Google engineers have proposed changes to Chromium which would completely break content-blocking extensions, including various ad blockers, ostensibly for "security" reasons.
Per The Register:
In a note posted Tuesday to the Chromium bug tracker, Raymond Hill, the developer behind uBlock Origin and uMatrix, said the changes contemplated by the Manifest v3 proposal will ruin his ad and content blocking extensions, and take control of content away from users.
Content blockers may be used to block ads, but they have broader applications. They're predicated on the notion that users, rather than anyone else, should be able to control how their browser presents and interacts with remote resources.
Manifest v3 refers to the specification for browser extension manifest files, which enumerate the resources and capabilities available to browser extensions. Google's stated rationale for making the proposed changes is to improve security, privacy and performance, and supposedly to enhance user control.
"Users should have increased control over their extensions," the design document says. "A user should be able to determine what information is available to an extension, and be able to control that privilege."
But one way Google would like to achieve these goals involves replacing the webRequest API with a new one, declarativeNetRequest.
[...] Hill, who said he's waiting for a response from the Google software engineer overseeing this issue, said in an email to The Register: "I understand the point of a declarativeNetRequest API, and I am not against such API. However I don't understand why the blocking ability of the webRequest API – which has existed for over seven years – would be removed (as the design document proposes). I don't see what is to be gained from doing this."
Hill observes that several other capabilities will no longer be available under the new API, including blocking media elements larger than a specified size, disabling JavaScript execution by injecting Content-Security-Policy directives, and removing the outgoing Cookie headers.
And he argues that if these changes get implemented, Chromium will no longer serve users.
The Register points out that this will not just affect Google Chrome and Chromium, but also Chromium-based web browsers such as Brave Browser and Microsoft Edge.
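The three capabilities Hill lists, sketched as blocking webRequest listeners (an added example, not part of the original story and not uBlock Origin's code; the function names and the 50 KiB limit are assumptions). Each handler inspects the live request or response headers and decides at that moment, which is what the "blocking" option of webRequest permits:

```javascript
// Added illustration: pure handlers shaped like blocking webRequest listeners.
// Each takes a `details` object and returns a BlockingResponse-style object.
const MEDIA_TYPES = new Set(["media", "image"]);

// 1. Cancel media responses whose declared Content-Length exceeds a user limit.
function blockLargeMedia(details, maxBytes) {
  if (!MEDIA_TYPES.has(details.type)) return {};
  const h = (details.responseHeaders || []).find(
    (x) => x.name.toLowerCase() === "content-length");
  const size = h ? Number.parseInt(h.value, 10) : NaN;
  // Missing or unparsable length: allow rather than guess.
  return Number.isFinite(size) && size > maxBytes ? { cancel: true } : {};
}

// 2. Disable script execution in a document by appending a CSP response header.
//    An extra CSP header can only tighten the page's own policy.
function injectNoScriptCsp(details) {
  if (details.type !== "main_frame" && details.type !== "sub_frame") return {};
  const responseHeaders = (details.responseHeaders || []).concat([
    { name: "Content-Security-Policy", value: "script-src 'none'" }]);
  return { responseHeaders };
}

// 3. Remove the outgoing Cookie header from a request.
function stripCookie(details) {
  const requestHeaders = (details.requestHeaders || []).filter(
    (x) => x.name.toLowerCase() !== "cookie");
  return { requestHeaders };
}

// Registration inside an extension (skipped when run outside a browser).
if (typeof chrome !== "undefined" && chrome.webRequest) {
  const filter = { urls: ["<all_urls>"] };
  chrome.webRequest.onHeadersReceived.addListener(
    (d) => {
      const r = blockLargeMedia(d, 50 * 1024); // 50 KiB: constructed limit
      return r.cancel ? r : injectNoScriptCsp(d);
    }, filter, ["blocking", "responseHeaders"]);
  // Chrome 72+ only exposes the Cookie header when "extraHeaders" is requested.
  chrome.webRequest.onBeforeSendHeaders.addListener(
    stripCookie, filter, ["blocking", "requestHeaders", "extraHeaders"]);
}
```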
(Score: 3, Insightful) by Apparition on Thursday January 24 2019, @02:03AM (4 children)
A Firefox developer who posted on Reddit [reddit.com] believes that Manifest v3 is "reasonable."
Mozilla Firefox may not be as safe as I hoped.
(Score: 2, Interesting) by nitehawk214 on Thursday January 24 2019, @05:19AM
If I have to choose between potentially insecure browser extensions using obscure CPU bugs and not having adblock or script block... I know which one I will pick.
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 0) by Anonymous Coward on Thursday January 24 2019, @08:48AM (1 child)
The real problem here is morons use blacklists. How dumb can you be to think you could list all the bad domains online??! There must be millions of bad domains with thousands of new ones springing up every single day. The majority of the internet is evil and there to abuse you, to extract value from your movements and actions. I wouldn't want to administer that mole farm. It's simply impossible. Using a blacklist might give you a warm fuzzy feeling of doing something but all you really got was a false feeling of security (and apparently a large memory requirement too).
The only sane way is to use a whitelist. Block everything and then give special privileges to only what you need and want.
This shit should be built into the browser to begin with, so no extension would be needed. Like somebody said above, you should only need to install some extension to enable them to spy on you and get astronomical memory usage...
Of course, Google will never do that because their business model is spying, sadly like most of the web today.
/rant
(Score: 0) by Anonymous Coward on Sunday January 27 2019, @01:43PM
Black lists are not moronic. They are an old way to manage a known problem. Same as a standard firewall and domain level filtering.
True, they are hard to manually maintain. A lot of people don't know to install a filter such as pi-hole.
Get a grip. We need to help people become technically self-sufficient. We all benefit.
(Score: 0) by Anonymous Coward on Thursday January 24 2019, @11:46AM
Show me the stats. Prove it.
I have never read such bullshit since I last looked at a vendor's contract proposal.
FFS.
The machine I am using has 4 CPUs, 16GB RAM, and the only time it runs hot is when I game. Performance? Seriously? Get screwed. It's a web site.
If anything, there is a decrease in performance as a bunch of scripts run that would otherwise be blocked, and a bunch of files downloaded and data sent across the network that otherwise would not happen. I can prove this. uMatrix shows me the content that is disallowed. I can use F12 Dev Tools with and without the blocking to show how much slower it is. So. Prove it.
As for security, well, I only load plugins I trust. I own this PC. I chose this. I wear it if I am wrong. Don't take my ability to make decisions for myself away from me. Stop "helping" me in a way that I don't need.