What comes across is that Google is not collaborating with Mozilla over the Manifest v3 changes.
Instead of using and appreciating the engaged Firefox developer ecosystem we have PM conference rooms in Google mandating huge changes based on... well they've been shady so far about their choices on Manifest v3.
The other thing that keeps bugging me about this is -
We need a tiered App store for browsers. Part of the lockdown Google wants to do isn't wrong but its driven by having WAY too many bad actors and shoddy developers in their Chrome store.
If you have an opensource web extension, a reasonable community and with reproducible builds? You can use more powerful API versions.
If you are jrando bizplan #2000283 you get the kinda trusted tier.
Frankly if Debian had a web browser extension "store" with 20 things in it, I'd use that exclusively and turn off both the Chrome and the Firefox store 100%.
> Frankly if Debian had a web browser extension "store" with 20 things in it, I'd use that exclusively and turn off both the Chrome and the Firefox store 100%.
We kinda have one; the tiers are "the public app store" and "your enterprise's private collection of apps, whitelisted by GSuite policy on your GSuite users."
Things are in equilibrium because no big player is complaining; and no big players are complaining because they have all their needs met by just 1. getting custom extension builds from vendors, 2. signing them with their enterprise cert, 3. pushing them to some object store, and 4. telling GSuite to allow them (https://docs.google.com/document/d/1pT0ZSbGdrbGvuCsVD2jjxrw-...).
> we have PM conference rooms in Google mandating huge changes based on... well they've been shady so far about their choices on Manifest v3.
I'd like one of the PMs at Google working on this feature to engage in actual community discussion around this issue.
Google is not a monolithic corporation. Individual people are responsible for these decisions. These people are obligated to discuss why they are making these changes, else they deserve to be called out if they refuse to do so.
Is it too much to ask for these PMs to take some personal responsibility and engage in discussion for the far-reaching changes they are forcing upon society?
> Frankly if Debian had a web browser extension "store" with 20 things in it, I'd use that exclusively and turn off both the Chrome and the Firefox store 100%.
Yeah like the F-Droid [0] appstore ecosystem for Android.
> What comes across is that Google is not collaborating with Mozilla over the Manifest v3 changes.
Well… duh? Google will do whatever it wants with no regards to anyone else unless they're forced to do otherwise, and "the market" will not force them to do otherwise unless their very large browser majority falls. From the moment mozilla decided (/ was forced) to adopt chrome extensions they were bound to follow google's whims.
> In the absence of a true standard for browser extensions, maintaining compatibility with Chrome is important for Firefox developers and users.
About as close as Mozilla can come to outright saying, "Chrome is big enough and we're small enough that what they do _is_ the standard."
Still, it's encouraging to see that they're not removing the blocking API for now. I kind of hope this does push a few adblocker extensions to abandon Chrome.
I find it rather discouraging to hear they are not removing the blocking API for now. It's basically an empty statement, not reassurance. They still may or may not remove the API, they don't want to promise anything or show any commitment to users' needs and priorities.
What they should be saying is, "No, what Google is doing is Wrong with a capital WRONG and we're not going to accept their wishes in closing off what's left of the open Web."
But then they'd have to give up all their Google funding. And they're way too cowardly and corporate to do that.
> We have no immediate plans to remove blocking webRequest
> immediate
We know exactly what this kind of talk means. Don't blow smoke up our ass, Mozilla, just give it to use straight: We'll have `blocking webRequest` for as long as Google allows it.
And in case anyone from Mozilla is listening, this could well be existential for you. Right now, your pro-privacy stance is a principal factor in users choosing Firefox over Chrome.
Follow Google - and all its shady practices - and you will lose a large chunk of those users. Many of them, to use current terminology, are "key influencers": technically savvy people who advise family and friends what to do. Lose them and the outlook is, I suspect, pretty grim.
You're clever people. You'll know this. Google has a good few smart folk too (even if their motivation is questionable). It's easy to see this is difficult for you: Google is your primary funding source. Fail to comply with their wishes, and that funding might well disappear.
As has been noted in other threads, the tension between privacy principles and funding is a huge threat.
For the good of the open web, I desperately want a successful Mozilla, and a technically excellent Firefox at the forefront of a pro-privacy, anti-surveillance re-balancing of the internet.
I don't doubt the difficulty in filling a $300M funding hole. I'd gladly pay $30 per year for a pro-privacy Firefox. Another 9,999,999 is a tall order. On the other hand, you have c250M users...
This points to the disturbing truth of how incredibly complete Google's monopoly is: Even browsers not based on Chrome are strongly pushed to implement Chrome's platform changes anyways.
Chrome's June 2019 statement about Manifest v3 in which they tell us all how much they really care about users and this totes isn't to weaken ad blocking(which directly affects their revenue - that's just a coincidence - pinky promise!):
Here's an interesting thought experiment: what would it take to convince you that this change really is being made for performance and security reasons, and not to hurt ad blocking?
Given the level of cynicism directed at Google by the HN community, is it even possible for Chrome to lock down extension permissions in a way which wouldn't be seen as some sort of aggressive move against ad blocking? Keep in mind that secure, user-friendly permissions systems do have to be somewhat restrictive in order to be effective (see Android, iOS, etc), and that ad blocking extensions will necessarily be impacted as a result.
I hope the ad blockers completely abandon Chrome when this change gets pushed through, rather than attempting to work around it.
Google is using a slow-frog-boil approach to re-desensitize their users to ads, and it's working. The only thing that will work here is a big splash of cold water to the face.
Maybe Chrome losing all of its ad-blockers overnight will finally start making a dent.
Unfortunately the owners of the most popular adblocker have successfully created a revenue generating business out of adblocking and aren't about to abandon Chrome.
In the absence of a true standard for browser extensions, perhaps Mozilla should consider trying to form one by leading with a strong example instead of weakly implying that they will eventually probably cave to the monopolist.
It's also quite disappointing how there is seemingly no one from Mozilla here, engaging with us on this topic. Instead, the only communication we get is one-sided corporate speak, with no real ability to respond.
If anyone from Mozilla is reading, who do you think will spread Firefox among non-technical users if not the type of crowd that frequents HN?
> In the absence of a true standard for browser extensions, perhaps Mozilla should consider trying to form one by leading with a strong example instead of weakly implying that they will eventually probably cave to the monopolist.
That's exactly what they've tried to do. Firefox exposes a `chrome` namespace object to extensions which is intended to be more or less API compatible with what Chrome provides and added the `browser` namespace object where improvements to the base compatibility are added (e.g. switching from callback based APIs to Promise based APIs). See the bit from the wiki below and the link to the browserext spec:
> Mozilla has worked with Microsoft and Opera to implement browser extensions so that developers can write extensions that work across multiple browsers. The preliminary specification[1] matches what Google has implemented in Chrome so that extensions will work on Chrome, Edge, Opera and Firefox.[2]
> Cross-origin communication: In Manifest v3, content scripts will have the same permissions as the page they are injected in. We are planning to implement this change.
What will this mean for GM.xmlHttpRequest in userscripts? Adding content from several different sites with userscripts can be very powerful.
Was wondering about that too - but this seems to be just a Spectre defense, not a change in what extensions can do.
The change[1] only affects content scripts because they run in the same process as the website. You're still able to fetch arbitrary origins in a background page. So GM has to move the fetch to the background page, then send the content to the script via message passing.
Stylus (Stylish without the tracking) sure is a nice interface, but you don't really need an add-on for that functionality. Create "chrome/userContent.css" within your Firefox profile directory and populate it with something like:
Mozilla really needs to get that if they compete with Google on Google’s terms, they’re rapidly heading toward extinction.
Mozilla ought to be the browser for a private and usable web, but it seems they have occasional sneezes where you question what they’re doing (this, pocket in recent memory).
I'm extremely worried that once Google disables ad blockers in Chrome, websites will wholesale block any and all non-Chrome browsers. Be it through user agent sniffing, feature detection, or fingerprinting, Firefox simply won't work anymore.
The future of the web where Google is in complete control is straight up nightmare fuel. Microsoft in the early 2000s never scared me as much as the future we're headed into does.
This won't be IE versus Netscape since websites are no longer served as plain old HTML. They're messy, thick, and impenetrable javascript blobs--not documents. We're not arguing about websites simply not rendering correctly in the less popular browser. This is a battle for the absolute control over information distribution.
What do we do to prevent what's happening?
Google already shot down XHTML, which was rich with semantics. That was a web written for documents and tools that could query those documents for meaning.
Whatever Google has become needs to be dismantled. The ad company can't be the browser company and phone company. It's a perverse alignment of incentives.
perhaps a more optimistic take on "no immediate plans": there could eventually be an alternate standard for webrequest that addresses Chrome Devs' (perhaps legitimate) privacy concerns around most extensions being able to sniff, modify, and log all of your traffic on the entire web with a single, unobtrusive modal click. There is room to make the web platform more secure without stripping power from the user-agent, surely, or giving bad actors a trivial foothold. Frankly, my concerns around the webrequest API are numerous, the only reason IMO that Chrome isn't deprecating webrequest in Enterprise builds is for corporate spyware.
At the very least a new webrequest spec that is more ergonomic and
more safe than the webrequest API (without neuturing adblock) could show whether the emperor has no clothes, vis a vis "Google Adtech is directly influencing Chrome and web platform development" plots
It seems I'm in a minority here, but I was never comfortable installing any adblock extension because the existing request blocking API means that the extension would see all web traffic generated by me (including private URLs that are otherwise not known to anybody but me).
I personally feel that now with manifest 3, I can actually install adblockers since the newer APIs do not share all my web traffic with the extensions.
Can somebody explain why removing blocking API was overall a bad decision by Chrome?
I’d like to see this done along the lines of how iOS handles keyboards: allow full web request reading and modification, but only in a sandbox that is per-origin.
uBlock is open source, you can verify that the extension in your browser is the same that is published in the github repository.
The blocking API being removed is an issue because the replacement does not cover all use cases and severely limits what ad blockers can do to intercept filtered content.
Google is obviously aiming to boil the frog slowly and make ad blockers a such terrible experience that Chrome users will not use them.
A humble proposal: A build of firefox that initially differs from Mozillas in that
- it has a different default search engine selection that can be sold in the same way that Mozilla sells this same feature to google presently
- no ads on new tab page
- bundled with ublock origin
The goal being to increase the value of selling the search engine selection while decreasing the value of mozillas in effect siphoning off some of the value of mozillas primary revenue stream.
Such funds could be donated back to Mozilla or used to maintain a fork that doesn't ruin adblocking. Their choice.
[+] [-] WhatIsDukkha|6 years ago|reply
What comes across is that Google is not collaborating with Mozilla over the Manifest v3 changes.
Instead of using and appreciating the engaged Firefox developer ecosystem we have PM conference rooms in Google mandating huge changes based on... well they've been shady so far about their choices on Manifest v3.
The other thing that keeps bugging me about this is -
We need a tiered App store for browsers. Part of the lockdown Google wants to do isn't wrong but its driven by having WAY too many bad actors and shoddy developers in their Chrome store.
If you have an opensource web extension, a reasonable community and with reproducible builds? You can use more powerful API versions.
If you are jrando bizplan #2000283 you get the kinda trusted tier.
Frankly if Debian had a web browser extension "store" with 20 things in it, I'd use that exclusively and turn off both the Chrome and the Firefox store 100%.
[+] [-] beacker|6 years ago|reply
There are a handful of extensions for Firefox and Chrome in the Debian repositories: https://packages.debian.org/search?keywords=webext-&searchon...
[+] [-] derefr|6 years ago|reply
We kinda have one; the tiers are "the public app store" and "your enterprise's private collection of apps, whitelisted by GSuite policy on your GSuite users."
Things are in equilibrium because no big player is complaining; and no big players are complaining because they have all their needs met by just 1. getting custom extension builds from vendors, 2. signing them with their enterprise cert, 3. pushing them to some object store, and 4. telling GSuite to allow them (https://docs.google.com/document/d/1pT0ZSbGdrbGvuCsVD2jjxrw-...).
[+] [-] xvector|6 years ago|reply
I'd like one of the PMs at Google working on this feature to engage in actual community discussion around this issue.
Google is not a monolithic corporation. Individual people are responsible for these decisions. These people are obligated to discuss why they are making these changes, else they deserve to be called out if they refuse to do so.
Is it too much to ask for these PMs to take some personal responsibility and engage in discussion for the far-reaching changes they are forcing upon society?
[+] [-] unixhero|6 years ago|reply
Yeah like the F-Droid [0] appstore ecosystem for Android.
[0] - https://f-droid.org/
[+] [-] masklinn|6 years ago|reply
Well… duh? Google will do whatever it wants with no regards to anyone else unless they're forced to do otherwise, and "the market" will not force them to do otherwise unless their very large browser majority falls. From the moment mozilla decided (/ was forced) to adopt chrome extensions they were bound to follow google's whims.
[+] [-] danShumway|6 years ago|reply
About as close as Mozilla can come to outright saying, "Chrome is big enough and we're small enough that what they do _is_ the standard."
Still, it's encouraging to see that they're not removing the blocking API for now. I kind of hope this does push a few adblocker extensions to abandon Chrome.
[+] [-] zzzcpan|6 years ago|reply
[+] [-] Endy|6 years ago|reply
But then they'd have to give up all their Google funding. And they're way too cowardly and corporate to do that.
[+] [-] Ygg2|6 years ago|reply
Ha. As if that will ever happen. They'll probably just pivot to something else.
The reason Chrome can try to ditch ad blockers is that they are big enough, that your only choice is Chrome or GTFO.
[+] [-] Nicksil|6 years ago|reply
> immediate
We know exactly what this kind of talk means. Don't blow smoke up our ass, Mozilla, just give it to use straight: We'll have `blocking webRequest` for as long as Google allows it.
[+] [-] spinningslate|6 years ago|reply
Follow Google - and all its shady practices - and you will lose a large chunk of those users. Many of them, to use current terminology, are "key influencers": technically savvy people who advise family and friends what to do. Lose them and the outlook is, I suspect, pretty grim.
You're clever people. You'll know this. Google has a good few smart folk too (even if their motivation is questionable). It's easy to see this is difficult for you: Google is your primary funding source. Fail to comply with their wishes, and that funding might well disappear.
As has been noted in other threads, the tension between privacy principles and funding is a huge threat.
For the good of the open web, I desperately want a successful Mozilla, and a technically excellent Firefox at the forefront of a pro-privacy, anti-surveillance re-balancing of the internet.
I don't doubt the difficulty in filling a $300M funding hole. I'd gladly pay $30 per year for a pro-privacy Firefox. Another 9,999,999 is a tall order. On the other hand, you have c250M users...
[+] [-] ocdtrekkie|6 years ago|reply
[+] [-] badsectoracula|6 years ago|reply
[+] [-] chrisseaton|6 years ago|reply
[+] [-] purple_ducks|6 years ago|reply
https://blog.chromium.org/2019/06/web-request-and-declarativ...
[+] [-] Ajedi32|6 years ago|reply
Given the level of cynicism directed at Google by the HN community, is it even possible for Chrome to lock down extension permissions in a way which wouldn't be seen as some sort of aggressive move against ad blocking? Keep in mind that secure, user-friendly permissions systems do have to be somewhat restrictive in order to be effective (see Android, iOS, etc), and that ad blocking extensions will necessarily be impacted as a result.
[+] [-] ohazi|6 years ago|reply
Google is using a slow-frog-boil approach to re-desensitize their users to ads, and it's working. The only thing that will work here is a big splash of cold water to the face.
Maybe Chrome losing all of its ad-blockers overnight will finally start making a dent.
[+] [-] cptskippy|6 years ago|reply
[+] [-] hnaccy|6 years ago|reply
[+] [-] pvg|6 years ago|reply
[+] [-] feanaro|6 years ago|reply
It's also quite disappointing how there is seemingly no one from Mozilla here, engaging with us on this topic. Instead, the only communication we get is one-sided corporate speak, with no real ability to respond.
If anyone from Mozilla is reading, who do you think will spread Firefox among non-technical users if not the type of crowd that frequents HN?
[+] [-] chucksmash|6 years ago|reply
That's exactly what they've tried to do. Firefox exposes a `chrome` namespace object to extensions which is intended to be more or less API compatible with what Chrome provides and added the `browser` namespace object where improvements to the base compatibility are added (e.g. switching from callback based APIs to Promise based APIs). See the bit from the wiki below and the link to the browserext spec:
> Mozilla has worked with Microsoft and Opera to implement browser extensions so that developers can write extensions that work across multiple browsers. The preliminary specification[1] matches what Google has implemented in Chrome so that extensions will work on Chrome, Edge, Opera and Firefox.[2]
[1]: https://browserext.github.io/browserext/
[2]: https://wiki.mozilla.org/WebExtensions/Spec
[+] [-] muddi900|6 years ago|reply
[+] [-] sorenjan|6 years ago|reply
What will this mean for GM.xmlHttpRequest in userscripts? Adding content from several different sites with userscripts can be very powerful.
[+] [-] xg15|6 years ago|reply
The change[1] only affects content scripts because they run in the same process as the website. You're still able to fetch arbitrary origins in a background page. So GM has to move the fetch to the background page, then send the content to the script via message passing.
[1] https://www.chromium.org/Home/chromium-security/extension-co... .
[+] [-] input_sh|6 years ago|reply
[+] [-] SirensOfTitan|6 years ago|reply
Mozilla ought to be the browser for a private and usable web, but it seems they have occasional sneezes where you question what they’re doing (this, pocket in recent memory).
[+] [-] echelon|6 years ago|reply
The future of the web where Google is in complete control is straight up nightmare fuel. Microsoft in the early 2000s never scared me as much as the future we're headed into does.
This won't be IE versus Netscape since websites are no longer served as plain old HTML. They're messy, thick, and impenetrable javascript blobs--not documents. We're not arguing about websites simply not rendering correctly in the less popular browser. This is a battle for the absolute control over information distribution.
What do we do to prevent what's happening?
Google already shot down XHTML, which was rich with semantics. That was a web written for documents and tools that could query those documents for meaning.
Whatever Google has become needs to be dismantled. The ad company can't be the browser company and phone company. It's a perverse alignment of incentives.
[+] [-] rrix2|6 years ago|reply
At the very least a new webrequest spec that is more ergonomic and more safe than the webrequest API (without neuturing adblock) could show whether the emperor has no clothes, vis a vis "Google Adtech is directly influencing Chrome and web platform development" plots
[+] [-] kup0|6 years ago|reply
[+] [-] levani|6 years ago|reply
[+] [-] phkahler|6 years ago|reply
On top of that, I'm not in favor of extensions doing anything to improve security - I want that in the base browser.
[+] [-] malicioususer11|6 years ago|reply
[deleted]
[+] [-] ryuukk_|6 years ago|reply
[deleted]
[+] [-] eh78ssxv2f|6 years ago|reply
I personally feel that now with manifest 3, I can actually install adblockers since the newer APIs do not share all my web traffic with the extensions.
Can somebody explain why removing blocking API was overall a bad decision by Chrome?
[+] [-] gorhill|6 years ago|reply
The webRequest API can observe the URLs you visit without needing blocking permission.
And so does the webNavigation API, the tabs API, history API, content scripts, possibly cookies API and whatever else does not come to my mind.
[+] [-] kuzimoto|6 years ago|reply
What's the point of an ad blocker if it doesn't block ads?
[+] [-] amluto|6 years ago|reply
[+] [-] zaarn|6 years ago|reply
The blocking API being removed is an issue because the replacement does not cover all use cases and severely limits what ad blockers can do to intercept filtered content.
Google is obviously aiming to boil the frog slowly and make ad blockers a such terrible experience that Chrome users will not use them.
[+] [-] michaelmrose|6 years ago|reply
- it has a different default search engine selection that can be sold in the same way that Mozilla sells this same feature to google presently
- no ads on new tab page
- bundled with ublock origin
The goal being to increase the value of selling the search engine selection while decreasing the value of mozillas in effect siphoning off some of the value of mozillas primary revenue stream.
Such funds could be donated back to Mozilla or used to maintain a fork that doesn't ruin adblocking. Their choice.