Google, which makes most of its money from online ads, insists it wants ad blockers to continue working under the latest, more locked-down iteration of its Chrome browser extension platform, known as Manifest v3.
“We have been working closely with the developers of many extensions – including ad blockers, shopping extensions, productivity enhancements, developer tools, and more – to evolve the platform,” said David Li, Chrome product manager, and Simeon Vincent, Chrome developer advocate, in a blog post on Wednesday.
To emphasize that point, the post quotes Sofia Lindberg, tech lead at Adblock Plus maker Eyeo – paid by Google and others not to block their ads – offering a similar assurance “that ad-blocking extensions will still be available after Manifest v3 takes effect.”
There was much doubt about that last year when developers involved in content blocking and privacy-focused browser extensions warned that the technical changes being discussed could reduce the effectiveness of such tools or eliminate them entirely.
Raymond Hill, maintainer of popular open-source content-blocking extension uBlock Origin, warned that if the contemplated API changes went forward as proposed, uBlock Origin could no longer exist. And the Electronic Frontier Foundation expressed concern that Manifest v3 would harm its Privacy Badger extension.
Manifest v3, available in Chrome Canary since October 2019, is now available in the beta version of Chrome 88, due for release to the general public on January 19, 2021. Manifest v3 is intended to make extensions “more secure, performant, and private-respecting by default,” as Li and Vincent put it.
Google’s claim that Manifest v3 will improve performance by eliminating code bottlenecks found in Manifest v2 extensions was rebutted last year in a study produced by Cliqz, a privacy-focused browser and search service based in Germany that sought to compete with Google and surrendered in April.
But in terms of security and privacy, there’s no doubt Chrome extensions have plenty of room for improvement. Manifest v2 and its predecessor made it trivial to create malicious, data-stealing code, something that has occurred with alarming regularity. As a way to measure the problem, Alexandre Blondin, Chrome product manager, pointed out in a blog post on Wednesday that when Google integrated the Chrome Web Store with its Google Safe Browsing infrastructure, “the number of malicious extensions that Chrome disabled to protect people grew by 81 percent.”
Fed up with damage control after a decade of misbehaving browser extensions, Google finally resolved to be proactive and redefine what’s possible for extension developers.
Manifest v3 is a revision of the capabilities, or more specifically the application programming interfaces (APIs) available to those developing web extensions for Chrome and for other Chromium-based browsers like Microsoft Edge. There’s not yet a settled browser extension specification endorsed by the W3C. Firefox adheres to the WebExtension API, which is similar but not identical to Manifest v2.
Mozilla last year said it would wait until Manifest v3 stabilized before deciding how much of it to adopt in Firefox, though it suggested it would not follow in lock-step.
“Mozilla is making progress on Manifest V3 and is currently talking to developers about its approach,” a Mozilla spokesperson told The Register. “The company will be sharing an update on this early next year.”
About five months ago, an Apple software engineer indicated that work is underway to implement Manifest v3 in Safari, which currently supports v2 after the iGiant earlier this year adopted the WebExtensions API.
After Manifest v3 was announced in October, 2018, extension developers became concerned that the changes being formulated would break things, require code to be rewritten, or make certain capabilities less feasible.
One major sticking point was the introduction of the declarativeNetRequest API as a replacement for the blocking version of the webRequest API. The latter allows extensions to intercept and rewrite web requests on the fly, a powerful capability that can be easily abused. Its replacement as initially conceived required blocking rules to be declared in advance and imposed low limits on the number of rules allowed.
Extension developers doubted they could make the alternative API work for them, to say nothing of the other API changes like the replacement of background pages with service workers. But Li and Vincent insist the declarativeNetRequest has been improved since it was first conceived, thanks to developer feedback. “The API,” they say, “is designed to be a privacy-preserving method for extensions to block network requests without needing access to sensitive data.”
The Register asked Hill for his thoughts on the current state of Manifest v3, and he declined, saying that he hasn’t had time to look through the newly posted documentation and consider its implications. He did say, however, that privacy defenses added to uBlock Origin, like CNAME-uncloaking, require a flexible API, and if Manifest v3 proves too limited, responses to similar user-hostile issues in the future may also be constrained.
As an example, Hill pointed to Google’s Server-Side Tagging, which allows third-parties to bypass content blockers.
“This is just yet another challenge ahead, to find new technical solutions against the incessant attempts at eroding user agency, which browsers are meant to serve,” he said in an email.
Others are already convinced Manifest v3 remains unfixed. “Although we appreciate the problems of unsafe extensions addressed in part by Manifest v3, we view Manifest v3 as doing serious harm to privacy,” said Brendan Eich, CEO and co-founder of Brave Software, in an email to The Register. “Manifest v3 removes or degrades capabilities needed by top tracking-prevention extensions. Whether intended or accidental, this looks likely to advance Google’s dominance in privacy-invading web advertising.”
Eich’s organization makes a competing web browser, Brave, that’s based on the open-source Chromium project overseen by Google, and it implements a variety of privacy-focused changes. According to Peter Snyder, senior privacy researcher at Brave, Manifest v3 still imposes limits on rules lists that are too low and provides no current syntax to easily say “block something with these six query parameters, in any order,” which he argues is necessary to target tracking tools.
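Snyder's "six query parameters, in any order" point, worked through as an added example; this is not code from Chrome, Brave or any extension. The ordered rule below is a simplified stand-in for a static, declared-in-advance URL pattern (an assumption, not the actual declarativeNetRequest matcher), and the parameter names and URLs are constructed.

```javascript
// Constructed sample data: parameter names and URLs are hypothetical.
const TRACKING_PARAMS = ["uid", "sid", "cid", "ref", "ts", "sig"];
const SHUFFLED_URL =
  "https://tracker.example/p?sig=1&x=9&ts=2&uid=3&ref=4&cid=5&sid=6";
const PARTIAL_URL = "https://tracker.example/p?uid=3&sid=6&cid=5";

// Names of the query parameters, in the order they appear in the URL.
function queryNames(url) {
  return [...new URL(url).searchParams.keys()];
}

// Imperative check: code that runs per request can parse the URL and
// test for every parameter regardless of position.
function imperativeMatch(url, params) {
  const present = new Set(queryNames(url));
  return params.every((p) => present.has(p));
}

// Simplified static rule (assumption): matches only when its parameters
// appear in the rule's own order; unrelated parameters may sit in between.
function orderedRuleMatches(url, orderedParams) {
  let i = 0;
  for (const name of queryNames(url)) {
    if (name === orderedParams[i]) i++;
  }
  return i === orderedParams.length;
}

// Every ordering of the list: n! ordered rules for n parameters.
function permutations(items) {
  if (items.length <= 1) return [items];
  return items.flatMap((item, i) =>
    permutations([...items.slice(0, i), ...items.slice(i + 1)])
      .map((rest) => [item, ...rest])
  );
}

// Does any rule in a declared-in-advance rule set match this URL?
function anyRuleMatches(url, rules) {
  return rules.some((rule) => orderedRuleMatches(url, rule));
}

const rules = permutations(TRACKING_PARAMS);
console.log("imperative match:", imperativeMatch(SHUFFLED_URL, TRACKING_PARAMS));
console.log("single ordered rule:", orderedRuleMatches(SHUFFLED_URL, TRACKING_PARAMS));
console.log("rules needed for any order:", rules.length);
console.log("full rule set match:", anyRuleMatches(SHUFFLED_URL, rules));
```

One intent expands to 720 ordered rules here, which is why a fixed per-extension rule budget and the rule syntax interact in the way Snyder describes.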
Snyder also points to the way security tools and privacy tools share the same limited allotment of rules, forcing users to choose between one or the other. “Finally, Manifest v3 freezes the heuristics and capabilities extensions can use to determine how to protect privacy,” he said. “Manifest v3 says to trackers ‘if your URLs can’t be described in this format, they’ll never be blocked by Chrome users.’ This transfers power from the extensions (and so the users) to Google and websites, and we expect privacy harming software to quickly adapt.”
Asked whether Google believes Manifest v3 has addressed developer concerns, a Google spokesperson said, “One of our goals is to make it as easy as possible for developers to achieve their core use cases while needing less access to user data.”
In keeping with that goal, Google plans on January 18, 2021 to require extensions in its Chrome Web Store to publicly display their privacy practices, a move similar to Apple’s “privacy nutrition labels” in App Store listings. It also plans to change the default permission model for extensions that access website data.
“Once you grant an extension permission to access a website’s data, that preference can be saved for that domain,” explained Blondin. “You can also still decide to grant an extension access to all the websites you visit, but that is no longer the default.”
According to Li and Vincent, the Chrome Web Store will begin accepting extensions written to conform to Manifest v3 when the stable version of Chrome 88 gets released. At some point thereafter, no less than a year, support for Manifest v2 extensions will end.
The blocking version of the webRequest API, however, will remain available in enterprise versions of Chrome. “Extensions installed through Chrome’s administrator policies can still use the blocking version of the webRequest,” a Google spokesperson told The Register in an email. “There is no cost to set up a profile using Chrome’s administrator policies; this is a feature that is included with every version of the Chrome browser.” ®