Google enables controversial extension Manifest V3 in Chrome 88 Beta
Google unveiled plans to upgrade the extension Manifest that Chromium-based browsers such as Google Chrome use to version 3 in early 2019. The initial draft was criticized heavily, especially for Google's plan to limit the webRequest API that content blockers and other extensions use. The new API, declarativeNetRequest, had filter limits and other restrictions that would mean the end for many ad blockers for Chrome.
Companies like Brave or Vivaldi voiced their concern over the proposed changes and let users know that they would do all that is in their power to retain support for Manifest V2 in their browsers.
Mozilla, maker of Firefox, revealed that it had no "immediate plans" to remove the blocking part of the webRequest API.
Google introduced Manifest V3 in Chrome 80 Canary in November 2019, and has now introduced the new manifest in Chrome 88 Beta.
Manifest V3 includes many useful additions and Google decided to focus on those improvements in the announcement. According to Google, Manifest V3 includes the following improvements over the previous version:
- Remotely hosted code is no longer supported. Google notes that remotely hosted code has been an attack vector that posed a "significant risk to user privacy and security".
- Performance is improved through the introduction of service workers (which replace background pages) and by moving to a "more declarative model for extension APIs".
- Privacy is improved by making more permissions optional and the ability to "withhold sensitive permissions at install time".
Google notes that it has received a lot of feedback when it published the first draft, and that it used the feedback to improve APIs, including the controversial declarativeNetRequest API. Company engineers added support for "multiple static rulesets, regular expressions within rules, declarative header modification, and more" to the API since then.
Google's Chrome Web Store will accept submissions of extensions that use Manifest V3 from January 2021 on when Chrome 88 hits the Stable channel. The company has not set a date yet for the removal of support for Manifest V2 extensions.
Andrey Meshkov, Co-founder and CTO of AdGuard, suggests that the maintainers of other Chromium-based browsers may be able to maintain support for Manifest V2 for "some time" but that it seems unlikely that support will be available indefinitely. Meshov believes that Mozilla will also replace Manifest V2 with V3 in the organization's Firefox web browser.
Now You: What will you do when Manifest V3 becomes the only Manifest supported by your browser?
Actually i doubt Manifest V3 will go into Fiefox. Reason is simple – Mozilla is generally dont care. At very first, when WebExt was just proposed it was supposed that Firefox will be directly compatible with Chrome extention. And its never happen. Different formats. It was generally code and APi compatible, buuut…from that time Mozilla significantly extended APis they initially used and its not so compatible anymore. Firefox for long time have APIs which Chrome never implemented, this is why NoScript never got ported to Chrome (albeit Google did proposed such task to NoScrip dev).
Its way more easy to develop for both FF and Chrome now, but its still different browsers. So, why bother with compatibility?
I don’t care about the tech nonsense. I just want my extensions to work. Developers should not have recode and update extensions everytime a browser company changes the rules on a whim. If this means an extension I use stops working, Google will notice how vocal I can be.
Not being an internet tech, I read all these comments about privacy add-ons/extensions and I wonder why everyone just does not switch to AdGuard. Just because it is not free or is there another reason?
Hi,
I am currently using using NextDNS which functions in the same way as Pi-Hole.
I am using the FREE version of NextDNS detailed below, it is full featured with NO CRIPPLING OF ANY PART OF IT SERVICE!!!!!!
Free
300,000 queries/month1
Unlimited devices
Unlimited configurations
Access to all features
Community support
I am usually a heavy internet user spending many, many, many hours browsing the internet and also have 3 streaming services for video.
I have never once exceeded the limit of 300,000 queries per month
Their website states that if you have extraordinarily high usage the PRO VERSION is $2.99 per month/$29.90 per year.
But I am extremely happy with my FREE account and will most likely never need the PRO VERSION.
It performs very well indeed and is highly configurable with a broad selection of Filter Lists and also has Allow Lists/Deny Lists
@Charlie
AdGuard is not that popular because uBlock Origin is free and tends to work better. But, since adblocking extensions are about to get crippled by Google, I expect AdGuard’s popularity to increase. The popularity of Brave or Vivaldi or Opera or any other browser that comes with a native adblocker will likely also increase.
The adblocker is just one aspect of privacy protection, though, other must have extensions IMHO include HTTPS Everywhere, LocalCDN, Cookie AutoDelete, ClearURLs.
Already using Brave and HTTPS Everywhere. Will look at the others you mentioned.
Because it’s not free. The same way Google, MS, Apple etc are evil if they try to make money and at the same time provide free services. It’s called self entitlement. Give them a crack for AdGuard please.
This privacy story is driving us nuts. The web is like the Ocean: anything you drop in remains in, filtering is only possible by bits UBlock Origin, Tor browser & Qwant search or else?… thanks for sharing yr thoughts.
Real tired of trying however a secured way of communication is named “carrier pigeon”.. reliable, unless u see falcons around (same story as google & friends).
Not sure what this means, users who don’t care about privacy wouldn’t care. Those with privacy angst without the drive to do much about it will be worried because 3 is larger than 2, I suppose. Those who play the game, ie., if they can try to take my data, I can try to prevent it, already use external privacy means and won’t be too upset if extensions become less effective.
I mean, really, privacy in your browser running in an OS that calls out thousands of times a day? Use your internet provider’s dns service? Hand out triangulation data to your neighbors’ low security network by keeping your wifi SSID visible? What else….?
Hey all, setting up a pi-hole is awesome, fun, and pretty easy. Watch a few videos. It has so many benefits. Sure, you have to buy a raspberry pi and some stuff, but it is weirdly inexpensive to do. You filter your whole network. I have a block list that filters spying from smart TV’s, for example.
Also, I tried to use my router to filter my network, and it does work, but every time I would re-flash my custom firmware, I had to rebuild the custom software in the router. Time consuming. Pi-hole is a separate thing, and almost set-and-forget.
I still use uBlock Origins, though. The pi-hole blocks stuff alright, but uBlock smooths out the looks of what’s left.
You don’t even need to buy RPI AFAIK, but pi-hole is even more limited than Manifest v3 DNR blocking. It has it’s own advantages like network-level blocking and rules count is not artificially limited, but it is not context aware. Just look at this: https://github.com/uBlockOrigin/uBlock-issues/wiki/About-%22Why-uBlock-Origin-works-so-much-better-than-Pi%E2%80%91hole-does%3F%22
Yes, thanks. I agree. Some very valid points. And I use uBO as well, as I say. The motivation behind my post was to encourage users to consider the pi-hole as well. The network-wide aspect is great (though far from perfect) for entire households full of “smart devices” and less technical users.
This was the problem that everyone predicted when Mozilla dropped their own extension platform in favour of WebExtensions. XUL was within their control. WebExtensions is ostensibly an open standard but like everything related to Chromium is essentially under Google’s control and they can make changes at whim. Mozilla no longer have the resources to maintain breaking changes to the extension platform . They will have to follow suit when Google drops support for Manifest V2 in Chrome.
“Mozilla, maker of Firefox, revealed that it had no “immediate plans” not remove the blocking part of the webRequest API.”
This is very poorly written. It makes no sense. Please edit this paragraph.
Google is evil! None of these changes benefit the user in the end. Continue to use alternatives.
I don’t use any google products so this won’t affect me at all. Bring on manifest v4 already; the removal of any illusion of control. #breakupgoogle, #breakupfacebook, #dieinafirealready
Ad-blocker developers protest because? ” . . . extensions don’t have full control over the network request management.” It’s a control issue controversy. Who gets final say over what is delivered to a user.
As mentioned in an earlier comment, those who use numerous add-ons for Firefox or extensions for Chrome are giving full permission for those add-ons and extensions to peruse, identify, harvest, whatever the term is, a lot of personal data. That’s one reason Google is attempting, feebly perhaps, to improve privacy and security”
“As Chrome hands over all the data in a network request, extensions which use the Web Request API have access to read and modify everything that a user does on the web. So while content blockers like uBlock Origin wisely utilize the potential of this API, Google claims that other extensions with malicious intentions have abused the same to gain access to users’ personal information. According to Google, 42% of malicious extensions have used the Web Request API since January 2018. Google also claims that there are “significant performance costs†involved with the API as the blocking version of it requires a persistent and often long-running process which is fundamentally incompatible with ‘lazy’ processes.”
https://www.xda-developers.com/google-chrome-manifest-v3-ad-blocker-extension-api/
Yes, I understand the other side of the story; however, when I have to give permissions to an add-on, I really question whether I need the add-on.
Google claims, “We are not preventing the development of ad blockers or stopping users from blocking ads. Instead, we want to help developers, including content blockers, write extensions in a way that protects users’ privacy.”
A great summation of the situation: “From the explanations above, it is clear that Declarative Net Request is not a 1:1 functionality clone for the blocking capabilities of the Web Request API, and extension developers are bound to be miffed when their hard work will get handicapped by such changes. But Google’s reasoning also carries weight — Web Request is too powerful, and its powers need to be curtailed in the larger interest of the user community (which comprises of average users along with enthusiasts).”
Some clipped wings-egos.
Google is lying. Not for the first time, even if counting Manifest v3 only.
Nothing is preventing add-ons to to use Web Request api still present in Manifest v3 to passively observe network requests and steal data.
About “significant performance costs†– as for this day not even one performance analysis supporting this claim is available.
Why Google want so badly DNR? Quoted from early Manifest v3 draft:
> a) we have control over the algorithm determining the result and b) we can prevent or disable inefficient rules.
They don’t even try to hide, they will disable some blocking rules.
For those who whant you can also use AdGuard Windows who intercept the browser connection and remove ads before it arrive to the browser like that problem solved (and myself don’t care about cookie) (i’m using edge) and for google chrome it even remove X-client cookie from Google
what about windows and edge spyware you use? is adguard handling them too?
I have no problems with ads, but I block all tracking techniques, many of which invented by Goolag The Cancerâ„¢ “blackhats”… So this V3 is not an issue for me, simple firewall/hosts rules, like block *google* and all their IP ranges (long list).
I’m more concerned about the goolag recaptcha spyware, present in almost every site that manages sensitive info, the triangle syncing is probably the best anti-privacy/profiling/tracking technique they ever invented, and it’s something you can’t avoid if you need to use services you paid for.
Chrome? Avoided like the plague since it came out.
Oh, recaptcha – what a mess. Now that could make an interesting ghacks article. Privacy issues, circumventing it, etc.
“Meshov [Co-founder and CTO of AdGuard] believes that Mozilla will also replace Manifest V2 with V3 in the organization’s Firefox web browser.”
That worries the Firefox user I am.
“What will you do when Manifest V3 becomes the only Manifest supported by your browser?”
I’ll likely compensate the lack of adblock filters (uBO here) resulting from the limit-rulesets by an increased system-wide defense, even though the latter is already quite important (5.5MB of urls, 13MB of domains managed by DNSCrypt-proxy). But, whatever the limit-rulesets let’s not forger that uBO’s ability to filter access to 3rd-part sites is in itself a fundamental tool.
What I know, for sure, concerning myself is that if the worst scenario should ever arise (impossibility to bypass advertisement) I’d be bound to reserve the Internet for administration, bank tasks in the same way I practically never watch TV and when I do, only public TV (FranceTV here) and ARTE which are the only two TV networks to handle advertisement in a reasonable way. Also, i.e. I don’t watch YouTube on TV ever since I noticed their unblockable ads (of course) when I’ve been used ever since to display ad-free YouTube videos. So, same YouTube on the Internet as on TV and count me out.
Google is an ad company so their behavior is logical. But, driven to no choice, I’d totally change my attitude concerning the Web and, maybe would that be the start of a return to good old times.
> “Meshov [Co-founder and CTO of AdGuard] believes that Mozilla will also replace Manifest V2 with V3 in the organization’s Firefox web browser.â€
> That worries the Firefox user I am.
They make a an app that blocks ads from outside the browser, they would do extremely well if that happened. So of course they’re going to say / believe that.
The Future of Content Blockers in Firefox – Adblocker Dev Summit 2020
https://www.youtube.com/watch?v=tpDFS-GUytg
Manifest v3 talk starts @ 01:16 minute
Brave Browser for iOS Updates App to Remove Reward Features That Violated App Store Rules
https://www.macrumors.com/2020/12/10/brave-browser-removes-reward-features/
@Me
Apple wants their usual 30% cut. This is not the first example of apps having to be modified, or worse be removed from the App Store (either by their creators or by Apple). Apple is being greedy.
Chrome extension format (by definition all webexts) is a curse upon browser and user freedom. These moves will only further extend Google’s control over it. I find it concerning there’s even discussion about limits being increased from initial annoucements – it makes no difference and is merely a lure to accustom users before clamping down on it. Google is an advertisement company first and foremost. I suppose more user-oriented browsers unfortunately relying on chromium codebase will do necessary changes to prevent such blatant crippling, thought it’s hard to believe many mainstream adopters will follow so considering we have been waiting for years for anyone to make the current extension APIs anything more than the current joke they are.
Nonsense, nobody, including Google, can’t and don’t force all other browsers not to add the “freedom” they want or need into their implementations of chromium. They need to work themselves for it, I know it’s easier to just copy paste google’s code, but I think they will manage. If they can’t why do they even exist?
@Thaumiel
There is no need to fix or modify the extension APIs. Chrome’s competitors (apart from Edge) just ship with native adblockers that will continue to work no matter how Google cripples the extension APIs. Problem solved.
Also, system- and network-wide adblockers are a thing.
As expected, Version 88.0.4324.41 (Official Build) beta (64-bit) and its installed extensions still work for me. I will wait until next year to see what extension programmers say and do. Perhaps I will have to give up the Internet as I have for TV, and just spend more time reading books. 🙆â€â™‚ï¸
anything that enhances my security and privacy is welcome..good job google.
The claim is “Privacy is improved”, not “User privacy is improved”.
I hope that’s sarcasm. The words “privacy” and “Google” do not belong in the same sentence for any other purpose than an explanation of how Google compromises privacy.
That’s just paranoid people have about privacy. There is no privacy on World Wide Web…it’s just about who you trust the most..Google is doing everything to protect people from bad people who are hackers/thieves and whatever else they do…I rather trust Google than some guy somewhere who created an extension to block ads..you see where I am getting at? Google already knows who you are even if you don’t use Chrome Browser..their ability to track people is on all electronics…you name it from streaming devices to smart TV’s Phones to name a few…there is no escaping it no matter how much you try too….unless you throw away everything and live off the grid.
It’s possible to keep Google from tracking your search and browsing history with a quick switch of a browser and search engine. You over-exaggerate this so much. Also, you’re going to trust Google, a monopolistic tech company that never transparently told users from the start that they were collecting everyone’s data, more than a person who has dedicated so much of their time to making an open-source extension in collaboration with a community, that anyone can audit? The creator doesn’t even accept donations and the extension sends data nowhere. So, that’s an interesting decision if I’ve ever seen one.
Like the saying goes..”Nothing’s for FREE” ….you think some random guy on internet spending all of his time maintaining his Extensions because he cares for you? lol.. I don’t think so. so yeah, I trust Google a USA company over some random guy from anywhere, from Russia, China perhaps? …only god knows who is behind on every extension there is…could be the bad guy Hacker people try to protect themselves from. lol
@looni: being an USA corp. means nothing, you have never heard of people like Assange and Snowden?
Go read “When Google Met Wikileaks” or search for “Google is not what it seems” and have some culture.
The 150K rule limit is old news, now google raised this number to 300K max rules for Chrome 89
https://9to5google.com/2020/12/09/chrome-88-beta-extension-manifest-v3/
“One critique of declarativeNetRequest as it existed is that it only supported a maximum of 30,000 rules, while EasyList, one of the most popular sets of ad blocking rules, has over 60,000 rules. While Chrome 88 will still only allow 30,000 rules across all extensions, Google says that limit is set to expand to 300,000 in time for Chrome 89”
I think 300k is more than enough. uBlock Origin with most of the filter lists enabled without cosmetic filters is around 100k in filter rules.
Pale Moon/Basilisk may have a traction in userbase after V2 is removed.
Good one!
I don’t care. Filtering should be done at the OS and/or router level. This way is much more reliable and efficient. All current adblocking extensions are terrible.
You need both.
This breaks other extensions too, not only ad blockers!
Yulia, what software do you recommend for that please? I mean OS level blocking, with auto updated lists like uBlock Origin. I don’t want to mess around with my router.
Nothing I’ve use, NOTHING, gives me the granular control of uBlock Origin. Whatever element I want, an ad or simply part of the website that insults my aesthetic sensibilities, anything, I can block out.
The article is low on info from an end users perspective. It says that they’ve made changes following feedback but no mention of whether ubo etc think it’s enough. Of course Firefox will follow, when didn’t they follow their paymasters lead?
For the naysayers and against misinformation:
1) This doesn’t mean anything until the Manifest V2 code is actually removed from Chromium. The two will coexist for a while.
2) Native adblockers like the ones included in Brave, Vivaldi, Bromite, Opera are not affected, as they are not extensions and thus not under extension restrictions.
3) System- and network-wide adblockers like AdGuard or Pi-Hole exist.
4) We don’t know yet whether the 150K rule limit is absolute or rather akin to the one in Safari, where you can have multiple 50K-limit-rulesets, resulting in a much higher number than 50K rules that is the nominal limit for Safari. Could be the same for Chromium.
I will switch to a browser that allows me to block any and all ads especially those hosted by Google.
Not again…
Focus, let’s focus.
No, I don’t mean the damned browser!
@ULBoom
“I can feel your anger. It gives you focus, makes you stronger.” – Palpatine
Focus on whatever you like, hopefully not on me.
Seems rather pointless to have a 150k limit, if you can bypass it by doing multiple smaller ones.
That‘s the current situation in Safari, a nominal rule limit exists, but can be bypassed. Not sure if Chromium will be the same, best to assume that there won‘t be a method to bypass the rule limit there. But the possibility is there regardless.
That’s all nice and dandy but i use Firefox. It’s simply the best browser with the most freedom. :)
it’ll eventually work its way into Firefox.
@Geka
It’s the undisputed king of telemetry, with some monetized anti-features to come. They’ll also implement Manifest V3 before long.
Firefox is down to 4% overall market share for a reason.
Seriously? The “undisputed king of telemetry?” That’s a reach if I’ve ever seen one. Call me when Mozilla can start reading people’s browser history. Then we can start talking about being an “undisputed king.” For now, I think that title goes to Chrome.
“Call me when Mozilla can start reading people’s browser history.”
Sending visited domains to Cloudflare by default in some countries (by changing the user DNS provider).
“Origin telemetry” plans to collect some anonymized browsing history if not already.
They made an (opt-in I think) experiment massively collecting browsing history.
Maybe more, it’s hard to keep track of everything they busy bees are doing.
Wake up man.
@lolrepeatlol
Why am I even debating with a self-proclaimed Firefox fanboy? Don’t even bother to alter the post, I have a screenshot already.
https://old.reddit.com/r/brave_browser/comments/kcbb07/brave_is_being_packed_full_of_terrible/gfs9a5i/
Kindly move your arse back to r/firefox, where your fanboyism will be appreciated.
Google is not selling Telemetry as a Service AFAIK – check “Mozilla Glean”.
@lolrepeatlol
You are a bit late to the party, it’s not like collecting the browsing history of users it never happened with Mozilla:
https://www.zdnet.com/article/firefox-tests-cliqz-engine-which-slurps-user-browsing-data/
Firefox has the most outgoing connections out of any browser today:
https://www.netmeister.org/blog/browser-startup.html
Read the second article, then tell me that Firefox is not the king of telemetry with a straight face.
And again, Chrome ≠Chromium, you deliberately pick the worst Chromium-based browser so that Firefox hopefully looks better, and even that attempt is bound to fail. Try again.
The telemetry in Firefox can be easily disabled while you can’t disable it in Chrome. That’s the big difference. With Firefox you have total freedom and that’s why i support Mozilla :)
@Geka
And with “easily” you mean about:config instead of visible UI options, including hidden-by-default about:config entries, is that correct? That has to be a bad joke.
One can have Chromium without telemetry, it’s called Ungoogled Chromium. Or Bromite. Or Brave. Or Vivaldi. There are more Chromium variants than Google Chrome, if you use it, then that’s your loss. They are also more private than Firefox, needless to say.
> With Firefox you have total freedom and that’s why i support Mozilla :)
Sure thing, buddy. They have completely removed about:config on mobile, as well as the ability to install all extensions (they define now which extensions can be run). You also can’t remove the hardcoded trackers Firefox on Android ships with for some reason: https://old.reddit.com/r/privacy/comments/blt6ft/mobile_firefox_app_shares_your_data_with/
Expect the same for the desktop. There are already connections you can’t disable within desktop Firefox, e.g. firefox.settings.services.mozilla.com…
I refuse to further discuss with people who fall for and repeat Mozilla’s marketing, yet fail to do ANY research of their own. Time can be wasted in better and more pleasant ways.
About:config is available in beta and nightly version.. Both are very stable and has new features. With regards to extension actually you can install any add from add on store.all you need to do enable the custom add on collection menu. Create your own add on collection and then configure the custom add on collection.
They have deliberately hidden it as some add on might not support in mobile.
@Azharuddin
Dude, it’s a Nightly version, which is a flashy name for an alpha build. Could break at any moment and updates daily. The concept of add-on collections is stupid on Mozilla’s part, there should be no such thing. Before that, people could install add-ons right away from AMO. And as you said, not all work because Mozilla removed APIs they actually had with Firefox 68 on Android, and have yet to recreate. The new Firefox on Android is unbelievably bad and the reviews on the Google Play Store more than prove it.