This article is more than 1 year old

If my calculations are correct, when Google Chrome hits version 88, you're gonna see some serious... security

Manifest v3 plus JavaScript timer throttling, vuln fixes, FTP killed off, etc

Google on Tuesday announced the stable channel release of Chrome 88, which includes support for an extension platform revision known as Manifest v3.

Manifest v3 was announced in October, 2018, as part of a broad effort to overhaul the security of various Google products and services. The term refers to the manifest.json file, one of several files in a Chrome extension, through which the developer declares the APIs and permissions necessary for the extension to function.

Version 3 redefines the scope and capabilities of the APIs available to those creating extensions for Google's Chrome web browser.

"Manifest v3 is a new extension platform that makes Chrome extensions more secure, performant, and privacy respecting, by default," said Chrome developer advocate Pete LePage in a blog post. "For example, it disallows remotely hosted code, which helps Chrome Web Store reviewers better understand what risks an extension poses."

A scary monster

Why are fervid Googlers making ad-blocker-breaking changes to Chrome? Because they created a monster – and are fighting to secure it

READ MORE

There's little doubt Chrome extensions will benefit from better security, something that has been inadequate since the creation of the Chrome Web Store in 2010, then known as the Google Chrome Extensions Gallery. And the privacy improvements, such as more extensive disclosure requirements, are real. However, Google's claims about the performance benefit of Manifest v3 have been disputed.

Regardless, the platform adjustment comes at a cost: extensions developers will have less power to shape the browsing experience and users will have less capable tools. For example, the declarativeNetRequest API, introduced in Manifest v3 as replacement for the blocking version of the webRequest API – used to intercept and modify network requests – is considered to be less effective for content blocking than its predecessor.

Other capabilities, like background pages – through which extensions could run background processes – have been replaced with a more modern alternative called service workers that nonetheless lacks past capabilities and can only operate for 30 seconds.

Time to get coding

Chrome 88 adds several other features of interest to web developers. It implements a CSS property called aspect-ratio, which lets developers define an aspect ratio for page elements and assets rather than relying on automatic calculation from width or height parameters.

It also will throttle JavaScript timers as a way to curtail CPU usage and battery consumption on mobile devices.

Someone waving a red flag as a warning

What happens when a Chrome extension with 2m+ users changes hands, raises red flags, doesn't document updates? Let's find out

READ MORE

Google is doing so because it turns out websites use JavaScript timers for a variety of advertising and analytics functions, devouring mobile device battery life as a result. According to research conducted by the Chromium team, "At the median, throttling Javascript timers aggressively extends the battery life by almost 2 hours (28 per cent) for a user with many background tabs, when the foreground tab is about:blank." The Chromium team determined these processes are "often not valuable to the user when the page was backgrounded," so they're dialing them down.

Chrome 88 also introduces the ability to use Google Play Billing in Trusted Web Activity, a means for presenting web app content in Android apps. This will allow Progressive Web Apps opened from within an Android app to conduct Google Play digital transactions.

In addition, Chrome 88 adds: support for an Abort Signal in the addEventListener method, so listeners can be cancelled more easily; implements the ability to disable mouse acceleration in its Pointer Lock API, which is useful particularly for gaming; and alters the behavior of anchor tags with the target="_blank" attribute imply rel="no-opener" by default – an attribute that defends against tab-hijacking attacks.

Google hasn't specified when Manifest v2 support will be dropped but that will probably happen within a year or two. That means content-blocking extensions relying on v2 of the specification will, for now, still continue to work. If you use a filter, like uBlock Origin, that uses v2, it should be fine on version 88.

The Chrome 88 update also brings 36 security fixes, finally disabled FTP and Adobe Flash support for good after teasing it for so long, and blocks HTTP downloads of certain executable, media, and archive file types.

In an email to The Register, Jeff Johnson, who runs app development biz Lapcat Software, said he wasn't much concerned about Manifest v3 because he decided to leave the Chrome Web Store after Google deprecated Chrome Web Store Payments.

Asked whether he shared the view voiced by other extension developers that Google showed little interest in making the Chrome Web Store a viable platform for software businesses, Johnson said he felt the same way.

"Google didn't do anything to promote paid extensions," he said. "My revenue in the Chrome Web Store was never very high, and when Google deprecated their payment system, it simply wasn't worth it to me to implement my own system."

"In general it feels like Google used extensions as an asset in order to achieve browser market dominance, but once they achieved browser market dominance they no longer needed extensions, and started treating them as a liability rather than an asset," he said. ®

More about

TIP US OFF

Send us news


Other stories you might like