Firefox and Chrome go beyond ad blocking extensions

There is a growing division over how much space browsers should provide for ad blocking – and Chrome and Firefox have ended up on opposite sides of the battle.

The breach centers on a feature called Web Request, often used in ad blockers and essential to any system that appears to be blocking a domain wholesaler. Google has long had security concerns about Web Request and has been working to cut it out of the latest expansion standard, called Manifest V3, or MV3 for short. But in a recent blog post, Mozilla made it clear that Firefox will maintain support for Web Request, keeping the door open for the most sophisticated forms of ad blocking.

Google’s strategy has been heavily criticized by privacy advocates – the Electronic Frontier Foundation has been a vocal opponent – but the search engine has not been affected. Although Firefox has a far smaller share of the desktop market than Chrome, there may be a chance for Mozilla’s product to truly define itself. For Google, however, sticking to MV3 will have a huge impact on the overall role of ad blocking on the modern web.

Understanding Manifesto V3

The changes to Manifest V3 are part of a planned overhaul of the Chrome browser extension manifest file specification, which defines the permissions, properties, and system resources that any extension can use.

Under the current active specification – Manifest V2 – browser extensions can use an API feature called Web Request to observe traffic between the browser and a website and to modify or block requests to certain domains. The example Google gives developers shows an extension script that will block the browser from sending traffic to “evil.com”:

The Web Request feature is powerful and flexible, and can be used for both good and bad purposes. Ad blocking extensions use the feature to block incoming and outgoing traffic between specific domains and a user’s browser. In particular, it blocks the domains that will load ads and stop information from being sent from the browser to one of the thousands of tracking domains that collect data about Internet users. But the same feature can be used maliciously to hijack users’ login information or place additional ads on web pages, which has been Google’s rationale for changing how it works in Manifest V3.

Under the new specification, the blocking version of the Web Request API has been removed and replaced with an API called Declarative Net Request. Instead of monitoring all data in a network request, the new API forces extension manufacturers to specify rules in advance on how certain types of traffic should be handled, with the extension able to perform a narrower set of actions when a rule is triggered. For some extensions, this will apparently not be a problem: Adblock Plus, one of the most popular ad blockers, has gone out in favor of the MV3 changes – although it’s worth noting that the extension has a financial relationship with Google. Others, however, may be more severely affected.

Google has presented the changes as a benefit to privacy, security and performance, but critics see it as a calculated effort to limit the impact of ad blocking on a company that is almost exclusively funded by ads. (In its SEC records, Google consistently cites “new and existing technologies that block online ads” as a risk factor that could affect revenue.)

But the creators of some ad blocking and privacy extensions have said the change will undermine the effectiveness of their products. Jean-Paul Schmetz, CEO of the Ghostery privacy-focused browser extension, specifically targeted Google’s introduction of the MV3 standard in light of the company’s recent privacy statements:

“While Google is pushing a ‘privacy by design’ message on the surface, it still claims a monopoly over the entire ecosystem by stifling digital privacy companies that are already working to give users back control of their data,” Schmetz said. The Verge by e-mail.

The Ghostery extension is a great example of a product that will be severely affected by Google’s changes. In addition to blocking ad content, the extension analyzes communications between a site and a user’s browser to look for data that may inadvertently identify a unique visitor to the site and replaces it with generic data before network traffic leaves the browser. Doing this requires the ability to modify network traffic on the go and as such will be severely limited by the MV3 restrictions, the developers say.

Ad blocking developers are also concerned because the effects of these changes will extend far beyond the Chrome browser. The MV3 specification is part of the Chromium project, an open source browser created by Google that forms the basis of not only Chrome but also Microsoft Edge, the privacy-focused Brave, the lightweight Opera and many others. Since Chromium supports these projects, browsers that rely on it will also have to migrate to the MV3 extension format, and extensions for these browsers will then no longer be able to block advertising using Web Request.

Mozilla pushes back

As the primary developer of Chromium, Google exercises a tremendous amount of power over what browser extensions can and cannot do. This distinguishes non-Chromium-based browsers – especially Firefox and Safari – because they have a chance to take a different approach to extension design and are now in a position to stand out with a more permissive approach to ad blocking.

For compatibility reasons, Mozilla will continue to use most of the Manifest V3 specification in Firefox, so that extensions can be transferred from Chrome with minimal changes. But, crucially, Firefox will continue to support blocking through Web Request after Google phases out, so that the most sophisticated anti-tracking ad blockers can function normally.

By justifying this decision, Mozilla has been clear in recognizing that privacy is a core value for people who use their products, as Security Chief Marshall Erwin said. The Verge.

“We know that content blocking is important for Firefox users and we want to make sure they have access to the best available privacy tools,” said Erwin. “In Firefox, we block tracking by default, but still allow ads to load in the browser. If users want to take the extra step to block ads completely, we think it’s important to let them do so.”

Regarding Google’s claims about the security benefits of the MV3 changes, Erwin said that immediate security gains from preventing web request blocking were “not obvious” – especially since other non-blocking features in the web request had been retained – and did not appear to be significant. reductions in the probability of data leakage.

In any case, it seems that Google is holding its course. Despite the flow of criticism from ad blocking developers, Google spokesman Scott Westover said The Verge that the company supported blocking and only intended to limit the type of data certain extensions could collect.

“We are pleased to see that Mozilla supports Manifesto V3, which is intended to make extensions safer for everyone,” said Westover. “Chrome supports and will continue to support ad blockers. We change how network request blocking works because we make fundamental changes to how extensions work to improve the security and privacy of our extension platform.”

Google has heard positive feedback about the changes from many developers of content blocking extensions, Westover said, pointing out The Verge to the praise of the creators of Adblock Plus.

Firefox’s attitude toward ad blocking may encourage more users to switch to the browser, which is currently estimated to make up less than 8 percent of the computer browser market compared to Chrome’s 67 percent. As soon as Manifest V2 support ends in June 2023, changes in functionality will become clearer to users of any Chromium-based browser. Until then, Mozilla will patiently argue for privacy, even if you sometimes have to look for it deep in a specialist blog.