It’s completely okay to criticize Google for doing really controversial (to say the least) stuff like getting rid of blocking webRequest, but criticizing them for prohibiting inclusion of remote JS in the extension is simply bad work.

They could do a minimal fact check, remote JS was never allowed in Mozilla Addons store. A bit more research and they’ll learn that cosmetic filters updates do not require an extension update. A little bit more research and one can learn about the no-review-fast-track that Chrome WebStore plans to implement next year.

My understanding is that no-review-fast-track is only for extensions which changes in DNR rulesets are only about block/allow/allowAllRequests rules.

I don't see how comprehensive content blockers can push meaningful updates with only changes to block/allow/allowAllRequests rules and nothing else.

I personally like the fast track idea as we can use the CWS infra to distribute updates quickly, but this is not the only way.

Differential updates are also possible and if they’re implemented, you can keep a normal release cycle (6 weeks for instance).

It's not just about cosmetic rules, it's also about DNR rules other than block/allow/allowAllRequest: redirect=, removeparam=, csp=, etc.

If the idea is that these DNR rules require non-fast-trackable thorough reviews, but dynamically updating them will bypass those thorough reviews, than I am at a lost to understand the logic of treating them as requiring thorough review.

If these DNR rules are considered potentially harmful thus requiring thorough reviews, why would they be allowed to be downloaded from a remote server and dynamically created in the first place?

There is also the content scripts-based filters, which is something that change every day. This is where we diverge, I chose to go fully declarative because this way these content scripts are injected reliably in a timely manner by the MV3 API.

This is not the case when injecting in a event-driven manner since the extension's service worker may need to wake up, fully restore its current state, then by the time it's ready to inject the content scripts programmatically, it might be too late as the target webpage has already started to load.

I actually agree that for an MV3 ad blocker I’d better have a fully declarative default (emphasis on default), but I’d like to provide an option to grant more permissions and allow more rules. I’ll wait until declarative cosmetic rules become a thing before going this way though.

What I don’t like about your way is that it’s very difficult to use the MV3 version for filters development, filter list authors will have to re-build the extension every time they make any change to the underlying filters.

Maybe this is not a big problem though, we’ll only see it when MV3 becomes the only option and there will be more issue reports from its users.

> cosmetic filters updates do not require an extension update

Cosmetic meaning what exactly?

> remote JS was never allowed in Mozilla Addons store

I don't see any issues with ublock in firefox, so what's going on there?

> A little bit more research and one can learn about the no-review-fast-track that Chrome WebStore plans to implement next year.

That sounds like something that can and will randomly stop approving ad blocker updates more than once.

Filter lists are composed of two types of rules: “cosmetic” and “network”. Network rules define what needs to be done with web requests (block or redirect). In MV3 these rules should now be implemented via new declarative API.

Cosmetic rules is a very wide subset of ad blocking rules that define how a web page needs to be changed. These are implemented the old way.

> I don't see any issues with ublock in firefox, so what's going on there?

uBlock Origin does not use remote JS so yeah, what’s going on with the article is a good question.

What prevents a developer from using non-remote JS (code built into the extension) to tell the current web page to fetch remote JS from a server, and execute that? Obviously, web pages must be able to fetch remote JS, or the whole internet would break.

Google could delist such an extension from the Chrome Web Store. But Chrome (unlike Firefox, grr!) allows extension sideloading, so if I was UBlock Origin I would just say screw the Web Store, download from our website.

And then, once UBlock Origin can inject an unlimited amount of turing-complete Javascript onto the page, the sky is basically the limit... right?

Userscripts is a notable exception of this rule as in this case the user instructs the extension what JS to execute.

I'm also not sure if sideloaded extensions can receive automatic updates, but the much bigger problem is getting people used to sideloading unsigned extensions with full web site access: Tech support scammers will have a field day with that.

On platforms where sideloading is either impossible (iOS) or usual (Android), adblockers are completely inaffective. The gatekeepers simply don't allow them to exist. This is true even though the maker of iOS ostensibly (!) isn't ad supported.

> I'm also not sure if sideloaded extensions can receive automatic updates

They can't (at least without some external software), which is why the ability to load remote Javascript would be important. For less frequent updates, they could prompt the user.

They can't update the entire extension automatically, but should be able to get updated blocklists no problem.

I have used both browsers, and I find sideloading in Chrome to be completely painless. I use many sideloaded extensions in Chrome (mostly because I wanted to make small edits to existing extensions).

I guess I'm trying to figure out whether all this fuss is really a limitation of Manifest v3, or merely Chrome Web Store policy. If the latter, I don't see a problem as long as sideloading is possible, and I really hope UBlock Origin will just go that route.

Sideloading is the real freedom which everyone should rally around and protect. (I am extremely unhappy with Mozilla's approach to this, if you can't tell.)

There is. But you must be running firefox on Linux, on specific distribution (i.e. Debian or Fedora), built by that distribution and the extension has to be installed system-wide by root. Then the signature won't be enforced.

This remote JS stuff is a CWS policy.

(I appreciate you answering my questions!)

Other than that, you can probably really do everything you could do with the webRequest API, but the complexity of doing it essentially reduces to the halting problem: You'd have to statically analyze all Javascript loaded by the page and figure out if it's going to do any requests you don't want to happen and then rewrite these parts. Maybe there's clever things you could do by shimming all web APIs that can issue HTTP or other requests, but that also doesn't sound fun.

On the other hand, with an API that just gets to veto every outgoing request, you can trivially achieve the same goal.

Another area where in-page Javascript is limited compared to an extension is the same origin policy. A very fancy ad-blocking extension could e.g. run an image classification AI on third-party image resources and hide the ones that look like visually distracting, flashing etc. ads by default – in-page Javascript can't.

> Simple injected Javascript can't e.g. undo requests (from other scripts or just normal resources like third-party images)

But could you detect the request, see what element it loaded in, and then hide that element? Or is that much more complicated than I'm imagining?

Mozilla banned non-store extensions in their last Firefox for Android overhaul a few years ago and afaik does not plan to allow them again.

This is the reason why the anti-paywall extensions are all gone/DMCAed.

It's a massive power shift away from the user. No idea why Mozilla did that.

It's not the time to be sticking one's head in the sand. Google is dead to me once they push Manifest v3.

Will you be one of the ones 'giving Google a chance' once they play their hand next year?

Speculation like this is easy. I can also just speculate that the Ars has an agenda to slander Google. Expand that to a couple hundred words and you have an article. Now get people to read it and become angry. That's basically the sorry state of online journalism.

I have unsubscribed from Ars.

Edit: Chrome docs on the matter explaining the limitations (from sibling mlyle) https://developer.chrome.com/docs/extensions/migrating/impro...

There is userScripts API which allows injecting code as string, but it's impractical as in Chromium-based browsers this requires extra steps by the user to enable the API.[3] In Firefox, the documentation for this API has the following note[4]:

> When using Manifest V3 or higher, use scripting.registerContentScripts() to register scripts

* * *

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

[2] https://github.com/uBlockOrigin/uBOL-home/tree/main/chromium...

[3] https://developer.chrome.com/docs/extensions/reference/userS... ("Availability Pending")

[4] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

That feature request being fixed would do nothing to enable updates without store review. And likewise the feature for doing updates of the ruleset without a store review already exists but is not used by UBOL.

So the link doesn't actually support your claim of it being a limitation of MV3. The link is just irrelevant.

The FAQ hints at why UBOL doens't make use of that feature, but doesn't actually state it outright.

From the issue: "In Manifest V3 remotely hosted code is no longer allowed."

Altought the parent was talking specifically about network requests, in which case you may be right and I missed it, but that's not the general problem. Blocking network requests is not sufficient for modern ad/tracking blocking and to be able to run effectively they need to inject scripts into the page, thus "remotely hosted code" is necessary, and the Chrome docs above says that it's not allowed.

I think the article is talking specifically about downloading and running scripts for working around a particular site dynamically, such as Youtube ad blockers.

That said, I don't know if this really is a technical block from e.g. adding a script tag to a YouTube page to pull in a third party resource. My impression was that it was blocking arbitrary scripts specifically within the extension context, and not in the browser context.

The article specifically mentions "filter lists" being subject to review time.

> All updates, even to benign things like a filtering list, will need to happen through full extension updates through the Chrome Web Store.

> Is a filtering list update, which is essentially just a list of websites, really something that needs to be limited by the "no remotely hosted code" policy?

> So since all filter list updates now need to go through the Chrome Web Store, how long does a review take?

Chrome explicitly recommends downloading remote configuration.

To me, this seems pretty clear: don't inject anything "executable" into a webpage except CSS.

It does look like you could maybe use a sandboxed iframe and ask it about page features and whether they should be blocked, and that this might be permitted.

CSS has arithmetic. It does not have iteration.

And even if it had full compute capabilities, the output is still just choosing CSS rules to apply.

Edit - would it be considered cheating to use:

Will you say the same things 5 years from now? Google needs to be kicked out of consideration for web standards. They keep treating it like they own it.

Ads are the new content.

The killer app for LLMs is generating new and innovative ads that are entertaining and feel like content.

Imagine fun games like "Avoid the Noid" (https://www.mobygames.com/game/1095/avoid-the-noid/), "Cool Spot" (https://en.wikipedia.org/wiki/Cool_Spot), and "McKids" (https://en.wikipedia.org/wiki/M.C._Kids), but with modern graphics and sound and promoting the most annoying brands and products.

Help people save money on their insurance by playing as the Geico lizard! Find out the dirt on used cars as the CarFax fox! Yesterday's annoying mascots are today's folk heroes.

and they will just look slow instead of actively targeting ad-blockers

Maybe I am cynical about the law, but I assume the only reason they don't block other networks is because it would be their same advertisers, and they would be furious enough to take action.

https://blog.chromium.org/2018/02/how-chromes-ad-filtering-w...

https://source.chromium.org/chromium/chromium/src/+/main:com...

https://source.chromium.org/chromium/chromium/src/+/main:com...

https://source.chromium.org/chromium/chromium/src/+/main:com...

Google are generally not coordinated well on anything, but this current war on adblockers is a notable exception. Consider the following 3 things all happening in the same time frame:

1. Youtube's rollout of detecting adblockers and updating their code a couple times a day to prevent you from running an adblocker

2. The manifest v3 standard

3. The Privacy Sandbox trash

They are using the dominant position of Youtube as video content platform (point 1), chrome/chromium (point 2) as a browser engine and their current dominant position in the ads market (point 3) to achieve a couple of goals. With the privacy sandbox, they force ads to go through their ecosystem, with the manifest v3 they deliver a big kick to the adblockers, and with Toutube, they are using one of their most successful platforms to further push their ads agenda.

To me, unskippable ads are going to:

- make me hate the brand that's wasting my time by advertising crap I don't need and making me watch it

- make me hate the platform on which this ad is played, especially knowing the platform jumped through specific hoops to make the ads unskippable for even the power users

The answer is legal antitrust lawsuits. Chrome has a near monopoly and Google is the largest advertising actor, banning ad blocking altogether risks giving ammunition to the inevitable antitrust lawsuits.

What they prefer to do instead is degrade their effectiveness step by step, it's way less risky for them.

Otherwise, abusing dominance in the phone app store market to benefit their (also dominant) ad surveillance business sounds very, very much like something the DMA could and should punish.

Also filters do not depend on extension updates at all, they are plain text files that can be updated at any time. Not to mention that they can contain “scriptlets”, which make them quite literally “remotely hosted code” and still allowed by MV3 (because they’re not raw JavaScript)

> We've covered this already. But we haven't talked about the other side of the equation: Ad block rules can't be updated quickly anymore. Today, ad blockers and privacy apps can ship filter list updates themselves, often using giant open-source community lists. Manifest V3 will stop this by limiting what Google describes "remotely hosted code." All updates, even to benign things like a filtering list, will need to happen through full extension updates through the Chrome Web Store. They will all be subject to Chrome Web Store reviews process, and that comes with a significant time delay.

If this is factually incorrect, it would absolutely warrant a correction to the article.

It is incorrect. MV3 definition updates go through an automated fast-track process for safe rules. See the presentation[1] and Q&A[2] at the recent Ad Blocking Summit.

I wouldn't hold my breath on a correction. Ron never corrects his articles, like when he confused the Privacy Sandbox with the Topics API a couple months ago[3].

[1] https://youtu.be/Vw1eIaRuy7w?t=24745

[2] https://youtu.be/Vw1eIaRuy7w?t=26552

[3] https://news.ycombinator.com/item?id=37427227

For now. Sounds like it would be to Google's advantage to play funny buggers with that though.

https://developer.chrome.com/docs/extensions/migrating/impro...

Looks factually correct-- though exactly how Google interprets rules will affect how limiting this is.

Addon sideloading is only possible on Firefox Developer edition (which I use, so it didn't bother me much).

It's probably just a coincidence...

Someone should really be doing a deep dive into this issue, because it's been going on for a long time, and is clearly anti-competitive. My guess is that they're really good at hiding this/making it look accidental rather than on purpose.

IDK if it’s better in iOS Chrome, but it’d be pretty damning if it is, since they necessarily use the same engine on that platform.

Only the hypocrite is really rotten to the core

Look how long the most of humanity stuck to Internet Explorer, even with Chrome literally stickied on the Google front page and IE's more dramatic drawbacks.

Edge in particular is kind of a bloated mess now. I used to prefer it over the Chromium fork of the week (Currently Thorium and Cromite), but now its just too spammy and slow. No one is switching to that.

Also I have extremely mixed feelings about Brave. Maybe even net negative.

Chrome surpassed IE usage within 4 years, so the answer is "not particularly long".

> IE's more dramatic drawbacks

Such as?

> its just too spammy and slow

Spammy yes, slow no.

> I have extremely mixed feelings about Brave. Maybe even net negative

Why?

post remote attestation they will if they want to use google services

If they have to view ads to use them, that becomes significantly less of a sure thing

I built Ublock latest 1.54.2 from source, and so far (apart from being manifest v2), it can easily go around Youtube's adblock detection with no problem.

I wonder if the delay in the 1.54.x release in Chrome Web Store has something to do with Google purposefully delaying updates.

If we had an alternative, this would be the time for an organized push to get people on it. But Mozilla has either become complacent or been quietly bought out behind the scenes and Firefox isn't really competitive anymore.

Sure, you can still use Firefox. I do, begrudgingly. But it's not good enough to convince people to switch. It hasn't been for a very long time which is why we're in this mess in the first place.

I expect nothing will change and everyone will suffer for it.

Maybe people will get offline more. The internet as a whole is becoming exponentially shittier as time goes on. How much longer before it's completely intolerable?

And I didn't say it was substandard, I said it wasn't good.

I find the UI to be bad. When you ask for customization, like disabling excess tabs from scrolling off the edge of the screen, forum users treat you like an idiot. Performance has always been worse, particularly on mobile. Session state is less reliable. WebUSB is missing. Microphone support is unreliable. Updates under Linux cause any link you click to softlock the browser with an error page until you manually restart. Linux support in general is very poor. Firefox recently fixed a bug with tooltip rendering that's been reported for what, 15 years?

Chrome has been better than Firefox for a very long time. That's why we all switched to chrome in the first place.

Now that chrome is the scourge of the internet, there's really just one alternative. Unless you count safari, but that's a different story.

We're in a bad situation and Mozilla isn't doing enough to make it better. They haven't been for a long, long time.

Show me pages that tank Firefox performance.

How many of them will have -webkit-* and other engine-exclusive markup/CSS?

Firefox updates every 6 weeks, just like Chrome.

What do you want in the devtools that Chrome has and Firefox doesn't?

I've been using Firefox for nearly two decades and aside from the WebExtensions and some UI changes, it's been solid.

I find most criticisms of Firefox on websites are lacking links and profiling data.

I'm not doing homework for you. Lots of pages don't render well in Firefox, it's a well known issue which is why it comes up in every thread about Firefox.

> Show me pages that tank Firefox performance.

Firefox in general performs poorly. Again, known long-term ongoing issue. Look at this thread where almost every top-level comment is sceptical that Firefox is even close to Chrome in performance: https://news.ycombinator.com/item?id=36770883

You can find ongoing performance benchmarks between Chrome and Firefox here, and it's not flattering for FF: https://arewefastyet.com

> How many of them will have -webkit-* and other engine-exclusive markup/CSS?

I don't care, at all. It's not my job, as a user, to debug performance problems.

> Firefox updates every 6 weeks, just like Chrome.

Ok? I didn't say anything about update cadence.

I don’t think many users will notice a factor of 2-3 in page render time, even if the benchmarks where firefox wins are all somehow not representative of real world use, but the chrome ones are.

As for pages that don’t render, I simply don’t see this problem at all. One bank I use refuses to let you log in if Linux appears in the user agent string, but that hits Chrome too. Do you have a single example?

The fact that they choose not to implement some apis because they're harmful to privacy doesn't seem to hurt me in any way.

Mozilla refusing to support webhid in any way: https://mozilla.github.io/standards-positions/#webhid

Chrome adding it to stable in 2021: https://developer.chrome.com/blog/new-in-chrome-89/

Not sure what little CSS features you mean, but I haven't found any mainstream websites that don't render properly in Firefox. It's possible that the website maintainers have to do extra work to get them working in Firefox, but regular users don't care about that.

I do recall some things missing from WebAudio and WebRTC, but in practice I'm not sure I've run into any issues with Firefox's implementations. And, again, if website maintainers are doing extra work to make things behave properly with Firefox, regular users aren't going to notice or care.

This is Google's attempt at our privacy thru Embrace, Engulf, and Extinguish strategy.

https://www.creativebloq.com/features/google-apis

The sad thing is, if FirefoxOS would still be a thing they wouldn't bat an eye.

Serious question, because I can't think of any.

https://pixelrepair.withgoogle.com/

Are 2 that pop in to my head

Not being compatible with those sites is definitely not the barrier to widespread adoption of Firefox.

The pixel repair site is an interesting example, but AFAIK, Pixel phones have about 2% of the US market share and this website is only useful to a small number of those users (those who encounter a serious error) and isn't something even those users would be using often. If I had to use this website and couldn't get my phone fixed another way, I could install and use Chrome (or I presume another Chromium browser) and use it for this single purpose. It would take me only a few minutes/hours(?) and then I'd be done with it. Why would a site like this keep me using Chrome permanently? I just can't imagine that.

Microsoft Teams (which I don't think many people use voluntarily) in particular breaks in stupid ways - and then in others if you spoof your user agent.

https://news.ycombinator.com/item?id=38430102

In short: It has zero respect for the user, so little that it regularly gaslit me into thinking I had agreed to things I did not.

They also signaled intent to simply merge the ripping out of MV2, so as soon as Chrome drops it, Edge will too.

I assume they are betting on most users not side loading them.

All this seems like a complete waste of time, if you want to "war on ad blockers" the why not just ban them from the store?

Why have a "war" at all?

Right now it's unclear to me how much Edge extensions are tied to the Chrome Store policies.

[1]: https://learn.microsoft.com/en-us/microsoft-edge/extensions-...

Like... sure, web browser UX isn't always the best, but by rejecting Firefox on the merits of optional addons, you're just saying that the convenience of how you prefer to interact with a browser is more important than your privacy and ability to block ads. Which is fair, I suppose, but let's call it what it is.

Meanwhile, we're back in the IE days: alternative browsers don't have enough market share to do much but accept whatever Google wants to do with the web.

Frankly I'm just tired of people making excuses for using a browser made by a company that is actively making the web worse and eroding our privacy, bit by bit.

>we're back in the IE days

Reminds me of when Asian banks still required IE activex well into 2010s and one had to keep IE around, which was easy since it comes with Windows. I can probably use get used to firefox for most of my use case, but have to keep chrome around for some sites.

I'm curious. Would you share which niche extensions?

https://chromewebstore.google.com/detail/auto-copy/bijpdibkl...

My use case, primarily for research/keeping up to date in my domain is auto copying 100s of articles curated through feedly/other sources that gets automatically appended to daily text document by clipboard watch from balabolka (text to speech program), with meta data comment of url/title and visible confirmation dialogue confirming successful text copy (no firefox addon does this after search), which balabolka also automatically read to me at 3x speed. Basically, everything I'm interesting in reading gets converted into a reasonably labelled/chaptered podcast and digest with searchable transcript. Chrome with combined with tab groups and extensions that sort/order/dedupes tabs by domain also streamlines the process. Combination of tab groups sorting behavior and ability auto label auto copied text cuts daily chore from to a fraction of the time it use to, which saves hours each week.

Google lens also very useful for OCRing text, or translating images of foreign language. I can also do that with powertoys, but it's more finicky and add extra steps, require hot keys to do efficiently vs on Chrome I can do most of it with just a mouse.

More discussion here:

https://news.ycombinator.com/item?id=38494451

You have to enter an email address to get a download link??? Also the homepage was laggy on firefox nightly for Android.

(What upsets me more is purposefully degrading the experience of FF users.)

As for third-party marketplaces, I couldn't say, but I'm aware of some work in that direction for Nixpkgs.

I run Chrome as little as possible. Sadly, there are a few places where it is the best still.

Since the Keystone saga I‘m not using Chrome anymore. Google Chrome can go the way of the dodo.

All of this put together means you really shouldn't trust Chrome extensions for anything important. If there's a security vulnerability in something like your password manager, the update is going to take days to reach your system.

On iPhone it's all WebKit. Apple doesn't (yet!) allow Firefox to use Gecko.

Pale Moon uses a fork of Gecko called Goanna.

SerenityOS has an independent browser in the works, and netsurf is still around.

There are options, but people have put most of their eggs into two baskets and now we're stuck with things looking mostly the same but some have antifeatures.

I want a browser with uBO's functionality simply built in. Fuck your extensions or other attempts to endrun, Google. Stop it at the source and build request filtering into browsers directly.

AFAIK, you cannot, on iPhone you're forced to use Safari (all other browsers forced by Apple to be reskins of Safari).

You don't need Chrome. You have Firefox.

Download Firefox now: https://www.mozilla.org

Addons for Firefox: https://addons.mozilla.org

Or the VMware console: https://bugzilla.mozilla.org/show_bug.cgi?id=1769175

There's probably a bunch of other web apps that exclusively support Chromium-based browsers, unfortunately.

Either way, whether you're using Chromium or Chrome, you're still entrenching Google's monopoly over the web.

Like the sibling said, the problem was IE's monopoly itself not the lack of more IE-based variants which wouldn't have helped at all, the same way how Chromium isn't helping counter Google's monopoly.

You don't have to compile Chromium to have a browser incompatible with the websites that people build for Chrome, you can just use Firefox or Safari or write your own browser if you want to have a web browser that won't be able to run Microsoft Teams.

While it was innovative, I would argue it's made the Web worse, given the impact of Javascript and surveillance on the Web.

Still limitations, but I joined a Teams meeting the day before this comment with my microphone and external cam, and participated fully, using Firefox on MacOS.

Yes, some client functionality is still missing (I didn't share a screen, for example), but both sides (MS and FF) appear to be making improvements.

also the Teams link describes ways to work around limitations with teams on a particular browser that does not support the teams web app, which is what the article says FF etc. does not support.

Way back before huddles were implemented it used to work. Then they broke it and now it's Chromelike-only.

honestly slowing down updates for adblockers sounds like a dangerous idea. sooner or later, someone will send you to court for an appstore monopoly, and sooner or later youll lose that case. in the meantime people lose interest in your ecosystem because of the increasingly predatory chicanery that makes their browsing experience suck. sending more eyes to firefox makes firefox better. eventually, better than even you.

This all smacks of "we've tried nothing and we're all out of ideas." Manifest V3 is dead on arrival if youre going to bury the average google user in an avalanche of unskippable ads and full screen GPU testers. nobody wants this modern hell, and you've everything in your power to reform or amend it to dial back the surveillance capitalism and hyper consumption.

A browser that cares about privacy would be both zero telemetry and ship with an ad/tracking blocker by default. Ideally you would also be able to pay for it to align incentives (vs a third party paying for your browser on your behalf).

Yes, I am also aware that Firefox has some technology (in the works?) that will do offline translation even. Cool.. except I still have yet to find a good, easy, fast, accurate translation feature for Firefox. There are some extensions, but none are as good.

Firefox finally sort of has it, but it's not that good. Often it won't believe you that the page is in another language, so you can't translate at all, even by trying to force it. The translations can be weird and miss parts of the page.

I'm sure it'll get better, though, and once it does, I can delete Chrome entirely.

- It's slow.

- Automatic language detection rarely works.

- It only supports a few languages.

- For many sites it breaks the page.