Hacker News new | past | comments | ask | show | jobs | submit login
Chrome Users Beware: Manifest V3 Is Deceitful and Threatening (2021) (eff.org)
441 points by tambourine_man on Nov 17, 2023 | hide | past | favorite | 202 comments



I don't mean to be a google apologist, but the changes basically align with Apple's browser/content APIs that they introduced in like 2016. Web extensions are a massive privacy and security hole that users unwittingly opt themselves into. I mean, the articles explains how dangerous extensions are:

> Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions—especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit.

Yes. Exactly! That's the point - it restricts the ability for extensions to monitor, snoop, and steal content from every website you browse.


> but the changes basically align with Apple's browser/content APIs that they introduced in like 2016

This, but Apple's changes are just as bad and should be used as evidence of how this kind of restriction can go wrong, not how it can go right.

Adblocking capabilities on Safari are unarguably weaker than they are on Chrome and Firefox. People will occasionally get upset at me when I say this, but it's really not debatable, there is a reason why uBlock Origin is not on Safari. There is a reason why the best adblocking apps for Safari run as desktop applications and then communicate with an extension.

Safari has a ton of other great privacy features, but adblocking is not one of them. So when we talk about how Manifest V3 is going to harm adblockers, we have good reason to make that claim -- we can look at Safari and see how it played out when Safari did the same thing.

> That's the point - it restricts the ability for extensions to monitor, snoop, and steal content from every website you browse.

Most of the changes in Manifest V3 are actually pretty good, especially changes around the permission models. Active click is great, the optional permissions improvements are good.

I understand why people are phrasing this as "Manifest V3" because you need a name for it, but I hope it's not lost in this conversation that Firefox is also moving forward with its own implementation of Manifest V3 and it has the vast majority of the privacy improvements and almost none of the downsides.

Getting rid of blocking request handlers doesn't really improve privacy. Active tab permissions and optional runtime permissions improve privacy. When people talk about Manifest V3 being bad, what they usually mean is the extra restrictions Google has imposed on top of the privacy stuff; restrictions that do very little if anything to improve privacy (seriously, it is still trivial to spy on users using Chrome's Manifest V3 across all sites) but that cripple adblockers.

It's possible to get the privacy improvements without the downsides.


> There is a reason why the best adblocking apps for Safari run as desktop applications and then communicate with an extension.

This is the only supported model for web extensions under Safari. There are no pure JavaScript distributions, they must be in an app.


I'm not just talking about distribution (although you are correct to bring up that restriction, because it's also a kind of wild idea for extension security) -- I'm talking about just how much logic is fully moved outside of Safari.

Adguard was (I haven't checked in a while, maybe it still is) one of the more popular Safari content blockers for Mac, and it shipped with an Electron app -- and one that had to actually be running with a tray icon and everything at the same time as the browser.

This is not a model that any other browser maker should be trying to copy. I feel like if we're looking at browser adblockers and they're setting up system trays and system-level proxies just so they can do basic stuff like HTML rewriting, then that's not something the browser maker should be proud of. Congrats, people can't spy on your browser's web-traffic anymore, instead they have to MITM their entire computer.

It's possible to make something so restrictive that the end result is that people are actually less secure, because they're forced to compromise security at much lower levels in order to get that basic functionality back. Safari's current extension ecosystem is a great example of that.


> Yes. Exactly! That's the point - it restricts the ability for extensions to monitor, snoop, and steal content from every website you browse.

Does it though? The webRequest API still exists in MV3, but as read-only. So if you're interested in snooping everything you still can.

> That’s because Manifest V3 doesn’t change the observational APIs available to extensions. (For extension developers, that means Manifest V3 isn’t changing the observational parts of chrome.webRequest.) In other words, Manifest V3 will still allow extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit.[1]

[1] https://www.eff.org/deeplinks/2019/07/googles-plans-chrome-e...


With Manifest v3, you can get adblocking without having to trust your adblocker extension, like on Safari. That's a significant benefit.

You can still opt into having your data stolen, but now it's no longer a requirement for adblocking.


Or, you could use Firefox and you could have both APIs available to you and you could choose whether you wanted strong adblocking or fewer extension permissions.

Manifest V3 doesn't get rid of the permissions that allow an extension to spy on you.

Yes, you can choose not to install extensions that use those permissions (although the current webextension permissions system is chock-full of holes and Manifest V3 still has many of those holes). But you can already make that choice. You can go to Firefox and install Ublock Origin Lite right now today if you want to make that choice: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...

It's available on both Chrome and Firefox and you can install it and only grant it the blocking permission and nothing else.

Removing the blocking web request API in Manifest V3 does nothing to improve security. It doesn't offer you new choices, it just removes your choice to use a more powerful adblocker if you need one.


> Manifest V3 doesn't get rid of the permissions that allow an extension to spy on you.

Yes, but extensions have to go through review to be in supported channels, and review will absolutely look at over-entitlement of submitted extensions.


> Yes, but extensions have to go through review to be in supported channels, and review will absolutely look at over-entitlement of submitted extensions.

Okay, then Google can use that same review process for apps that request access to the blocking API. If you've decided to trust the review process to ferret out unneeded permissions, then copying Firefox's model and having a `blocking` permission should be fine.

Either way, removing blocking webRequests isn't improving anyone's privacy. The same review process is required that would have been required before, and the same kind of spying is possible when that review process fails.


I trust gorhill a lot more than I trust Apple or Google!


Except then, like safari, the size of your blocklist is limited by what the browser allows. Manifest V3 versions of extensions like uBlock Origin will be less effective at blocking ads and trackers.


What if you trust your extensions more than the websites you visit? You will have a few extensions and hundreds or thousands of websites.


It's very difficult for users to make these decisions in an informed way, for either websites or extensions. The browser highly distrusts websites by default and doesn't give users many options to change that. Plus most people have some notion of how trustworthy 'the internet' is and act accordingly.

This isn't the case for extensions and I think it's become clear over the years it can't be fixed with various trust knobs so they're left with fiddling with the capabilities/trying to fix the overly permissive design.


The call is coming from inside the house, though. The problem here is largely one of perverse incentives. The fact that Microsoft and Google both offer web browsers AND benefit from spying on people USING web browsers means that I automatically distrust 100% of whatever they're trying to do with browsers and/or web standards.

I feel like the real solution here is simply to pop up a big scary warning whenever you try to install an extension that says: "Hey, this extension will be able to read and/or modify your internet traffic. It could steal your bank account information. Are you really sure you trust the developer of this thing that much?".

Or, you could make two tiers of extensions, where one tier is the "harmless" tier that can't actually do anything with requests and responses or modify the DOM, and the other is the "advanced" tier that displays the big scary warning above.

But, honestly, that should be about it. There are a few things we need to remember for some context, IMO:

* 99% (made up number) of web users don't install extensions, anyway. This is more true the less savvy the person is. * A web browser isn't going to stop the user from downloading virus.exe or from installing SpyBrowserMaxx.app on their computers, so how much effort is really reasonable to try to prevent users from installing bad extensions? * Hindering good extensions, like uBlockOrigin, actively HARMS the privacy and security of browser users.

Let's not be tricked into giving up our own ability to fight against tracking and spying for the mythical Grandma who installs browser extensions from sketchy side-channels (is that even possible anymore in either Chrome or Firefox?).


The old "but think of the old people argument" used to remove our ownership of our devices and freedom to do what we want.

Either it is my device that I own and I can make decisions for or it isn't, and if it doesn't belong to me then who does it belong to?


Inter-networked connectivity made this style ownership model untenable though since the 90s - the amount of harm an application can do now that it can receive remote instructions and siphon off data has increased.

Hence software publication tied to real-world identity, sandboxing to reduce access to local sensitive data, entitlements to enumerate needs for local capabilities and a review process both to restrict unnecessary entitlements and put additional non-technically-enforceable restrictions on software.

Maybe if GDPR-like regulations were not laxly enforced or non-existent, the platforms would need to do less policing themselves.


This is extremely patronizing to users.


'users' is an extremely broad category. I don't think there's a one size fits all solution. There's probably some hundred million users who can, on average, make good decisions about extensions. There's also hundreds of millions of users who are children or are otherwise unable to make good decisions about extensions. Google, corporations in general, will force a 1 size fits all solution even when it doesn't, because it is cheaper/more profitable.


It is not a user’s expectation of responsibility - they aren’t going to track that an extension’s automatic update turned it from a coupon clipper to a surveillance engine. If we make this the user’s responsibility, there would be immense harm.


Maybe then auto-updating is the problem here. Why can't users have the agency to decide if they want to update or not? I know Microsoft/Google for one spearheaded the whole It's For Your Own Good movement, but opting out should at least be an option...


How am I supposed to understand whether extensions are stealing my data?

I've made browser extensions and I find it difficult to make an informed decision!


Even more, what if you trust uBO more than Google Chrome?


I do, that’s why I use firefox.


Browsers are massive privacy and security holes that users opt themselves into. My browser, with manifest v2 web extensions installed, is arguably more private and secure than your browser without them.


Apologies for the late reply but let's assume we take what you say on face value, there is still a laundry list of limitations that the developer of uBlock Origin have outlined two years ago that the developers of MV3 have flat out refused to address - abritrary limits in terms of the number of filters, talking about regressions, Google flat out refusing to provide extensions for Chrome for Android not to mention when you try the MV3 version of the ad blockers they're a pale shadow of their former self - uBlock Origin Lite block ads but pop up windows still appear but with the message that it has been blocked (telling me after the window open kind of defeats the purpose of it in the first place), then I tried AdGuard which lets through huge numbers of ads etc. basically it is a crippled experience and the only one who benefits is Google's ad division.


The changes are great. I want those restrictions applied to 99% of all extensions. It's just that uBlock Origin is so important and trusted it should be an exception.


You could have a robust permissions models that disallows it by default, but Google would never want that.


It is at most as dangerous, probably less, as any other software I install on my computer. Why should I be allowed to install arbitrary PC software but not extensions?


Guess what they're going to come for next?

Tangentially, I remember how utterly disgusted I was when I first started seeing people on Reddit chastising others for rooting their Android phones. They'd keep saying that it's a "security risk" for me to have root... on MY device. I can feel my blood pressure rising just from typing that...


Why should I be allowed to install arbitrary PC software but not extensions?

Well, we know Apple's answer to that...


But it also restricts everyone's ability to write and use extensions that give better privacy on the internet.

The existence of malicious extensions is worth having that ability.


Awesome! So I can turn that off if I'm confident about a particular extension, right?

No? OK so it's just another land grab taking more from users and giving it to Google. The enshitification continues, and apparently we should thank Google for the privilege.


The end game for ad blocking is a neural network inspecting the final rendered webpage frame before it's displayed to the user and painting over it to cover the ads.


Web integrity DRM will make sure the ads are actually delivered to your display device. You may need to have this NN ad blocker in your smart glasses and paint over the ads there.


The user will refuse to use such a device. Just like Chrome can't block ad-blockers despite massive financial incentives, because there would be massive user uproar.

Your average user doesn't try to copy movies, which is why DRM is accepted in Netflix.


We are already there with Android, almost. Can't root it or my bank and work apps stop working. My bank's app once warned me of some app installed on my device which can be "harmful". Won't take long before they deny me access until I uninstall the "harmful" apps.


Nobody I know wants to root their phone. Me neither.

Again, same market pressure, a useful actually used feature will never be removed because people will not buy the device.

Most people don't care about replaceable batteries, headphone jacks or rooting.

In fact not allowing rooting is net benefit for the vast majority because it prevents spyware being installed on the device by a controlling partner, ...


That's not truly how it works except in some very narrow, literal, sense.

The reality is that people in the developed world need to carry smart phones. It's expected in order to be a functioning member of society. My kid's school has an app that does messaging and notifications, my kid's after-school group has a different app that does likewise, etc. A few weeks ago, I was expected to "sign" a waiver for an activity by clicking a link in an email... while I was AT THE PLACE IN QUESTION. Since I didn't happen to bring a laptop to this activity, I pulled out my smart phone to do it.

So, when my phone breaks, I have no choice but to buy another one. It doesn't have to be a new model, of course. But, if they all collectively move toward removing features that I'd prefer to have (like removable batteries) or start adding things that I DON'T want, I'm still going to buy it because I more-or-less have to.

So, it's not that people don't care or actually prefer the way things are going. It's that they feel like they have no choice.

Again, I understand that they/we LITERALLY have a choice. We're not going to die if we don't buy a smart phone. But, it's not as simple as "they bought the thing, so they must approve of all of it."


It's about what the majority wants - thinner waterproof phones instead of a removable battery.

You are not forced by the evil companies, you are forced by market pressure from the majority of consumers.

Not even Apple was able to resist consumer pressure, they famously yielded and made a big screen phone.


> You are not forced by the evil companies, you are forced by market pressure from the majority of consumers.

It can be both.

If Apple decided to do something moderately annoying to their phones without considering any user/customer feedback, it wouldn't drastically affect sales.

There's a limit, of course. If they're too hostile, too quickly, then people will buy Android phones instead. But, if it's just a little bit worse for the end user, customers will keep buying iPhones.

Why? Because of vendor lock-in. Why do you think companies have been trying to lock us in to their product ecosystems since the dawn of market economics? It's certainly not to make it EASIER for their customers to "vote with their wallets."

For example, I'd be willing to bet good money that Microsoft didn't start putting ads and shit into Windows 10 or whatever because it really thought that Windows users would just LOVE that. I also bet they didn't decide to re-enable settings during updates that users disabled because the majority of Windows users wanted to have to periodically reapply settings changes that they made...

> Not even Apple was able to resist consumer pressure, they famously yielded and made a big screen phone.

I don't know the internals of what goes on at Apple, but both the small size and the "no-stylus" convictions seemed to be due to Steve Jobs. And I'll note that both, the bigger size phones and the iPad stylus came out at least a couple years after he died. So, it's not obvious to me that Apple would have yielded on those with Jobs at the helm.


Where is my iPhone 14 mini, then?


People want a small phone, but if the mini costs like 10 android phones, they might just get an android phone.


Ok, but this mentality means you are buying into a narrative of a platform which is locked down not directly for your benefit or when it matters to you, but instead as an indirect side effect of building a platform catered to developers of apps like the banking app who then have complete control to make the call on when this matters and what they consider to be invalid... and so I just need to make sure that you understand, in the context of this thread on ad blocking, that by expressing this opinion, you are also, in practice, saying you think people blocking ads shouldn't be allowed (whether the mechanism is that developers move content from the web into apps you must install or the web fully supports the same level of drm as the app platform).


No, that's not my position.

My position is freedom. To create locked-down devices. Or open ones. And freedom for consumers to buy which kind they want. You are taking a position that you know what's best for consumers. That's quite presumptuous.

For most consumers a locked device is in their interest because it protects them from malware and data loss.


> Again, same market pressure, a useful actually used feature will never be removed because people will not buy the device.

When all devices are the same, you have no choice.


For curiosity's sake, what app was it? Can apps regularly get a list of other installed apps?


People will just stop using Android if they aren't able to block ads. Simple as.


So the end game is the analog hole but for ads?


Seems so. Until they will beam the ads directly to our brains through NeuralLink.


The adblocking brain implant will be the most cyberpunk invention ever.


The thing is, not having adblock on chrome would make it unusable for work-related searches. Unless I'm on page 2 or something, I have trouble finding man pages/relevant Api documentation, and all the first results, while useful (especially when I have to do frontend stuff) are absolutely unusable without ublock, even the not terrible websites.

That'll mean I'll either drop Google search and directly search SO/reddit and have quicklinks for manpages and other documentation (maybe with GPT help to parse that), or I'll drop chrome at work (i really, really can't work without an ad blocker.).


Hi, Privacy Badger dev and coauthor of a bunch of EFF posts about MV3. Here are some thoughts.

We wrote the following call to action a couple of years ago in https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-st...

> Google needs to cancel moving to service workers, restore blocking webRequest, and halt Manifest V2 deprecation until all regressions in functionality are addressed.

To their credit, Google did halt MV2 deprecation. They fixed bugs, filled in functionality gaps (examples: userScripts API, the Offscreen API cludge), and made a number of improvements to DNR, their limited-by-design replacement for the powerful and flexible webRequest API. Google also relaxed their initial, entirely unreasonable service worker lifetime requirements.

So where are we now with service workers and DNR?

The requirement to base extensions on service workers adds complexity and headaches to developers, but because of various policy changes and workarounds, it is no longer the issue it was two years ago. Google put in a lot of effort to make service workers kind of work for extensions. I think the end result is it's now harder to make a browser extension, but service workers are no longer a deal breaker.

However, blocking webRequest is still mostly gone, unavailable outside of a specific proxy authentication use case, and DNR is still not an acceptable replacement.

There are still outstanding functionality gaps such as https://github.com/w3c/webextensions/issues/302, which is interesting in that much of the tracking that privacy extensions are no longer able to properly handle is by Google!

But more importantly, DNR is fundamentally not an adequate replacement for webRequest.

As we wrote in https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-st...

> [R]emoving blocking webRequest won’t stop abusive extensions, but will harm privacy and security extensions. If Manifest V3 is merely a step on the way towards a more "safe" (i.e., limited) extensions experience, what will Manifest V4 look like? If the answer is fewer, less-powerful APIs in service of “safety”, users will ultimately suffer. The universe of possible extensions will be limited to what Google explicitly chooses to allow, and creative developers will find they lack the tools to innovate. Meanwhile, extensions that defend user privacy and safety against various threats on the Web will be stuck in the past, unable to adapt as the threats evolve.

The gist is that we now all depend on Google to keep evolving the API to keep up with advertisers and trackers. Google is a massive advertising company. Chrome extensions already had one "lost decade", where nothing much happened until the Manifest V3 proposal.

It's just not a good idea to let Google hold the keys to anti-tracking tech.


Chrome Users Beware: Chrome is one of the tools that Google uses to maintain and extend its control over the web. You're empowering them to do shady things that aren't to your (or most people's) benefit.



(2021)

EFF had a slew of articles about the evils of MV3 2019 - 2021. Since then, nothing. Has subsequent development proven them wrong - or right? I don't really follow this space closely other than as a user of chrome extensions (in Vivaldi).



2021. A bit dated. Firefox had adopted Manifest V3 too (or at least is compatible with it)


As I understand, Firefox left in the ability to block via the webRequest API, which is one of the biggest points of contention here.


Correct. Absent Google's more harmful changes, most of Manifest V3 is actually pretty great and I'm looking forward to broader support rolling out in Firefox. I have a couple of private extensions I maintain that use both Manifest V3 and the blocking webRequest permission in Firefox, and it works great.

They wouldn't be possible to build in Chrome.


Helpful info thanks


Now all firefox has to do is nothing. Keep V2 extensions and chrome will bleed users once their adblockers stop blocking ads. I invite chrome to accelerate their timeline aggressively.


If Google does actually force through changes that meaningfully degrade adblocking effectiveness in Chrome, that could ironically be just the thing to motivate a critical mass of users to migrate to Firefox/some other alternative.

Firefox won when it was significantly better than IE in ways that lots of people actually cared about (it had tabs). Then Chrome won when it was significantly than Firefox in ways lots of people cared about (it was fast and if a tab crashed the whole browser didn’t crash with it).

For a long time, no browser has been significantly better than Chrome in ways lots of people care about. I don’t know if Manifest v3 is as bad as everyone says, but if it is, that might open up a big enough point of difference.


> Then Chrome won when it was significantly than Firefox in ways lots of people cared about (it was fast and if a tab crashed the whole browser didn’t crash with it).

Firefox shill here. I believe Chrome won because 1) Firefox had long been struggling with RAM consumption and stability 2) Chrome's onboarding was closer to effortless 3) It was relentlessly marketed/placed to saturation.

Chrome had it's own RAM issues but #3 outweighed that. Any lock-in Chrome now has is due to A) #3, B) a better sync process that's integrated with Gmail and C) better corporate deployment (Gmail+Chrome).

I've had my corp customers on Chrome over Firefox by about 4 to 1. I'm not happy about that but I have to prioritize their experience.

However, Firefox has drastically improved in stability (as has Chrome). Chrome is getting less friendly. Where syncing isn't used, I see paths to swap users over the next year or so.


I agree that Chrome’s lock-in now is around syncing/integration. And, of course, the marketing.

Firefox is now totally competitive on speed/stability. But it’s not a significantly better browsing experience, which is what it would need to be in order to overcome inertia and get people to switch.

PS: My memory is that Firefox’s RAM issues were pretty awful when Chrome launched (if you had many tabs open it was only a matter of time until the browser crashed). Chrome was a significant improvement in that regard (and Google’s reputation was very good at the time, which probably helped).


> I believe Chrome won because

4) Chrome was faster, more responsive, and more stable than Firefox since its inception. Firefox reached parity *9* years later, with Firefox Quantum.


Anyone complaining about libre software's ability to pay them is in the wrong part of the culture. Paying someone for labor is a capitalist thing and completely beside the point.

Human societies are deliberately designed to disincentivize volunteering or doing anything without getting profiting. These cultures promote the idea that people are only worth what's in their bank account.

So why should people start paying money for things when it's the fault of the developers for choosing to give away their time and work?

I write that as someone who has FOSS projects. If you want to be paid, don't write code or deliver support until you get the paycheck.


Humans aren't really built for communism on a large scale either. We are tribal, capitalism gets around that with incentive and greedy individual reward for doing something that generates social improvement at scale (nation-state) level--trade, commerce, interaction, communication. Communism, Marxism will never provide that. You either have to use the carrot (capitalism) or the stick (despotism) at scale to get results. Communism (real communism) fails beyond a few hundred (may only tens) of souls, again we didn't evolve for that,


There are more than two economic systems, and none of them are natural or aligned with humanity's nature. That's something capitalists tell themselves to feel better about the level of exploitation needed to create a 1% class.

So, is exploitation and lying and theft part of our nature? Capitalism only rewards sociopathic behavior. It cannot be prosocial.


I don't know why Google is hard at work adding Chrome to killedbygoogle.com, but I welcome it.


I would welcome it too, but it's never going to happen. The masses just don't care enough to change their habits, especially when there's any friction to switching. It's why tactics like MS's aggressive edge pushing actually work to some degree.


Agree completely. Additionally, there is a massive Chromebook user base (with the default Chrome browser) that basically has a chokehold on the K12 education space. Conjecture: I think this gets students used to the model of Chrome + Google Docs that they carry forward to their computing use/experience for the future.


Sounds similar to religious indoctrination of the young and absorbent. Get em while they're young is the maxim.

If they actually focused on bettering their web services they wouldn't need to hold reign over web browsers.

This actually shows that they know themselves their products could not stand up in a real free market.


Internet Explorer had 95% market share in 2004, with much of the same sentiment.


But then for 5 years they refused to implement any new feature in a time of massive web innovation.

Chrome is not repeating that mistake, most new web APIs come from them.


I hate to say it, but there hasn't been a significant change in browser market share since 2018.

https://gs.statcounter.com/browser-market-share

Chrome continues to have a massive lead over any other browser. The only exception is if we look exclusively at the US mobile market, where Safari has a narrow lead; though I'm sure that's because it's enforced by Apple rather than chosen by users. Worldwide across all devices, Chrome and Chromium based browsers have sat comfortably around 80% market share for the better half of the last decade and there's no sign of that changing.


You don't think it will change when your aunt comes to you asking why the adblocking you installed for her isn't working anymore?


No because most people - my aunt almost certainly included - still don't use ad blockers.


Google simply can’t be trusted on this point.

They’re way to conflicted and financially motivated to do the wrong thing for the user

They keep talking about privacy and security threats. Google is the threat here


I found this interesting. On both the Chrome blog and this EFF post, there is a quote from AdGuard CTO Andrey Meshkov. One of the quotes is favorable/neutral toward Google, while the other is more negative. It sounds like Meshkov may have changed his opinion.

Google blog ( https://developer.chrome.com/blog/resuming-the-transition-to... )

"As always, migrating to a new platform is a large undertaking, but we're very hopeful..."

EFF blog ( https://www.eff.org/deeplinks/2021/12/chrome-users-beware-ma... ) - sourced from AdGuard blog ( https://adguard.com/en/blog/manifestv3-timeline.html )

"Nearly all browser extensions as you know them today will be affected in some way..."


It's natural for Google in their public communication to quote positive stuff and not quote anything critical. Recently I tried to explain the current state of MV3 objectively: https://adguard.com/en/blog/chrome-manifest-v3-where-we-stan...

But yes, my opinion about MV3 did improve with time. Briefly: it is not ideal, DNR is not a full replacement for the blocking webRequest, but their work for the last several years made me hope that they can compensate for what we're losing by other platform improvements.

edit: grammar


What if, and hear me out, all that effort went into MV2?


MV3 is basically MV2 with one tectonic change: replacing persistent background pages with ephemeral service workers. So a large part of this effort actually DID go into MV2.

There's a better question: what if instead of investing huge amount of times into DNR they put it somewhere else? For instance, into providing better tools for extensions to persist their state so that we didn't have to rewrite the extensions from scratch to make them work with the new service workers model? I think it would've been much much much better. Unfortunately, that's how hindsight works.


MV3 now brings "offscreen documents" and persistent service workers.


> MV3 now brings "offscreen documents"

Yeah, at first I thought of using offscreen documents as a replacement, but it appears that:

1. They're not persistent too.

2. They have a different purpose, they're supposed to be used as a temporary crutch that gives access to DOM features for the time until it's brought to service workers.

> persistent service workers

You're right to write it in cursive, there're ways to prolong the lifetime of a service worker, but they're not persistent anyways. All in all, the only reliable way to live with service worker is to rewrite extensions in a way that allows them to very quickly initialize after the service worker is brought back to life. For some extensions it's easy, for some it's quite a complicated task.

edit: formatting


I have it on good authority (Chrome Devrel) that the method described here https://developer.chrome.com/docs/extensions/migrating/to-se... is no longer limited to only managed devices for enterprise or education.


Here’s what I heard: they are okay with such a workaround for now because they realize how hard it is to adapt to the new model, but in the future they’d prefer to see extensions adapt and be able to quickly reinit.


Was wondering the exact date of the quote used by Google but could not find it.

Looking at Adguard recent publication https://adguard.com/en/blog/afds-2023-recap.html it seems more in line than the one from 2021. But still they end with :

>Despite the fact that the Chrome devs spend considerable resources on fixing the MV3, and the dynamic is definitely positive, there are still many questions left.

Edit: for a technical listing of what is not possible with v3 : https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...


Keep in mind that adguard's main product is a desktop version that effectively mitm's all traffic so they can block requests or locally inject JS & CSS directly into the page without needing browser extensions (which is admittedly pretty clever, but I don't like the local proxy approach). Purely from a business perspective, MV3 is actually good for them because it means that this desktop approach becomes the only viable option for full-control over the request lifecycle.


At this point, is there still any good reasons to use Chrome?

A few years ago some new web apps only supported Chrome, like they only supported IE a few years before, but today I haven't had to use Chrome for months.

I might just have been lucky but I don't know. Does anyone else?


> At this point, is there still any good reasons to use Chrome?

I use Firefox for everything... except work.

At work we have Google Suite, Google Meet, etm and these do not work as well, as consistently, or with the same features in Firefox.

A specific example, if you have a 1080p webcam you can use this in Firefox and https://webcamtests.com/ will reveal that I have a 1920x1080 FHD webcam @ 50fps ... all good, but Google Meet will only allow 1080p webcams in Chrome.

That's a rich feature example, but even things like Docs behaves subtly differently and a little more rich and fluidly in Chrome.

What this means is that I segment my life by browser, Firefox is my personal life, and I treat Chrome as my work sandbox.


Just use the slightly lower resolution.

Btw, in 2020 Google was caught red handed shipping broken code to firefox to make it look like broken/slow. Everytime that happens, just open support tickets with your IT dept. That is the only wining move. Otherwise you are just a fool being pushed around :(


I've come to see this as a feature, not an issue (I accept this as my "punishment" for refusing to install Zoom's app, and instead use it through my browser). Frankly I don't care all that much about what people see on the other side of my webcam. They're universally crap quality anyway. If I really needed decent camera quality for a video call, I'd use my phone, and a dedicated video conferencing app.

(Sure, if you've specifically bought an external webcam so you can have high-quality video chats, that's another story. But I don't think all that many people do that.)

Outside of the webcam issue, I've never had any problems using any of the GSuite webapss with Firefox.


We use Google Suite too, and I have no problems with 100% Firefox usage there too. I can't say anything about things like the resolution of your webcam, but I don't know, it all just works here.


One that I feel is underappreciated is the inline translation of whatever website you are browsing.

I don't speak well the language of the country I currently live in and Chrome really helps. I haven't really found a comparable feature or add-on in other browsers.

I'd switch to Firefox in a heartbeat if it offered a decent version of this.



Note that it supports fewer languages for automatic translation, but all the translation happens client-side, which is super cool.


And several more languages to be added soon have already been announced: Russian, Farsi, Icelandic, Norwegian, Ukrainian and Dutch. So there's probably much more to come.


https://addons.mozilla.org/en-US/firefox/addon/linguist-tran...

Includes offline translation. I very rarely need this, so I can’t speak about the quality, though.


I use Translate Web Pages daily.

https://github.com/FilipePS/Traduzir-paginas-web


On top of the integrated support for this in Firefox as of recently (that a sibling mentions), Mozilla has offered an extension for this for quite a while now.


I need to use chrome for maybe 2 websites per year on mobile which give me infinite loading spinners on Firefox.

One website on desktop, which I only use chrome (actually edge but I consider them to be the same thing) for because the developers don't take bug reports seriously unless it's Chromium based


I've never had a Chrome based browser installed on my 7 year old Macbook, no problems here.


Security. The Chrome security team(and other Google security teams like Project Zero) is top notch. Mozilla can't really compete in this field, unfortunately, Google can afford to and does invest more into browser security.


But if (! - I am not sure on that, yet) v3 is preventing ad-blockers from working the attack surface is that much larger using Chrome.


v3 is no preventing adblockers, it changes the way they'll have to be implemented(they'll be less powerful than before).


Reducing functionality is preventing adblocking, which is overwhelmingly the primary action of adblockers.

Thus it is fair to state they are preventing adblockers.


>Thus it is fair to state they are preventing adblockers

No it's not fair to say that. The same way it's not fair to say Apple is preventing adblocking in Safari even if the current state of adblocking there RIGHT NOW is exactly how manifest v3 Chrome will be(using declarativeNetRequest)


But, they are, right? They aren't preventing ALL ad blockers, but they aren't even merely preventing theoretical ad blockers: they are blocking concrete ad blockers that people have built and would actively use.

If there is a checkpoint at an event which seems to be turning away cars it doesn't matter if other cars are also getting through: the way we use the relevant phrasing allows us to say that "they are turning away cars" as that is a bit ambiguous as to why or how many.


We're entered the backwards compatibity discussion teritory, not sure what to think about it to be honest.


But you do not need to discuss that. Rather suppose ad-blockers are working less effectively under v3, leading to additional ads being shown. That would increase the attack surface.

If ad-blockers really will be less effective under v3 remains to be seen. But do you think it is an unreasonable perspective, given the technical limitation?


Given that the reasons behind Google breaking backward compatibility are obviously primarily because they want to weaken ad blocking, I think it's perfectly reasonable to talk about this.


This is all semantics. Ad blockers on Safari are less effective than what you can get on Chrome/Firefox right now. Google is trying to make adblockers on Chrome less effective as well.


Are they? I use 1Blocker with Safari on all my devices, and don’t remember the last time I saw an ad.

Not saying this to defend MV3. The ad blocking situation for Safari isn’t dire, though.


There's no difference here. Adblockers need to continually update their blocklists; if a hard limit is put on blocklist length, then the adblocker's job is being prevented.


to ensure that you are mainly compromised by google and not by their competitors :-).


I've tried different browsers, more so these past few years, and always end up back with Ungoogled Chromium. It seemingly uses half of the memory of Firefox.


I use it for the dev tools only. I remember when Safari used the WebKit dev tools and I had one browser to do everything I needed. Those were the days. Then Apple decided to release some terrible new thing with way less features and much worse interface that’s better at integrating with the iPhone when plugged in, but useless otherwise.


I use it to watch youtube, because youtube on FF causes way higher cpu load and battery drain on my windows laptop.


Brave is sufficient on phone, smart tv, and desktop for me.


I use Safari and Edge. I haven't noticed anything that doesn't work on those.


Edge uses the same engine as Chrome, so that at least is not surprising.


It's faster than Firefox.

Also it integrates better with Google services.


I’d agree that Google Chrome was noticeably faster than Firefox up until around a decade ago. However, I haven’t noticed it to be any faster since then. What makes web browsing faster for me is the use of web extensions that disable the downloading of unnecessary resources and/or the execution of pointless Javascript, e.g., NoScript, uMatrix, uBlock, Privacy Badger, etc – the same extensions that will have their abilities greatly reduced by Manifest v3.


How is it faster than Firefox in a meaningful way? Is this even still true for the people who insist on keeping hundreds of tabs open at a time?


My experience is the opposite, Firefox feels quite lighter, Chrome tends to use more resources and feels bloated.


Me too and I don't really understand why. On Windows, pressing F12 to open Dev Tools takes a good five seconds in Edge but takes fractions of a second in Firefox. And page renders feel faster, although apparently they actually aren't in controlled experiments.

Maybe one of the extensions I typically use in both works differently in Firefox.


I'm on Linux, and Firefox's performance is still behind Chromium. Mozilla only recently enabled hardware acceleration. There are benchmarks in which Firefox beats Chrome (https://arewefastyet.com/linux64/benchmarks/overview?numDays... has an overview) but in general Chrome is faster.

On Windows and macOS Firefox is a bit more competitive, but important benchmarks such as JetStream and Speedometer still have Firefox easily beat (note the inverted score axes).

That doesn't mean Firefox is slow per se, it just means Chromium (and WebKit) are faster.

On Android I use Firefox for its addon support, but the UI is notably more glitchy and buggy than Chrome's.


> JetStream and Speedometer

If a website uses enough JS for that to matter, it's a problem on all browsers


These web apps are quite usable on Chrome and useless lag fests on Firefox.

Do I prefer the modern "let's ship a JS renderer with every webpage" approach? No, definitely not. Unfortunately, quite a few web applications and websites u visit disagree with me.

There's also a perceptable difference in terms of browser responsiveness outside the page itself. Firefox seems to take longer to process UI input in my experience, for reasons I don't entirely get. There's a slight but visible delay before the page starts rendering that Chrome doesn't have, and that small delay adds up when you're working in web UIs fir a significant part of the day.


Strange, on Linux I've found Firefox to be just as fast as Chrome. Granted, I've had all the hardware accel stuff force-enabled for years now, with no issues (on Intel iGPUs), so maybe that's why I haven't noticed any slowness.


It is, Firefox is tangibly slow for me on mac.

Rendering/JS performance seems reasonable nowadays, but the UI has weird skips and freezes fairly often.


At least on mobile, Firefox is so unresponsive it's a complete nonstarter on a slower phone. Chrome is fine.


This is the opposite of my experience on android. Firefox with uBlock Origin is the only way to get some sites to load in any reasonable timeframe. The difference can be measured in 10s of seconds, and is more noticeable with worse hardware.


Seems fine on mine.

You speaking anecdotally or do you have data?


Yeah, it's slow to the point of being completely unusable on my phone.


What's the point of even using the web if you don't have an ad blocker in your browser?


I mainly use the parts of the web that doesn't require one.


Have you used it recently, or just years ago? It definitely used to be very slow, but since ~2 years ago it's very good, and my go to browser (my phone is not high end, by the way)


I give it a spin every few months. Then I uninstall it because it's still irredeemably unresponsive.


I haven't noticed any speed differences between Chrome and Firefox for quite some time now (Linux here, so maybe it's different on Windows or macOS).

And I haven't found the Google services integration to be all that deep or interesting to matter. In fact, I'd found the opposite to be true: it's gotten in the way. Having the browser log into your Google Account directly has led to some confusing behavior, especially when signing into a second account via some webapp, which sometimes changes how the browser is signed in.

Regardless, I think we all would be better off with a bit less integration of Google services in our lives.


This seems like the same basic tech problem - how to balance uninformed user protections with advanced user capabilities.

The problem is browser extensions and the ability for bad actors to use malicious code to harm users. This is a real threat - how do you protect users from their own actions?

Putting aside the cynicism about Google's "true" motives and assuming the best intentions on their part... this still seems like an overly broad limitation without a good workaround.

Personally, I use as few extensions as possible, and I'm very particular about which ones. I'm sure most readers here are as well. So, for me (us?), this is a problem, especially if we also maintain extensions. But - what about my mom? She doesn't even know how to remove extensions, never mind review them for potential problems. We should not sacrifice the many (and encourage the bad actors) to ensure that the few have the access they want.

Why not put in settings that allow the user to allow extensions outside the bounds of MV3? Why not put a warning on the extension page that it "could be risky", or even hide those extensions entirely from the users who don't know to adjust their settings?


Any claim that Chrome's decision is not entirely profit-focused needs to take into account that Firefox managed to adopt Manifest V3 without gutting the ability for adblockers to do their job.

Google needs to be very specific on this: what precise user-privacy-threatening functionality can an extension have in Firefox's implementation of MV3, that is not also possible in Chrome's? Because if there is actually none, then we have our answer right there.


This should be the top comment of this whole article.


Cynically, because there are motivations behind MV3 that aren't related to privacy or security. I don't think it's tin-foil-hatting to assume Google has an internal plan to deal with ad blockers.

There's plenty of security/privacy issues that remain after MV3. It's somewhat telling that onBeforeRequest()'s synchronous blocking was the first thing MV3 went after.


If it was about protecting the average user, they could simply put a big red button somewhere deep in the settings where an average user will never find it and create a pop-up saying "dont do this it's dangerous" if they try to flip it. Hell, even a command line flag would work.

It's ofc not about protecting the user, however.


> We should not sacrifice the many

I don't see how forcing the many to have sub-standard ad-blocking software isn't a sacrifice of its own. Ads and tracking demonstrably harm user privacy.

We have two harms: rogue extensions siphoning off user data, and shitty ad networks eroding user privacy. I don't think we need to choose to solve only one or the other.

And it's not like MV3 really protects users from rogue extensions. It's pretty obvious it's a plan by Google to reduce the effectiveness of ad blockers; the alleged privacy improvements are an unproven excuse.


The other big change of mv3 that gets no coverage but which is dear to me is that mv3 outlaws any kind of dynamic code. The whole app has to be statically defined. This makes it much easier to know what's running, since an extension can no longer go pull in extra code, but it greatly reduces what you can do as an extension too. Extensions have to have all behaviors predefined. I can't dial home & load my behaviors. Here's the issue, https://github.com/w3c/webextensions/issues/139

For a while it meant that userscripts didn't have any way to run. So Google introduced a new API for user scripting. But those extensions only run in "developer" mode. I'm guessing that means when devtools are open?

I agree a lot with your premise. It sure seems like Google is targeting everyone with these changes, but that better real affordances & escape hatches need to be builtin to not maim the lives of power users. It took a long long time to come up with a userscript solution, and it seems like an awful doesnt-work-for-me workaround (I use userscripts not to dev but to modify everyday experiences). Chrome just hasn't been taking their obligation to user agency seriously; they can't just start treating everyone as needing huge protective walls all at once.


> For a while it meant that userscripts didn't have any way to run. So Google introduced a new API for user scripting. But those extensions only run in "developer" mode

I didn't notice that in the announcement of the new API, but that actually seems pretty reasonable for userscripts? It also seems to match what the GP was asking for:

> Why not put in settings that allow the user to allow extensions outside the bounds of MV3


I'm guessing that means when devtools are open?

No, it's a flag you turn on on the extensions settings screen (chrome://extensions/).


> We should not sacrifice the many (and encourage the bad actors) to ensure that the few have the access they want.

It's a false dichotomy. We don't need to sacrifice anybody. Require more consent or an advanced toggle to turn on the allegedly dangerous behavior.


People have been clicking past permission prompts since their inception. So many people on Android are compromised by tutorials for "free vbucks" or "free gems" that ask them to install spyware/adware by bypassing Google Play and even Play Protect.


The browser is not your nanny. You can also text your online banking credentials to scammers using an Android phone, but no one in their right mind suggests removing text message functionality from Android because of that.


So let’s get rid of apps and the play store! … … …

Unless we intend to regress to the mean, people must be educated on how to use powerful tools responsibly, and we must build powerful tools with effective safeguards.


> This is a real threat - how do you protect users from their own actions?

You fucking educate them.

I’m sick and tired of big tech treating people like children. Sure, in the short term perhaps consider putting fences and whatnot, but come on, general purpose computers are mainstream since at least 1995, we ought to have learned what they are by now.


Look, this is the most obvious advice ever but everbody needs to hear it: don't use a web browser made by the world's biggest fucking internet advertising company.


I have an extension with a few hundred users (Reddit Slideshow) that's going to need to be updated in a way that will reduce privacy. Manifest V3 prevents some of the things I need to do for it to make network requests. The only solution is to deploy a central proxy that can make these requests and funnel all client requests through that proxy. Theoretically I could use that proxy to track my users. At the moment I do no tracking whatsoever. I'm sure its going to cause a bunch of users to uninstall no matter how much I promise I won't track them.

A very popular extension, Hoverzoom, does the same things I need to do so its author will need the same solution, or severely limit its functionality. ...and I doubt the author will be able to support a proxy service with the volume it would get.


You don't understand, V3 is very important to enhance user privacy. Details about how it will decrease user privacy must fall to the wayside in favor of the important goal of increasing user privacy.

And the secondary effects of it also nerfing adblockers is completely unrelated. It's about user privacy.


There is no change in privacy. Under v2 you could intercept and modify requests within the client. Under v3, you can only do that via a proxy. It’s the same lack of privacy. You always had to trust the extension author to not be malicious.

V3 only makes it obvious both to users and to the site being requested that there is a man in the middle.


Newspeak. Bravo.


Privacy AND safety. Think of the child safety.


Can you use an iframe in an offscreen document?


Nope, I need to set/change headers.


Remember when Microsoft had to unbundle IE from Windows (the dominate OS of the time) because it gave them too much of a competitive advantage. Google has a dominate position in:

- The browser

- The search engine

- The Ad network

- The device operating system

- Email communications

Plus more money than god to buy dominance where they don't own it. When is it too much control over the primary means of gathering and distributing information in the modern world.

It feels like their current power position even dwarfs MS's at the start of the browser wars.

Nobody gives a rat's ass about the customer anymore because the customer has nowhere else to go.


I switched to uBlock Origin Lite as soon as it was available and I haven't seen a single ad. It works fine.

And now I have one less thing to worry about - my adblocker extension getting compromised through a supply chain attack.


It works fine on sites that mostly don't do anything to bypass adblockers. It technically can't work fine on sites that do it. Restricting what the adblocker can do will also affect the way they mitigate adblocker avoidance in the future.


+1. I prefer to use uBlock Origin Lite, even on Firefox.

The ambient permissions that uBlock Origin requires on all sites is too risky.


On the other hand, I trust uBlock Origin's developer with my privacy a hell of a lot more than I trust Google. I might even say I trust him more than I trust Mozilla these days.


I trust the developer too, but the developer isn't the only person you must trust when you accept wide ambient permissions. You must also trust the entire supply chain.

I see it as good hygiene to remove wide ambient permissions.


What obvious astroturfing.

The Lite version is worse than the original in every way.


I don't think its astroturfing, but if it is I have used it and I'm pretty sure I'm not an astroturfer!

I used the lite version while using chromium for a little while and it worked ok for me.

The issue I had with it wasn't that it didn't effectively block ads, it's that you can't block arbitrary elements with the zapper (afaik). I use the element zapper to block non-ad related things sometimes.

For me, I'm torn on whether the extra security is worth this limitation or not, and so far I have went back to using the normal ublock, and I have went back to using firefox because chromium crashed fairly often when using the wayland renderer.

There is some way you can grant ublock lite more permissions on specific sites, I'm not sure what this does, and I don't think it brings back the element zapper, but it would be cool if it did.


They'll do anything to weaken user's ability to ensure their privacy and block ads it seems.


This might be the final straw that motivates me to start deGoogling my online activities.


I don't understand the negative comments towards Chrome. Doesn't adblockers on Safari work the same as V3?


Yes, and they suck compared to what's possible in Firefox. The history matters too, because Safari extensions were always extremely limited, while this change is an intentional downgrade for what's possible in Chrome.


In addition to what the sibling said, I think at this point we mostly acknowledge (even if we don't accept) that Apple treats their users like children. Apple Always Knows Best, and that means users don't actually get to choose how they use their devices. So this isn't surprising, and it's been the case since forever.


I am upset for the common users of Chrome. This change is awful for them.

But any Chrome users here? Any Chrome users reading this comment? You knew, or should have known, that Google is a snake. You willfully chose to use a browser developed by an advertising company. You've known Firefox was an alternative but you willfully chose not to use it because you placed mild convenience ("Ooooh but chrome is milliseconds faster") before your freedom. You get what you fucking deserve.


Yes, Chrome user here. I'm sure I'm not the only one, but who wants to raise their hand when surrounded by a mob out for blood? It's just a web browser, I don't think the aggressive and violent language is necessary. What, exactly, do I "fucking deserve"?


> What, exactly, do I "fucking deserve"?

It's just not a good idea to let Google hold the keys to anti-tracking tech.

https://news.ycombinator.com/item?id=38303956


Firefox is also implementing manifest v3, as per article.

I think this should push people towards DNS level blocking (I use nextdns, personally)


yes but:

"What are we doing differently in Firefox? WebRequest

One of the most controversial changes of Chrome’s MV3 approach is the removal of blocking WebRequest, which provides a level of power and flexibility that is critical to enabling advanced privacy and content blocking features. Unfortunately, that power has also been used to harm users in a variety of ways. Chrome’s solution in MV3 was to define a more narrowly scoped API (declarativeNetRequest) as a replacement. However, this will limit the capabilities of certain types of privacy extensions without adequate replacement.

Mozilla will maintain support for blocking WebRequest in MV3. To maximize compatibility with other browsers, we will also ship support for declarativeNetRequest. We will continue to work with content blockers and other key consumers of this API to identify current and future alternatives where appropriate. Content blocking is one of the most important use cases for extensions, and we are committed to ensuring that Firefox users have access to the best privacy tools available."

https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-fi...


Just like they promised to reimplement replacements for XUL extensions almost a decade ago. Still waiting for feature parity.


This event still pisses me off. WebExtensions are straight worse than the XUL we had before.

I wish Mozilla would stand up for their vision of the Web instead of being Google's controlled opposition.


Excellent, thank you


firefox always copies chrome so they will drop it eventually. Telemetry will say "few people use it" so some asshole(s) will remove it.


at this point people use firefox to access to the full power of ublock origins, and that's not gonna change. trust me bro :)


"Is this an out of season april fool's joke?" Seriously, are you trying to kid me?


Firefox is implementing it for compatibility with Chrome extensions, but crucially it's not removing support for the old manifest format.


DNS-level blocking is very easy to circumvent.

Honestly, the reason most ad-blocking works is because publishers haven't bothered with banning it. And that's because power is concentrated with Big Tech that makes a lot of profit already.

E.g., by blocking ads on YouTube, people are now surprised that there's no alternative left, and now Google can milk those users, too.


That won't work for ads and content being served from the same domain.

Isn't the ultimate answer in this arms race a web proxy?

I'm wondering about a two-part architecture. One part in the browser that can inspect the rendered page, and another part between the browser and the outside world, that can block individual elements. Basically re-implement the Web Request API as a web proxy.

For locked-down environments where you can't run a local proxy, the proxy could be an external service.


I just discovered that before I had uBlock Origin, I, apparently, was adding ad website domains to my /etc/hosts by hand :D (And forgot about it, just remembered that I copied my old disk to the one I have now in my laptop, but forgot to add it to fstab). Not a robust solution by any means, but very easy to implement.


Is DNS blocking effective because it’s hard to not use DNS at scale, or because advertisers don’t care about the very small portion of users using it?

I’m asking because it seems to be a flimsy defence, even if it’s currently working well.


I use a giant hosts file.

It makes me hate the work laptop where I can't use it, and any adblocker is just an inferior experience.


Hear, hear. I see so many people on HN complaining about ads and about how Google has a monopoly on search and does a bunch of shady things. And yet so many of them are Chrome users. I really don't think you have standing to complain about Google's practices when it comes to privacy or anti-competitiveness if you use Chrome. It's the height of hypocrisy.

And I say this as someone who still uses quite a few Google services. I've managed to get myself off GMail, but it's been a lot harder to ditch the office apps, and Photos.


Firefox still sucks though.


Firefox user here. It's pretty good.


A comment from 2010.


Elaborate


OK, I'm typing this comment on Firefox for Android BTW, so I keep trying to like it.

Here's my current annoyances:

– on Android, scrolling and performance is very poor on certain websites, on a high end phone; this including Mastodon, and my report was dismissed;

– on Android, the UI has issues detecting between light and dark modes at the system level; it has other obvious bugs, too, that are reported but remain unfixed;

– poor integration with the OS for player controls; both Android and desktop (macOS);

- unreliable HDR support; in macOS it works, but I sometimes get flicker, and it might get disabled if the viewport is small;

- poor battery life on macOS; this used to be true for Chromium as well, ans Safari is king obviously, but lately Chromium has an edge over Firefox;

– incompatibility with certain online apps, like MS Teams; in fairness they worked hard to fix Meetup at least;

– poor PWA support, no SSB; on both desktop and Android. I prefer PWAs to Electron variants: better sandboxing, use of browser extensions, often better memory use; see: https://howfuguismybrowser.dev/

– no customizable keyboard shortcuts and poor accessibility preventing OS-level solutions; in macOS I can set shortcuts for Chrome, for various Tab actions, like Pin Tab or Close Others. And Brave/Vivaldi have customization built into their settings;

— poor extensions security: for LanguageTool or Google Translate I'd like the "Click to Enable" option or the ability to disable by default or enable per-hostname;

– unusable profiles – in Chrome different profiles have different history and extensions, so for security purposes they are above Firefox's containers; I actually don't get the point of Containers at all, being useful only for logging into multiple AWS accounts, otherwise they have no privacy or security benefits;

---

Firefox does have certain advantages. They aren't enough to keep me using it, though. But in the interest of fairness:

+ History sync actually works;

+ DNS-Over-HTTPS works with fallback to system;

+ Tree-style-tabs;

+ Better bookmark management;

+ Reader view (Android & desktop);

+ Ctrl+Tab;

+ Non-admin upgrades;

+ uBlock Origin;

+ Total Cookie Protection;

+ Android: multiple search engines;

+ Android: Open in app;

+ Android: Dark reader / uBlock Origin / other extensions;


> – unusable profiles – in Chrome different profiles have different history and extensions, so for security purposes they are above Firefox's containers; I actually don't get the point of Containers at all, being useful only for logging into multiple AWS accounts, otherwise they have no privacy or security benefits;

FF has those kinds of profiles too, if you want to you can start it once using the ProfileManager from the command line, (un-)check the box asking if you want to always default to the last profile used or instead always start FF in the ProfileManager UI from now on, so you can choose on each startup. These profiles are completely separated as well, have their own histories, bookmarks, cookie jars, extensions etc.

FF's Containers on the other hand are a less heavy-handed approach, by staying in the same profile, having the same bookmarks, extensions and history but fully separating the cookie jars, enabling you to have (just as an example) Facebook in its own little world, everything else outside that container and/or in their own specific containers, unable to cross-contaminate (to track you) with third-party cookies and the like.

Basically, profiles and containers are entirely different levels of sandboxing.


This is precisely what I'm ranting about. At this point, the Facebook container is privacy theatre.

You don't need a Facebook container, at least since “Total Cookie Protection”. Which itself it's just a better way to “disable 3rd party cookies”, that doesn't break websites, although Firefox's isolation goes beyond just cookies.

https://blog.mozilla.org/en/products/firefox/firefox-rolls-o...

And Firefox isn't the only one that does it, although it may be the best. But Safari, Brave Browser and even Chrome have deployed similar protections. See for instance: https://brave.com/privacy-updates/7-ephemeral-storage/


How is it theatre? Do Firefox's containers not actually isolate Facebook from the rest of your browsing? I don't really understand your gripe.


I'm pretty sure I spoke plainly:

> You don't need a Facebook container, at least since “Total Cookie Protection”.

It's theater because it does nothing in addition to what Firefox already does without use of containers.

But keep installing that add-on if it makes you feel good.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: