Most active commenters
  • kuhsaft(9)
  • tyingq(6)
  • yjftsjthsd-h(4)
  • kccqzy(3)

←back to thread

"Begin disabling installed extensions still using Manifest V2 in Chrome stable"

(developer.chrome.com)
552 points freedomben | 45 comments | 11 Oct 24 14:20 UTC | HN request time: 1.879s | source | bottom
1. blakesterz ◴[11 Oct 24 14:36 UTC] No.41809847[source]
Has anyone been using the v3 compatible version of uBlock Origin? Have you noticed much of a difference? From what I read there isn't supposed to be much of a difference?
replies(8): >>41809855 #>>41809863 #>>41809873 #>>41809987 #>>41810060 #>>41810246 #>>41810440 #>>41812912 #
2. kccqzy ◴[11 Oct 24 14:37 UTC] No.41809855[source]
I have been using the Firefox version of it for more than a year by now, basically as soon as it came out. I commented on HN that I was going to do it: https://news.ycombinator.com/item?id=37219071

There's no difference whatsoever.

And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.

Of course this differs with the kind of sites you visit. So you need to try it on your own. I can believe that perhaps for some people this is a downgrade, but don't automatically assume uBlock Origin Lite won't work well for you.

replies(3): >>41810031 #>>41810168 #>>41810257 #
3. joshdavham ◴[11 Oct 24 14:38 UTC] No.41809863[source]
I use Adblock Plus, and ad blocking still perfectly works. Not sure about uBlock origin though.
4. tyingq ◴[11 Oct 24 14:40 UTC] No.41809873[source]
Static list of uris versus live heuristics. So "much of a difference" depends a lot on what you browse. If your browsing is covered by the static list, yes...there's little difference.

Also, keep in mind advertisers are not unaware of all this movement. You don't think they'll try new tactics once they know everyone using chrome is now hobbled to solely static lists? That cloaking (or other approaches) won't then become really popular?

replies(1): >>41810029 #
5. tapoxi ◴[11 Oct 24 14:51 UTC] No.41809987[source]
I've been using Lite for the past few months, I've seen no real difference. I think if you're particular about rulesets or are heavily customizing uBlock you may want to consider switching browsers, but I'm happy enough that I'm remaining on Chrome.
6. fpoling ◴[11 Oct 24 14:55 UTC] No.41810029[source]
A lot of other ad blockers use static lists for years. The fact that they work tells that ad industry does not see the blockers as a problem that needs to be dealt with. It can also be that so far the increased cost of development of ads that are immune to simple static lists is not worth it.
replies(2): >>41810062 #>>41810095 #
7. drivebycomment ◴[11 Oct 24 14:55 UTC] No.41810031[source]
Anyone jumping up and down about MV3 while using Mac or iOS are hypocrites, since MV3 is essentially doing the same thing Safari did years ago, finally matching the security and the privacy in that regard. The reduction in adblocking is so miniscule in aggregate - since declarative approach will always cover all the major advertisers - that it's not even a meaningful "trade-off".
replies(3): >>41810082 #>>41810142 #>>41810156 #
8. kuhsaft ◴[11 Oct 24 14:57 UTC] No.41810060[source]
I’ve been using AdGuard. There are some limitations with MV3, but it’s not noticeable [1]. AdGuard uses dynamic rules for updating rules between extension updates and for custom user rules. There’s the option using their system level AdBlocker too.

[1] https://adguard.com/en/blog/adguard-browser-extension-mv3-re...

9. tyingq ◴[11 Oct 24 14:58 UTC] No.41810062{3}[source]
Right. Advertisers didn't bother with all these tactics because normal chrome users could download a plugin without any major hurdles to thwart it. Why drive people that wouldn't otherwise use an ad blocker to do so?

That's going away now. Now mostly everyone is vulnerable with the only recourse being pretty technical stuff, not just downloading a very popular plugin.

So advertisers will now be free to get more aggressive without much downside.

Edit: I do get that this sounds like conspiracy theory. But it really matches the Google boiling frogs approach. Removing the blocking onBeforeRequest, as one of the very first things in the manifest v3 spec was not a coincidence.

replies(2): >>41810962 #>>41812143 #
10. SoftTalker ◴[11 Oct 24 15:00 UTC] No.41810082{3}[source]
I see boatloads of ads in Safari on iOS. To the point that web browsing on my phone is intolerable, so I don't do it.
replies(2): >>41810308 #>>41811151 #
11. vlovich123 ◴[11 Oct 24 15:02 UTC] No.41810095{3}[source]
I’ve noticed a huge number of websites have interstitials pop up asking you to remove your ad blocker. While some let you bypass it anyway some don’t. Clearly the websites themselves seem to care.
12. yjftsjthsd-h ◴[11 Oct 24 15:06 UTC] No.41810142{3}[source]
> Anyone jumping up and down about MV3 while using Mac or iOS are hypocrites, since MV3 is essentially doing the same thing Safari did years ago,

iOS I'll give you, but macOS can in fact run ex. Firefox.

> finally matching the security and the privacy in that regard.

"Matching" inferior security+privacy is not a good thing. The only way this is an improvement if you think the blockers are malicious; otherwise a useful tool in the users interest has been made less powerful.

replies(2): >>41810438 #>>41810448 #
13. kuhsaft ◴[11 Oct 24 15:08 UTC] No.41810156{3}[source]
It’s similar, but not the same. Safari lets you dynamically generate rules that are then compiled for privacy and efficiency. The limits were increased to 150000 rules per content blocker due to user demands [1]. And each extension can have multiple content blockers.

MV3 has a measly 30000 static rule limit. These rules are included with the extension and cannot be updated dynamically. And a 5000 dynamic rules limit. [2]

EDIT: Chrome now has a 300000 shared pool for static rules for extensions that go over their 30000 limit. And a 30000 dynamic rule limit [3].

[1] https://adguard.com/en/blog/adguard-for-safari-1-11.html

[2] https://adguard.com/en/blog/adguard-mv3-beta.html

[3] https://developer.chrome.com/docs/extensions/develop/concept...

replies(1): >>41810276 #
14. michaelt ◴[11 Oct 24 15:09 UTC] No.41810168[source]
> And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.

Really?

Because I find adblockers on iOS are nowhere near as good - they let far more ads through, and they leave far more sites broken so I have to disable the ad blocker for the site to work.

replies(1): >>41810578 #
15. internet2000 ◴[11 Oct 24 15:18 UTC] No.41810246[source]
Another happy user of uBlock Origin Lite on Chrome here. No difference. 1Blocker on Safari user since Apple came out with the declarative adblocking system there as well.
16. the_gipsy ◴[11 Oct 24 15:18 UTC] No.41810257[source]
> There's no difference whatsoever.

That's simply not true. Have you ever donde a side by side comparison, or are you just going by feeling?

17. nolist_policy ◴[11 Oct 24 15:20 UTC] No.41810276{4}[source]
The limit is 330000 rules:

"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000." https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....

replies(1): >>41810349 #
18. kccqzy ◴[11 Oct 24 15:22 UTC] No.41810308{4}[source]
This is such a data-free anecdote. Which websites are showing ads? Which ad blocker did you install on iOS?
19. kuhsaft ◴[11 Oct 24 15:28 UTC] No.41810349{5}[source]
It looks like it’s a shared quota now with a minimum per extension [1].

Still sucks that the rules are static though. AdGuard devised a method to diff ruleset changes with the built in rules to generate dynamic rules between extension updates. So, I guess it works.

[1] https://developer.chrome.com/docs/extensions/develop/concept...

20. drivebycomment ◴[11 Oct 24 15:39 UTC] No.41810438{4}[source]
One of the most common API malware extensions use is what MV3 blocks, and adblock extension is one of the common malware vectors:

https://helpcenter.getadblock.com/hc/en-us/articles/97384768...

https://www.wired.com/story/fake-chrome-extensions-malware/

This has been never ending.

replies(1): >>41810918 #
21. Cthulhu_ ◴[11 Oct 24 15:39 UTC] No.41810440[source]
I for one am just going to wait it out and see what the internet looks like nowadays without an adblocker, if it doesn't auto-update. It's been so long.
22. kuhsaft ◴[11 Oct 24 15:39 UTC] No.41810448{4}[source]
> The only way this is an improvement if you think the blockers are malicious

Extensions and in turn MV2 blockers can easily be malicious.

https://usa.kaspersky.com/blog/dangerous-chrome-extensions-8...

Look at how many in Kaspersky’s list are advertised as ad blockers. The majority of users aren’t tech savvy like HN.

replies(1): >>41810894 #
23. eek2121 ◴[11 Oct 24 15:52 UTC] No.41810578{3}[source]
That is the fault of the blockers themselves. The one I use (https://apps.apple.com/us/app/1blocker-ad-blocker/id13655310...) works extremely well and even uses a local VPN setup for app ad-filtering.

Twitter and YouTube ads are blocked.

The drawback? It isn’t free.

24. yjftsjthsd-h ◴[11 Oct 24 16:25 UTC] No.41810894{5}[source]
> Look at how many in Kaspersky’s list are advertised as ad blockers

By my count 5, 6 if we include "Autoskip for Youtube", out of 34. That might be an argument for dropping extensions, but I don't think it's an argument for breaking ad blockers.

replies(1): >>41811442 #
25. yjftsjthsd-h ◴[11 Oct 24 16:28 UTC] No.41810918{5}[source]
Okay, if you absolutely must then make that specific API require extra audit approval from the extension store, but breaking it outright is throwing out the baby with the bathwater; in a world where the FBI outright recommends an adblocker because ads are such a strong malware vector ( https://techcrunch.com/2022/12/22/fbi-ad-blocker/ ), it's irresponsible to undermine uBo.
replies(1): >>41811409 #
26. kuhsaft ◴[11 Oct 24 16:34 UTC] No.41810962{4}[source]
onBeforeRequest was removed because it is a massive spyware and malware vector.

> I do get that this sounds like conspiracy theory.

> … was not a coincidence.

Could it be that it was coincidence? Do you have a solution for reducing extension malware without removing onBeforeRequest?

replies(2): >>41812139 #>>41812147 #
27. HDThoreaun ◴[11 Oct 24 16:54 UTC] No.41811151{4}[source]
Which adblocker are you using? I have adguard and dont get ads on most safari sites but its just static DNS blocking so first party ad servers like youtube dont get blocked.
replies(1): >>41819924 #
28. kccqzy ◴[11 Oct 24 17:23 UTC] No.41811409{6}[source]
Nobody likes extra audit approvals. The platform doesn't want to spend resources doing the audit. The developers don't want to be audited.

The Firefox version of uBlock Origin Lite was pulled due to unsatisfactory audit process: https://news.ycombinator.com/item?id=41707418

replies(1): >>41815890 #
29. kuhsaft ◴[11 Oct 24 17:26 UTC] No.41811442{6}[source]
> That might be an argument for dropping extensions

Those extensions used the same API that ad blockers used, but for malicious purposes.

So, you would support removing that API? Well, that’s what they did for MV3 and implemented an API just for ad blocking.

replies(1): >>41816936 #
30. tyingq ◴[11 Oct 24 18:40 UTC] No.41812139{5}[source]
> onBeforeRequest was removed because it is a massive spyware and malware vector.

Yet you can still inject js right into the page. You just can't stop a page that was going to load from loading. They could have taken away the onBeforeRequest redirect capability and left just the onBeforeRequest cancel capability.

Not sure I've heard of any spyware/malware depending on just that cancel capability.

replies(1): >>41812211 #
31. fpoling ◴[11 Oct 24 18:41 UTC] No.41812143{4}[source]
Even if Google did want to reduce effectiveness of ad blockers, doing that via removal of blocking webRequest API is a double-edged sword. It may push users to alternate browsers with more effective ad-blocking.

Besides, webRequest implementation in Chromium is a terrible collection of hacks on hacks. It is a good example how not to design or implement API. I will not be surprised if the removal of the API comes from a simple desire to remove that embarrassing code.

32. throwaway48476 ◴[11 Oct 24 18:41 UTC] No.41812147{5}[source]
I made a plugin for scraping using onBeforeRequest. It's very useful.
33. kuhsaft ◴[11 Oct 24 18:47 UTC] No.41812211{6}[source]
That uses a different manifest permission.

https://developer.chrome.com/blog/crx-scripting-api#breaking...

replies(1): >>41812785 #
34. tyingq ◴[11 Oct 24 19:35 UTC] No.41812785{7}[source]
That's remotely hosted code...also a problem, but you can inject code that's not remotely hosted.
replies(1): >>41812857 #
35. kuhsaft ◴[11 Oct 24 19:40 UTC] No.41812857{8}[source]
The point is that it’s a different permission.

https://news.ycombinator.com/item?id=41812416

If you are really privacy conscientious, ad blocking extensions should be able to exist without any access to web requests now.

replies(1): >>41812928 #
36. chlorion ◴[11 Oct 24 19:45 UTC] No.41812912[source]
I used the lite version while on chromium for some time. I noticed no difference in terms of blocking ads.

The main thing I missed was the ability to block arbitrary elements with the zapper. I use this for more than just ads, so losing it is a real loss in functionality. Otherwise it worked fine.

replies(1): >>41817087 #
37. tyingq ◴[11 Oct 24 19:46 UTC] No.41812928{9}[source]
I feel like we're losing the plot here. Removing the cancel capability of onBeforeRequest didn't improve security much. It did, though, hobble ad blockers to just dealing with static lists if they want to prevent an ad from downloading in the first place.

Removing the onBeforeRequest redirect didn't add much security either, since you can just ask for permission B instead of permission A and just inject code. Though, ad blockers don't need that anyway.

replies(1): >>41813460 #
38. kuhsaft ◴[11 Oct 24 20:35 UTC] No.41813460{10}[source]
It’s insane to think that an extension with the ability to snoop on all your requests is more privacy oriented than one that can’t.

It’s insane to want extensions to snoop on all your requests in an attempt at more privacy.

replies(2): >>41814561 #>>41815862 #
39. tyingq ◴[11 Oct 24 22:40 UTC] No.41814561{11}[source]
Well, I would allow it for one specific extension that I feel does more good than harm for the capability. Call me insane.
40. Dylan16807 ◴[12 Oct 24 02:28 UTC] No.41815862{11}[source]
It only sounds insane because you're saying "want extensions to snoop" to describe "want extensions to run a function call locally".

It is a permission that could be used by a malicious extension to snoop, but that is far from the only use. Wanting the permission != wanting snooping.

41. Dylan16807 ◴[12 Oct 24 02:33 UTC] No.41815890{7}[source]
> The Firefox version of uBlock Origin Lite was pulled due to unsatisfactory audit process

So make one that isn't incompetent? That's not really a counterargument to the general idea.

42. yjftsjthsd-h ◴[12 Oct 24 06:31 UTC] No.41816936{7}[source]
> Those extensions used the same API that ad blockers used, but for malicious purposes.

Sounds like an obvious chance to flag the extension for further review, and probably a warning on the user side.

> So, you would support removing that API?

Of course not; that's throwing out the baby with the bath water. This brings us back to the "further review" thing; there's plenty of precedent for a platform having API surface that only a smaller subset of apps/extensions are allowed to use, because the features it exposes are legitimately needed for some things but it could be abused so it gets flagged and you have to write a detailed explanation for why your thing really needs this permission and then the reviewers can look at it particularly closely.

> Well, that’s what they did for MV3 and implemented an API just for ad blocking.

And then for bonus points they hobbled it so that it couldn't be used to make as good of ad blockers, which is why the whole thing is not okay.

43. igornadj ◴[12 Oct 24 07:16 UTC] No.41817087[source]
Yeah the zapper is indispensable. Being able to filter content on platforms by the words in post titles is one of the best ways to not be exposed to toxic content.

Never leaving your subscriptions (never using the algorithm recommended feed) is not a solution because of second-hand toxicity, e.g. political posts in meme subreddits in an election year.

If anyone knows of a solution that works in Manifest V3 I'd love to hear it!

replies(1): >>41825611 #
44. SoftTalker ◴[12 Oct 24 15:43 UTC] No.41819924{5}[source]
Why should I need an adblocker app from some third party to which I have to grant full control over my browser? Apple would be enormously popular if they included one by default. Perhaps as an option you could disable. I don't know why all browsers don't do this (well, I know why Chrome doesn't).

Browsers are selected by users, they should have no obligation to show ads.

Brave is the only one doing this right AFAIK.

Almost all the problems with tracking and buying and selling user profiles would end if browsers just didn't show ads.

45. igornadj ◴[13 Oct 24 06:14 UTC] No.41825611{3}[source]
Found something, a drop-in replacement.

AdGuard AdBlocker (MV3 Beta): https://chromewebstore.google.com/detail/adguard-adblocker-m...

Copy and pasting the ublock custom filters into AdGuard seems to work.