Most active commenters
  • tyingq(6)
  • kuhsaft(4)

←back to thread

"Begin disabling installed extensions still using Manifest V2 in Chrome stable"

(developer.chrome.com)
552 points freedomben | 14 comments | 11 Oct 24 14:20 UTC | HN request time: 1.768s | source | bottom
Show context
blakesterz ◴[11 Oct 24 14:36 UTC] No.41809847[source]
Has anyone been using the v3 compatible version of uBlock Origin? Have you noticed much of a difference? From what I read there isn't supposed to be much of a difference?
replies(8): >>41809855 #>>41809863 #>>41809873 #>>41809987 #>>41810060 #>>41810246 #>>41810440 #>>41812912 #
tyingq ◴[11 Oct 24 14:40 UTC] No.41809873[source]
Static list of uris versus live heuristics. So "much of a difference" depends a lot on what you browse. If your browsing is covered by the static list, yes...there's little difference.

Also, keep in mind advertisers are not unaware of all this movement. You don't think they'll try new tactics once they know everyone using chrome is now hobbled to solely static lists? That cloaking (or other approaches) won't then become really popular?

replies(1): >>41810029 #
1. fpoling ◴[11 Oct 24 14:55 UTC] No.41810029[source]
A lot of other ad blockers use static lists for years. The fact that they work tells that ad industry does not see the blockers as a problem that needs to be dealt with. It can also be that so far the increased cost of development of ads that are immune to simple static lists is not worth it.
replies(2): >>41810062 #>>41810095 #
2. tyingq ◴[11 Oct 24 14:58 UTC] No.41810062[source]
Right. Advertisers didn't bother with all these tactics because normal chrome users could download a plugin without any major hurdles to thwart it. Why drive people that wouldn't otherwise use an ad blocker to do so?

That's going away now. Now mostly everyone is vulnerable with the only recourse being pretty technical stuff, not just downloading a very popular plugin.

So advertisers will now be free to get more aggressive without much downside.

Edit: I do get that this sounds like conspiracy theory. But it really matches the Google boiling frogs approach. Removing the blocking onBeforeRequest, as one of the very first things in the manifest v3 spec was not a coincidence.

replies(2): >>41810962 #>>41812143 #
3. vlovich123 ◴[11 Oct 24 15:02 UTC] No.41810095[source]
I’ve noticed a huge number of websites have interstitials pop up asking you to remove your ad blocker. While some let you bypass it anyway some don’t. Clearly the websites themselves seem to care.
4. kuhsaft ◴[11 Oct 24 16:34 UTC] No.41810962[source]
onBeforeRequest was removed because it is a massive spyware and malware vector.

> I do get that this sounds like conspiracy theory.

> … was not a coincidence.

Could it be that it was coincidence? Do you have a solution for reducing extension malware without removing onBeforeRequest?

replies(2): >>41812139 #>>41812147 #
5. tyingq ◴[11 Oct 24 18:40 UTC] No.41812139{3}[source]
> onBeforeRequest was removed because it is a massive spyware and malware vector.

Yet you can still inject js right into the page. You just can't stop a page that was going to load from loading. They could have taken away the onBeforeRequest redirect capability and left just the onBeforeRequest cancel capability.

Not sure I've heard of any spyware/malware depending on just that cancel capability.

replies(1): >>41812211 #
6. fpoling ◴[11 Oct 24 18:41 UTC] No.41812143[source]
Even if Google did want to reduce effectiveness of ad blockers, doing that via removal of blocking webRequest API is a double-edged sword. It may push users to alternate browsers with more effective ad-blocking.

Besides, webRequest implementation in Chromium is a terrible collection of hacks on hacks. It is a good example how not to design or implement API. I will not be surprised if the removal of the API comes from a simple desire to remove that embarrassing code.

7. throwaway48476 ◴[11 Oct 24 18:41 UTC] No.41812147{3}[source]
I made a plugin for scraping using onBeforeRequest. It's very useful.
8. kuhsaft ◴[11 Oct 24 18:47 UTC] No.41812211{4}[source]
That uses a different manifest permission.

https://developer.chrome.com/blog/crx-scripting-api#breaking...

replies(1): >>41812785 #
9. tyingq ◴[11 Oct 24 19:35 UTC] No.41812785{5}[source]
That's remotely hosted code...also a problem, but you can inject code that's not remotely hosted.
replies(1): >>41812857 #
10. kuhsaft ◴[11 Oct 24 19:40 UTC] No.41812857{6}[source]
The point is that it’s a different permission.

https://news.ycombinator.com/item?id=41812416

If you are really privacy conscientious, ad blocking extensions should be able to exist without any access to web requests now.

replies(1): >>41812928 #
11. tyingq ◴[11 Oct 24 19:46 UTC] No.41812928{7}[source]
I feel like we're losing the plot here. Removing the cancel capability of onBeforeRequest didn't improve security much. It did, though, hobble ad blockers to just dealing with static lists if they want to prevent an ad from downloading in the first place.

Removing the onBeforeRequest redirect didn't add much security either, since you can just ask for permission B instead of permission A and just inject code. Though, ad blockers don't need that anyway.

replies(1): >>41813460 #
12. kuhsaft ◴[11 Oct 24 20:35 UTC] No.41813460{8}[source]
It’s insane to think that an extension with the ability to snoop on all your requests is more privacy oriented than one that can’t.

It’s insane to want extensions to snoop on all your requests in an attempt at more privacy.

replies(2): >>41814561 #>>41815862 #
13. tyingq ◴[11 Oct 24 22:40 UTC] No.41814561{9}[source]
Well, I would allow it for one specific extension that I feel does more good than harm for the capability. Call me insane.
14. Dylan16807 ◴[12 Oct 24 02:28 UTC] No.41815862{9}[source]
It only sounds insane because you're saying "want extensions to snoop" to describe "want extensions to run a function call locally".

It is a permission that could be used by a malicious extension to snoop, but that is far from the only use. Wanting the permission != wanting snooping.