Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Sunday December 12 2021, @11:54PM   Printer-friendly

Chrome Users Beware: Manifest V3 is Deceitful and Threatening:

Manifest V3, Google Chrome's soon-to-be definitive basket of changes to the world of web browser extensions, has been framed by its authors as "a step in the direction of privacy, security, and performance." But we think these changes are a raw deal for users.  We've said that since Manifest V3 was announced, and continue to say so as its implementation is now imminent. Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks.

Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions—especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these– like some privacy-protective tracker blockers– will have greatly reduced capabilities. Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extensions security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level....since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.

As for Chrome's other justification for Mv3– performance– a 2020 study by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 1) by fustakrakich on Sunday December 12 2021, @11:57PM (22 children)

    by fustakrakich (6150) on Sunday December 12 2021, @11:57PM (#1204453) Journal

    With the firewall

    --
    La politica e i criminali sono la stessa cosa..
    • (Score: 0) by Anonymous Coward on Monday December 13 2021, @12:18AM (15 children)

      by Anonymous Coward on Monday December 13 2021, @12:18AM (#1204456)
      >p> Use safari

      disable javascipt.

      Those 750,000 teackers? Don't work. I see people complaining about ads on, say, ars - I'm going "what ads?"

      Same with fmylife.

      Same with the guardian

      • (Score: 2) by bzipitidoo on Monday December 13 2021, @12:33AM (14 children)

        by bzipitidoo (4388) on Monday December 13 2021, @12:33AM (#1204457) Journal

        The main issue with blanket disabling Javascript is that it breaks the crap out of so many websites. Though, I am thinking I may have to start using NoScript regularly now, ad blocking alone is not enough. Some websites have abusive script that so heavily uses your CPU that it'll even bog down the mouse pointer.

        • (Score: 1, Insightful) by Anonymous Coward on Monday December 13 2021, @12:47AM (2 children)

          by Anonymous Coward on Monday December 13 2021, @12:47AM (#1204458)

          So what if most sites don't work without javascipt? There are millions of sites - I would consider facebook, twitter, and the green site not working to be a bonus.

          The 3 local tv station I have bookmarked (I ignore the rest - who has time to look at the same story on half a dozen sites) all work, NO autoplay videos. NO ads. NO problem o!

          Save bandwidth, preserve privacy - boycott sites that require javascipt.

          • (Score: 4, Insightful) by mhajicek on Monday December 13 2021, @08:16AM (1 child)

            by mhajicek (51) on Monday December 13 2021, @08:16AM (#1204561)

            So what is that then I can't do my taxes, or file papers with the government, or register my kid for school, etc. Many of these entities don't do business through any other channels anymore.

            --
            The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
            • (Score: 1, Informative) by Anonymous Coward on Monday December 13 2021, @03:43PM

              by Anonymous Coward on Monday December 13 2021, @03:43PM (#1204649)
              I call bullshit. You can still download the tax forms and print them out and mail them in. Paper and the USPS are still a thing. As for the rest, the AFA requires that you have alternate methods. You just have to pick up the phone in most cases and you'll be told where to mail stuff.
        • (Score: 5, Touché) by Runaway1956 on Monday December 13 2021, @12:50AM (1 child)

          by Runaway1956 (2926) Subscriber Badge on Monday December 13 2021, @12:50AM (#1204459) Journal

          It might be more accurate to say that javascript breaks the internet. When you fix the internet, malware mostly stops working. Surely you don't miss the malware?

          • (Score: 5, Funny) by JoeMerchant on Monday December 13 2021, @02:40AM

            by JoeMerchant (3937) on Monday December 13 2021, @02:40AM (#1204493)

            Remember when you could run Java embedded in a webpage? When you could embed an .exe and click it and run it in a frame on a webpage?

            Javascript says it's in a sandbox, my cat knows what sandboxes are good for.

            --
            🌻🌻 [google.com]
        • (Score: 1, Informative) by Anonymous Coward on Monday December 13 2021, @02:35AM (1 child)

          by Anonymous Coward on Monday December 13 2021, @02:35AM (#1204488)

          The main issue with blanket disabling Javascript is that it breaks the crap out of so many websites.

          No, those web sites are broken. Always remind employers that the creators of these non-sites are incompetent.

          • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @02:49AM

            by Anonymous Coward on Tuesday December 14 2021, @02:49AM (#1204849)

            lolol can't hear you over my salary

            - APK the HTML 5 dev

        • (Score: 3, Interesting) by JoeMerchant on Monday December 13 2021, @02:38AM (2 children)

          by JoeMerchant (3937) on Monday December 13 2021, @02:38AM (#1204490)

          I think the main argument against Mv3 is that it's about to break the crap out of so many websites.

          I like my HTML5, I like embedded video players in websites, I can even be talked into the idea that CSS is a good thing. But... so so much of Web 0.1 through today is construction by accretion, like a coral reef. Stuff stuck on stuff stuck on stuff, occasionally smothering a few things, but even then they are still down there supporting the superstructure.

          Can we please start letting some of this crap go? I don't know the details, but that "feels" like the good side of Mv3 - and I'm sure there's a very very dark side to go with it, along the lines of: "we now control the tracking much better than we did in the past..."

          Google is no panacea, "don't be evil" was always a weak joke, but Forbes has been waging an open FUD campaign against Chrome, and Google in general, for a long time now - and it makes it hard to swallow any opinion piece on whether a new change in Chrome is good for you, or not.

          --
          🌻🌻 [google.com]
          • (Score: 2, Informative) by Anonymous Coward on Monday December 13 2021, @07:43AM (1 child)

            by Anonymous Coward on Monday December 13 2021, @07:43AM (#1204553)

            MV3 doesn't affect websites at all. It's only for extensions.

            • (Score: 3, Informative) by JoeMerchant on Monday December 13 2021, @12:51PM

              by JoeMerchant (3937) on Monday December 13 2021, @12:51PM (#1204600)

              So, if they block my Last Pass extension, then only passwords they cache in the browser will remain, breaking the majority of my secure web activities.

              If they block my uBlock, I'll be deluged with even more ads.

              If they block my proxy I'll be exposed as browsing from my actual IP address, again breaking all kinds of stuff.

              I assume my Google mail checker will continue to inform me of the thousands of unread messages I have...

              --
              🌻🌻 [google.com]
        • (Score: 5, Interesting) by Reziac on Monday December 13 2021, @02:52AM (3 children)

          by Reziac (2489) on Monday December 13 2021, @02:52AM (#1204497) Homepage

          Been using NoScript on SeaMonkey for ages, set to default to block all, and thanks to that and a good HOSTS file, I don't need to bother with an adblocker on this box. Yeah, on first visit to some infested site you need to pick through the (sometimes long) list of javascript hosts, but generally if you start with rootname.com and rootnamecdn.com you'll get the necessary ones to make the site work. A few others that serve APIs, Cloudflare, and the like will also be needed. But after using NoScript for ...ten? years or so... I still have probably 90% blocked. Some I only allow temporarily. Sometimes I find the site is LESS usable with JS active.

          The nuisance level of NoScript is FAR below that of having my screen turned into a visual cesspit.

          Protip: very often a site that demands JS to work can be read perfectly well as plaintext, if you disable CSS. (I use PrefBar for that)

          --
          And there is no Alkibiades to come back and save us from ourselves.
          • (Score: 3, Interesting) by Jiro on Monday December 13 2021, @07:04AM (2 children)

            by Jiro (3176) on Monday December 13 2021, @07:04AM (#1204546)

            That's why we have DNS-over-HTTPS. Like Manifest, they did it for "privacy", but the effect is that your browser is able to resolve hostnames using a nameserver of the browser manufacturer's choice, and it is no longer possible to block this using a hosts file or anything else. Right now, it's possible to turn this off or pick your own DNS server in your browser, but we all know the story about the frog in the pot of boiling water. All Google needs to do is wait a bit and add a "new privacy feature" to not permit you to turn off DNS-over-HTTPS.

            • (Score: 2) by Reziac on Monday December 13 2021, @07:34AM (1 child)

              by Reziac (2489) on Monday December 13 2021, @07:34AM (#1204551) Homepage

              So, this will bypass DNS server as set in the OS network settings?

              DNS-over-HTTPS sounds like a very nasty way to pretty much pwn everyone. :(

              --
              And there is no Alkibiades to come back and save us from ourselves.
              • (Score: 2, Interesting) by Anonymous Coward on Monday December 13 2021, @09:54AM

                by Anonymous Coward on Monday December 13 2021, @09:54AM (#1204570)

                It can. That is why many people oppose it or accuse Google and the rest of having bad motives for introducing it. There was already a perfectly good alternative (DoT or DNSCrypt) but it didn't have the public mind share so DoH managed to bury it in PR.

    • (Score: 0) by Anonymous Coward on Monday December 13 2021, @01:55AM (2 children)

      by Anonymous Coward on Monday December 13 2021, @01:55AM (#1204473)

      Thinking out loud (and I know next to nothing about how the internals work):

      + Current ad blockers, EFF PrivacyBadger, etc, are add-ons to the browser. The add-ons must be able to figure out what traffic goes to/from the site requested by the user, and what is coming in from 3rd party sites, and lots of other details.

      + You propose using the firewall to do this, but I can't be bothered to white list separately all the pages that I might want to view. That sounds next to impossible for most cases where people chase down links when doing web research (of whatever kind).

      + Perhaps we'll soon see another type of firewall that also tracks requests and opens appropriately? Any idea how this might work--independently of whatever browser was in use?

      • (Score: 0) by Anonymous Coward on Monday December 13 2021, @04:34AM (1 child)

        by Anonymous Coward on Monday December 13 2021, @04:34AM (#1204518)

        Mist all the work is done for.you. Only trick send all dns to pihole. To rules in the firewall.

        My network 10% off all traffic is blocked coed.

        Only issues I had paramount+ uses some slime 3rd party to server ads. To make wife happy to see ST:Disco. Connected tv to outside of firewall and done

        The others roku wants to talk to mothership “logs”. 50 times per sec trying to pound through. Since I tossed roku to outside network for ST:Disco. That. Wnt away too. Though it was fun to see it try all sorts and f addresses to get around firewall block and pihole. It found 3 of 5 WiFi routers that I use as AP and backhual. And asked them for the info. They sent request on to pihole.

        • (Score: 2) by stretch611 on Tuesday December 14 2021, @07:24AM

          by stretch611 (6199) on Tuesday December 14 2021, @07:24AM (#1204904)

          If you can't read AC.... (Heck, I make a lot of typos and I can write a novel with fewer flaws than the parent.)

           

          Use a Pi-Hole [pi-hole.net]. Obviously due to the name, many people install them on a Raspberry Pi computer. (Even the cheap Pi-Zero is more than sufficient for pretty much any SOHO network.) However, You can install he pi-hole software on a server or virtual machine.

          Pi-Hole maintains a blocklist which is automatically updated. Once you install the pi-hole software all you need to do is change your DNS. You can do this on each individual computer (or not, if you don't want to utilize blocking on all computers,) or the easy approach is just to change the DNS settings on your router.

          That's it, you are done.

          In addition, pi-hole installs a web based dashboard. This has various statistics on all the DNS requests processed by your pi-hole. From the interface you can also manage a whitelist and a blacklist of your own if you are not happy with all the results.

          --
          Now with 5 covid vaccine shots/boosters altering my DNA :P
    • (Score: 0) by Anonymous Coward on Monday December 13 2021, @02:07AM (1 child)

      by Anonymous Coward on Monday December 13 2021, @02:07AM (#1204478)

      The Internet is more than just websights.

      The year might be 2021, but my dominant collaboration tool is still email.
      (of course, #2 is websites like this one that still think it's 1998...)

      • (Score: 0) by Anonymous Coward on Monday December 13 2021, @02:46AM

        by Anonymous Coward on Monday December 13 2021, @02:46AM (#1204495)
        text, phone calls, email is 3rd (and I don't use a freemail like google or whatever). No video stuff (no zoom, no facetime, no whatever). For the amount of bandwidth video sucks up, it's one of the lowest bandwidth ways of actually communicating ideas.
    • (Score: 0) by Anonymous Coward on Monday December 13 2021, @02:40AM

      by Anonymous Coward on Monday December 13 2021, @02:40AM (#1204492)

      I find the best way is simply to avoid Chrome.

      Friends don't let friends use Google.

  • (Score: 4, Informative) by dalek on Monday December 13 2021, @12:53AM (13 children)

    by dalek (15489) on Monday December 13 2021, @12:53AM (#1204460)

    Firefox is implementing Manifest V3 for compatibility reasons. However, their implementation seems better than what Chrome is doing. One major issue seems to be with removing webRequest and replacing it with declarativeNetRequest. Here's what Mozilla plans to do [mozilla.org]:

    Google has introduced declarativeNetRequest (DNR) to replace the blocking webRequest API. This impacts the capabilities of extensions that process network requests (including but not limited to content blockers) by limiting the number of rules an extension can use, as well as available filters and actions.

    After discussing this with several content blocking extension developers, we have decided to implement DNR and continue maintaining support for blocking webRequest. Our initial goal for implementing DNR is to provide compatibility with Chrome so developers do not have to support multiple code bases if they do not want to. With both APIs supported in Firefox, developers can choose the approach that works best for them and their users.

    We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR as currently implemented by Chrome does not yet meet the needs of extension developers.

    As per this recent discussion [mozilla.org], it seems like there's not a clear decision on deprecating background pages and replacing them entirely with service workers.

    While far from perfect, Firefox seems to be handling this better than Google. Although Firefox is implementing Manifest V3, it seems like they will be preserving at least some functionality needed to avoid breaking extensions.

    --
    THIS ACCOUNT IS PERMANENTLY CLOSED
    • (Score: 0) by Anonymous Coward on Monday December 13 2021, @01:13AM (11 children)

      by Anonymous Coward on Monday December 13 2021, @01:13AM (#1204464)
      It's still stupid. Why bother trying to be 100% compatible with every new standard that comes up? How about a browser that doesn't support autoplay videos, or cas overrides of user preferences, or emojis, or browser fingerprinting, or all the other crap that most people don't want. Maybe I don't want unicode. Or images preloaded.
      • (Score: 0) by Anonymous Coward on Monday December 13 2021, @03:52AM

        by Anonymous Coward on Monday December 13 2021, @03:52AM (#1204509)

        Because Google pays the tab for Firefox?

      • (Score: 1, Insightful) by Anonymous Coward on Monday December 13 2021, @07:49AM (8 children)

        by Anonymous Coward on Monday December 13 2021, @07:49AM (#1204554)

        Because if you don't, you'll have a browser that nobody can use.

        All of those things - except emojis and fingerprinting, which is a dark pattern, not a standard - are easily disabled, either with options or a simple extension. Firefox is actually one of the best browsers for avoiding fingerprinting. It's pretty much the only thing Firefox actually does right.

        You do want Unicode. Well, unless you can't read. Text is useful for everyone else, and what you don't seem to be aware of is that Unicode is the only way to render text on any modern OS.

        • (Score: 2) by PiMuNu on Monday December 13 2021, @09:37AM (7 children)

          by PiMuNu (3823) on Monday December 13 2021, @09:37AM (#1204568)

          > You do want Unicode.

          As I occasionally point out, two thirds of the world do not use the latin alphabet as a first alphabet. I realise this is (likely) not the case for GP, however clearly someone like firefox/the internet have to support unicode.

          • (Score: 0) by Anonymous Coward on Monday December 13 2021, @10:46AM (2 children)

            by Anonymous Coward on Monday December 13 2021, @10:46AM (#1204575)

            Even that is sort of a weak argument because the real difference for most is ASCII versus Unicode at this point. Even if you use the Latin alphabet, there is still a good chance you use something outside of ASCII during the course of your day.

            • (Score: 1, Interesting) by Anonymous Coward on Monday December 13 2021, @03:57PM (1 child)

              by Anonymous Coward on Monday December 13 2021, @03:57PM (#1204652)

              A good chance? Try no chance whatsoever. My document format of choice is plain text. Don't send me a pdf or a docx or whatever - I'll just send it back with a "bad format - please send in plain text."

              Same as if someone says they posted it to facebook or twitter - don't expect me to see it, I don't use either one.

              Want to tell me something? Do it in person, a phone call, a text. And very rarely, an email. Don't have my phone number? Then I probably don't know you, so why wouI want to hear from you?

              One reason for the vast amounts of spam is because it's dirt cheap and can be easily automated.

              • (Score: 0) by Anonymous Coward on Monday December 13 2021, @09:47PM

                by Anonymous Coward on Monday December 13 2021, @09:47PM (#1204752)

                Yet another person who thinks their experience is the world. For additional fun, they don't know the difference between plain text formats and character encoding.

          • (Score: 0) by Anonymous Coward on Monday December 13 2021, @03:49PM (3 children)

            by Anonymous Coward on Monday December 13 2021, @03:49PM (#1204650)
            More than half the world uses English as their first or second language. So no, I don't need unicode, and neither does more than half the world. Having addresses that use unicode urls that LOOK like ascii is a nasty security flaw. I want a browser that replaces unicode with a warning.
            • (Score: 2) by janrinok on Tuesday December 14 2021, @06:16AM (2 children)

              by janrinok (52) Subscriber Badge on Tuesday December 14 2021, @06:16AM (#1204895) Journal

              So if I had £1, or €1 for that matter, every time I have to write my home address which contains an accented è, and I am told that I don't need unicode I would be a very rich person indeed. Let alone travel outside the only country that thinks it is the whole world (USA). You personally don't need unicode because your view of the world is probably limited to one country, and you do not even consider your neighbours. The rest of us know that the world is a much bigger place. During my life I have lived and worked in Russia, Germany, France, Croatia, Bosnia and the UK. I have had to use the appropriate language in each case. And I've done that without travelling farther than perhaps a state or two in the USA. Five different alphabets or more! And I have travelled to at least a dozen more countries covering every continent - and managed with little more than a phrase book.

              Your 'half of the world speaking English' probably contains Ireland and Scotland - where some people actually do still speak Gaelic, and guess what? Gaelic has accented letters that are not found in English: à, è, ì, ò, and ù. How would you write addresses or names for these 'English' speaking people. Use English!? But the addresses and names are not in English. The place names are not in English. OK, lets look at Wales - er no, they have a diacritic Ê or ê. So within a few hundred miles we have several languages that don't work without an extension to ASCII. How about another 'English' speaking country - Canada? They speak both English and French. OK, lets consider New Zealand - where words having a Maori (sorry, that should be Māori) origin can appear, especially in people's names. ( I suppose you simply discounted them - they should all change to speak the same language as you do).

              The various attempts at linguistic inclusivity, whether successful or otherwise, were developed because there is a need. No matter where you live, it is important to be able to communicate with your potential customers, your neighbours (Germany, France, Spain, Scandinavia...), your allies and maybe potential enemies - where different alphabets are common and in use all over the place. Peoples' names, places, addresses, formal documents.

              Your world view may be fine for you - the rest of us know that the world is much bigger place. Your English (ASCII only) browser already exists and has done for decades - but it has been superseded because it wasn't up to the task of being usable in the real world.

              • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @08:43PM (1 child)

                by Anonymous Coward on Tuesday December 14 2021, @08:43PM (#1205097)

                EVERYBODY, UNDERSTANDS, ENGLISH. YOU, JUST, HAVE, TO, TALK, LOUDER, AND, SLOWER.

                • (Score: 2) by janrinok on Wednesday December 15 2021, @07:36AM

                  by janrinok (52) Subscriber Badge on Wednesday December 15 2021, @07:36AM (#1205240) Journal
                  ...And point. It is important to point at what you want while speaking loudly and slowly as if to some young partially deaf child.
      • (Score: 0) by Anonymous Coward on Monday December 13 2021, @02:02PM

        by Anonymous Coward on Monday December 13 2021, @02:02PM (#1204619)

        Because millions of people have their favorite browser extension, and thousands of browser extension developers don't have the time and interest to create one extension for Chrome-compatible browsers and another for Firefox. If Firefox doesn't do this, their market share will fall even faster as people find that their favorite browser extension only works on Chrome.

    • (Score: 0) by Anonymous Coward on Monday December 13 2021, @04:45AM

      by Anonymous Coward on Monday December 13 2021, @04:45AM (#1204525)

      We will support blocking webRequest until there’s a better solution which covers all use cases we consider important

      They know "until" means forever, because Google is not going to create something in V4 that helps that kind of extension, and creating a FF-only method is too much work when you can just maintain the previous. Or they will drop it some time in the future, and fuck the extension developers (it would not be the first time they do) and by extension (haha) the user base.

  • (Score: 5, Informative) by progo on Monday December 13 2021, @01:47AM (6 children)

    by progo (6356) on Monday December 13 2021, @01:47AM (#1204471) Homepage

    If you think "oh I'll just use Firefox", remember who pays the foundation that pays Firefox developers' salaries.
    https://www.androidheadlines.com/2020/08/mozilla-firefox-google-search [androidheadlines.com]

    • (Score: 0) by Anonymous Coward on Monday December 13 2021, @02:00AM (3 children)

      by Anonymous Coward on Monday December 13 2021, @02:00AM (#1204476)

      At least FF can be set to not auto update -- I plan to continue to use an older version that doesn't support this new crap.

      I'm not so sure about Chrome, can it be locked to an older version, or is it like Win10 that updates whenever the hell it wants to?

      • (Score: 4, Informative) by Runaway1956 on Monday December 13 2021, @02:06AM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Monday December 13 2021, @02:06AM (#1204477) Journal

        https://www.isunshare.com/internet/3-ways-to-disable-chrome-from-auto-updating-in-windows-10.html [isunshare.com]

        3 Ways to Disable Chrome from Auto-updating in Windows 10

        • (Score: 2) by Reziac on Monday December 13 2021, @02:43AM

          by Reziac (2489) on Monday December 13 2021, @02:43AM (#1204494) Homepage

          Good info, thanks.

          Tho the only place I myself use Chrome is on the linux box... where I can freeze versions, and seems like that may be a good idea.

          --
          And there is no Alkibiades to come back and save us from ourselves.
      • (Score: 0) by Anonymous Coward on Monday December 13 2021, @07:53AM

        by Anonymous Coward on Monday December 13 2021, @07:53AM (#1204555)

        Since Firefox is also supporting the old standard, you don't have to stop updating it.

        Well, unless you want to for other reasons. Tabs haven't really worked right on Firefox Android since the latest UI overhaul. The previous version introduced new and exciting bugs, different from the old stale ones!

    • (Score: 2, Insightful) by Anonymous Coward on Monday December 13 2021, @02:34AM

      by Anonymous Coward on Monday December 13 2021, @02:34AM (#1204487)

      Mozilla obviously receives their product development orders from Google. Mozilla hasn't listened to their users in a decade. No surprise they went from 40% browser marketshare to 3% in just a few years.

      Hey, I can't blame them for following orders. If I was paid $500M/yr in exchange to "Make Firefox as shitty, rigid, and uncustomizeable as Chrome" and in your spare time "Show off your Social Karen Justice Cancel Culture Victimization Warrior Outrage Offended Trigger RunToMySafeSpace BringMyEmotionalSupportCaneToadToWork skills ",most of us would be tempted in return for a seven or eight-figure chunk of that annual pot of gold.

      Sucks though because the once independent Mozilla has become nothing but another tentacle appendage controlled by Google.

    • (Score: 2) by mhajicek on Monday December 13 2021, @08:20AM

      by mhajicek (51) on Monday December 13 2021, @08:20AM (#1204562)

      I use Brave.

      --
      The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
  • (Score: 3, Informative) by ealbers on Monday December 13 2021, @03:50AM

    by ealbers (5715) on Monday December 13 2021, @03:50AM (#1204508)

    It should read..."Google has infected 75% of websites with their virus/malware...."

    If google is involved, your bank accounts, personal information and children are threatened.

    That is a fact. Microsoft, Apple and Facebook share the same designation.

  • (Score: 1, Troll) by ealbers on Monday December 13 2021, @03:58AM

    by ealbers (5715) on Monday December 13 2021, @03:58AM (#1204512)

    Google, Apple Microsoft and Facebook are threats to the Constitution of the United States and Democracy.

    You must choose, freedom, Democracy and the rule of law, or fascism with Google, Microsoft, Facebook and Apple as your Lieges/Rulers.

    They are more a threat than any terrorist organization. THEY are more a threat to the USA than any foreign government since Russia or China/USSR

    Pick a side.

     

  • (Score: 1, Informative) by Anonymous Coward on Monday December 13 2021, @07:28AM (7 children)

    by Anonymous Coward on Monday December 13 2021, @07:28AM (#1204550)

    Not saying it's good... just not that bad.

    The documentation is available [chrome.com]. Basically, instead of running Javascript to decide whether to block, allow, or modify a request, you have to do it with a regex.

    And, of course, regexes are a lot less powerful than Javascript. But the blocking functionality seems to map pretty closely onto what Adblock Plus does, for example (ABP block lists ARE regexes). And since ABP works at the page element level, not the request level, it's still going to be able to see the elements in question. ABP is going to be fine. Like Ghostery, of course, they'll have to migrate to the new API: content scripts, in this case. Instead of running a script in your extension, and modifying the page DOM as a child of it, you inject your scripts into the actual page, and run them there, accessing your extension's state via service workers. This really is a major rewrite... but it's not a loss of capability.

    For script blocking, I use uMatrix (and Noscript on Firefox for Android, where uMatrix isn't available any more). If you use uBlock Origin it's pretty similar. The blocking functionality seems to map closely onto what these extensions do. The biggest concern I have is that there's a limit on the total number of blocking rules, and the limit is global across the whole browser. Google provides an API to determine what the limit is, but I couldn't find the actual default value in the documentation. However, if the extension can no longer see what requests are being made, the UI might not work any more. But it seems like the APIs will still work in read-only mode, which they can use to provide information for the UI.

    The Ghostery devs seem to be concerned about having to use service workers instead of background pages. Personally, I have been completely happy with service workers. The name is misleading, of course - they're not really either of those things - but in their intended role of running code decoupled from any particular page, they work just fine. I can certainly appreciate the headache if you have a lot of existing code based on background pages and now have to migrate it, because the APIs are certainly different, but this is not a loss of capability, just extra work for devs. I'm not unsympathetic, but it's easy to overstate the case here. Maybe there's some aspect of background pages that I don't know I'm missing, but I find the service workers API to be pretty much just better in general.

    So to sum up, this is far from a nothingburger. It's a major breaking change that will force a fire drill on most extension developers and will cause some kind of headache for just about everyone. But I'm not finding any actual loss of capabilities in the change.

    • (Score: 1, Interesting) by Anonymous Coward on Monday December 13 2021, @08:14AM

      by Anonymous Coward on Monday December 13 2021, @08:14AM (#1204560)

      AndroidPolice says the rule limit is 300,000. That's... kind of enough, and kind of not? It's a lot of rules, but ABP can exceed it. It should be something the user can raise.

      NoScript devs say that having to use regexes prevents innovative filtering strategies from being developed, but I'm actually not sure I agree. I certainly see their point. You don't necessarily want to limit your filtering rules to regexes, even though every content blocker I know of currently does, or uses something even less powerful than regexes. But your extension doesn't have to think in regexes, it just has to express block rules to the browser in the form of regexes. It doesn't matter if the actual determination is made by something as simple as the user clicking a block button, or as complex as a content-aware AI. In the end, you're still just matching that URL string.

    • (Score: 2, Interesting) by Anonymous Coward on Monday December 13 2021, @08:42AM (4 children)

      by Anonymous Coward on Monday December 13 2021, @08:42AM (#1204563)

      Then you aren't looking hard enough or don't understand how these extensions work. It's really that simple. This change does literally nothing to prevent malicious extensions but does neuter a lot of what different blockers can do now. If a fixed set of 300,000 "regexs" (some lists are already more than that) declared at extension install is all that was really necessary to block ads, extensions would be completely unnecessary. But such blockers running as extensions are necessary because you have to be able to react programmatically to requests to get the expected results. Content scripts don't cut it either, for a number of reasons, including hurting performance, still allowing (malicious) content to be downloaded, making blockers reactive, and putting them more at the mercy of the content they are trying to block in the first place.

      But the thing is, you may not know all this and how all the various extensions work, but Google does. And they picked the perfect way to neuter content blocking extensions without affecting much else. It's just too bad for them that they were so obvious about it. They are usually more stealthy in their attempts.

      • (Score: 1, Informative) by Anonymous Coward on Monday December 13 2021, @11:09AM (3 children)

        by Anonymous Coward on Monday December 13 2021, @11:09AM (#1204577)

        Static install-time lists of rules are only one way to use the new API. You can also modify or replace the static lists via API calls (they're not all that static, as it turns out), which then persist across browser sessions. Or, you can dynamically create new rules, which last only for the current browser session. The only time you cannot change the rule when you could before is actually during a request. For example, you can't block a request, while you make a different request to some server somewhere, and find out if you should allow the original request. But that's not usually what happens, because it would be incredibly slow. uMatrix, for example, loads the page, according to whatever rules it already has, and then through the UI you can change the rules, and if necessary reload the page. ABP downloads its huge lists separately, and stores them locally.

        Service workers can normally rewrite URLs programmatically, which would basically replicate the original functionality, but I'm not sure if the scope rules will allow it to happen from an extension.

        I haven't found anything that background pages can do that content scripts can't. It seems to be just a question of switching to the new API. Your objections might be arguments why MV3 isn't very useful, but they aren't reasons why content blockers won't be able to work.

        But I don't agree that it's not useful. The history of browser extensions has been one of browser vendors making extensions work more like ordinary web development. Every time there's a change, the extension makers complain, and every time, they adapt. Things like background pages are single use technology that only exist to support extensions, and now that code can be removed. Service workers are just regular Javascript, and content scripts almost are. That means it's easier for regular web developers to write extensions, because they have to learn less new stuff.

        • (Score: 0) by Anonymous Coward on Monday December 13 2021, @11:04PM (2 children)

          by Anonymous Coward on Monday December 13 2021, @11:04PM (#1204789)

          Your uMatrix and remote-API examples are complete red herrings. Most content blockers don't run in a default-deny configuration and then retroactively allow stuff when things break. This means that for a content blocker, you end up loading a page and all the content you wanted blocked, let it get parsed by the browser, then you have to inject or potentially reload. What awesome UI for the everyday user (and a great way to have malvertising run loose and go by unnoticed because the page refreshed). And that is what you are going to have to do because the dynamic and session rules limit are much smaller than the global limit on rules. Also, most content blockers don't do remote lookups (although some do mind you) but there are plenty of ways to react to the outgoing request that don't require that. For example, three of the major content blockers wait until the DNS results come back to determine if the name CNAMEs or DNAMEs to a tracking server. No extra time but can make a big difference and dramatically cuts the number of rules. I could go on about all the other things they do and tests they run on requests because content blockers have come a long way from the original ABP rules.

          And I'm not saying some (most?) of the changes can't be useful, especially when all the chromium issues for what is broken/unimplemented are fixed. But it is equally true that some of the design decisions were made by Google, a company that makes a majority of its money from ads, were specifically to neuter content blockers or degrade their user experience. When most of the non-Google/non-Chrome experts are crying foul or not propagating certain changes, maybe just maybe, the problem isn't that they all see an imaginary problem or are too lazy to change. Maybe there might actually be a problem they see and you can't see or don't want to see. Google already broke service worker's observational capability in advance before [chromium.org] and there are a number of other equally worrying issues on their tracker, so beware and hope that at least that bug is fixed before January 17th.

          • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @07:42AM (1 child)

            by Anonymous Coward on Tuesday December 14 2021, @07:42AM (#1204906)

            Most content blockers don't run in a default-deny configuration and then retroactively allow stuff when things break.

            That's the only way to use a content blocker. It does whatever it does, and then if a page breaks, the user pokes an option (anything from enabling scripts on a subdomain to turning the whole content blocker off) and reloads the page. That's just the nature of the system. If you absolutely need every page to work right every time, you can't use a content blocker. Or the Internet, probably.

            You aren't supposed to put all your rules in the per-session lists. They are only for when a user does something like "temporarily allow X on this page."

            BTW, I checked all my ABP rules and there are about 110,000 of them currently. Like I said, you can exceed the limit of 300K... but it's not a bad guess. uBlock uses most of the same rules. Not sure what happens if two extensions try to create the same rule.

            For example, three of the major content blockers wait until the DNS results come back to determine if the name CNAMEs or DNAMEs to a tracking server.

            Maybe on Firefox, which is the only browser that ever supported that API. For other browsers, AdGuard crawls the DNS system, identifies the bad CNAMEs, and then publishes them [github.com] for everyone else to build into their regexes.

            maybe just maybe, the problem isn't that they all see an imaginary problem or are too lazy to change. Maybe there might actually be a problem they see and you can't see or don't want to see.

            Well, here's an example. A Ghostery dev was complaining [githubmemory.com] that the sky is falling, they need megabytes of data, it won't fit into storage.local. Except, for extensions, there's a permission you can set that gives you unlimited storage. AND you can use IndexedDB, which is also pretty much unlimited.

            The same dev rejected out of hand the clever solution of building a large regex around the | operator to bypass rule list limits, on grounds of performance, even though | is a high performing operation in a regex that is probably faster than running two different regexes - even if the engine decides to backtrack. My guess is, though, that Google is going to use a non-backtracking engine, because backtracking engines can exhibit exponential performance, and the intended use doesn't need to cover everything that regexes can do in the wide world.

            Google already broke service worker's observational capability in advance before

            OK, but that's a bug that's going to bite lots of extensions, not just content blockers. They're going to have to fix it. Bugs aren't evidence of conspiracies.

            • (Score: 0) by Anonymous Coward on Tuesday December 14 2021, @10:01PM

              by Anonymous Coward on Tuesday December 14 2021, @10:01PM (#1205127)

              I agree it is the only way to truly use a content blocker, but name one that ships in a default-deny configuration. The closest is NoScript but even they don't anymore because too many people freaked out when things broke.

              Not supposed to put all your rules in the session list? What else are you going to do when the lists get updated, which instantly renders your manifest lists obsolete. The only choice is to add the rule dynamically and the only thing you can do with reactive rules. Better hope your ABP comes up with a way to get your 110,000 rules to fit within the 5,000 limit in the time between updates.

              DNS was just an example of one of the things they do. But since you brought it up, better hope that AdGuard list stays the same between updates or you either miss some malvertising or run out of your 5000 non-manifest rules real quick. We'll have to see if it is worth using up your more-precious 1,000 regex rules on them.

              And your counter about Ghostery freaking out about storage (better hope they approve that permission or no one hits one of the IndexedDB limits) or regex (and if you think the performance of running one giant regex is better than a number of simpler ones or a bloom filter, bench it yourself) compared to this. This isn't just one developer saying this. There is the EFF, Mozilla/Firefox, Microsoft, Gorhill, NoScript, DHowe, AdGuard, and a number of other major extension and browser makers all saying how it isn't good enough.

              And that but was one of many that affect this situation, many that are worse and still unfixed. Fact of the matter is that unless they fix ALL of them in the next 34 days, with Christmas and New Years also intervening, the manifest v3 situation is even worse than how it exists on paper. Considering how long many of those bugs have been left unworked for years, and many untriaged, I don't think that is looking good. But maybe the sunshine will force their hand before 2023. Just 400 days to find out, which is a shorter time some of those bugs have been open.

    • (Score: 0) by Anonymous Coward on Thursday December 16 2021, @07:23PM

      by Anonymous Coward on Thursday December 16 2021, @07:23PM (#1205628)

      I use uMatrix on Android in Kiwi browser, based on Chromium,it supports extensions, uMatrix, UBlock Origin work normally.

  • (Score: 0) by Anonymous Coward on Monday December 13 2021, @09:00AM

    by Anonymous Coward on Monday December 13 2021, @09:00AM (#1204564)

    This is no point in playing on a field where the rules are made by the enemy and change underneath you.

    Head off to https://gemini.circumlunar.space/ [gemini.circumlunar.space] and leave the hinternet behind.

  • (Score: 0) by Anonymous Coward on Monday December 13 2021, @01:44PM (1 child)

    by Anonymous Coward on Monday December 13 2021, @01:44PM (#1204616)

    If we had stuck to requiring all browsers to be W3C compliant, then Google would not be dictating things. Pale Moon really struggles with some web sites due to their 'chromitazation'. If I lose that browser, it is on to un-googled Chromium. Not buying anything pushed to me in advertisements. They are just wasting bandwidth and energy pushing ads.

(1)