In less than a year, Chrome will stop supporting Manifest V2 (support runs until June 2023), forcing extension developers to adapt to Manifest V3. The team behind Chrome says the change strengthens security, performance and user privacy. According to extension publishers, however, Manifest V3 prevents ad blockers from doing their job in the browser.
The Electronic Frontier Foundation, a digital rights advocate, protested against its use: “Beware Chrome users: Manifest V3 is misleading and threatening”. “According to Google, Manifest V3 will improve privacy, security and performance. We absolutely disagree. These changes won’t stop malicious extensions, but will slow down innovation, reduce extension capabilities, and hurt real-world performance.”
It should be noted that Mozilla Firefox has also decided to adopt Manifest V3, but with a different approach from that of Chrome.
In November 2019, Google began testing Manifest V3, the programming interface behind Chrome security blueprints. The following code shows supported manifest fields for extensions, with links to the page describing each field.
In November 2020, Google reported that “Manifest V3 represents one of the biggest changes to the extensions platform since its launch a decade ago. Extensions using MV3 will benefit from improvements in security, privacy and performance; they can also use more contemporary Open Web technologies adopted in MV3, such as Service Workers and Promises. Developers can update their extensions today to take advantage of these MV3 features; this will become mandatory as we phase out MV2 in the future”.
Extensions can modify the behavior of Chrome through the capabilities that Manifest v3 exposes. Among other things, Manifest v3 limits the number of “rules” that extensions can apply to a webpage as it loads. Rules are used, for example, to check whether a website element originates from an advertiser’s server and should therefore be blocked. Google announced the changes in 2018.
The reduction in the number of rules has drawn the ire of publishers of extensions like ad blocker uBlock Origin and tracker blocker Ghostery. They said the policy limits would prevent their extensions from running their full lists of actions to filter ads or block tracking. This could allow websites to bypass extensions – and the preferences of people who installed them.
Google has defended its technology and argued that giving extensions too much freedom invites abuse. The company claims to have listened to developers and modified Manifest v3 in response. For example, Google has relaxed the initially proposed rule limit and added a new mechanism to enforce certain rules. Eyeo, the developer of Adblock Plus, one of the widely used extensions, said it was happy with Google’s Manifest V3 approach.
The change brought about by Manifest V3 will extend to all browsers, at the expense of ad blocking software, said Andrey Meshkov, co-founder and chief technology officer of AdGuard, an ad blocking extension.
“The main casualty of Manifest V3 is innovation,” Meshkov said in a statement. It used to be that ad blocker developers explored ideas like using artificial intelligence (AI) technology to improve their products. “It’s not so relevant anymore. Now Chrome, Safari and Edge dictate what can or cannot be blocked and how it should be done.”
The changes that will accompany Manifest V3
Among the planned changes, Google talks about the removal of the webRequest API, which is replaced by another interface named declarativeNetRequest. It introduces a radical change: an extension can no longer monitor all traffic. For security reasons, the new API requires extension designers to declare in advance how a certain type of traffic will be handled.
According to Google, this change from webRequest to declarativeNetRequest will bring a significant improvement in security, since extensions will, by design, have limited rights over what passes between the browser and the website. Other important changes include the impossibility of accessing remote code, again for security reasons, and the replacement of persistent “background pages” by service workers, for significant performance gains.
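To make the difference concrete, here is the same blocking policy written for both models. This is an added example, not code from Google, the EFF or any extension named in this article; the host ads.example and the function names are constructed placeholders.

```javascript
// Added example: one "block the ad host" policy, expressed for MV2 and MV3.
// "ads.example" is a constructed placeholder host.

// Manifest V2: blocking webRequest. The extension's own code runs for every
// matching request and receives its details (URL, type, tab) before deciding.
function mv2Listener(details) {
  const host = new URL(details.url).hostname;
  const blocked = host === "ads.example" || host.endsWith(".ads.example");
  return { cancel: blocked };
}

function registerMv2() {
  // Requires the "webRequest" and "webRequestBlocking" permissions.
  chrome.webRequest.onBeforeRequest.addListener(
    mv2Listener,
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}

// Manifest V3: declarativeNetRequest. The extension declares the rule in
// advance; the browser does the matching and extension code never runs
// per request, so it does not see the traffic it blocks.
const mv3Rules = [
  {
    id: 1,
    priority: 1,
    action: { type: "block" },
    condition: {
      urlFilter: "||ads.example^", // "||" anchors on the domain, "^" is a separator
      resourceTypes: ["script", "image", "xmlhttprequest", "sub_frame"],
    },
  },
];

function registerMv3() {
  // Requires the "declarativeNetRequest" permission. Each rule counts
  // against the per-extension rule limit discussed above.
  return chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: mv3Rules.map((rule) => rule.id),
    addRules: mv3Rules,
  });
}
```

When reviewing an extension, the presence of "webRequestBlocking" in its manifest is what indicates the first model: arbitrary code sitting in the request path.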
Many extension behaviors linked to Manifest V2 will be made optional by V3, with a major benefit: stricter control by the validation locks, and especially by the user who will be able to prohibit certain behaviors.
Manifest V3, Google Chrome’s definitive basket of changes in the world of web browser extensions, was touted by its authors as “a step in the direction of privacy, security, and performance.” But we believe that these changes are a bad operation for users. We’ve said it since the announcement of Manifest V3, and continue to say it because its implementation is now imminent. Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the conflict of interest inherent in having Google control both the dominant web browser and one of the largest advertising networks on the Internet.
Manifest V3, or Mv3 for short, is downright detrimental to privacy efforts. This will limit the capabilities of web extensions, especially those designed to monitor, modify, and calculate alongside your browser’s conversation with the websites you visit. Under the new specs, extensions like these — like some privacy tracking blockers — will have significantly reduced capabilities. Google’s efforts to limit this access are concerning, especially since Google has installed trackers on 75% of the top one million websites.
Mv3 is also unlikely to do much for security. Firefox maintains the largest non-Chromium-based extension marketplace, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the AdBlocker Dev Summit 2020, Firefox’s add-on operations manager said of the extension security review process: “For malicious add-ons, we believe that for Firefox, it has been to a manageable level. Add-ons are mainly interested in entering bad data, they can still do that with the current webRequest API which doesn’t block.” In plain English, this means that when a malicious extension sneaks through the security review process, it’s usually interested in just observing the conversation between your browser and the websites you visit. Malicious activity occurs elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn’t said it will. Instead, their solution is to restrict the capabilities of all extensions.
As for Chrome’s other justification for Mv3 — performance — a 2020 study by researchers at Princeton and the University of Chicago found that privacy extensions, the very ones that will be hampered by Mv3, actually improve browser performance.
Web browser extension development specifications may seem in the weeds, but the broader implications should matter to all internet citizens: it’s another step towards Google defining how we come to live online. Considering Google has been the world’s largest advertising company for years, these new limitations are paternalistic and downright scary.
To give more credence to its words, the EFF shares the reflections of certain entities that espouse its point of view.
But don’t just take our word for it. Here are some thoughts from technologists, privacy advocates, and extension developers who share our concern about Manifest V3:
A web browser is supposed to act on behalf of the user and respect the interests of the user. Unfortunately, Chrome now has a track record as a Google agent, not a user agent. It’s the only major web browser that lacks meaningful privacy protections by default, pushes users to link activity to a Google Account, and implements invasive new advertising features. Google’s latest changes will break Chrome’s privacy extensions, despite academic research showing that no changes are necessary. These user-unfriendly decisions are all directly attributable to Google’s oversight of the business model and made possible by its dominance of the desktop browser market.