Mozilla opens testing for Manifest v3 extensions in Firefox

Browser makers line up for Google's extension system but complaints persist


Mozilla on Wednesday launched a Developer Preview program to solicit feedback on Firefox extensions that implement Manifest v3, a Google-backed revision of browser extension architecture.

Mozilla last year said it intended to support MV3 in Firefox extensions, though with some differences. Its implementation of the WebExtensions API in Firefox has now incorporated enough of MV3 plumbing that developers can set the appropriate browser flags and experiment with MV3 extensions in Firefox v101, now in beta and due for release at the end of May.

Google Chrome is expected to stop supporting extensions created under the old MV2 specification in about a year, June 2023. And given Chrome's share of the browser market – about 64 per cent currently – extension developers will want to have updated their code by then and to have accounted for how MV3 works – or doesn't – in different browsers.

Google engineers conceived of MV3 back in 2018 to address supposed security, privacy, and performance issues arising from the MV2 Chrome extension architecture. Though advocacy groups, makers of privacy extensions, and rival browser vendors have challenged Google's justifications, the MV2 model did have demonstrable security and privacy problems.

So despite objections that MV3 "harms privacy, security, and innovation," the other major browser vendors – Apple, Microsoft, and Mozilla – have said they will support MV3 in some form. The result is likely to be that content blocking and privacy extensions become less capable, though the degree to which that is true, or whether it is at all, won't be known until the MV3 API gels.

Browsers mostly all in, with qualifications

MV3 is being implemented within Chromium, the open source browser code upon which Chrome is based, so other browsers built atop Chromium get Google's interpretation of the new API as part of the package. Microsoft Edge appears to be accepting MV3 as is, while Brave has committed to retaining support for important MV2 features like the blocking WebRequest API – used for observing and analyzing network traffic and intercepting, blocking, or modifying network requests in-flight.

Even Apple, fond of claiming the privacy high-ground over Google, has gotten with the program: MV3 support appeared in Safari 15.4 in March.

The broad browser maker support for MV3 can be attributed in part to the formation last June of a W3C WebExtensions Community Group (WECG). Therein, representatives of browser makers and extension developers have been trying to find common ground and minimize incompatibilities while preserving differences deemed critical for product differentiation.

Rob Wu, senior software engineer at Mozilla, explained in a blog post that Firefox will diverge from Chrome in several ways.

"One of the most controversial changes of Chrome’s MV3 approach is the removal of blocking webRequest, which provides a level of power and flexibility that is critical to enabling advanced privacy and content blocking features," he said. "Unfortunately, that power has also been used to harm users in a variety of ways."

Chrome has chosen to create a replacement API called declarativeNetRequest (DNR) which while safer than the blocking webRequest also lacks the ability to make content blocking decisions on the fly – filters for DNR have to be static, which makes privacy extensions that rely on this API less effective.

uBlock upset

Raymond Hill, creator of content blocking extension uBlock Origin, described how MV3 will make content blockers less able to innovate in a GitHub Issues post last December. He explained how he had implemented a feature in uBlock Origin as a result of discussions with the maintainers of filter lists (which are used in content blocking extensions to decide what to block).

"The DNR API does support domain= option, but it does not support entity, which is the ability to use a wildcard in place of the effective TLD, to avoid listing all domains belonging to an entity," he wrote. "I can count over 420 filters currently in the default filterset [that use] this feature, clearly a benefit to filter list maintainers. These filters would cease to exist in a DNR-based blocker."

The DNR APIs inability to handle a wildcard character means every domain to be blocked must be declared in advance – previously unknown tracking domains would be missed. As Google's DNR documentation puts it, "The webRequest API is more flexible as compared to the declarativeNetRequest API because it allows extensions to evaluate a request programmatically."

Practically speaking that means it's unlikely uBlock Origin will survive in its current form, at least for Chrome, once MV2 support vanishes next year. But that could prompt Chrome users to look for a browser that retains MV2 support – uBlock Origin is a must-have extension for many technically demanding users.

It's difficult, however, to determine what MV3 will ultimately allow because MV3 continues to evolve as a result of the back and forth between Google, other browser makers, and the developer community. The DNR API, for example, has gained limited support for dynamic rules – 5000 presently – that get evaluated at runtime rather than being pre-declared in the manifest file. And Chrome, criticized for failing to block CNAME manipulation, has implemented support for CNAME uncloaking and plans to expose this for extension developers through the DNR API.

If Google ultimately fails to respond to extension developers who want MV3 to be more capable, other vendors appear keen to step in.

Inside Mozilla's MV3 plans

Mozilla intends to keep webRequest for Firefox extensions, just as Brave has said it will do in its customized Chromium-based browser. (Strictly speaking, Google has not removed the blocking version of webRequest but has hidden it so it's only available to forced-install extensions under enterprise versions of Chrome. Once MV2 support ends next June, continuing support for webRequest could become impractical, at least for Chromium browsers, if Google decides to remove the webRequest code.)

"Mozilla will maintain support for blocking webRequest in MV3," said Wu. "To maximize compatibility with other browsers, we will also ship support for declarativeNetRequest. We will continue to work with content blockers and other key consumers of this API to identify current and future alternatives where appropriate. Content blocking is one of the most important use cases for extensions, and we are committed to ensuring that Firefox users have access to the best privacy tools available."

Mozilla also plans to support Event Pages, to handle use cases ill-suited to Background Service Workers, the MV3 replacement for persistent Background Pages, which MV2 extensions use to run code in the background. Event pages, like Service Workers, are designed for an event-driven environment (e.g. button gets pressed, something happens, then code stops) rather than a persistent process that's always running and consuming resources. But crafting extension code for starting and stopping tends to be more complicated than just loading resources and calling on them as needed.

Wu said he hopes Firefox extension developers will give MV3 a spin and that support for MV3 should reach Firefox users by the end of the year.

Extension devs not overjoyed

While the MV3 train has left the station, extension developers continue to be critical of Google for breaking the extension ecosystem.

It wasn't supposed to be that way, according to Google. "Our goal is not to break extensions," wrote Devlin Cronin, a software engineer on the Chrome team in 2019, in response to a bug report filed about the webRequest API. "We are working with extension developers to strive to keep this breakage to a minimum, while still advancing the platform to enhance security, privacy, and performance for all users."

Yet among those participating in Google's Chrome extensions forum, there's no shortage of complaints about broken code. Last month, a developer pointed out how badly Cronin's statement had aged.

"That statement is completely rotten by now," the developer wrote. "MV3 is a massive breakage to the point that ALL extensions require significant modifications in order to work under MV3. But worse, a significant percentage of them require major re-engineering."

"It's also clear by now, that the Extensions Team has been lying all along about the true reason for this massive breakage," the forum participant continued.

"What they are actually going after is an extensions platform that can work under Android, which forces lifetime constraints on all processes. This is why they removed the background page; they cannot guarantee under Android that the background page is persistent."

"So, their solution is simple, they want to force everybody to adopt the lifetime constraints of Android, even for extensions that don't make sense to be used in a mobile OS." ®


Other stories you might like

  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022