With the next version of Chrome, Google is moving ahead with a plan to improve privacy and security by reining in some abilities of extensions used to customize the browser. The move had angered some developers who expected earlier it would cripple ad blockers.
Manifest v3, the programming interface behind Google’s security plans, will arrive with Chrome 88 in mid-January, Google said Wednesday at the Chrome Dev Summit. Extensions using the earlier Manifest v2 will still work for at least a year.
Extensions can change Chrome’s behavior through abilities that Manifest v3 exposes. Among other things, Manifest v3 limits the number of “rules” that extensions may apply to a web page as it loads. Rules are used, for example, to check if a website element comes from an advertiser’s server and should therefore be blocked. Google announced the changes two years ago.
Reducing the number of rules allowed angered creators of extensions like the uBlock Origin ad blocker and the Ghostery tracking blocker. They said the rules limits will stop their extensions from running their full lists of actions to screen ads or block tracking. That could let websites bypass extensions — and the preferences of people who installed them.
Google has defended its technology and argues that granting extensions too much freedom invites abuse. The search giant says it’s listened to developers and modified Manifest v3 in response. For example, it loosened the originally proposed rule limit and added a new mechanism for applying some rules. Eyeo, the developer of one of the widely used Adblock Plus extension, said Tuesday it’s content with Google’s Manifest V3 approach.
The changes underscore how difficult it can be for Google to balance giving developers powerful tools and the need to thwart abuse. The balance is particularly difficult to strike given that Chrome is one of the tech industry’s biggest platforms. More than a billion people use the browser, Google has said, and it accounts for about 64% of web usage, according to analytics firm StatCounter.
“We believe extensions must be trustworthy by default, which is why we’ve spent this year making extensions safer for everyone,” Google said in a blog post.
AdGuard, Ghostery unhappy with Manifest V3
The shift brought on by Manifest V3 will spread to all browsers, to the detriment of ad blocking software, predicted Andrey Meshkov, co-founder and chief technology officer of AdGuard, an ad-blocking extension.
“The main victim of Manifest V3 is innovation,” Meshkov said in a statement Wednesday. Previously, ad blocker developers were exploring ideas like using artificial intelligence (AI) technology to improve their products. “This is not that relevant anymore. Now Chrome, Safari and Edge dictate what can or cannot be blocked and how it should be done.”
Ghostery is working to update its extension for Manifest V3 but would rather spend its time on “real privacy innovations,” President Jeremy Tillman said in a statement Wednesday. “We still have real misgivings that these changes have more to do with Google protecting its bottom line than it does with improving security for Chrome users.”
Google has incorporated feedback from ad blocker developers AdGuard and EasyList, the company said, and Meshkov credited the Chrome extensions team for being “eager to improve it.”
“One of our goals is to make it as easy as possible for developers to achieve their core use cases while needing less access to user data,” Google said in a statement.
The security risks of extensions are real. Google blocks more than 1,800 malicious extension uploads each month, it said in 2019.
uBlock Origin developers didn’t respond to a request for comment.
Microsoft Edge getting Manifest v3
The importance of the Chrome team’s choices are magnified by the fact that other browsers, including Microsoft Edge, Vivaldi, Opera and Brave, are built on its Chromium open-source foundation. Microsoft said it will embrace Manifest v3, too.
“After an extensive review of the concerns raised by content blockers and the community, we believe that a majority of those concerns have been resolved or will be resolved,” Microsoft said in an October blog post. “We recognize the value of content blocking extensions and appreciate the role they play in honoring user’s choice.”
Another Manifest v3 change is that extensions no longer may update their abilities by downloading code from third-party sites. The entire extension now must be distributed through the Chrome Web Store, a measure Google says improves security screens and speeds reviews.
Manifest v3 should eventually give Chrome users a better idea how extensions use their data and provide more control over how that happens, Google said.