Blocked under the supposed reason of privacy, but extensions can still see every request, and inject whatever javascript they want, exfiltrate your data, etc. Meaning the reason is pretty clearly not privacy.
I don’t see why Safari can’t block extensions from sending data to remote servers. Seems like a pretty basic thing, so we have more powerful tools and not the privacy risks
Browser extensions are becoming a notable security vulnerability, with many high profile extensions falling into the hands of (or being sold to!) bad actors. The arbitrary code execution method of ad blocking (e.g. uBlock) is very flexible but it means that without ongoing comprehensive code review using one puts you at risk if the extension ever changes hands or has a backdoor added.
Apple's method avoids this issue by never letting the extension see the page contents, it only provides match lists of what to block that the browser then enforces. Even if the extension became malicious it has no access to private data on the webpages it is ad blocking on.
But don't they keep the original webRequest api in a way where it does not block and where an extension can observer all the traffice, do all the spying, but just cannot block requests?
Yes, I get that the extension operates within the user's auth realm. But still it should not be able to access data you as a user cannot access. Maybe this is already enough to do damage though.
I presume it is because extensions might leak browsing data, which is especially undesirable for private browsing. You can whitelist individual extensions if you trust them, though.
The reason you don't get it is that taking away the functional part of onBeforeRequest() doesn't really help with privacy. Because extensions can, for example, still inject arbitrary javascript if those permissions are in the manifest.
What it really does is ensure that adblockers can't do heuristics, and instead have to rely solely on semi-static lists of urls. That's a nice outcome if you're a company that makes most of their money from ads.
There's not really a nice way to say that aloud though, so trying to make it sound it's a way of ensuring extensions honor privacy and security sounds better.
Extensions have a similar model to phone apps. They have a basic set of APIs available, and beyond that they have to ask for permission before they can use more. E.g. I have a Firefox addon called "t.co unmangler" that only has permission to access my data for twitter.com and can't read anything else. If an extension is compromised and tries to access more that it was allowed before, the browser will block it until I grant permissions.
Not sure what functionality their extension has, but this is pretty hard to avoid. To run javascript you can basically do whatever you want — so the browsers let users know that. I wish the security could be more fine grained, but I’m not sure that’s possible.
Edit: Looked at the extension and maybe it could limit itself to social network domains though.
It blocks *all* (non-monitored) extensions from running on *some* websites. What it should do is block *specific* extensions from running on *all* sites. The security justification doesn't align with what they actually did.
Yeah, the site-specific blocking seems... mostly dubious, possibly decent as a "this is a banking website - extensions are disabled by default, but you can click to enable them" thing. Right now it looks much more dubious than anything though.
But even in the very best case, it's yet another custom "premium support" feature either way, like the Public Suffix List. They should push for standards instead, these kinds of things are always leaky and sometimes dangerous.
Anyway. I just meant that extensions are not trustworthy just because they're installed. Malicious vectors exist, and protecting people from themselves / them understandably not being an up-to-date expert in all things tech by the millions-to-billions is largely a good thing.
It's not different. The current state of the browser extension ecosystem can cause and has caused massive data privacy violations; browser vendors are locking down previously open APIs to try and remediate that, breaking some functionality that developers want. Context:
Yeah, it's a catch-all permission that says the extension wants to examine the DOM and HTTP requests. Absolutely necessary for any browser-based ad blocking.
These API changes are actually perfectly reasonable. The new API lets extensions tell the browser what to do to the page in a declarative manner. This eliminates the need to pass private user data to the extension code and reduces the potential for abuse. This is a massive improvement compared to just letting random extensions see everything on the page.
uBlock Origin just happens to be so important and trusted by the community that it shouldn't be subjected to these restrictions. It's a special case.
This seems like massive spin. Their primary argument doesn’t wash. As far as I understand it the web request API will still exist and still allow extension developers to view all request data. They just won’t be able to block the request and change it (I.e block content from loading)
I would believe this more if Mv3 didn’t allow extensions to inspect all web requests programmatically, just not block them. Want to exfiltrate your users’ data to attack or track them? Fine. Want to block ads. No way!
reply