top | item 42511679

(no title)

olliej | 1 year ago

So there are multiple factors here - I used to work on browsers so have some experience here :D

First off, there are legitimate security concerns with the kind of functionality required for effective ad blocking given the immense work the ad industry (i.e google) have put into preventing purely static filters is also very powerful for exploitation. Those powers can (and have been) abused: the recent news about "Honey" replacing affiliate links so that they are getting paid for ads on peoples page, but also there have been numerous examples over the last year of extensions being sold and then having the extensions getting malware, crypto miners, etc.

Second, there are real performance problems - the non-JS filter rules are vastly more efficient, for memory usage, cpu usage, and load time (I recall people doing benchmarks a while ago, showing ad blocker extensions that actually slowed down page loads).

So those are the engineering arguments for not supporting this model of extension.

However, the engineers on the chrome team are not stupid, or malicious, and understand that the trade offs are something users want. But those engineers work for Google, and google is an advertising company.

So it does not matter what those engineers want, or think is better, if the company management says "you cannot block our revenue model" they do not have a choice. Well, they could quit, but that's basically it.

discuss

southernplaces7|1 year ago

Hard disagree. I've been using ublock across the board with Chrome and with absolutely no problems with malicious nonsense or even performance. These are real risks in a general sense, to be sure, but many extensions are run well enough to be relatively safe.

In any case, if such were Google's logic, they'd do more, or other things to mitigate said threats, which can also be extrapolated to any number of other widely used and permitted extensions, not conveniently remove a specific, well-run and widely trusted extension that conspicuously works at removing the firehose of utter garbage that they push at you through various parts of their platforms and on YouTube.

tyingq|1 year ago

There are some ways to abuse solely the ability to stop an inflight web request, and being able to see what url it was for.

But, that did require a specific permission.

And the permission/ability to inject arbitrary JavaScript into any page is still there. As are other abilities that can be abused.

Meaning, the security argument for removing blocking onBeforeRequest was always a diversion. It is not nearly the highest risk thing in the api.

denkmoon|1 year ago

Does MV3 do anything to stop the behaviour of Honey?

mehlmao|1 year ago

Please show me a real-world page that performs worse on Chrome with no extensions than on Chrome with Unlock Origin.

shiroiushi|1 year ago

That would be really easy (though it probably wouldn't be perceptible by humans, but you'd certainly see it if you look at actual CPU and memory usage): just look at some simple webpage that's only static HTML. uBO uses resources, so of course it's going to perform worse not having it there at all. And going through tens of thousands of filter rules isn't exactly a trivial task.

However, at some point, the resources saved (by blocking ads running JS) will outweigh the resources used by the ad-blocker. In typical modern web pages, that bar is probably pretty low, because there's SO much BS advertising and tracking.

dghlsakjg|1 year ago

> First off, there are legitimate security concerns with the kind of functionality required for effective ad blocking given the immense work the ad industry (i.e google) have put into preventing purely static filters is also very powerful for exploitation. Those powers can (and have been) abused: the recent news about "Honey" replacing affiliate links so that they are getting paid for ads on peoples page, but also there have been numerous examples over the last year of extensions being sold and then having the extensions getting malware, crypto miners, etc.

Who controls the accounts and the distribution for all chrome plugins? Who allows automatic updates with no security screening to all chrome plugins? Who charges developers a fee to participate in the chrome extensions store?