known issue which is why it comes up in every thread about Firefox.
> Show me pages that tank Firefox performance.
Firefox in general performs poorly. Again, known long-term ongoing issue. Look at this thread where almost every top-level comment is sceptical that Firefox is even close to Chrome in performance: https://news.ycombinator.com/item?id=36770883
You can find ongoing performance benchmarks between Chrome and Firefox here, and it's not flattering for FF: https://arewefastyet.com
> How many of them will have -webkit-* and other engine-exclusive markup/CSS?
I don't care, at all. It's not my job, as a user, to debug performance problems.
> Firefox updates every 6 weeks, just like Chrome.
Check the y axis labels on arewefastyet. When FF is winning, it is often by a large multiple. When chrome wins it is usually by under a factor of two. It wins by a factor of three on one benchmark that I could find.
I don’t think many users will notice a factor of 2-3 in page render time, even if the benchmarks where firefox wins are all somehow not representative of real world use, but the chrome ones are.
As for pages that don’t render, I simply don’t see this problem at all. One bank I use refuses to let you log in if Linux appears in the user agent string, but that hits Chrome too. Do you have a single example?
>One bank I use refuses to let you log in if Linux appears in the user agent string, but that hits Chrome too.
So why do you do business with this bank? I have a bunch of accounts at different banks and other financial institutions, and have never had this problem. I'd never open an account at a bank this incompetent with IT issues.
Open and use more than 10 aws console tabs actively on Linux and Firefox will crash (all tabs).
Chromium can do more than double without crashing.
I still use ff whenever possible
There are several web apis that Mozilla refuses to support, for example webhid or webusb, which all chromium browsers have had for years at this point. Same for little css features and some bits in the webaudio and webrtc implementations.
I doubt your average user cares about whether WebHID or WebUSB are implemented. What popular sites (popular enough to cause significant browser market share disruption) use those APIs? (For the record, though, I fully agree with Mozilla's rationale behind not implementing them.)
Not sure what little CSS features you mean, but I haven't found any mainstream websites that don't render properly in Firefox. It's possible that the website maintainers have to do extra work to get them working in Firefox, but regular users don't care about that.
I do recall some things missing from WebAudio and WebRTC, but in practice I'm not sure I've run into any issues with Firefox's implementations. And, again, if website maintainers are doing extra work to make things behave properly with Firefox, regular users aren't going to notice or care.
Trezor is... a crypto hardware wallet? I can't imagine this sort of thing is popular enough to block firefox from mainstream adoption.
The pixel repair site is an interesting example, but AFAIK, Pixel phones have about 2% of the US market share and this website is only useful to a small number of those users (those who encounter a serious error) and isn't something even those users would be using often. If I had to use this website and couldn't get my phone fixed another way, I could install and use Chrome (or I presume another Chromium browser) and use it for this single purpose. It would take me only a few minutes/hours(?) and then I'd be done with it. Why would a site like this keep me using Chrome permanently? I just can't imagine that.
I think this is pretty typical of these niche web features. Like most users have no need for web midi and most likely don't even own a midi device that it would work with. But niche websites can find great value in the api being available and offer sites to users which bring them value without having them install a native app. Also I'm not sure if it's a good idea to give people a reason to install and use a competitors browser.
I don't think either of these are examples of websites that might plausibly be holding Firefox back from mainstream adoption. I was expecting something like "[popular feature] of facebook or youtube doesn't work"
I'm sure I'm not the only person who has Chrome installed as a backup, just in case I run across a site that doesn't work right in Firefox, or if I just suspect such a problem exists. Having an alternate browser installed is trivial; it's not like using a different OS.
Microsoft Teams (which I don't think many people use voluntarily) in particular breaks in stupid ways - and then in others if you spoof your user agent.
I use Microsoft Edge - have added their apt repository so updates are automagical. Edge, though based on Chrome's engine, still supports manifest V2 so adblockers such as UO still work fine. Even better, Edge let's you "appify" sites like Teams and Outlook - perfect for work. I use Edge for all my WFH needs, turning off UO for most MS sites (to avoid any subtle issues), and Firefox for all personal needs. Works for me. Oh, and Teams on Linux using Edge works a treat.
Lots of people here disagreeing with you that Firefox is worse, but I'm with you. I'm on an M1 MacBook Air, been a Chrome user forever, but when they started getting aggressive with adblocking on YouTube, I switched over to Firefox, both on macOS and iOS.
Boy, it is...worse. I really gave it the old college try. Brought over all my extensions, dove into the really good ones (some of which really are incredible), even customized the Firefox interface, etc. I went hard.
But eventually I ended up back on Chrome, purely due to performance. Firefox is simply very slow and choppy. It's not a good experience.
I'd love to go Safari full time, but I use so many Linux and Windows machines in addition to my Macs that I really need something cross-platform, and so Chrome has always been the best solution for me. It's a bummer but I think I'm on Chrome for the foreseeable future.
A majority of Firefox's funding comes from Google. I doubt they're willing to aggressively market their browser as "the one to use to get around Google's ads". I'm not sure of the exact figures but as I recall, losing Google's funding would be a company-ending event.
Good luck with that. This kind of approach might work with some projects where you don't need responsive updates and continuous development to keep up with changing standards and new vulnerabilities being continuously found, such as vim, but for a really big software project I'm not aware of this working at all. The Linux kernel is maybe comparable in size and scope, but it's developed by a bunch of corporate developers too, though they're scattered across different companies that all need the kernel. A web browser isn't really like a kernel; how many companies are going to contribute developers to a project like that?
Dunno, but it seems ublock origin's version in Chrome Web Store is 1.53.0, was last updated on 8-th of November. As of yesterday, that version can't get around Youtube's adblocking detection.
I built Ublock latest 1.54.2 from source, and so far (apart from being manifest v2), it can easily go around Youtube's adblock detection with no problem.
I wonder if the delay in the 1.54.x release in Chrome Web Store has something to do with Google purposefully delaying updates.
Is there a way to backup current Chrome version + settings + extensions, preferrably in a portable app/container. I'm pretty content with my setup and wouldn't mind running it for as long as possible. Hopefully in a few years we can have AI convert currently chrome exclusive extentions onto another browser. But right now it's still hard to swtich.
I actually tried to do the switch this week, still too many essential plugins/addons missing. I have some basic technical skills to rewrite some functions into userscripts. But it's still a fairly subpar experience.
I just kinda don't get this. I don't really think there are "essential" addons, aside from ad-blocking/privacy-related things (and Firefox is at least as good, and possibly better, than Chrome on those).
Like... sure, web browser UX isn't always the best, but by rejecting Firefox on the merits of optional addons, you're just saying that the convenience of how you prefer to interact with a browser is more important than your privacy and ability to block ads. Which is fair, I suppose, but let's call it what it is.
Meanwhile, we're back in the IE days: alternative browsers don't have enough market share to do much but accept whatever Google wants to do with the web.
Frankly I'm just tired of people making excuses for using a browser made by a company that is actively making the web worse and eroding our privacy, bit by bit.
Without getting into details there's a few niche extentions for my daily productivity that saves me a few hours every week. It's not critical, but it automates a bunch of things that would make switching cost for those tasks too high. Most of the missing things I can probably do without an adapt. I actually firefox UI more.
>we're back in the IE days
Reminds me of when Asian banks still required IE activex well into 2010s and one had to keep IE around, which was easy since it comes with Windows. I can probably use get used to firefox for most of my use case, but have to keep chrome around for some sites.
My use case, primarily for research/keeping up to date in my domain is auto copying 100s of articles curated through feedly/other sources that gets automatically appended to daily text document by clipboard watch from balabolka (text to speech program), with meta data comment of url/title and visible confirmation dialogue confirming successful text copy (no firefox addon does this after search), which balabolka also automatically read to me at 3x speed. Basically, everything I'm interesting in reading gets converted into a reasonably labelled/chaptered podcast and digest with searchable transcript. Chrome with combined with tab groups and extensions that sort/order/dedupes tabs by domain also streamlines the process. Combination of tab groups sorting behavior and ability auto label auto copied text cuts daily chore from to a fraction of the time it use to, which saves hours each week.
Google lens also very useful for OCRing text, or translating images of foreign language. I can also do that with powertoys, but it's more finicky and add extra steps, require hot keys to do efficiently vs on Chrome I can do most of it with just a mouse.
Perhaps they are worried about the antitrust implications of banning adblockers and would prefer to hide behind a technical change that nerfs adblockers but with ostensibly reasonable and unrelated logic.
I use Brave, Safari, Arc and Firefox, basically in that order. I never even installed Chrome once Apple introduced their own chips. Brave has always felt just like Chrome once you turn off their rewards stuff.
Arc is doing some really thoughtful integration of Chat-GPT, including cleaning up tab titles, that is worth paying attention to. I actually look forward to their ~weekly YouTube updates.
I wish. Likely most people just won't notice this happening, and won't realize their experience could be better with a different browser. Only people like us will. And if you read a lot of the comments here, seems like a lot of people who should know better still use Chrome.
Are there any decent alternatives for the Chrome Web store? Are there unified extension hubs for chromium/firefox with version history similar to how android has apk websites
Not sure about the larger impacts of V3. But, we have gone with V3 since the beginning, and now there is a better turn around time for reviews, typically in an hour and sometimes 24hrs max. Its been a much smoother process rather than having to wait for couple of days or even weeks sometimes earlier. I've heard it being much worse on V2.
Why can't adblockers fetch updated filter lists and adblock strategies from a server and execute them dynamically? This would allow not having to update extension source every time to fix updated website adblocking.
As a Firefox user since its beta, there is? Last I checked there remain 3 browser engines left. Mozilla’s Gecko, Google’s Blink, and Apple’s Webkit. Everything else is just variants using those engines, and the vast majority of those variants (Opera, Brave, Edge, etc) are Chromium-based/using Blink. That’s not a lot of difference. If you really want to get away from chrome, your mainstream option is just Firefox. Unless you’re on a Mac, or iPhone. Where you can choose between Firefox and safari.
Doesn't Firefox use Quantum now? Gecko is what used XUL and it was buried when they switched to WebExtensions.
Pale Moon uses a fork of Gecko called Goanna.
SerenityOS has an independent browser in the works, and netsurf is still around.
There are options, but people have put most of their eggs into two baskets and now we're stuck with things looking mostly the same but some have antifeatures.
I want a browser with uBO's functionality simply built in. Fuck your extensions or other attempts to endrun, Google. Stop it at the source and build request filtering into browsers directly.
I like (in no specific order) Orion (MacOS), Kiwi (Android), Fennec (Android), Thorium (desktop, Android), and I'm going to give Iceraven (Android) a try soon. What's everyone's favorite non-mainstream browser?
> Manifest V3 will stop this by limiting what Google describes "remotely hosted code." All updates, even to benign things like a filtering list, will need to happen through full extension updates through the Chrome Web Store. They will all be subject to Chrome Web Store reviews process, and that comes with a significant time delay.
So the author can't think of any other reason for this change other than to "slow down ad blocker updates"
MV3 does not stop those monetization offers. I don’t understand why you think they would stop.
Source: I have two open-source extensions with almost 1,000,000 active daily users combined, and the MV3 versions still elicit offers for me to sell them
Malicious extensions are less likely to make it passed the review process.
That in turn should deter bad actors from monkeying with their extensions but more importantly it makes it less likely that malicious extensions make their way to users browsers.
Yes, there seem to be really valid security concerns about the current extension interface. Perhaps Google is making the wrong tradeoffs here. I don't know, it's very complicated, but the article is not really engaging with those tradeoffs.
I still don't get why people who care about privacy (and ad-blocking) use Chrome. Firefox works really well these days, even if Mozilla's track record isn't the greatest of late. I haven't had a need to open a website in Chrome in... years? I can't even remember the last time.
Chrome != Chromium. The vast majority of the planet is using Chrome, not Chromium. Most average joes have no idea about Chromium.
Either way, whether you're using Chromium or Chrome, you're still entrenching Google's monopoly over the web.
Like the sibling said, the problem was IE's monopoly itself not the lack of more IE-based variants which wouldn't have helped at all, the same way how Chromium isn't helping counter Google's monopoly.
I don't think not having enough versions of IE was ever a problem. The problem starts when everyone builds their app to a platform that is very dominant and controlled by people who's interest are not always aligned with the user's interests.
You don't have to compile Chromium to have a browser incompatible with the websites that people build for Chrome, you can just use Firefox or Safari or write your own browser if you want to have a web browser that won't be able to run Microsoft Teams.
IE held back the development of the WWW. That would be the spot Safari has today. What Chrome is doing is much worse, since it is strangling the web, not just holding back new features.
Not true at all, IE what is the most innovative browser until it wasn’t. For example They invented Ajax, One of the core technologies that made the web what it is today.
The Teams doc from Feb 2023 is a bit out of date, or is just legal cya.
Still limitations, but I joined a Teams meeting the day before this comment with my microphone and external cam, and participated fully, using Firefox on MacOS.
Yes, some client functionality is still missing (I didn't share a screen, for example), but both sides (MS and FF) appear to be making improvements.
I use Teams fairly regularly in Firefox on Linux. Everything seems to work completely fine, with the exception of 1-on-1 calls. You can't send them, you can't receive them, and you can't even see when someone is calling you until the missed notification pops up. I have no idea why group calls work fine but those don't, but that's how it is.
Why would anyone want to use ms teams? I understand employers stuck in the fax age might demand it but it’s their problem if they want their data leaked. For personal and outside work no one should use ms teams.
Companies like to use Teams because it's basically free: they already subscribe to Microsoft's Office365 services, and Teams comes with it. To use a competitor, they'd have to pay for that separately. "Teams is shitty and buggy" isn't enough of a justification to convince upper management to shell out big bucks for licenses for something like Zoom when they're already getting Teams effectively for free.
not supporting a particular browser just means that if a bug report comes up about your product with that browser then nothing gets done, but since everyone develops towards standards bugs in FF will probably be minimal, especially if they do support Safari (because unlikely something does not work in both Safari and Chrome)
also the Teams link describes ways to work around limitations with teams on a particular browser that does not support the teams web app, which is what the article says FF etc. does not support.
i mean just because they arent supported doesnt mean they dont work just fine. the vmware bug is 2 years old.
honestly slowing down updates for adblockers sounds like a dangerous idea. sooner or later, someone will send you to court for an appstore monopoly, and sooner or later youll lose that case. in the meantime people lose interest in your ecosystem because of the increasingly predatory chicanery that makes their browsing experience suck. sending more eyes to firefox makes firefox better. eventually, better than even you.
This all smacks of "we've tried nothing and we're all out of ideas." Manifest V3 is dead on arrival if youre going to bury the average google user in an avalanche of unskippable ads and full screen GPU testers. nobody wants this modern hell, and you've everything in your power to reform or amend it to dial back the surveillance capitalism and hyper consumption.
Yeah, I only use Chrome once in a blue moon and have had a few dozen interviews through teams on web. Haven't had a problem yet (or, no more problems than Google meet/Zoom). My last role used teams on the day to day and Chrome wasn't even installed on my work machine.
Same question for Firefox. Because Firefox is both not privacy respecting (has telemetry by default) and not privacy protecting by default (does not block ads). Both are paid by the world's largest advertising company, not their users.
A browser that cares about privacy would be both zero telemetry and ship with an ad/tracking blocker by default. Ideally you would also be able to pay for it to align incentives (vs a third party paying for your browser on your behalf).
Mock me, or teach me.. but.. I use it still because it's very easy, quick, and good.. to use the translate page functionality.
Yes, I am also aware that Firefox has some technology (in the works?) that will do offline translation even. Cool.. except I still have yet to find a good, easy, fast, accurate translation feature for Firefox. There are some extensions, but none are as good.
Translation is the only reason I still break out Chrome now and then.
Firefox finally sort of has it, but it's not that good. Often it won't believe you that the page is in another language, so you can't translate at all, even by trying to force it. The translations can be weird and miss parts of the page.
I'm sure it'll get better, though, and once it does, I can delete Chrome entirely.
It has about 10 non-beta languages, and even amongst beta and non, the language is not available. Unfortunately. I would use it if it were. Thank you for taking the time to reply though.
There's some friction in moving my passwords, which are stored in my Chrome profile. Before you say "just use Bitwarden to sync passwords", I can't, because they block me from logging in based on "unusual network activity". I don't want to spend $3/mo for 1Password. I _could_ spend the first day after migrating resetting all of my passwords as I use different sites and probably will once ad blocking stops working for good on Chrome, but until then it's simple inertia.
I don't bother because Mozilla is just controlled opposition at this point, I'll stick to Chromium based ones like Brave for now as I don't consider there to be a meaningful difference.
Also Firefox mobile doesn't seem to have tab groups and is the only browser I've tried which doesn't have a proper Android tablet UI.
Brave mobile and Vivaldi mobile have it built in. Hell, Vivaldi even has its super useful two layer tab bar available on Android.
Firefox mobile's plugin support doesn't make up for it missing other basic usability features.
Similarly, Vivaldi mobile doesn't allow custom search engines, so Brave is the only one with the minimum feature set I need (tab grouping, vertical tab bar or two layer tab bar, ad block, custom search engine, android tablet UI), and since I want to be able to sync between all my devices, I use Brave on everything.
Firefox doesn't have support for AppleScript and this is crucial to my browser habits/workflow. Both Safari and Chrome/Chromium-based browsers have it. Once/if Firefox adopts it, which I doubt but hope so, I'll consider using it.
What "other browsers"? I know there's Firefox (it's my main browser, in fact), but where is the rest? Edge is Chrome, Safari is only available for iThings, so it's not like there's a big selection...
The video ranks different web browsers on a tier list from spyware tier to base tier based on privacy, usability, and other factors.
Brave is placed in excellent tier for its good default privacy settings and built-in ad blocking, though some dislike its use of cryptocurrency.
Firefox is only decent tier due to its many annoying default features, but can be excellent with the right privacy-focused user.js file.
Icecat is decent tier for free software purists due to its use of LibreJS blocking non-free scripts, though this breaks many sites.
Librewolf is excellent tier as an easy to use private version of Firefox without much configuration needed.
Chromium-based browsers like Vivaldi can be good but have limitations from not being fully open source.
Closed source browsers like Chrome, Edge and Opera are automatically placed in spyware tier due to privacy concerns.
Qutebrowser is decent tier for power users due to its keyboard-focused design but has issues with advanced ad blocking.
Waterfox is excellent tier as a lightweight Firefox fork, though its ownership by an ad company concerns some.
Overall, Brave, Librewolf and hardened Firefox are recommended as having the best balance of privacy, usability and customizability.
Brave is an ad company with weird crypto stuff sprinkled in. Not to mention that their past actions have shown that privacy to them is a marketing thing, not something that is at the core of how they operate.
There have been a few too many new things they introduced that run counter to a user centric privacy minded approach where they only did backpedal after enough negative publicity.
I generally agree. It's not a great situation. As a browser to use when something's broken in Safari, it works, and to my knowledge doesn't send history directly to Google.
There won't be any anytime soon. As per HN folk, whenever this discussion comes up there's always an massive angst outcry of "its impossible to create a new browser".
Yes but “takes money from” is fundamentally different from “shares the ideology of”. Do you think Google agrees with everything their advertising customers promote there and on YouTube?
Changes in the extensions must be reviewed so advertisers can break blockers for some days until the blockers are fixed and then some more days until Mozilla reviews the changes. Then they'll have another trick ready to break blockers again.
You're right. But the anti-blockers code needs to be addressed with more code, not just lists. That's not a hypothetical situation, it's happening right now with YouTube.
You're missing other players watching what happens with YouTube and amend their plans accordingly. If there's no effective way to block ad blockers, others will let Google do the fighting and move on when the conclusion comes out.
Google is punching WAY above its class. It does not own the Web, or the Internet, and there's a huge number of people willing to prove it.
It seems we agree that in the long run, it's unsustainable. My point is more modest: that in the specific topic of this post, using response time against the blockers, Firefox is also vulnerable.
The mechanism is actually very simple if the content is served using JavaScript, as is the case with videos: make the code that shows the ads create some token and then the media player will check if it's present, refusing to play otherwise.
You can circumvent it with code, but new code triggers new review and, when it's approved, the token is changed and back to square one. In the case of Firefox it might be faster, but I don't think extension maintainers and reviewers can be 24x7 available to play that cat & mouse game.
In Firefox you need to sign extensions to install them or go through the debug menu. Both methods are not easy for the regular user. At the end of the day, either blocking turns to be only for power users/programmers, or a new trust model for browsers is adopted.
Chromium and Firefox are both open source but how many % of their users have actually compiled them from sources? I haven't. Last time I checked, Chromium recommended a minimum 0.5 TB free space. And Firefox now requires two programming languages.
I feel bad for the normies who can't or won't go looking for ways to stay safe online.
I used to compile my own Firefox because I'm picky, but yeah, not everyone has time and patience for a 30-45 minute compile on 12 year old hardware. The RAM requirements for both Firefox and Chrome are ridiculous.
It wasn't this bad before we wanted to cram everything into JS and the DOM.
There's no API to intercept web requests in a blocking fashion in MV3, so extensions can no longer offer the ability to do custom request blocking. The entire list is static.
> Are they also disabling manual install of extensions from outside the extension “store”?
This has already been the case for years unless you enable developer mode and load the extension as an unpacked extension (directory full of files rather than normal extension file) in which case chrome will complain every time you start it.
DDG for the time being but honestly I am tempted by Kagi as well. Ad tech is cancer on the internet. I decided to quit Google after the trusted devices bullshit, but if I could remove junk listicles from my results that would be a big improvement.
Firefoxer here, HN folk are one of the most if not the most tech savvy communities in the whole planet. I don't understand why, in the name of an open internet for ours and the future, you don't refuse to use an actively hostile Chrome in your personal devices. Someone please explain this to me
Being savvy in a field does not correlate to making good decisions in said field, especially if rewards and incentives are not aligned.
Lots of tech people got their start on Google tech and don't mind ads. They're a strange breed of people who I guess just give into anything being pushed on them in tech.
5. Too much ego to admit they've been wrong for years when they told Firefox advocates that there was nothing wrong with using Chrome, that the advertising corporation with monopoly power was actually benevolent and wouldn't abuse their market position.
Chromebooks are really nice and you get great touchpad gesture input in Chrome. And obviously Chrome has better performance and power efficiency, etc. there.
I didn't use Chrome before I bought this Chromebook.
> Is it true that Manifest V3 will increase privacy and security of the browser?
> Honestly, I wouldn’t say so. I see the advantages of MV3 in terms of unification, cross-platform compatibility, and performance, but *I don’t see any advantages in terms of increasing user security, unfortunately*. *The amount of scam extensions in the Chrome Web Store remains high despite the fact that it has been a long time since the store stopped accepting non-MV3 extensions.*
And what, people are more likely to get virus from Google Ads or Ads overall than those improved security:
Well, it hasn't happened yet. Judging by many comments here, a lot of HNers still use Chrome. If people here still use Chrome, I see little hope of regular users ditching it for these sorts of reasons.
Ugh, that's a bad analogy and you know it. No actually what you're doing is a classic case of "it's in the EULA, so they can do it". Like, if tomorrow Google puts a clause in their EULA that they have the right to harvest the eyeballs of everyone who lives on Earth, you'd be scrambling for passage to Mars. "It's in the EULA! Corporations are all-powerful and can do anything, as long as they state it in the EULA!"
I no more fear Google banning ad-blockers than I fear Toyota putting spikes on all of their steering wheels. It would be much more painful to their bottom-line than any Toyota drivers, because people would do this magical thing called... not using that product.
Because many tech people who are sticks in the mud like this don't actually care about the browser, or the implications of what's happening in real time.
They'll eventually leave and wonder why nobody told them sooner.
Not exactly. Edge is fork of Chrome and diverged a lot from actual Chrome. You can load Manifest v2 extensions in Edge while it's not feasible in Chrome
Manifest v3 offers free performance and increased security & privacy. Gone are the days where any/every extension had access to every website you visited.
It would be a damn shame to throw this baby out with all the water.
uBlock in Firefox will not be updated to use Manifest v3, it will remain as is i.e MV2. Of course, there is an MV3 version of uBlock but that's castrated too going with your definition.
I really want to keep http but replace html and js with something more strict, lighter, secure and safe by design, that would prevent the use of targeted ads like it's possible in HTML.
I understand that companies might probably not use something else if it's harder to put ads because they could not make money, but there are still a lot of use cases where companies will prefer having a technology that's safe.
The law is evolving which means targeted ads will not be viable anymore.
Also, maybe a lot of internet media companies, including reddit, instagram, etc need to rethink their business model, why don't they try to sell news article through a platform like netflix?
I still don't understand why media companies are able to make money over content they never make on internet infrastructure they did not build, this baffles logic.
> [...] replace html and js with something more strict, lighter, secure and safe by design, that would prevent the use of targeted ads like it's possible in HTML.
You can't do that and still have a useful system. You'd have to start by neutering basic functionality like inline images, and when that turns out to not be enough (because ads can also be just text), you'd have to go down the path of censorship.
You can't do that because the ability to fingerprint (and thus track) user-agents is not an oversight in the design of the web (although third-party cookies did help kickstart the current trends), but a fundamental property of the universe - every existing "thing" radiates information, and our means to collect and process it are developing faster than our understanding of what needs to be done to conceal it.
> I understand that companies might probably not use something else if it's harder to put ads because they could not make money, but there are still a lot of use cases where companies will prefer having a technology that's safe.
You can try measuring commercial support for Gemini[1] to get an indicator of how valuable your proposed technology would be for companies. The current network effect of well... the network, is way too strong.
> Also, maybe a lot of internet media companies, including reddit, instagram, etc need to rethink their business model [...]
They don't need to rethink anything at all while what they're doing right now is 1. profitable, 2. legal, and 3. even when not exactly legal, the fines continue to be smaller than the profits.
> The law is evolving which means targeted ads will not be viable anymore.
Pretty much this, you can't solve social/political problems with technology. We could use a simpler/safer web, but the cost of switching outweighs the benefits. We could build better privacy protections into the core of our technology, but we will keep finding ways to leak information and fingerprint behavior.
The problem with Manifest v3 is not what Manifest v3 allows and what it doesn't, the problem is that Google are in a position to unilaterally force it, and antitrust no longer seems to be a thing.
The only real change we can hope for is a social/political change.
The popular move is already untenable: just let Google piss all over the Web and take it as theirs?
It's generally the ignorant and apathetic folks creating what's popular in the first place. If people had standards and gave a damn, they'd make better choices.
Isolating threats in the network is a legitimate strategy; it's the primary means to block spam on the Internet. Google may as well be spam given the industries it's in.
It’s completely okay to criticize Google for doing really controversial (to say the least) stuff like getting rid of blocking webRequest, but criticizing them for prohibiting inclusion of remote JS in the extension is simply bad work.
They could do a minimal fact check, remote JS was never allowed in Mozilla Addons store. A bit more research and they’ll learn that cosmetic filters updates do not require an extension update. A little bit more research and one can learn about the no-review-fast-track that Chrome WebStore plans to implement next year.