Google’s Proposed Chrome Changes Would Cripple Ad Blockers, Other Extensions

Google’s Proposed Chrome Changes Would Cripple Ad Blockers, Other Extensions

Google has proposed a series of changes to Chrome that, if adopted in their current form, could cripple how ad blocking works within Chromium-based browsers. The impact of the changes wouldn’t be limited to ad blocking — other projects like NoScript and a wide range of other extensions would, according to their authors, also be impacted.

Google’s proposed changes, detailed in its Manifest V3 document, would make significant changes to how extensions fundamentally work within Chrome. Extensions, for example, will no longer be permitted to load code from remote servers or to automatically apply to all sites (users will have an option to choose to run extensions on specific sites or on every site). But the biggest problems appear to be with Google’s plans to deprecate or limit the use of its webRequest API. As Ars Technica details, webRequest allows extensions to evaluate each network request that the extension is intended to monitor and to make decisions about what happens to it. Requests can be modified in-flight to change how the browser behaves in a wide variety of scenarios. Ad blockers, script blockers, and a number of various privacy-oriented extensions rely on this capability.

Google wants to replace webRequest with a new API, declarativeNetRequest. Using the old webRequest API requires that the browser ask the extension how content should be handled. The new API instead requires that the extension declare to the browser what it can do and how it does it. The problem is, the new API has a fraction of the capability of the old one. Extensions are also currently hard-limited to a constraint of 30,000 items to be filtered. As Ars notes, the current version of uBlock Origin ships with 90,000 filters by default and supports up to 500,000.

The advanced functionality of extensions like uBlock isn’t possible under the new rules.
The advanced functionality of extensions like uBlock isn’t possible under the new rules.

Thus far, feedback from actual extension developers has been unilaterally negative. The hard-coded limit on blocked or redirected URLs has been criticized by almost everyone in the Google Chromium development thread. Anti-phishing and anti-malware extension developers are also concerned because the new rules require that extension data be stored in plaintext, whereas some security-related extensions store information in hashed form.

While there have been reports that AdBlock Plus will have an easier time functioning under these rules than extensions like uBlock Origin, one of the authors of that extension argues that even ABP will be harmed, noting that the declarativeNetRequest API “only covers the same limited subset of filter capabilities implemented in Adblock Plus that it does in uBlock Origin.” Instead of being able to implement powerful, custom rulesets, he argues that extensions would now be limited to “providing filter rules.” This would fundamentally limit the ability of extension developers to respond quickly to website efforts to bypass their work. Security extension developers also raised these concerns, noting that the new API disallows updating content-blocking lists in real time. This alone makes it impossible for security extensions to provide fast updates.

Google’s responses, thus far, have been fairly limited. The company has been stressing that the webRequest API will be sticking around in some capacity since declarativeNetRequest can’t handle everything. It’s still evaluating the contexts in which webRequest will be allowed to function, however.

Google’s claim that these changes will improve security and performance have been met with a gimlet eye overall. Several developers have pointed out that the performance impact of running uBlock or other ad blockers on websites is so large, any performance gains Google gets from adopting a faster API will be completely subsumed by the sharp limits on the amount of content those extensions are actually able to block. Speeding up page loads by 20 percent may not mean much if you’re loading 3-5x more data relative to using an ad blocker. Security extension authors have also argued that the security risk to breaking their own products is larger than the sum total of the improvements Google is hoping to gain.

For now, Manifest V3 remains a draft document. If Google decides to implement the current version of the standard, Firefox may see a sudden uptick in adoption. It’s now the only major cross-platform browser in active development that isn’t based on Chromium.

Continue reading

Ingenuity Mars Helicopter Aces Fourth Flight, Gets Mission Extension
Ingenuity Mars Helicopter Aces Fourth Flight, Gets Mission Extension

NASA has confirmed that it will be adding a new component to Ingenuity's Mars mission — it's no longer just a technology demonstration, and it'll get extra flight time on the red planet as an "operations demonstration."

Click-Fraud Chrome Extensions Removed from Store After 500,000 Downloads
Click-Fraud Chrome Extensions Removed from Store After 500,000 Downloads

Researchers from security firm ICEBRG report finding a cluster of scam extensions in the Google Web Store with a combined download figure of more than 500,000.

Flaw in Grammarly Browser Extension Exposed User Documents
Flaw in Grammarly Browser Extension Exposed User Documents

Grammarly promises to catch your typos and grammatical errors, but for a while, it was also exposing your personal documents to potential snooping by any website you visited.

Google Bans Cryptocurrency Mining Extensions from Chrome Store
Google Bans Cryptocurrency Mining Extensions from Chrome Store

Google is fed up with cryptocurrency extensions ignoring its guidelines and rules and is yanking the entire category of extensions, effective immediately.