[HN Gopher] Google Chrome browser privacy plan investigated in UK
___________________________________________________________________
Google Chrome browser privacy plan investigated in UK
Author : chrischapman
Score : 161 points
Date : 2021-01-08 12:48 UTC (10 hours ago)
(HTM) web link (www.bbc.co.uk)
(TXT) w3m dump (www.bbc.co.uk)
| cm2187 wrote:
| Do you need to ban third party cookies? I would have thought that
| limiting the scope of third party cookies to the primary site
| visited would be sufficient to prevent tracking across websites
| (save for browser fingerprinting).
| iamacyborg wrote:
| Third party cookies are often made first party through CNAME
| records, so those are problematic, too.
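A sketch of the check implied by the comment above, added here as an example and not code from the commenter or any browser: a host that is same-site by name is followed through its CNAME chain to see where DNS really sends the request. The hostnames, DNS answers, tracker list and the short suffix list are all constructed assumptions.

```javascript
// Added example. Hostnames, DNS answers and the tracker list are constructed.

// Assumption: this short list stands in for the real Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Registrable domain ("site"): the public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const lastTwo = labels.slice(-2).join(".");
  const take = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Follow CNAME records from a Map(name -> target), guarding against loops.
function cnameChain(host, records, maxHops = 8) {
  const chain = [];
  const seen = new Set([host]);
  let current = host;
  while (chain.length < maxHops) {
    const next = records.get(current);
    if (next === undefined || seen.has(next)) break;
    chain.push(next);
    seen.add(next);
    current = next;
  }
  return chain;
}

// Classify a sub-resource request made by a page.
function classifyRequest(pageHost, resourceHost, records, trackerSites) {
  const pageSite = registrableDomain(pageHost);
  const nameSite = registrableDomain(resourceHost);
  if (nameSite !== pageSite) {
    return { verdict: "third-party", site: nameSite };
  }
  // Same site by name, so cookies scoped to the whole site (Domain=...)
  // are sent with the request. Check where DNS actually points.
  for (const target of cnameChain(resourceHost.toLowerCase(), records)) {
    const targetSite = registrableDomain(target);
    if (targetSite === pageSite) continue;
    const verdict = trackerSites.has(targetSite)
      ? "cname-cloaked-tracker"
      : "cname-offsite"; // e.g. a CDN: needs review, not proof of tracking
    return { verdict, site: targetSite };
  }
  return { verdict: "first-party", site: pageSite };
}

// Constructed sample data.
const SAMPLE_CNAMES = new Map([
  ["metrics.example.co.uk", "example-co-uk.collect.tracker-vendor.example"],
  ["static.example.co.uk", "edge7.cdn-provider.example"],
  ["shop.example.co.uk", "www.example.co.uk"],
]);
const SAMPLE_TRACKERS = new Set(["tracker-vendor.example"]);

for (const host of ["metrics.example.co.uk", "static.example.co.uk",
                    "shop.example.co.uk", "px.tracker-vendor.example"]) {
  const r = classifyRequest("www.example.co.uk", host, SAMPLE_CNAMES, SAMPLE_TRACKERS);
  console.log(host, "->", r.verdict, "(" + r.site + ")");
}
```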
| ejj28 wrote:
| I'm very skeptical about this, as it seems like Google's just
| trying to pull another AMP and take control of how advertisers
| are able to advertise, and since they're a major player in the ad
| business that should be a big no no.
|
| No user-agent strings is interesting to me, to me they seem like
| a minor concern privacy-wise, and doesn't a large portion of the
| web use them to maintain compatibility between browsers, detect
| your OS for downloads, and etc?
| roblabla wrote:
| User-agent, in my experience, is mostly _misused_ as an attempt
| for compatibility, but it really shouldn't be used that way.
| The proper way to do cross-browser compat is feature testing,
| as browsers keep adding more features. Google until recently
| was distributing a different, inferior (at least IMO) version
| of Google Search to Android Firefox users, based on user-agent.
|
| To detect the OS for download, either JS will have to be used,
| or the new granular Client Hints[0], specifically User-Agent
| Client Hints[1]. You can use Sec-CH-UA-Platform and
| Sec-CH-UA-Arch to figure out the OS and CPU Architecture of the client.
| However, browsers may refuse to honor this, depending on the
| privacy budget.
|
| Seeing User-Agent go away will be a net positive for web
| compatibility. That it also improves privacy is just a nice-to-
| have.
|
| [0]: https://developer.mozilla.org/en-US/docs/Glossary/Client_hin...
|
| [1]: https://wicg.github.io/ua-client-hints/
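A server-side sketch of the download case described above, added here as an example and not code from the commenter or the spec: it opts in with Accept-CH, parses the two hints as quoted structured-field strings, treats them as untrusted input, and falls back to letting the user choose when the browser withholds a hint. The build table and file names are constructed assumptions.

```javascript
// Added example. The build table and file names are constructed.

// Response headers that request the hints and keep shared caches correct.
const HINT_RESPONSE_HEADERS = {
  "Accept-CH": "Sec-CH-UA-Platform, Sec-CH-UA-Arch",
  "Vary": "Sec-CH-UA-Platform, Sec-CH-UA-Arch",
};

// Allowlist of builds (hypothetical names). Maps are used so a hint such as
// "constructor" can never match an inherited object property.
const BUILDS = new Map([
  ["Windows", new Map([["x86", "app-windows-x86.exe"], ["arm", "app-windows-arm.exe"]])],
  ["macOS", new Map([["x86", "app-macos-x86.dmg"], ["arm", "app-macos-arm.dmg"]])],
  ["Linux", new Map([["x86", "app-linux-x86.tar.gz"]])],
]);

// Parse a structured-field string: double-quoted, printable ASCII, with
// only \" and \\ as escapes. Returns null for anything missing or malformed.
function parseSfString(raw) {
  if (typeof raw !== "string") return null;
  const s = raw.trim();
  if (s.length < 2 || s[0] !== '"' || s[s.length - 1] !== '"') return null;
  let out = "";
  for (let i = 1; i < s.length - 1; i++) {
    let ch = s[i];
    if (ch === "\\") {
      ch = s[++i];
      // The escape must not consume the closing quote.
      if (i >= s.length - 1 || (ch !== '"' && ch !== "\\")) return null;
    } else if (ch === '"') {
      return null; // unescaped quote inside the string
    }
    const code = ch.charCodeAt(0);
    if (code < 0x20 || code > 0x7e) return null;
    out += ch;
  }
  return out;
}

function allBuilds() {
  return [...BUILDS.values()].flatMap((byArch) => [...byArch.values()]);
}

// headers: request headers with lower-cased names, as Node's http module gives them.
function pickDownload(headers) {
  const platform = parseSfString(headers["sec-ch-ua-platform"]);
  const arch = parseSfString(headers["sec-ch-ua-arch"]);
  if (platform === null) {
    // Hint withheld or malformed: show every build and let the user pick.
    return { file: null, choices: allBuilds(), reason: "no-platform-hint" };
  }
  const byArch = BUILDS.get(platform);
  if (byArch === undefined) {
    return { file: null, choices: allBuilds(), reason: "unknown-platform" };
  }
  const file = arch === null ? undefined : byArch.get(arch);
  if (file === undefined) {
    return { file: null, choices: [...byArch.values()], reason: "arch-unresolved" };
  }
  // Only allowlisted file names are ever returned; the hint text itself
  // is never placed into a path or URL.
  return { file, choices: [file], reason: "matched" };
}

console.log(pickDownload({ "sec-ch-ua-platform": '"Windows"', "sec-ch-ua-arch": '"arm"' }));
console.log(pickDownload({ "sec-ch-ua-platform": '"macOS"' }));
console.log(pickDownload({}));
```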
| nebulous1 wrote:
| You may find this interesting: https://amiunique.org/
| potench wrote:
| I didn't see it mentioned but a common use case for 3rd party
| cookies is correlating session data across your own multiple
| domains (if your company owns multiple domains). Publishing
| companies typically own multiple domains/verticals and can
| increase ad revenue / seo / traffic quality by linking properties
| together. It's important to be niche as a site (verticalization)
| but also broad as a publishing operation (own many verticals and
| shift your marketing spend daily).
|
| Anyways, google has been writing a spec for "first party sets" to
| help replace the use of a 3rd party cookie to connect domains you
| own. https://github.com/privacycg/first-party-sets
|
| I believe this will need to be implemented before Chrome moves
| aggressively against 3rd party cookies.
| afrcnc wrote:
| Am I the only one reading this as "some less tech-savvy
| advertisers can't adapt and are now lawyering their way around?"
|
| Cause it sure looks like so. If I remember correctly, other
| browsers have also removed support for 3rd party cookies too.
| toper-centage wrote:
| I couldn't care less if the adtech industry collapsed
| overnight, even if that meant I lose my job, but what's
| happening with Google and Facebook trying to push for privacy
| regulations is effectively raising the bar for competition and
| newcomers.
| gregasquith wrote:
| A lot of advertisers didn't care when Safari etc. did it, such
| is the scale Chrome has - they just stopped targeting users not
| using Chrome. Now it's affecting everyone, there's an outcry.
| afrcnc wrote:
| "affecting" isn't the word I'd use there.
|
| "protecting" would be better
| gregasquith wrote:
| 100% agreed!
| ScoopWitch wrote:
| Agree, at this point it seems like a marketing monopoly.
| acvny wrote:
| These sentences summarise it all:
|
| "Google will effectively control how websites can monetise and
| operate their business,"
|
| "This means that any business that buys or sells advertising will
| be reliant on Google for a part of the process, whether they like
| it or not."
| trendywebz9 wrote:
| 100% agreed.
| pixelpoet wrote:
| I very much wish someone would investigate this "legitimate
| interest" crap that I have to always turn off now (one by one
| usually).
|
| Find me just _one_ person who is legitimately interested in these
| "legitimate interest" tracking things.
| hardlianotion wrote:
| I occasionally read these, but I am still not clear on what the
| difference is between these permissions I am about to deny and the
| others.
| Digit-Al wrote:
| Ugh. Tell me about it. I tried reading the GDPR stuff regarding
| legitimate interest but couldn't work out how it was relevant
| to what they are doing. It appears to be just two different
| switches for the same thing with one switch defaulting to off
| and the other to on. At least a lot of places do allow you to
| "object all", but it's just another thing you have to remember
| to select.
|
| Super annoying!
| Tepix wrote:
| The article says:
|
| _[Google] wants to replace [3rd party cookies] with new tools
| that give advertisers more limited, anonymised information such
| as how many users visited a promoted product's page after seeing
| a relevant ad - but not tie this information to individual
| users._
|
| Here's the Chromium page about the "Privacy Sandbox":
|
| https://www.chromium.org/Home/chromium-privacy/privacy-sandb...
|
| Quote:
|
| _We believe ... the web's users can access that information
| freely because the content creators can fund themselves through
| online advertising. That advertising is vastly more valuable to
| publishers and advertisers and more engaging and less annoying to
| users when it is relevant to the user._
|
| In other words, they still want to know as much as possible about
| the users.
| gregasquith wrote:
| There are various proposals they are working on under the umbrella
| of the Privacy Sandbox project, a couple of key ones here:
|
| https://github.com/google/ads-privacy/tree/master/proposals/...
|
| https://github.com/WICG/turtledove
| philliphaydon wrote:
| It sounds like a good thing but I just can't trust Google to
| not be evil and give themselves more of a monopoly.
|
| They prob want to replace cookies with something that gives
| them the same functionality but not have to deal with cookie
| policies in the EU.
| pdpi wrote:
| There are no cookie policies in the EU. What we do have is a
| policy around personal data and identifying users, and
| cookies are mentioned in passing as a particular way this is
| achieved in practice.
| lmkg wrote:
| There are cookie policies in the EU. GDPR covers personal
| data, of which cookies can be one particular way. The
| ePrivacy Directive is a separate law, modified but not
| repealed by GDPR, which addresses cookie data. The
| difference and interaction between those two laws ends up
| being extremely significant.
| pdpi wrote:
| Every single instance of the word "cookie" in the
| ePrivacy Directive[1] is qualified with either a "for
| instance" or with "or similar devices".
|
| 1. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
| lmkg wrote:
| My point is that cookies have additional regulations
| beyond just being personal data covered by GDPR. You are
| correct that cookie-equivalents are similarly regulated
| (including most fingerprinting techniques!). But they're
| not just a special case of GDPR.
|
| Most importantly, the ePD applies to cookies _even when
| they are not personal data_. Your post made it sound like
| the _only_ concern is identifying users via cookies. That
| is not the case. Non-identifying cookies would not incur
| obligations under GDPR, but they do incur obligations
| under the ePD.
| gnud wrote:
| Well, the cookie policies in the EU are sort of weird, but
| they're not from the GDPR, but from an older directive,
| 2009/136/EC, the "cookie law". And this directive only uses
| the word once, in the parenthetical "(such as certain types
| of cookies)".
|
| Even if you replace cookies with something else (localstorage
| or whatever), you're still on the hook for all the rules both
| here and in the GDPR with regards to personal information and
| informed consent.
|
| Remember that the 'cookie law' says
|
| > Exceptions to the obligation to provide information and
| offer the right to refuse should be limited to those
| situations where the technical storage or access is strictly
| necessary for the legitimate purpose of enabling the use of a
| specific service explicitly requested by the subscriber or
| user.
|
| So you don't need a cookie banner for a login session cookie,
| or a cookie that stores preferences the user actively
| selected. But you _do_ need a cookie banner, and a way to opt
| out, for all kinds of user tracking, both first- and third-
| party.
|
| Of course, IANAL. Just angry at advertisers for muddying up
| this issue.
| HPsquared wrote:
| If they become a monopoly by simply providing the best
| service available, who is harmed? To me it looks like "won't
| someone please think of the poor advertisers"
| thewebcount wrote:
| Anyone who wants to avoid their services. I don't care if
| they provide a better experience on the web. I don't wish
| to do business with them because I don't trust them. No
| matter how good their experience, I want to use someone
| else.
| raxxorrax wrote:
| I often hear that but I don't think this is good at all. To
| be honest I am not subjected to a lot of ads today, but I
| don't want personalized ads because it always means the
| advertiser has incentive to collect info on me. Ads aren't
| worth that, not even close.
|
| You might think otherwise, but for these cases I think there
| should be opt-in mechanisms instead of the assumption what
| people want. If they are that off with their ads...
| lmkg wrote:
| This isn't exactly a mystery. Google _is_ doing this. Several
| of the pieces are already in place.
|
| If you log into a Google account in Chrome, you log into
| _Chrome itself_ with that Google account. Then Google tools
| can use your account as an identity signal. This is already
| available as a feature in Google Ads and Google Analytics.
| The name of the feature is "Google Signals" - they've posted
| documentation on how it works and what it does.
|
| This identity signal works cross-domain and cross-device.
| Google is working to kill off other identity signals with
| those capabilities that would be available to competitors,
| such as third-party cookies. (This is also why I believe them
| when they say they're actively working against browser
| fingerprinting.)
| zaroth wrote:
| This is a very good reason in and of itself to stop using
| Chrome. What you're describing is a very real attack by
| Google through a kind of regulatory capture on any possible
| competitor.
|
| Basically, the only tracking solution that becomes viable
| is their own.
| capableweb wrote:
| Google for some owns the full pipeline of websites, from
| where the website is being served from (Google AMP), scripts
| where the website does client side stuff (Tag Manager +
| Analytics), to the browser that reads it (Google Chrome /
| Chromium) and in some cases even the OS (Chrome OS).
|
| It's not hard to imagine that they are getting rid of Cookies
| because they now have other ways of getting the data, and
| getting rid of Cookies would make things harder for
| competitors that don't own the full pipeline.
|
| Even with that, I'm sure that the engineers working on
| Chromium/Google Chrome are being told that they are removing
| Cookies for the greater good and don't have insights into the
| longer pipeline that we're now seeing the middle of.
| vermilingua wrote:
| Don't forget, they often control the domain registration,
| have had huge influence in the formation of the languages
| sites are written in, in some cases the languages the
| _server_ is written in, even the backbone and last mile
| delivery of those bits to the user, etc.
|
| Most of that can be leveraged by google to replace cookies.
| Lio wrote:
| There seems to be a real conflict in interests between Google,
| effectively a surveillance company, setting new standards for
| user privacy.
|
| It's not the targeted advertising I object to, it's the tracking.
|
| I don't want Google to solely have access to all my personal data
| which they then use to provide anonymised information to others.
|
| I want to have enough control to stop Google tracking me in the
| first place rather than anonymising things after the fact.
|
| Something like Brave's approach to BATs is what I'd like to see
| them adopt.
| arexxbifs wrote:
| That part is just smoke and mirrors, of course. They don't give
| a crap about that and "privacy" is becoming yet another
| marketing buzzword that rarely stands up to scrutiny but is
| very convenient to hit your opponents over the head with.
|
| Google just wants a monopoly on advertising.
| kyrra wrote:
| Googler, opinions are my own.
|
| I'd disagree. There is a trend in HN comments to remind
| people that a company is a collection of people. Google is a
| collection of people. There are those of us who care deeply
| about privacy at Google.
|
| First: it's interesting talking with googlers or reading
| their thoughts on how Google does ads and data collection.
| Many people definitely feel the same way as commenters on HN
| feel. Lots of people are torn on the fact that ads lets us
| build lots of other cool products for people. I would say
| this helps motivate other teams, like cloud, to find
| other revenue sources for the company so you don't have to be
| as data collection focused.
|
| Second: I have seen googlers fight for the privacy of users even
| within my division (payments). Many of us want to do right by
| our users, and be as privacy focused as we are capable given
| our constraints. We also know there is a general thought that
| Google is data collection focused, and one slip up will cause
| a big drama out on the internet and in the news (Google would
| likely receive more scrutiny here than some other companies).
| This helps remind us that we need to treat user data as best
| we can and minimize what we do collect.
| CivBase wrote:
| > There is a trend in HN comments to remind people that a
| company is a collection of people. Google is a collection
| of people. There are those of us who care deeply about
| privacy at Google.
|
| It sounds like there is little overlap between Google's
| employees and the people who make and influence major
| decisions for Google. Wasn't that recently given as one of
| the major justifications for unionization?
| arexxbifs wrote:
| > Google is a collection of people. (...) Many of us want
| to do right by our users, and be as privacy focused as we
| are capable given our constraints.
|
| When push comes to shove, Google _isn't_ a collection of
| people - it's a legal entity with the sole purpose of
| turning an ever-increasing profit.
|
| The best way to ensure privacy is to not track users across
| the web. Hence, if Google was interested in privacy, that's
| what Google would do - not add extra "anonymized" tracking
| features.
| stiray wrote:
| I am sorry but this seems like a conflict of interest.
|
| Googlers are earning most of their paycheck from spying on
| people. This is a fact. And everything about Google is
| moving in the direction of earning even more - stock owners
| demand it and based on infinite hunger for more revenue,
| this is a lost fight. Whatever you do, from within
| Alphabet, it is a lost game.
|
| Now some fraction of those that are not aware of reality
| might be really fighting for user privacy but your fight is
| like biting the hand that feeds you. And this is observed as
| crazy at best. If you want to talk the talk and walk the
| walk, stop helping them and allow them to have the public image
| that they deserve instead of defending them based on some
| strange minority that is clueless where they work.
|
| Or if you want it differently, it is like selling weapons
| to Central Africa and then saying "Weapons don't kill,
| people do.". Sure. True. But you are making it more
| efficient.
|
| Now we will probably move to the part "someone else will do
| it instead". This is the part about having morals, and this
| makes the difference between someone who has them and someone
| who is searching for excuses.
| lima wrote:
| > _Googlers are earning most of their paycheck from
| spying on people. This is a fact._
|
| This is a popular misconception about Google. They don't
| _need_ to spy on people. You're the product, but you
| don't pay with data (except for basic demographics) - you
| pay with _attention_.
| throwaway2245 wrote:
| > There is a trend in HN comments to remind people that a
| company is a collection of people.
|
| A company isn't really that, though: a company employs a
| collection of people to do the work desired by its owners.
|
| Since Google is not an employee-owned company, it's not
| obvious that a group of employees have effective power in
| this matter.
| shrimp_emoji wrote:
| It's the same game theory behind dictatorship. In this
| case, the dictator can simply be an abstract profit
| motive, and its lust for blood tomorrow could always
| overrun today's principled moderation (especially once it
| begins to starve, which it will since all organizations,
| no matter how Ozymandian and grand, somehow crumble
| eventually).
|
| The best foundation for good outcomes is to not trust a
| company and to reject its control to begin with.
| MaxBarraclough wrote:
| > There seems to be a real conflict in interests between
| Google, effectively a surveillance company, setting new
| standards for user privacy.
|
| Related to this: Google has a lot of influence regarding web
| standards.
| chrischapman wrote:
| Hidden measures are the essence of surveillance capitalism.
| What's needed is personal choice and transparency. And yes, I
| agree. I want to be in control of my consent too. The thing I
| think we're missing is the _informed_ in informed consent that
| legislation requires. These measures just help to keep us in
| the dark.
| m463 wrote:
| I think the real conflict of interest is when other services
| are layered on top of google.
|
| For instance, you cannot make an appointment with the
| California DMV without using google services. Just accessing
| the website will try to log you into google.
| nwellnhof wrote:
| > I want to have enough control to stop Google tracking me in
| the first place rather than anonymising things after the fact.
|
| Google's proposals actually anonymize data before being sent to
| Google or any other ad network. But this only works by moving
| parts of the ad infrastructure into your browser. Do you really
| want your browser to run machine learning algorithms to assign you
| to a cohort (see FLoC), or have ad auctions take place on your
| device (see TURTLEDOVE)?
| hp77 wrote:
| For anyone looking to read more on FLoC ->
| https://github.com/WICG/floc
|
| and TURTLEDOVE -> https://github.com/WICG/turtledove
|
| Thanks OP for mentioning these.
| nickhalfasleep wrote:
| Absolutely nothing about fraud in these. Interesting,
| considering who or what would validate that these actions
| are occurring in front of an actual user.
| jefftk wrote:
| See https://web.dev/trust-tokens/
|
| (Disclosure: I work on ads at Google, speaking only for
| myself)
| jka wrote:
| Thanks for the link, and also thanks to the ancestor
| commenters for sharing more information.
|
| Although I understand that the revenue and reality of
| marketing revenue is vast and in some ways unstoppable,
| this is quite a bit of complex and challenging
| engineering work which creates more surface area in
| browsers in return for privacy.
|
| It's probably worth it on the whole, as long as it's done
| carefully, but for someone who cares a bit about
| simplicity, efficiency and being able to comprehend
| what's happening: will there be an opportunity just to
| disable targeting advertising (and thus the code paths
| and logic associated with it all)?
|
| (I'll try to reason about this and work it out myself
| from the documentation; I do already see that there's a
| "Disable Ad Interest Groups", but I don't know if that's
| quite it, yet)
| ricardo81 wrote:
| The last CMA report[0] concluded[1] that Google's dominant
| position in search and advertising was partly due to how their
| extensive tracking enables them to get a higher ROI per user,
| allowing them to outbid potential competitors for things such
| as becoming the default search engine on Apple devices, further
| reinforcing their dominant position.
|
| I agree with you, if I type in a search term from location X,
| advertisers have enough targeting to serve me a relevant ad
| which I'm totally fine with.
|
| [0] https://www.gov.uk/cma-cases/online-platforms-and-digital-ad...
|
| [1] https://www.gov.uk/government/news/cma-lifts-the-lid-on-digi...
| tgragnato wrote:
| > which I'm totally fine with
|
| If there's an investigation it's because governments are
| starting to realise they are not totally fine with it.
|
| You may be, but it's off topic. The topic is the UK.
|
| Abuse of market position, free markets, monopolies,
| oligopolies, pools, trusts. Impoverishment of one nation's
| economy in favor of another, tax evasion, unfair business
| practices.
|
| Individuals don't care about these things, but governments
| do.
| dan-robertson wrote:
| Seeing your list, it does seem like things the government
| of the U.K. cares about but it's debatable whether they
| want more or less of these things.
| lima wrote:
| Tracking is much less useful than people believe (except for
| measurement of campaign success and retargeting).
|
| Google's search ads work so well because Google has very good
| and reliable demographic data (i.e. "personalization") and
| the users _literally tell them what they're looking for_.
|
| None of that requires tracking.
| Xelbair wrote:
| >I agree with you, if I type in a search term from location
| X, advertisers have enough targeting to serve me a relevant
| ad which I'm totally fine with.
|
| I am not fine with that, because that's just a step from
| sellers offering personalized prices for me, trying to
| squeeze everything out of me.
| ricardo81 wrote:
| I'm not sure what you mean.
|
| I was meaning to differentiate between a vanilla search vs
| tracking data augmenting the search/ad delivery process.
|
| Obviously the search term itself is used, and often
| location is required for queries such as "taxis near me".
| It's also essential for advertisers to know if you're in
| their geographical market.
|
| That's just my opinion on what kind of data is OK to share,
| the point was that no further information is generally
| needed. The CMA reports highlight the fact that insidious
| tracking and the subsequent ROI tends to cement the
| dominant position of those who use it.
| stiray wrote:
| > I'm not sure what you mean.
|
| He means this on a global scale:
| https://www.bbc.com/news/technology-18595347
|
| And they were (are) using only User-Agent. Now imagine
| that google calculates some "wealth" score back to online
| shops, insurance companies,...
| blindm wrote:
| The thing about Cookie-law and cookie privacy issues is: it
| assumes everyone has this centralized browsing session that they
| use for /all/ their browsing. There would be a good number of
| people who use incognito mode or private browsing mode. I don't
| know the stats, but I imagine a good chunk of people use
| incognito mode for NSFW surfing sessions. And whilst cookie
| banners are annoying, they are a small price to pay if it means
| you have the choice to wipe cookies after a browsing session.
|
| For me personally I use different browsers for different things,
| and if I don't want to be tracked and have browsing artifacts
| like cookies correlating data together and tracking me, I just go
| incognito and call it a day. Google's attempt to re-design how
| browsers work at this fundamental level is welcomed, but that
| means other browsers have to do the same, which I don't see
| happening. Firefox rarely copies Chrome features (or Chrome's
| anti-features).
| toper-centage wrote:
| As a user of tab containers and cookie auto deletion, cookie
| notices and sign up prompts are the bane of my existence. I
| audibly growl each time I open YouTube.
| thewebcount wrote:
| I simply can't use YouTube anymore directly. It's too
| annoying. Whenever I get a link, I just go right to
| youtube-dl and download the video because YouTube's interface
| is so awful.
| inops wrote:
| > Firefox rarely copies Chrome features (or Chrome's
| anti-features).
|
| In so far as web technology goes, it certainly does. Lots of
| half-baked, non-standard features get added to Chrome, sites
| start using them, and then Mozilla has to follow suit in order
| to maintain web compatibility.
| azalemeth wrote:
| I use incognito mode _almost exclusively_ for SFW content.
| Heck, I use at least five browsers, container tabs, private
| modes, etc, and have rotating external IP endpoints as well as
| using Duck Duck Go. I have a pihole, and OS level application
| firewalls.
|
| I've got a PhD and I find the lengths required to have some
| modicum of privacy on the internet truly insane, and at times,
| a little technologically annoying (especially when you have to
| debug which random script broke a particular page). The other
| trouble is of course apps: android is just a _dumpster fire_
| and every MS product causes an awful lot of blocklist entries
| to mobile.pipe.aria.microsoft.com.
|
| _Something_ new would be nice, but I fundamentally think that
| Google is the most conflicted company possible to deliver it.
| toyg wrote:
| The overwhelming majority of users run incognito/private mode
| only for porn and equivalent, to avoid leaving traces _on the
| machine_. The law should assume incognito mode does not exist,
| as a baseline.
|
| _> Firefox rarely copies Chrome's features_
|
| I hope this is sarcasm. Sadly, FF is effectively pushed by
| market forces to adopt most Chrome features, down to the
| extension mechanics. This has always been true for every
| player, to be fair, it just so happens that Chrome is the
| current reference.
| blindm wrote:
| > to avoid leaving traces on the machine
|
| Yes you may not leave traces or history on the machine, but
| cookies can be correlated to other activity. For example,
| when logged into a Google account, if the site uses Google
| Analytics and you are logged into Google, then Google can
| build a profile of you and target ads at you based on your
| activity.
|
| Also: Browsing artifacts may be left on a machine anyway due
| to swap (on Linux) or Windows' memory paging file. This is
| why I advocate for using something like TailsOS[0] if you
| don't want to leave a trace and be as anonymous as possible.
|
| Yes, TailsOS is a lot of overhead for most people, but worth
| it if you want your privacy real bad.
|
| [0] https://tails.boum.org/
| cookiengineer wrote:
| Remember the discussion about Manifest V3, eliminating webRequest
| API [1] which results in Adblockers being thrown out of the
| Chrome ecosystem?
|
| Guess what the state is, now, 1 year later ... the
| declarativeWebRequest API is still on hold; and it's not
| supported outside of Beta Channel, and there are no plans to move
| it to stable. [2] Its documentation still states the same as it
| did half a year ago:
|
| "Note: this API is currently on hold, without concrete plans to
| move to stable. Use the chrome.declarativeWebRequest API to
| intercept, block, or modify requests in-flight."
|
| ... which effectively means that there's no way to block or
| modify request/response headers in Manifest V3, which is
| essential for Adblockers because they tend to override the
| Content-Security-Policy and remove headers like "Cookie" or
| "Set-Cookie" etc.
|
| And now we have the Chrome Web Store moving ahead with the
| Manifest V3 rollout. [3]
|
| [1]
| https://developer.chrome.com/docs/extensions/reference/webRe...
|
| [2]
| https://developer.chrome.com/docs/extensions/reference/decla...
|
| [3] https://blog.chromium.org/2020/12/manifest-v3-now-available-...
| lima wrote:
| > _Remember the discussion about Manifest V3, eliminating
| webRequest API [1] which results in Adblockers being thrown out
| of the Chrome ecosystem?_
|
| The whole point of declarativeNetRequest is to make it safer
| and faster to use adblockers. The tradeoff is fewer rules and
| less expressivity. As someone who couldn't live without an
| adblocker, I appreciate it and look forward to it because it
| removes a massive security risk (imagine the carnage if one of
| the major adblocker extensions gets compromised).
|
| Your citations do not support the claim that "_It's only a
| matter of months before Adblockers won't work anymore._".
|
| There's plenty of reasons to not like Chrome, but this is not a
| justification for spreading FUD.
|
| In fact, the very blog post you cite states that " _There is
| not an exact date for removing support for Manifest V2
| extensions_ " and has a quote from the Adblock Plus team,
| praising the collaboration with Chromium.
| tristan957 wrote:
| Ahh yes, please go on and defend a billion-dollar company who
| has no reason to continue letting ad-blockers exist. If you
| are for taking away APIs that uBlock Origin needs to operate,
| you are on the wrong side of history and should re-evaluate
| your position. The lead dev of uBlock Origin can be trusted
| so much more than Google. You are the one spreading FUD here
| by claiming that the new API is so much better than the old
| one.
|
| Chrome is a shitty browser. Google is a shitty company. Stop
| defending shit.
| lima wrote:
| > _Chrome is a shitty browser. Google is a shitty company.
| Stop defending shit._
|
| > _You are the one spreading FUD here by claiming that the
| new API is so much better than the old one._
|
| This kind of language is not welcome here. Please have a
| look at the guidelines:
| https://news.ycombinator.com/newsguidelines.html
|
| I read the design documents and I'm convinced that the new
| API is a big improvement, and that the design decision was
| made in good faith and for technical, not political
| reasons.
|
| The uBlock Origin developer is very trustworthy, but
| there's so many things that can go wrong - like a
| workstation, repository, signing key or account compromise.
|
| It's a massive single point of failure. Anyone who can
| sneak malicious code into the extension has instant and
| unlimited access to millions of browsers and sensitive
| personal and company data.
|
| A project like Chrome has extensive processes and
| safeguards to prevent this kind of compromise, including
| strict code review. As far as I can tell, uBlock has no
| code review process[1]. We need to move away from such
| points of failure no matter how well-intentioned they are.
|
| [1]: https://github.com/gorhill/uBlock/commits/master
|
| The webRequest API also forces a lot of IPC overhead and
| serialization in the runtime, no matter how fast the
| extension itself is. uBlock is very, very fast - but it's
| still a lot slower than native code in the core.
|
| I'm _not_ against adblocking or in favor of stripping away
| adblocker features, but why not implement it right in the
| core of the browser, where it belongs? Chrome is open
| source, if Google doesn't want to do it, another vendor or
| open source project most certainly could.
| cookiengineer wrote:
| > Your citations do not support the claim that "It's only a
| matter of months before Adblockers won't work anymore.".
|
| Yes, I agree. I removed that part of my statement.
|
| Still, the declarativeWebRequest API does not allow filtering
| out tracking-related headers from incoming responses or sent
| requests.
|
| I mean, you cannot declare the rules via the RequestMatcher
| and know what headers are going to be sent or received in
| advance, as the API expects full declaration of all protocol
| schemes and host suffixes; which is very bad if a website can
| pretty much do whatever it wants when it executes js code.
|
| > In fact, the very blog post you cite states that "There is
| not an exact date for removing support for Manifest V2
| extensions" and has a quote from the Adblock Plus team,
| praising the collaboration with Chromium.
|
| You know that eyeo GmbH were the ones with the "Acceptable
| Ads" initiative that are literally forcing websites to pay
| them money so that their ads continue to work, right?
| Personally, I would take their comment with a grain of salt.
|
| For their whitelisting-ads use case the API works; for the
| use case of uBlock Origin et al - it doesn't.
| lima wrote:
| > _I mean, you cannot declare the rules via the
| RequestMatcher and know what headers are going to be sent
| or received in advance, as the API expects full declaration
| of all protocol schemes and host suffixes; which is very
| bad if a website can pretty much do whatever it wants when
| it executes js code._
|
| Yes, but this is a good thing. This kind of intrusive logic
| with full access to view and modify request data does not
| belong in a Chrome extension that can be updated by a
| single account at a moment's notice through the store, with
| zero peer review (unlike changes to Chrome itself).
|
| This is much safer to implement in the browser core. If the
| declarativeNetRequest API is insufficiently expressive,
| then it needs to be improved to handle those use cases
| instead of sticking with the old way.
| cookiengineer wrote:
| > If the declarativeNetRequest API is insufficiently
| expressive, then it needs to be improved to handle those
| use cases instead of sticking with the old way.
|
| You're welcome to prove me wrong by implementing an Ad-
| Blocker that can override Content-Security-Policy by
| default; and incrementally allow to execute things.
|
| As Google continues the Manifest V3 rollout, their
| priorities seem to be not on that specific degradation of
| this featureset; and that was all I'm saying.
|
| I've been working on my own Extension for the last week
| [1], and I had to switch back to Manifest V2 because
| there was no way to create an Adblocker that's based on a
| concept that allows the user to select what should be
| executed; as the Content-Security-Policy header couldn't
| be set and malicious HTTP headers couldn't be filtered
| for all domains by default.
|
| You claim that the new API is a full replacement of the
| featureset, so rather than saying that I'd welcome a hint
| to some examples or other evidence I'm probably missing
| here.
|
| [1] https://github.com/tholian-network/stealthify
___________________________________________________________________
(page generated 2021-01-08 23:02 UTC)