There is growing division over how much leeway browsers should allow for ad-blocking — and Chrome and Firefox have found themselves on opposite sides of the battle.
The breach revolves around a feature called Web Request, which is commonly used in ad blockers and is crucial for any system that appears to be blocking a wholesaler of domains. Google has long been concerned about Web Request’s security and has been working to remove it from the most recent extension standard, called Manifest V3 or MV3 for short. But in a recent blog post, Mozilla made it clear that Firefox will retain support for Web Request, leaving the door open to the most advanced forms of ad-blocking.
Google’s strategy has been roundly criticized by privacy advocates – the Electronic Frontier Foundation has been an outspoken opponent – but the search company is unconvinced. While Firefox has a much smaller share of the desktop market than Chrome, it could be an opportunity for Mozilla’s product to really define itself. For Google, however, sticking to MV3 will have a huge impact on the overall role of ad blocking on the modern web.
Understanding Manifest V3
The changes in Manifest V3 are part of a planned revision of the Chrome browser extension manifest file specification, which defines the permissions, capabilities, and system resources that each extension can use.
Under the currently active specification – Manifest V2 – browser extensions can use an API function called Web Request to observe traffic between the browser and a website and to modify or block requests to certain domains. The example Google provides for developers shows an extension script that would block the browser from sending traffic to “evil.com”:
The Web Request feature is powerful and flexible and can be used for both good and bad purposes. Ad blocking extensions use the feature to block inbound and outbound traffic between certain domains and a user’s browser. Specifically, they block domains that load ads and prevent information from being sent from the browser to one of the thousands of tracking domains that collect data about Internet users. But the same feature can be maliciously used to hijack users’ login credentials or insert additional ads into web pages, which has been the reason Google changed its behavior in Manifest V3.
Under the new specification, the blocking version of the Web Request API has been removed and replaced with an API called Declarative Net Request. Rather than checking all the data in a network request, the new API forces extension makers to specify rules in advance about how certain types of traffic should be handled, allowing the extension to perform a more limited set of actions when a rule is triggered. Apparently this won’t be a problem for some extensions: Adblock Plus, one of the most popular ad blockers, is in favor of the MV3 changes – although it’s worth noting that the extension has a financial relationship with Google. However, others may be more severely affected.
Google has presented the changes as a privacy, security and performance benefit, but critics see it as a calculated effort to mitigate the impact of ad blocking on a business funded almost entirely by ads. (In its SEC filings, Google consistently cites “new and existing technologies that block online ads” as a risk factor that can affect revenue.)
But the makers of some ad-blocking and privacy-protecting extensions have said the change will undermine the effectiveness of their products. In particular, Jean-Paul Schmetz, CEO of the privacy-focused browser extension Ghostery, focused on Google’s imposition of the MV3 standard in light of the company’s recent privacy protection statements:
“While Google is surfacing a ‘privacy by design’ message, it still claims a monopoly over the entire ecosystem by suppressing digital privacy companies that are already working to put users back in control of their data,” Schmetz said. The edge by email.
The Ghostery extension is a good example of a product that would be severely affected by Google’s changes. In addition to blocking ad content, the extension analyzes communication between a website and a user’s browser to look for data that could inadvertently identify a unique site visitor and replaces it with generic data before network traffic leaves the browser. This will require the ability to modify web traffic on the fly and as such will be severely limited by the MV3 restrictions, the developers say.
Ad blocking developers are also concerned because the impact of those changes extends well beyond the Chrome browser. The MV3 specification is part of the Chromium project, an open-source web browser created by Google that forms the basis of not only Chrome, but also Microsoft Edge, the privacy-focused Brave, lightweight browser Opera, and many others. Because Chromium underpins these projects, browsers that depend on them will eventually also have to migrate to the MV3 extension format, and extensions for those browsers will no longer be able to block ads with Web Request.
Mozilla pushes back
As the primary developer of Chromium, Google exercises a tremendous amount of power over what browser extensions can and cannot do. This differentiates browsers not based on Chromium, especially Firefox and Safari, as they have the opportunity to take a different approach to extension design and are now in a position to differentiate themselves with a more permissive approach. of ad blocking.
For compatibility reasons, Mozilla will still use most of the Manifest V3 specification in Firefox, so extensions can be ported from Chrome with minimal changes. Crucially, though, Firefox will continue to support Web Request blocking after Google phases it out, allowing the most advanced anti-tracking ad blockers to function normally.
In justifying that decision, Mozilla has been clear by recognizing that privacy is a core value for people who use its products, as Chief Security Officer Marshall Erwin told me. The edge.
“We know that content blocking is important to Firefox users and we want to make sure they have access to the best privacy tools available,” Erwin said. “In Firefox, we block tracking by default, but still let ads load in the browser. If users want to go the extra mile to completely block ads, we think it’s important to enable them to do so.”
As for Google’s claims about the security benefits of its MV3 changes, Erwin said immediate security gains from preventing web request blocking were “not obvious” — especially since other non-blocking features of Web Request were retained — and did not appear to be the case. significantly reduce the risk of data breaches.
Either way, Google seems to be on track. Despite the flurry of criticism from ad blocker developers, Google spokesperson Scott Westover told: The edge that the company supported blocking and was only intended to limit the type of data certain extensions could collect.
“We’re pleased to see Mozilla support Manifest V3, which aims to make extensions more secure for everyone,” Westover said. “Chrome supports and will continue to support ad blockers. We are changing the way network request blocking works as we are making fundamental changes to the way extensions work to improve the security and privacy features of our extension platform.”
Google has heard positive feedback about the changes from many content-blocking extension developers, Westover said, noting The edge praise from the makers of Adblock Plus.
It’s possible that Firefox’s stance on ad-blocking will encourage more users to switch to the browser, which is currently estimated to account for less than 8 percent of the desktop browser market, compared to Chrome’s 67 percent. Once Manifest V2 support ends in June 2023, functionality changes will become more apparent to Chromium-based browser users. Until then, Mozilla will patiently advocate for privacy, even if you sometimes have to search deeply for it in a specialized blog.