With the next version of Chrome, Google is moving ahead with a plan to improve privacy and security by reining in some abilities of extensions used to customize the browser. The move had angered some developers who expected earlier it would cripple ad blockers.
Manifest v3, the programming interface behind Google’s security plans, will arrive with Chrome 88 in mid-January, Google said Wednesday at the Chrome Dev Summit. Extensions using the earlier Manifest v2 will still work for at least a year.
Extensions can change Chrome’s behavior through abilities that Manifest v3 exposes. Among other things, Manifest v3 limits the number of “rules” that extensions may apply to a web page as it loads. Rules are used, for example, to check if a website element comes from an advertiser’s server and should therefore be blocked. Google announced the changes two years ago.
Reducing the number of rules allowed angered creators of extensions like the uBlock Origin ad blocker and the Ghostery tracking blocker. They said the rules limits will stop their extensions from running their full lists of actions to screen ads or block tracking. That could let websites bypass extensions — and the preferences of the people who installed them.
Google has defended its technology and argues that granting extensions too much freedom invites abuse. The search giant says it’s listened to developers and modified Manifest v3 in response. For example, it loosened the originally proposed rule limit and added a new mechanism for applying some rules. Eyeo, the developer of one of the , said Tuesday it’s content with Google’s Manifest V3 approach.
The changes underscore how difficult it can be for Google to balance giving developers powerful tools and the need to thwart abuse. The balance is particularly difficult to strike given that Chrome is one of the tech industry’s biggest platforms. More than a billion people use the browser, Google has said, and it accounts for about 64% of web usage, according to analytics firm StatCounter.
“We believe extensions must be trustworthy by default, which is why we’ve spent this year making extensions safer for everyone,” Google said in a blog post.
The company has incorporated feedback from ad blocker developers AdGuard and EasyList. “One of our goals is to make it as easy as possible for developers to achieve their core use cases while needing less access to user data,” the company said in a statement.
Extensions can pose a serious risk. Google blocks more than 1,800 malicious extension uploads each month, it said in 2019.
uBlock Origin and Ghostery developers didn’t immediately respond to a request for comment.
Microsoft Edge getting Manifest v3
The importance of the Chrome team’s choices are magnified by the fact that other browsers, including Microsoft Edge, Vivaldi, Opera and Brave, are built on its Chromium open-source foundation. Microsoft said it will embrace Manifest v3, too.
“After an extensive review of the concerns raised by content blockers and the community, we believe that a majority of those concerns have been resolved or will be resolved,” Microsoft said in an October blog post. “We recognize the value of content blocking extensions and appreciate the role they play in honoring user’s choice.”
Another Manifest v3 change is that extensions no longer may update their abilities by downloading code from third-party sites. The entire extension now must be distributed through the Chrome Web Store, a measure Google says improves security screens and speeds reviews.
Manifest v3 should eventually give Chrome users a better idea how extensions use their data and provide more control over how that happens, Google said.