Last year, Google outlined plans to make Chrome extensions safer by introducing changes to the ‘manifest version’ in Chromium.
Google suggested these changes would improve security, privacy and performance. Importantly, the search giant also suggested the changes would enhance user control. However, as the first of the proposed changes came to light, it became clear these changes might not be in consumer’s best interest.
The changes proposed by Google engineers would break content-blocking extensions like ad-blockers in all browsers based on the open-source Chromium project. That means browsers like Opera and soon Microsoft Edge. It also means the world’s most popular browser: Chrome.
Essentially, Google is looking to change the manifest version in Chromium. Currently, Chromium utilizes Manifest v2, which determines which APIs extensions can and cannot use. In other words, the manifest controls how extensions can interact with the browser.
Google introduced Manifest v2 in 2012, so it’s arguably past time for a modernized manifest that’s more in-line with the current web. As such, Google engineers are developing Manifest v3 and have shared a draft document outlining changes planned for the manifest.
You have to break a few APIs to make a new manifest
Manifest v3 includes several new APIs and significant changes to existing APIs that could potentially break many things, including content blocking extensions.
As spotted by The Register, Raymond Hill, the developer behind content blocking extensions uBlock Origin and uMatrix, posted a lengthy response to the proposed changes in a Chromium Bugs thread for Manifest v3.
Hill says the changes won’t benefit users, despite what Google says.
“Extensions act on behalf of users, they add capabilities to a *user agent*, [sic] and deprecating the blocking ability of the webRequest API will essentially decrease the level of user agency in Chromium, to the benefit of web sites [sic] which obviously would be happy to have the last word in what resources their pages can fetch/execute/render,” Hill wrote.
Currently, content blockers can leverage the ‘webRequest’ API to intercept network requests and block, modify or redirect them. In other words, content blockers can peak into requests sent from your browser to the webpage during loading. With relation to content blocking, this can be a powerful tool for spotting things and preventing them from being loaded.
However, the API can also cause delays in loading pages, as Chrome has to wait for the extensions to check every request. Further, that kind of access could pose a privacy threat to users if they install a malicious extension.
The new API severely limits what content blockers can do
Manifest v3 proposes changing the webRequest API so it can only read network requests and not modify them. Further, it would introduce a new API called ‘declarativeNetRequest’ that would allow Chrome to decide how to handle network requests. According to Google’s API documentation, declarativeNetRequest would reduce bottlenecks in page loading and provide users with more privacy as the API can’t “read the network requests made on the user’s behalf.”
However, Hill notes in his response to the changes that the new API is significantly more limited. While it would still allow content blocking extensions, only basic solutions like Adblock Plus (ABP) and similar content filters would work with declarativeNetRequest.
This means more advanced content blockers that offer users increased control over what gets blocked won’t work. It also means Hill’s uBlock Origin and uMatrix extensions won’t work.
Hill told The Register in an email that he understands the need for the API and that he supports it.
“However, I don’t understand why the blocking ability of the webRequest API — which has existed for over seven years — would be removed (as the design document proposes),” Hill wrote. “I don’t see what is to be gained from doing this.”
What is gained, what is lost
The important thing to remember is who is making the change.
Google is one of the biggest online ad companies in the world. This change puts Google back in control of network requests, and ultimately the content that makes it to users.
Further, Google and other online advertisers reportedly pay ABP to whitelist their ads, which explains why it comes out of this largely unscathed.
Finally, concerning the privacy argument Google is making: the new API takes away a user’s ability to define their privacy and gives that power to Google. And while that may be okay in most scenarios, what about when a third-party extension is more trustworthy than Google? Some users may prefer to have a third-party filter their network requests instead — even if it means reduced performance.
Given the stage of Manifest v3’s development, Google may yet address developers’ concerns. It’s still in the process of designing these changes, and everything is subject to change. The question is if it will change.
Source: Chromium Bugs Via: The Register, Android Police