1034 points deryilz | 1 comments
krackers No.44544544
>They decided it wasn't a security issue, and honestly, I agree, because it didn't give extensions access to data they didn't already have.

So they admit that MV3 isn't actually any more secure than MV2?

Neywiny No.44544732
I'd be shocked if anyone actually believes them. This article starts with the obvious conflict of interest. Of course letting an extension know what websites you visit and what requests are made is an insecure lifestyle. But I still do it because I trust uBO more than I trust the ad companies and their data harvesters.
matheusmoreira No.44544764
I believe them. The restrictions are reasonable and appropriate for nearly everyone. Extensions are untrusted code that should have as little access as possible. If restrictions can be bypassed, that's a security bug that should be fixed because it directly affects users.

I also think uBlock Origin is so important and trusted it should not only be an exception to the whole thing but should also be given even more access in order to let it block things more effectively. It shouldn't even be a mere extension to begin with, it should be literally built into the browser as a core feature. The massive conflicts of interest are the only thing that prevent that. Can't trust ad companies to maintain ad blockers.

1. sensanaty No.44545513
I get what you mean and I think we align here, but I trust the uBlock team infinitely more than I trust Google to make my own extension decisions. I know there's a subset of regular users who fall for all manner of scam, but Manifest V3 doesn't even solve any of those issues, the majority of the same attack vectors that existed before still exist now, except useful tools like uBlock can no longer do anything since they got deliberately targeted.

Besides, there's ways of having powerful extensions WITH security, but this would obviously go against Google's data harvesting ad machine. The Firefox team has a handful of "trusted" extensions that they manually vet themselves on every update, and one of these is uBlock Origin. They get a little badge on the FF extension store marking them as Verified and Trusted, and unless Mozilla's engineers are completely incompetent, nobody has to worry about gorhill selling his soul out to Big Ad in exchange for breaking uBlock or infecting people's PCs or whatever.