> Firefox, however, has no plans to deprecate MV2 and will continue to support MV2 extensions for the foreseeable future. And even if we re-evaluate this decision at some point down the road, we anticipate providing a notice of at least 12 months for developers to adjust accordingly and not feel rushed.[1]
[1]: https://blog.mozilla.org/addons/2024/03/13/manifest-v3-manif...
> We will keep Manifest v2 for as long as it’s still available in Chromium. We expect to drop support in June 2025, but we may maintain it longer or be forced to drop support for it sooner, depending on the precise nature of the changes to the code.
Note that June 2025 is the same date Google plans to drop support completely[1].
[0] https://vivaldi.com/blog/manifest-v3-update-vivaldi-is-futur...
[1] https://developer.chrome.com/docs/extensions/develop/migrate...
Neither Brave nor Vivaldi are proposing to maintain engine support for v2: they both point to the codebase retaining support after Chrome drops support (likely for enterprise) as being the driver of their ability to offer v2. Both say that once those codepaths are removed, so too will v2 support be removed from Vivaldi and Brave.
No idea when Google will make that call.
Also for those who use cloud bookmark/history/tab sync, people might just not want Google specifically to have that data; Vivaldi does its own sync.
https://learn.microsoft.com/en-us/microsoft-edge/extensions-...
[1] while pre-existing v2 extensions are still on the store at least for now (e.g. https://chromewebstore.google.com/detail/ublock-origin/cjpal... ) newer ones haven't been able to be added to the store for a long time already, e.g. see https://libredirect.github.io/faq.html#chrome_web_store
Perhaps it has to do with being a Google-funded browser.
I wonder how hard that would be to implement for someone who knew how to do it? Or if the code for that in vivaldi is open source?
Chrome Canary just killed uBlock Origin and other Manifest V2 extensions - https://news.ycombinator.com/item?id=41757178 - Oct 2024 (46 comments)
That one never made the frontpage, so I'm leaving the current thread up.
To extend ManifestV2 in Chrome, add the text below to a text file, saving and running it as a .reg will create and add a value of 2 to "ExtensionManifestV2Availability" in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
(When you open/run a .reg file, it updates your registry, usually preceeded by a warning.)
Alternatively, you could do this manually by pressing the Windows key, type "run" (without the quotes) and enter, type "regedit" (without the quotes) and enter, then navigate as far as you can to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
You may find there is no "Chrome" key and will need to create it, as well as creating ExtensionManifestV2Availability
--------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"ExtensionManifestV2Availability"=dword:00000002[1]: https://old.reddit.com/r/uBlockOrigin/comments/1d49ud1/manif...
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome /v ExtensionManifestV2Availability /t REG_DWORD /d 2Also, just for clarification:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"ExtensionManifestV2Availability"=dword:00000002
Save the file as:
EnableExtensionManifestV2.regMy only long-term hope for this space is that a nonzero segment of congressional representatives have had ad blockers installed by their aides, realize that their experience online takes a nosedive when MV2 is discontinued, and calls for hearings! Blocking isn't just about not seeing ads, it's about a user's freedom to set up their "user agent" to preserve their privacy online from sites that don't respect their wishes. That's a right that Google is using its market power to erode, and it's not something we should take sitting down.
More on MV3 from a few years ago: https://www.eff.org/deeplinks/2021/12/chrome-users-beware-ma...
Why would you even use the lite version on firefox when the original works?
Of course I'm still using the normal uBlock Origin in my main browsing profile.
Saying anything positive about MV3 or the lite extension seems to get you downvoted without explanation though, which is a nice example of how absurd this site is when it comes to anything related to Google.
Sometimes I think downvoting should require leaving a comment and reason, because I can't see any reason to downvote this other than "google bad".
This is not true.
People talk about the upside of the declarative API plenty, but adding one function doesn't mean removing another, and the conflation required to use that as a defense of google is what gets downvotes.
Some of the anti-monopoly investigations of Google might achieve this too.
The removal of MV2 is extremely clearly Google abusing their dominant market position to line their pockets at the expense of their users.
When this goes through, there will be another EU anti-monopoly investigation just for this.
I don't understand why and how it would be less capable, and so far I have not read the details of how/why.
So far, it's just rumors to me.
I will keep using firefox anyway, but honestly I am still waiting for a clearer explanation.
With v3, extensions have to predefine the rules for blocking. Which is the limiting factor
And there's a limit of 5000 such rules.
"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000." https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....
Read up here:
https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...
I switched from firefox to chrome for their superior devtools a few years back, but hopefully firefox has had time to catch up.
Everything old is new again!
#!/bin/sh
[ -z $CHROME ] && CHROME=chromium
TMPDIR=$(mktemp -d /dev/shm/chrome-XXXXX)
$CHROME --user-data-dir=$TMPDIR --no-first-run --no-default-browser-check "$@"
rm -rf $TMPDIR
I don't mind nice and powerful tools, but one thing I learned with Java (where the tools are so much nicer and so much more powerful) is that if you're leaning on them heavily, that's kind of a sign you've messed up. Like on the scale of severity (https://raw.githubusercontent.com/matthiasn/talk-transcripts...), at least as severe as really bad coupling or brittleness. Thank goodness for the tools that let people efficiently figure things out and get on with things, but it's really better to have not needed to be in such a situation to begin with.
I have a similar view with valgrind -- amazing tool everyone would rather exist than not, one could imagine a "Google Valgrind" and "Mozilla Valgrind" competing on mild differences of amazing, but really, life is better if you can just use a managed language and never have to deal with any flavor of valgrind. I think there are ways to do webdev that significantly reduce the need to use any browser dev tools at all, though the domain necessitates some use. ClojureScript in 2014 was showing the way.
Google is a de facto monopoly. They own the entire web. The gateway, the browser, the protocols, advertising, discovery.
Google is too big.
But, every time Mozilla does something slightly abrasive, HN users pile on about how Mozilla is ruining their privacy-respecting reputation, and then go back to using Chrome... The double-standard is really something else.
Maybe instead of getting someone else to break up Google for us, we could just... stop using their shit? I'm typing this from Firefox, I use Proton Mail (and pay for it!) for email, and I mostly search with DuckDuckGo (I know that's not perfect, either). I certainly don't feel like I'm living like a caveman...
/rant
I don't think the fact that Chrome is (was) better is the question, it's a question of how they got here.
Google took tons of money and threw it into Chrome and therefore developed something better. It's better because Google put more money into it than anyone else would have because, in the absence of considering using it to enshrine their search and ad revenue, it wouldn't make sense.
Isn't this part of the antitrust test?
I wouldn't be surprised if Chrome still performs better on Google-owned web sites, for obvious reasons. But, nobody is really going to notice a difference between Firefox and Chrome when visiting, e.g., your bank's web site.
So, it's been somewhere between six and eight years that Firefox has had comparable performance, comparable web dev tools, and way cooler extensions. I'm sure plenty of people will reply that this isn't true and there was some website just this week that FORCES them to stay with Chrome because they noticed a jitter once, but people on the internet are top-tier experts at rationalizing and I don't buy it.
We could've all jumped on board with Firefox when the e10s project landed, but nobody did because it was just slightly less convenient to switch than to not. I hope it was worth it for them.
Even once e10s supposedly fixed their problems another 4 years down the road, I didn't see any reason to rush back. I've switched to another Chromium browser, but I'd rather try a new engine entirely like Ladybird than switch back to Mozilla, until they prove they're not going to let the browser stagnate for so long again.
Most websites (except for those doing some really fancy stuff with new experimental web apis) tend to work just fine in Firefox. Google's sites are the only ones I regularly encounter that perform terribly and leak memory continuously.
Do you not remember all the ads promoting chrome? First was chrome-frame IE extension, then came all the ads - then tie-ins where you got Chrome in addition when you really wanted some other app.
They pushed it hard because they knew they had no real competitors and could eat up marketshare.
Firefox failed because it stagnated on performance and code quality (read: memory leaks for daaaaaaaaays) and ultimately because Mozilla was corrupted by Mitchell Baker and still is to this very day driving away nerds and engineers by the truckload.
Lest we forget, Internet Explorer lost to Firefox despite bundling with Windows. Edge still loses to Chrome despite bundling with Windows. Safari despite bundling with iOS and MacOS only survives thanks to the Walls of Applestantinope holding against the SelEUk Empire's onslaught.
I admire your optimism by the way that a few technologists saying "stop using Chrome, Google is evil, use Firefox" is enough to overcome the market dominance of a monopoly like Google's, but I sadly don't share it. People have been saying it (and similar things, like "don't use Windows, Microsoft is evil, use Linux") for decades with little success. Even the few people who do get swayed will switch back after a few instances of "I was late for my important meeting/was unable to open this important document because the website didn't work with Firefox".
Most people's tech choices are deeply pragmatic and based on familiarity. And to expect anything else is honestly foolish, in my opinion.
This is coming from a Firefox and Linux user by the way.
That is exactly how Firefox slew Internet Explorer.
leetcode all the time and dream of working at google and using chrome and writing javascript.
if the tech nerds took a stand and used firefox en masse, we wouldn't have this problem.
unfortunately it is now normie season. we have to travel through these dark times.
Tech nerds mostly knew that Windows was not a good server operating system. It was also not a fantastic software development environment unless you were using a big, all-inclusive, IDE that was probably aimed specifically at developing Windows libraries and applications.
But, Windows was (and still is) the choice for normies by a WIDE margin.
The tech nerds continued to mostly ignore Windows for server stuff, and more and more ignored it for other dev stuff, too (many migrating to Macs, some to Linux, etc).
If you have a lot of users, but no developers on your platform, you're playing a dangerous game. Eventually Microsoft found a way to have Linux running in Windows. I don't know or care if that "saves" Microsoft or Windows or whatever, but I do see that as a win for the tech nerds.
All we have to do is get the tech nerds to stop using Chrome. Chrome can't survive forever if the nerds stop using Chrome, if we stop optimizing our web pages specifically for Chrome, and if we stop writing and maintaining extensions for it.
Eventually, they'll probably cave and put back more stuff to make the nerds happy, in order to bring them back to the platform and save their normie userbase. Either that or Chrome will die. Both are fine with me.
Agreed 100% with this.
Google seems much too sure of itself making this change. I hope their arrogance pays off just the same as Microsoft's did with IE.
I think it's part of a much bigger trend in tech in general but also in Google: Removing user control. When you look at the "security" things they are doing, many of them have a common philosophy underpinning them that the user (aka device owner) is a security threat and must be protected against. Web integrity, Manifest v3, various DoH/DoT, bootloader locking, device integrity which conveniently makes root difficult/impossible, and more.
To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in. The next generation won't have the wonderful and fertile computing environment that we enjoyed, and it's (partly) your fault.
However, it is important to also understand that the employee is not the only stakeholder. Government agencies answer to legislators, nonprofit management answer to donors, corporate management answer to investors, etc. There are layers of compliance that must be considered as well (internal policies, external regulations, different insurance costs, etc.). It is unsurprising that these fewer but generally deep-pocketed entities have an outsized influence on the market compared to more numerous but less moneyed end users. If you refuse to serve the former, you may quickly find yourself out of business.
There's another problem with Chrome, which is that nobody is actually paying for it. So the big corps move features along there only in the sense that they won't adopt it or will drop it otherwise. I don't think the big corps are pushing for Mv3 but they also probably don't care that it arrives either. Conversely, I wager Google estimates nearly nobody will revolt and leave Chrome over the loss of Mv2. It hurts ad-blocker developers and it hurts the most conscious users, but Chrome is a marketing product targeted at mass adoption first and foremost. I personally hope their estimation is wrong and the current browser monopoly breaks, but this may not yet be the breaking point.
Even if that happens, Chrome eagerly adopting enterprise policy support may keep it on life support in that environment, though.
You get what you pay for. Seeing that employee retention is frowned upon.
I recently quit my job, developing among others the means to "protect" media using DRM. While this was not a primary motivation, I'm glad to somewhat clean my hands.
The technology (dubbed Common Encryption) is a bunch of smoke and mirrors that a childishly easy to hack around. Yet clearly aimed against good faith consumers.
Take, for example, hardware attestation on android. There's not really any serious issue with this feature, it can be used to ensure your device is not compromised. This is for example how GrapheneOS enables its use with the auditor application.
But, on the other hand, Google abuses the feature to ensure that you are running a google signed OS if you want to use Google Pay. Meanwhile you can use banking apps which also use hardware attestation (although, from their perspective, they don't use enough of it to ensure it isn't being spoofed, and even then...) without any problem on GOS. Moreover, before Google Pay completely killed all of its competition, it was possible to even find third party banks which would provide you with the ability to pay with your phone without using google pay.
Likewise, secure boot is a great concept if you want to be more sure about the integrity of your laptop throughout its lifetime. But some companies have abused it to force you to use Windows. If you want to set up your own signing keys for secure boot, you end up having to deal with poorly managed UEFI keys from third parties which weaken the security of your machine. The feature, as it's implemented, is rarely designed with helping end user's secure their machines. But the core of the design is fine.
I think limiting root on a phone is also a really good idea, the issue is that Google likes to give themselves and their "system apps" special privileges. If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
So all in all, fundamentally, most of these features are fine. They're genuinely great for security. But the main problem is how they're abuse by the companies in control and how little effort is put into allowing power-users to use those features for their own benefit.
When the OS is fundamentally in the user's control, they are limited in what they can do, but when the OS disregards it's owners preferences/desires and enforces it's creators desires.
Minor thing actually:
> If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.
But all in all, I very much agree. I love those features when they are in my control on my devices. Biggest issue is, they virtually never are and the number of occurences is trending down.
Anyway,
The modern Web Browser is an advertisement terminal. If Google would manage to eliminate having to serve content, they would certainly do it.
That was a world where the user base was much more limited and devices were less capable. Now we have children, grandparents, educated, and uneducated users with access to web connected devices. These devices now contain everything about you. Compromise of a device can destroy someone’s life.
Not only that, but compromise of a device can cause collateral damage to other devices on the same network.
We now have to cater to every user. Not just to the technologically adept. Look at what people believe on social media. The bar is so low to con people into compromising their device.
Write insecure software and you'll get screwed by hackers. Write secure locked down software nobody can touch or modify, and you'll get doubly screwed by a large corporation that wants to pound every penny they can out of your bloody corpse, upto the point your device is compromised by the corporation who can do whatever they want, but you cannot tell.
There is no win situation here, there are only trade offs.
The browser is called a user agent, but this shift to absolute security no matter what, no say about it is a shift to native apps, is a shift to the developer is in control, is a shift to this being Google and the sites browser, not ours, and that being done unilaterally with nearly no opt outs is the sort of mega tectonic shift that ruins this magical special unique place in software where users had some say in what was happening. We cannot pander to imagined ever worsening users forever.
It feels like the things being done in the name of security are really building an immense prison. The work being done to allow verified age and identity checking ranks up there highly in the this corals humanity, area, not giving us agency.
Tampermonkey still works fine with MV3
> We cannot pander to imagined ever worsening users forever.
The most popular software/hardware will always pander to the most users. That’s why they’re the most popular.
You can’t complain about the most popular option pandering to the most users. Well, you can complain, but you might be in the minority of the users.
> It feels like the things being done in the name of security are really building an immense prison.
I get that, but we are running so much untrusted code on our machines now. Applications that use thousands of dependencies with the hope that someone spots a bad actor.
That said, I don't like that the choice is being taken away. If you do want to tinker at that level with the technology you own, you should be given the choice. By all means make it not obvious how to get there - like, have people reboot their computers while playing Twister on their keyboards with interesting key combos, but give them the option.
> It is not fair that Siri is the only one that can access these things now.
That would be true if it was, but it isn't.
And manifest v3 makes things a bit more tedious but not impossible. There are other adblockers which still function just fine
IMHO that's actually part of an even bigger societal trend. "You will own nothing and be happy."
The ones in power want to control everyone and turn them into mindless sheeple to be exploited and milked. It's not just tech. There's another comment around here that mentions features being requested by large corporations and governments.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
May I be blunt? I grew up in it, so yes. I am. I was there for the Windows virus wildfires. I was there for the malware distribution schemes. I was there for the first wave of enshittification. For the dotcom crash. For the spam wars. For the search engines that didn't work. For the JavaScript injection attacks. For the world where "nobody knew you were a dog" as long as you didn't talk like yourself. I couldn't trust most of my relatives to use a computer the way we had to use them in the late '90s / early aughts. That's not a problem now.
For all its flaws, the modern system is cleaner, simpler, faster, and better for end users and no longer requires them to be super-nerds (and meanwhile, open and malleable devices are still there for the super-nerds to play with and work with). This was the goal---to make computers something that benefit everyone, not just the technorati and the priest-class.
May the past become a foreign country, hard for the modern mind to comprehend. May it always be so.
Here is one empirical data point.
I switched over to Firefox this morning and will advocate for it.
I've considered it for a while, but I never felt motivated to make the switch. It took me a good half hour to set it up the way I like it.
Nothing stops us from doing the same thing again. I've been recommending Firefox to all my family/friends/colleagues for years (ever since I've seen the writing on the wall for Chrome). While Firefox isn't perfect, it's in a much better place than Chrome is, and meets the the needs of nearly 100% of people.
No, it was driven by having a banner in the most privileged spot of the Internet, Google.com (the most visited site in the world with 0 ads on the homepage) saying that was faster and more secure than the alternatives. In fact Firefox benefited from some free ads on Google.com against Internet Explorer before Google developed Chromium.
https://www.reddit.com/r/chrome/comments/23jnmy/why_is_chrom...
This kind of not-freely-given consent was key to Chrome's growth.
From my perspective, all of you are saying a lot of things as if you know them to be true, but you have no idea whether they're true or not; really, you just find them to be plausible.
Later Google's ability to buy installs and put it on google.com came into play, but for at least the first 5 years and probably longer, chrome was a far faster, more secure, and more reliable choice. They also pioneered the multi-process model to isolate different components of the browser.
Am I missing any? https://gs.statcounter.com https://analytics.usa.gov https://www.w3counter.com
People who really care about this (tech minded people) are not using Chrome anyway, others (regular people) will switch to less powerful Manifest V3 adblockers that would probably be good enough and won't switch from Chrome.
I thought I knew that.
Then I switched from uBlock Origin to uBlock Origin Lite in Chrome, which is compatible with Manifest v3. I was prepared for the horrible onslaught of ads, expecting at least a quarter would start getting through, ready to switch to Firefox...
...and didn't notice a single change. Not a single ad gets through.
And at the same time, loading pages feels a little faster, though I haven't measured it.
Which has now got me wondering -- what if Manifest v3 really was about security and performance all along?
Because if Google was using it to kill adblockers, they've made approximately 0% progress towards that goal as far as I can tell. If they really wanted to kill adblockers, they'd just, you know, kill adblockers. But they didn't at all.
Adblockers do multiple things:
1. Visibly block ads from the user
2. Block the user tracking that's attached to those ads
3. Protect the user from malware
4. Save bandwidth and cpu cycles by not loading all that junk
5. Allow control to users over how a webpage is displayed to them
Arguably uBlock Origin Lite can only accomplish some of #1 and a sprinkle of #2 now. And even those abilities are compromised by artificially low limits imposed by chrome in v3 that will eventually allow ad networks to overwhelm those limits and get ads through to users.
Google is 100% boiling the frog here and you/the average user is left in the pot unaware.
And if we are being honest about those limits, they have already been exceeded. Ublock origin is going from 100,000 to 500,000 dynamic rules to just 30k rules(only 5k of those can be dynamic) in the lite version.
Adblockers have absolutely been neutered in v3.
Manifest v3 blocks user tracking -- if the request is blocked, any tracking attached to it is blocked. I'm sure it's not 100% perfect, but it's certainly working well enough in practice.
And what malware are you talking about? If a request is blocked, it's blocked. It doesn't matter if it's an ad or malware.
Manifest v3 is better at #4, because the junk isn't loaded, and the blocking is more efficient in terms of CPU.
And then #5 I don't know what you're talking about. I use Stylus and Tampermonkey to customize webpages and they continue to work great.
So I just don't see the evidence that "Google is 100% boiling the frog here". That's what everyone was saying, but now that Manifest v3 has come out, I just see adblocking that continues to work and uses less CPU to do it.
I see a lot of fearmongering around Google, but now that the results are in with Manifest v3... they just don't seem true. You're making all these claims, but I just don't see the evidence now that we're seeing how it works in practice.
These limits are easy targets for ad networks to overwhelm or outmaneuver.
That's what everyone was saying
No one was saying that adblockers would literally stop working, so it's beyond disingenuous to dismiss people's issues with these changes by just saying 'works for me'.
What evidence would you actually accept anyway? Do you need a leaked internal document from Google saying literally 'devs, go neuter adblockers' before you believe Google might have bad intentions surrounding people's ability to block ads and tracking?
If security and performance were the actual driving forces of DeclarativeNetRequest, then they would have simply added it in addition to the existing webRequest block functionality. uBlock Origin and most extensions would have happily moved the majority of their rules to the static list if it meant better performance and privacy while keeping around the webRequest blocks for the things that actually need it.
Google has gone from having only one nuclear-level option for influencing adblockers (aka delisting) to now having its boot softly pressed against their necks and plenty of levers to pull. And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior by the world's biggest ad company'?
I will take this one.
First, your limits are out of date. The static minimum is 30k, but can now escalate to an order of magnitude higher depending on how many extensions are installed. The dynamic limit is now 30k, of which at most 5k can be "unsafe". Source: https://developer.chrome.com/docs/extensions/reference/api/d...
Second, even if the limits were correct: consider the possibility that 99% of those rules are irrelevant, out of date garbage that blocks nothing anymore but haven't been removed because there is neither process nor incentive on the extension dev's part to do so.
Ad uses pattern. UBO adds matching pattern. Ad switches to new pattern. Cat and mouse.
This happens widely, rapidly, and on an ongoing basis. The result is that the rule set is large and grows rapidly, but very little of it is actually useful day to day. From the user's perspective, the only cost is that the browser very slowly gets continually less performant, which they will not attribute to the extension.
This isn't hypothetical. I'm on the Chrome team. We analyzed the rule set contents. This is why we proposed the initial limits we did: they were plenty large enough to allow all the extensions we analyzed to do everything they actually wanted to do, if only you stripped the cruft.
The rule size increases since then primarily come out of a dialog process with ad blocking devs about their process and needs and what they see in the wild coupled with what we think we can manage to keep performant. There are compromises. I'm not on that team so I can't speak to details. But it's part of an honest attempt to have a dialog.
There are usually simple explanations for things, if people were truly willing to consider them without bias.
That's of course an oversimplification. But people who believe they're technically knowledgeable and adept are just as likely as other folks to fall for bullshit and be convinced to do things contrary to their own self interests. It's just a different type of bullshit.
No one wants to hear that, because we all want to tell ourselves that maybe everyone else is gullible, but WE'RE smart and rational. To a close approximation, though, none of us are.
I don't know and I don't have to. All I know is uBlock Origin Lite is still blocking everything. So it seems like 30K rules is plenty? Like it's not a meaningful difference for end users if it's blocking 99.99% vs 99.9999% of ads?
> No one was saying that adblockers would literally stop working
That's sure what it sounded like. That it would literally be so bad you'd have to switch browsers because of how degraded the experience would be.
> What evidence would you actually accept anyway?
The fact that the adblocking experience was significantly degraded for the average user -- e.g. that now 10% or 25% of ads were getting through.
> And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior...
Yeah, pretty much. As far as I can tell, security and performance seem to justify the Manifest v3 changes. Occam's Razor says you don't need anything else. If you think there's malicious intention, then the onus of proof is on you.
I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it, that Google was cracking down on adblockers to neuter them. Now that it's here and my adblocking works just as well, maybe even better (if it's sped up page loading times) -- then sorry, as far as I can tell the malicious intention was made-up.
> I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it
Once enough ads catch up with the new limitations. Right or wrong, we're still too early for that.
When I tried UBO Lite recently it couldn't block YouTube ads, not sure if that's impossible with Manifest V3, or if UBO Lite just isn't updated regularly like UBO to defeat the YouTube anti-ad-blocking updates.
Update: looks like it's fixed now, not bad :)
That's not what the docs say [1]:
A single rule does one of the following:
- Block a network request.
- Upgrade the schema (http to https).
- Prevent a request from getting blocked by negating any matching blocked rules.
- Redirect a network request.
- Modify request or response headers.
[1] https://developer.chrome.com/docs/extensions/reference/api/d...
MV3 doesn’t allow extensions to know what requests are being made, so extensions can’t use your data maliciously.
Requests to ads that are blocked are blocked.
I think you’re thinking of Privacy-preserving ad measurement which is an option in Firefox and Safari. https://support.mozilla.org/en-US/kb/privacy-preserving-attr...
Now, if an ad blocker has webRequest permissions it’s a red flag.
For example https://developer.chrome.com/docs/extensions/develop/concept... uses webRequest to send telemetry back to some remote server.
With Manifest v3, let's say I'm an ad blocker and I want to get access to metrics not to violate privacy, but just to report them to the user (X domains blocked, Y out of Z requests blocked, etc). How would I get access to those metrics?
Otherwise, you can’t really without more invasive permissions.
https://stackoverflow.com/questions/74813523/chrome-extensio...
Which is something we know for a fact uBlock Origin doesn't do. It's open source, you can check the code yourself. MV3, on the other hand, doesn't do much to assure me that an addon isn't phoning home. Why not just give the user to ability to block network requests on a per-addon basis? Too difficult a task for the trillion dollar company? Or could it be that forcing users to switch to MV3 addons isn't about safety at all?
How exciting!
Time to do your part. Switch to ladybird!
(Insert imaginary we want you for the army poster here)
I was ecstatic about Ladybird from a "fun NIH project" but once it became "serious" it was quite the let down that the hot new independent kickstart was... built in C++. I'm not going to say the "R" word, mostly because I'm less interested "which" and more interested in the "what", but the one place I'd really like to see memory safety is the new small team ground up web browser (aka "remote code execution engine").
On that front https://servo.org/ is "alive" again under the Linux Foundation. It has a focus on being an easily embeddable engine and it seems to be picking up a bit of steam. Whether or not it really takes off remains to be seen. I'll be watching closely though!
I also adopted a workflow that has been very conveninent for many years, essentially using Chrome for personal stuff and Firefox for work and other various things (especially once container support arrived!). It's not going to be easy to undo years of muscle memory, but I guess it's time to bite the bullet.
> October 9th 2024: an update on Manifest V2 phase-out.
> Over the last few months, we have continued with the Manifest V2 phase-out. Currently the chrome://extensions page displays a warning banner for all users of Manifest V2 extensions. Additionally, we have started disabling Manifest V2 extensions on pre-stable channels.
> We will now begin disabling installed extensions still using Manifest V2 in Chrome stable. This change will be slowly rolled out over the following weeks. Users will be directed to the Chrome Web Store, where they will be recommended Manifest V3 alternatives for their disabled extension. For a short time, users will still be able to turn their Manifest V2 extensions back on. Enterprises using the ExtensionManifestV2Availability policy will be exempt from any browser changes until June 2025. See our May 2024 blog for more context.
The change here is actually about the stable channel.
Also, the title makes it sound like MV2 code has been removed from the source, but that's not the case.
None of your comments have actually provided evidence for this assertion, and the previous update dated June 3rd 2024 says users will start seeing a warning. So when between June 3 and October 9 did Google start actually disabling MV2 extensions, and where was it publicized prior to their October 9 update?
It's not an assertion. It's simple reading comprehension. How else can you interpret this?
"Over the last few months, we have continued with the Manifest V2 phase-out. Currently the chrome://extensions page displays a warning banner for all users of Manifest V2 extensions. Additionally, we have started disabling Manifest V2 extensions on pre-stable channels. [paragraph break] We will now [emphasis mine] begin disabling installed extensions still using Manifest V2 in Chrome stable."
> So when between June 3 and October 9 did Google start actually disabling MV2 extensions, and where was it publicized prior to their October 9 update?
I don't know if it was publicized, until now.
After all, when did they publicize that there would be a warning in Chrome stable? But there is a warning in Chrome stable. That started happening some time before this announcement.
Four months is a long gap between announcements.
So you literally don't know if it was news before now, but you're insisting on calling it "old news", apparently based solely on Google using past tense in their announcement.
That was just a figure of speech, which I don't wish to quibble over. I don't insist on using that phrase. The point, from the beginning, is that the HN submission title is not good.
It actually doesn't matter when exactly that Google began disabling MV2 extensions in Chrome canary, because what's the justification for focusing on canary in the submission title when the announcement says, "We will now begin disabling installed extensions still using Manifest V2 in Chrome stable"?
[EDIT:] I see that the submission title has now indeed been changed, so this argument has become redundant.
Submitted title was "Manifest v2 is now removed from Chrome canary"
> Additionally, we have started disabling Manifest V2 extensions on pre-stable channels.
Title could have been a bit more broad (probably should say "pre-stable" instead of "canary"), but I would say it is inaccurate.
That's actually not the most relevant part. The most relevant part is "We will now begin disabling installed extensions still using Manifest V2 in Chrome stable. This change will be slowly rolled out over the following weeks."
Google had already started disabling Manifest V2 extensions on pre-stable channels, prior to October 9.
The first paragraph is "what we've been doing." The second paragraph is "what we'll do now."
> Is Orion open-source?
> We’re working on it! We’ve begun with some of our components and intend to open more in the future.
> Forking WebKit, porting hundreds of APIs and writing a browser app from scratch has been challenging for our small team. Properly maintaining an open-source project takes time and resources we’re short on at the moment, so if you want to contribute at this time, please consider becoming active on orionfeedback.org.
Many excellent alternatives already exist that are also open and free, I don’t see a compelling argument to use this software on any device at the moment.
Ideally, yes.
WebKit is part LGPL, and part BSD.
So I think from purely a licensing point of view, they are probably not in violation. Provided that the way they are linking the LGPL-licensed code is compatible with the LGPL.
But like the other commenter said, I too would not run any web browser that was not fully open source, like this Orion browser.
Or do I not understand the obligations of LGPL?
I imagine they couldn't figure out what an appropriate warning window would look like for that kind of protocol.
Also, keep in mind advertisers are not unaware of all this movement. You don't think they'll try new tactics once they know everyone using chrome is now hobbled to solely static lists? That cloaking (or other approaches) won't then become really popular?
That's going away now. Now mostly everyone is vulnerable with the only recourse being pretty technical stuff, not just downloading a very popular plugin.
So advertisers will now be free to get more aggressive without much downside.
Edit: I do get that this sounds like conspiracy theory. But it really matches the Google boiling frogs approach. Removing the blocking onBeforeRequest, as one of the very first things in the manifest v3 spec was not a coincidence.
Besides, webRequest implementation in Chromium is a terrible collection of hacks on hacks. It is a good example how not to design or implement API. I will not be surprised if the removal of the API comes from a simple desire to remove that embarrassing code.
> I do get that this sounds like conspiracy theory.
> … was not a coincidence.
Could it be that it was coincidence? Do you have a solution for reducing extension malware without removing onBeforeRequest?
Yet you can still inject js right into the page. You just can't stop a page that was going to load from loading. They could have taken away the onBeforeRequest redirect capability and left just the onBeforeRequest cancel capability.
Not sure I've heard of any spyware/malware depending on just that cancel capability.
https://developer.chrome.com/blog/crx-scripting-api#breaking...
https://news.ycombinator.com/item?id=41812416
If you are really privacy conscientious, ad blocking extensions should be able to exist without any access to web requests now.
Removing the onBeforeRequest redirect didn't add much security either, since you can just ask for permission B instead of permission A and just inject code. Though, ad blockers don't need that anyway.
It’s insane to want extensions to snoop on all your requests in an attempt at more privacy.
It is a permission that could be used by a malicious extension to snoop, but that is far from the only use. Wanting the permission != wanting snooping.
There's no difference whatsoever.
And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.
Of course this differs with the kind of sites you visit. So you need to try it on your own. I can believe that perhaps for some people this is a downgrade, but don't automatically assume uBlock Origin Lite won't work well for you.
MV3 has a measly 30000 static rule limit. These rules are included with the extension and cannot be updated dynamically. And a 5000 dynamic rules limit. [2]
EDIT: Chrome now has a 300000 shared pool for static rules for extensions that go over their 30000 limit. And a 30000 dynamic rule limit [3].
[1] https://adguard.com/en/blog/adguard-for-safari-1-11.html
[2] https://adguard.com/en/blog/adguard-mv3-beta.html
[3] https://developer.chrome.com/docs/extensions/develop/concept...
"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000." https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....
Still sucks that the rules are static though. AdGuard devised a method to diff ruleset changes with the built in rules to generate dynamic rules between extension updates. So, I guess it works.
[1] https://developer.chrome.com/docs/extensions/develop/concept...
iOS I'll give you, but macOS can in fact run ex. Firefox.
> finally matching the security and the privacy in that regard.
"Matching" inferior security+privacy is not a good thing. The only way this is an improvement if you think the blockers are malicious; otherwise a useful tool in the users interest has been made less powerful.
Extensions and in turn MV2 blockers can easily be malicious.
https://usa.kaspersky.com/blog/dangerous-chrome-extensions-8...
Look at how many in Kaspersky’s list are advertised as ad blockers. The majority of users aren’t tech savvy like HN.
By my count 5, 6 if we include "Autoskip for Youtube", out of 34. That might be an argument for dropping extensions, but I don't think it's an argument for breaking ad blockers.
Those extensions used the same API that ad blockers used, but for malicious purposes.
So, you would support removing that API? Well, that’s what they did for MV3 and implemented an API just for ad blocking.
https://helpcenter.getadblock.com/hc/en-us/articles/97384768...
https://www.wired.com/story/fake-chrome-extensions-malware/
This has been never ending.
The Firefox version of uBlock Origin Lite was pulled due to unsatisfactory audit process: https://news.ycombinator.com/item?id=41707418
So make one that isn't incompetent? That's not really a counterargument to the general idea.
That's simply not true. Have you ever donde a side by side comparison, or are you just going by feeling?
Really?
Because I find adblockers on iOS are nowhere near as good - they let far more ads through, and they leave far more sites broken so I have to disable the ad blocker for the site to work.
Twitter and YouTube ads are blocked.
The drawback? It isn’t free.
[1] https://adguard.com/en/blog/adguard-browser-extension-mv3-re...
The main thing I missed was the ability to block arbitrary elements with the zapper. I use this for more than just ads, so losing it is a real loss in functionality. Otherwise it worked fine.
Right now most websites don't seem to require any specific chrome feature but with Google's pushing some API's like their Web Environment Integrity proposal I'm worried sites will start to lock their site to Google Chrome and their official Mobile clients.
It might've been better, had uBlock Origin Lite not happened, but is there still a migration opportunity here, and is Mozilla working it?
Every time I try to migrate my very large bookmark collection to another browser, it either misbehaves and partially loses some data or fails completely.
As to switching to Firefox? I'd love to, but Firefox on iOS refuses to put in an AdBlocker. Yea, you can use Firefox Focus but that one doesn't sync.
I don't understand Mozilla's stance on this.
[1] https://learn.microsoft.com/en-us/microsoft-edge/extensions-...
So it IS possible.
That's not true, he donated to organizations supporting California Proposition 8 which banned same-sex marriage which by the way was supported by the majority back then in California. That was also 16 years ago, it's time to let it go and stop spreading misinformation. You should instead not rely on ad-hominem and critize Brave for being ridden with cryptocurrency and doing shady stuff.
And donating to a specific cause shows a lot more commitment and understanding than a typical vote.
I'm curious about which extensions will be recommended to replace uBlock Origin after it's disabled. I'm sure those alternatives will see a surge in installs.
Also, why doesn't the creator of uBlock Origin update the V2 version to the V3 version? I know V3 version isn't as good as V2, but if you're developing that product, at least give your users something instead of leaving them with nothing. Otherwise, they may end up choosing poor alternatives.
Note that it does nothing to block DNS over HTTPS lookups. If your browser insists on going around your LAN's DNS setup, Pi-hole can't help you.
v3 removes the ability to block, but not the ability to monitor. It doesn't make anything more granular.
V3 introduces a hard limit on the total number network filters an extension is allowed to set and it's a laughably low number. Far below what uBO uses even on a barebones, default setup
For users switching from Arc, there is no good alternative, but Firefox with Sidebery and custom CSS comes close.
[1] https://addons.mozilla.org/en-US/firefox/addon/multi-account...
I would suggest zen browser [1] for those people.
The main one is the behaviour of pinned tabs. Pinning in Firefox turns it into an icon that is harder to hit and doesn't even protect it from closing. This makes them essentially useless, they should be moved to the front of the tab bar and be protected from closing.
The second is that when you use vertical tabs the tab bar acts like a title bar instead of a separate entity. This means you can't double click to create a new tab, and trying to drag a tab often results in the entire window moving. I have to use Tree style tabs and disable the normal tab bar completely to prevent this.
There are also things that I don't like such as how downloads are handled and I've has issues with my session tabs being saved properly.
Also in chrome, multiple profiles need multiple google account(If I understand the UI correctly)connected, but in Firefox no account is needed.
You can use Chrome with multiple profiles by disabling the "Allow Chrome sign-in" option so that none of your browser profiles are tied to a Google account. I don't know if that option can be toggled on a per-profile basis, because I happen to prefer it off for all of my browser profiles.
I'm not sure what other extensions would be broken in Manifest v3.
I agree that a lot of money is going to things other than the browser though.
First, exceptions are at the domain level. So you can't say "allow this domain on this site", you have to blanket-allow a domain or not.
Second, the UX for making exceptions isn't great. With uBO it's just a couple of clicks. With something like Pi-hole it's more complex: https://discourse.pi-hole.net/t/how-do-i-whitelist-or-blackl...
In general, though if an app sticks to "known good" DNS over HTTPS and pins its certificate to boot, it will bypass DNS-based adblocking very easily, and additionally will punish you by not working at all if you try to do any firewall/routing trickery.
I suppose they want everyone to stop using the Internet and read books.
Edit: Seems Google/Youtube are experimenting/testing with injecting ads directly into the video streams:
https://old.reddit.com/r/uBlockOrigin/comments/1de9kv5/youtu...
https://old.reddit.com/r/uBlockOrigin/comments/1etvawp/youtu...
The counter argument is that ad-blocking is an arms-race and the only reason a subset of traffic blocking methods is going to work at all is because there isn't a big enough incentive yet.
Other than that the arguments in favour of V3 are going to be about the same as for any API update. My guess is a few extra APIs and more granular permissions.
Feeling nostalgic for a time when browsing HTTP wasn't such a persistently-adversarial experience :(
Unless Supermium is following the manifest path too? Doubt it.
I remember how IE plugins roles: just dll inject into the process.
The difference here is are you downloading a random dll from a well known source or from http://free-vpn-fast-internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't going to know the difference and will click the big green DOWNLOAD NOW button blindly.
A javascript extension cannot do that. It is sandboxed and is bound to a permission system limiting what it can do on top of that.
Signing a DLL only proves that the author is who he says he is. Not that his intentions are good. Same for browser extensions.
So it's best to limit what the extension can do to begin with.
https://blog.chromium.org/2017/11/reducing-chrome-crashes-ca...