Analysis Google on Wednesday defended its pending work-in-progress updates to Chrome that will change the way extensions filter out web adverts and other content.
The US tech titan insisted that its still-hazy browser extension API revision, known as Manifest v3, won't kill ad blockers, and that it will make them safer... albeit without offering any evidence that ad-blocking extensions specifically represent a threat.
Instead, Google's extension team makes a more general claim that one aspect of a powerful API in particular, the content filtering capability of webRequest, poses potential security and privacy problems. This interface is used by blockers to inspect requests for page content so they can kill off any unwanted stuff in real-time.
However, it is proposed that this API will in future be off-limits to extensions for the likes of you and me, to prevent plugins from turning against their users to spy on them or tamper with page data.
Yet Google will allow this capability to stand for enterprise-managed extensions "because of the deep integrations that enterprises may have between their software suites and Chrome."
Google fails to explain why enterprise administrators using Chrome can be trusted to make their own security decisions but ordinary folks using Chrome cannot.
In not one but two blog posts, Devlin Cronin, of the Chrome Extensions team, and Simeon Vincent, developer advocate for Chrome Extensions, pushed back against press reports – which El Reg may have had something to do with – that Manifest v3 as initially proposed would significantly hamper content-blocking extensions among others.
"There’s been a lot of confusion and misconception around both the motivations and implications of this change, including speculation that these changes were designed to prevent or weaken ad blockers," wrote Vincent. "This is absolutely not the goal. In fact, this change is meant to give developers a way to create safer and more performant ad blockers."
The safety argument has some merit, more at least than the performance claim, which was disputed in a February study and dismissed by Raymond Hill, developer of uBlock Origin, in January: "Issues of performance and privacy lie with web sites, not uBO – so I don't feel concerned with the issues of privacy and efficiency being put forth as advantages of using
declarativeNetRequest is the intended replacement for
The primary source of friction has been proposed changes to the webRequest API, changes that will steer extensions onto the more limited and safer declarativeNetRequest and away from webRequest. Certainly, the power of webRequest can be abused, and Vincent claims it has been. "Since January 2018," he said, "42 per cent of malicious extensions use the Web Request API."
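To make the difference between the two designs concrete, here is an added illustration, not code from the original article or from Chrome: a toy browser model in JavaScript showing which code gets to see request URLs under each approach. The `ToyBrowser` class, the sample URLs and the substring-only `urlFilter` matching are assumptions made for the example; the rule shape loosely follows declarativeNetRequest.

```javascript
// Toy model (assumption, not Chrome's implementation) of the two designs.
class ToyBrowser {
  constructor() {
    this.listeners = []; // webRequest-style: extension callbacks run per request
    this.rules = [];     // declarativeNetRequest-style: rules are plain data
  }
  addBlockingListener(fn) { this.listeners.push(fn); }
  addRules(rules) { this.rules.push(...rules); }
  request(url) {
    // Imperative path: every listener receives the full request URL.
    for (const fn of this.listeners) {
      const verdict = fn({ url });
      if (verdict && verdict.cancel) return "blocked";
    }
    // Declarative path: browser matches (urlFilter simplified to a substring).
    for (const rule of this.rules) {
      const hit = url.includes(rule.condition.urlFilter);
      if (hit && rule.action.type === "block") return "blocked";
    }
    return "allowed";
  }
}

// Constructed sample traffic.
const SAMPLE_URLS = [
  "https://bank.example/account?id=1234",
  "https://ads.example/banner.js",
  "https://news.example/story",
];

function runImperative(urls) {
  const browser = new ToyBrowser();
  const seen = []; // what the extension's own code got to observe
  browser.addBlockingListener((details) => {
    seen.push(details.url);
    return { cancel: details.url.includes("ads.example") };
  });
  return { verdicts: urls.map((u) => browser.request(u)), seen };
}

function runDeclarative(urls) {
  const browser = new ToyBrowser();
  const seen = []; // stays empty: the extension registers rules and never runs
  browser.addRules([
    { id: 1, action: { type: "block" }, condition: { urlFilter: "ads.example" } },
  ]);
  return { verdicts: urls.map((u) => browser.request(u)), seen };
}
console.log(runImperative(SAMPLE_URLS), runDeclarative(SAMPLE_URLS));
```

Both runs block the same request, but only the imperative listener ends up holding the bank and news URLs, while the declarative extension's code never executes against any request.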
Since Google's stated goal is to make ad blockers safer, The Register asked Google whether any ad blockers have actually abused webRequest. We've not heard back.
It wouldn't be surprising if some did – many extensions that claim to be ad blockers earn revenue from ad whitelisting, and it's difficult to distinguish trustworthy browser add-ons from parasitic ones. But the fact is any extension right now can use webRequest, with the user's permission, and abuse that user's trust.
And that's why it's fair to say extensions in general could be made safer. To its credit, Google is making investments to help with that. As Cronin tells it, "we’ve increased the size of the engineering teams that work on extension abuse by over 300 per cent and the number of reviewers by over 400 per cent."
The result has been an 89 per cent reduction in the rate of malicious extension installations since 2018.
The Chrome Web Store currently blocks about 1,800 malicious extension uploads a month. However, Cronin says the review process can't catch all the abuse, so platform changes and limitations, in the form of Manifest v3, are necessary.
Many Chrome Extension developers welcome tighter security, but they're not thrilled with the way Google has decided to address it.