> If the idea is that these DNR rules require non-fast-trackable thorough reviews, but dynamically updating them will bypass those thorough reviews, than I am at a lost to understand the logic of treating them as requiring thorough review.
While they solve similar problems, these are different systems with different constraints.
* In order to allow something through the review process without close examination, you need to be sure it will not compromise end users. The block, allow, and allowAllRequests actions are known to present minimal risk to user's web browsing activities. The same cannot be said for redirecting requests or modifying a request's headers.
* Dynamic rule registration logic can be statically analyzed for risk assessment purposes. For example, say you're looking at two extensions that both have dynamic rules. Extension A only dynamically register block rules based on remote configuration. Extension B has <all_urls> and passed an arbitrary JSON object to the updateDynamicRules call. Personally, I'd be very concerned about what Extension B could do at the developer's behest, whether intentionally or if the dev's servers are compromised. IMO Extension B may even cross the line on what store policy permits.
* Expectations for extension's static content are different from an extension's dynamic operations. If an extension has code that explicitly does something nefarious and that passes review, the review process will be raked over the coals by commentators. If an extension's static contents are benign but a developer makes it do something nefarious at runtime, there is more understanding that this behavior may not have been visible to reviewers during the review process.
I'm sure there are more differences worth mentioning, but I need to run.
As a final parting thought, if safe rules and fast track review were already implemented and dynamic rules were being proposed today, I expect we'd be having conversations about whether or not devs should be able to register unsafe dynamic rules. I think there's a realistic possibility that we wouldn't allow it. Or if we did, that this capability would be gated by a new permission with a warning.
No one does at the moment. The deprecation is on hold, but Chrome has stated that they "will provide at least 6 months between a timeline announcement and any experiments deprecating MV2 features": https://developer.chrome.com/docs/extensions/migrating/mv2-s...
> I wonder if the main obstacle to (actual) cross-browser extensions isn't so much technical but rather political.
Normally when browser folk talk about "cross-browser extensions," we're not focusing on the distributable package so much as the source code. As you suggest, there are a variety of reasons that browsers aren't terribly interested in having a single authoritative distribution channel. For that matter, the packaging format is explicitly not something we intended to discuss in the WebExtensions Community Group[1]. While we diversity in how extensions are marketed and distributed, we want the actual code of the extensions to be as reusable as (reasonably) possible.
> the extension APIs are standardised enough that this is actually possible a lot of the time
A bit off topic, but as a co-chair of the WebExtensions Community Group[1] (WECG) I'm a bit touchy about the calling WebExtensions "standardized." A few years back the Browser Extensions Community Group[2] created a spec for WebExtensions, but it never reached a state that we'd normally refer to as a web standard. (Technically W3C community groups can only produce "Reports" and these documents are not on the standards track.[3])
FWIW, I'm very bullish about specifying and (hopefully) standardizing the WebExtensions platform. I'm especially excited about having a good chunk of dedicated time to sit with browser folks at TPAC 2023[4] and try to work out some open questions about where we're going and how we're going to get there.
> The biggest problem I found is that Chrome Manifest V3 requires background.service_worker (they removed background.scripts), while Firefox Manifest V3 requires background.scripts (they never implemented background.service_worker)
> I decided to keep two foo-manifest.json versions in a manifest/ subdirectory, and copy one to ../manifest.json depending on which browser I'm testing. It's a bit tedious. Not sure if a better solution exists.
Personally, I favor having a build step that produces the final manifest. The basic idea is that you have a common manifest.json + paired down browser-specific files that override the general settings as necessary. It's not a perfect solution, but I think it makes maintenance a bit easier.
> Absent security issues, what's the value of the last N releases of Chrome? How far do you have to go to get something of value that changed?
IMO something of value changes with every release. For example, in the most recent release (105) Chromium gained support for container queries and the :has() pseudo-class. Container queries allow web devs to change how styling is applied the contents of an element based on the size of the element itself. That's a major new tool for web developers & designers. 105 also supports the HTML Sanitizer API, which relieves the need to use libraries like DomPurify to protect against XSS attacks.
If you're interested in digging into what changes in each release, Chrome has a blog post series called New in Chrome[1] that summarizes changes. And to dive even further into changes, the Chrome Status[2] site allows you to filter platform feature changes by release milestone.
We discussed Chromium's current plan to support user scripts managers in Manifest V3 during our WebExtensions Community Group (WECG) session at TPAC[1] last week. The notes for that meeting haven't been merged yet, but there's an open PR[2] and when they are they will live here[3].
In short, the current plan in Chromium is to require end users and extension authors to opt into execution of arbitrary scripts via a Chromium UI setting and new permission, respectively. During the meeting Firefox folks raised some questions/concerns about this plan and it's probably best to try to align with them on next steps if possible.
And typing this out is making me realize we don't have a great tracking issue for this in the WECG repo. Just threw together a placeholder issue[4] to track discussion in this area.
If chunks of functionality are missing from MV3 with no available alternative, if the replacement is really at such an early stage of development like this, it would be silly not to delay mandatory adoption by another year or two. (Including requiring new extensions to be MV3 - from what I'm reading here, it sounds like you're really not ready for that and should undo it.) Please don't be another https://goomics.net/50/. It's so much worse when it happens externally in an ecosystem.
I appreciate you sharing these resources. I would also like to apologize if my original comment was unfairly critical of the Chrome/Chromium Team. I understand MV2->MV3 is a complex and challenging endeavor. I just hope nobody gets left behind!
