Analysis Google on Wednesday defended its pending, still-in-progress Chrome changes, which will alter the way extensions filter out web advertising and other content.
The US technology titan insisted that its still murky revision of the browser extension API, known as Manifest v3, does not kill ad blockers and instead makes them safer, but it did so without providing evidence that ad-blocking extensions specifically pose a threat.
Instead, Google's extensions team argues more generally that one aspect of a powerful API, specifically the content filtering capability of webRequest, raises potential security and privacy issues. This interface is used by blockers to examine page content requests so they can remove unwanted content in real time.
So it is proposed that this API be prohibited in future extensions for you and me, to prevent plug-ins from turning against their users to spy on them or manipulate page data.
However, Google will allow this feature for enterprise-managed extensions, "because of the deep integration that companies may have between their software suites and Chrome."
Google cannot explain why corporate administrators who use Chrome are trusted to make their own security decisions, but ordinary users who use Chrome are not.
In two blog posts, Devlin Cronin of the Chrome Extensions team and Simeon Vincent, an advocate for Chrome extensions, rushed to respond to press reports (El Reg perhaps had something to do with that) that Manifest v3, as originally proposed, would significantly hinder content-blocking extensions, among others.
"There was a lot of confusion and misunderstanding about the motivation and impact of this change, including the speculation that these changes were designed to prevent or weaken ad blocking," wrote Vincent. "This is definitely not the goal, and in fact this change should give developers the power to build safer and more powerful ad blockers."
The security argument has some value, at least more than the claimed benefits that were contradicted by a February study and rejected by Raymond Hill, developer of uBlock Origin, in January: "Performance and privacy issues are with websites, not with uBO – so I'm not worried that privacy and efficiency are being highlighted as benefits of use
declarativeNetRequest is the intended replacement for
The main source of friction has been the proposed changes to the webRequest API, changes that steer extensions toward the more limited and secure declarativeNetRequest and away from webRequest. Certainly the power of webRequest can be abused, and Vincent claims it was. "As of January 2018, 42 percent of the malicious extensions use the Web request API."
Since Google's stated goal is to make ad blocking safer, The Register asked Google whether ad blockers had actually abused webRequest. We did not hear back.
It would not be surprising if some did: many extensions claiming to be ad blockers generate revenue from whitelisting ads, and it is difficult to distinguish trustworthy browser add-ons from parasitic ones. But the fact is that right now any extension can use webRequest, with the user's permission, and abuse that user's trust.
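The difference between the two models, as an added example that is not from the original article or from Chrome's code: a toy Node.js model of what extension code gets to observe under each API. The function names, sample URLs and substring matching are assumptions made for illustration; only the rule object shape and the cancel response follow the real extension APIs.

```javascript
// Toy model: what extension code can observe under each API.
// Matching is simplified to substring tests (an assumption); it is NOT
// Chrome's real urlFilter grammar.

// Constructed sample traffic.
const requests = [
  { url: "https://news.example/article?id=7", type: "main_frame" },
  { url: "https://ads.example/banner.js", type: "script" },
  { url: "https://bank.example/account?session=abc123", type: "main_frame" },
];

// webRequest style: the browser hands every request to extension code,
// which returns a decision. The callback sees every URL it is shown.
function runWebRequestModel(reqs, listener) {
  return reqs.map((r) => ({ url: r.url, blocked: listener({ ...r }).cancel === true }));
}

// declarativeNetRequest style: the extension registers rules up front and
// the browser evaluates them; no extension code runs per request.
function runDeclarativeModel(reqs, rules) {
  return reqs.map((r) => {
    const hit = rules
      .filter((rule) => r.url.includes(rule.condition.urlFilter) &&
        (!rule.condition.resourceTypes || rule.condition.resourceTypes.includes(r.type)))
      .sort((a, b) => b.priority - a.priority)[0];
    return { url: r.url, blocked: !!hit && hit.action.type === "block" };
  });
}

// Hypothetical blocker whose listener also keeps every URL it is handed,
// the kind of exposure the security argument is about.
const observed = [];
const recordingBlocker = (details) => {
  observed.push(details.url);
  return { cancel: details.url.includes("ads.example") };
};

// The same blocking policy expressed as a static rule.
const rules = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "ads.example", resourceTypes: ["script", "image"] } },
];

const viaListener = runWebRequestModel(requests, recordingBlocker);
const viaRules = runDeclarativeModel(requests, rules);
console.log({ viaListener, viaRules, observed });
```

Both paths block the same request, but only the listener path leaves the extension holding the full browsing history, including the URL carrying a session parameter.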
And so it is fair to say that extensions could generally be made more secure. Google is investing to support this. According to Cronin, "we have increased the number of engineering teams involved in the abuse of extensions by more than 300 percent and the number of examiners by over 400 percent."
The result is an 89 percent reduction in the number of malicious extension installations since 2018.
The Chrome Web Store currently blocks about 1,800 malicious extension uploads per month. However, according to Cronin, the review process cannot catch all abuse, which requires platform changes and restrictions in the form of Manifest v3.
Many developers of Chrome extensions welcome stricter security measures, but are not enthusiastic about the way Google has decided to implement them.