Privacybadger: Will the proposed Manifest V3 changes to Chrome break Privacy Badger?

Created on 23 Jan 2019  路  7Comments  路  Source: EFForg/privacybadger

https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/

Chrome high priority question task
Source
picture zikalify
👍4

Most helpful comment

An overview of the Manifest V3 proposal's impact upon Privacy Badger

Privacy Badger is a browser extension that automatically learns to block invisible trackers.

Instead of keeping lists of what to block, Privacy Badger learns by watching which domains appear to be tracking you as you browse the Web. Privacy Badger sends the Do Not Track signal with your browsing. If trackers ignore your wishes, your Badger will learn to block them. Privacy Badger starts blocking once it sees the same tracker on three different websites.

The Manifest V3 proposal thoroughly breaks this description. It appears that Privacy Badger will no longer be able to dynamically learn to block trackers, report what it blocked on a page, block cookies from being set or sent, strip referrer headers, nor properly support EFF's Do Not Track policy.

If you remove what makes Privacy Badger unique, replacing it with basic list-based blocking, what are you left with?

Replacing persistent background pages with ServiceWorkers

A non-persistent event-driven background page does not work well for extensions that need to keep ephemeral state.

  • Privacy Badger maintains per-tab data that includes things like which third-party domains were detected and/or blocked on the page.
  • It may be possible to continuously save and restore state from storage as a workaround, but this runs counter to the stated performance goals of moving away from persistent background pages. It seems that persistent background pages are a much better fit for certain (stateful) types of extensions.
  • As Privacy Badger requires the webRequest API (more on this below), a persistent background page is required as per Chrome extension docs:
>The webRequest API is incompatible with non-persistent background pages.

There are likely other issues (will a ServiceWorker background page support functioning in Incognito contexts, which is essential for privacy and security extensions?), but they are eclipsed by the fundamental mistake of trying to shoehorn stateful extensions into an exclusively event driven model.

Restricting origin access / Manifest Host Permission Specification

Making users confirm extension access (host_permissions) does not seem to make sense for general-purpose content blocking (adblocker/privacy/security) extensions. Outside of edge cases (for example, a Facebook.com-specific extension), content blockers need access across all URLs. Redundantly prompting users for permission to run these scripts (on top of the existing notification users see when initially installing Privacy Badger) will be unhelpful and confusing.

As Chrome extension docs for permissions state:

Use required permissions when they are needed for your extension鈥檚 basic functionality.

Dynamic Content Scripts

Many of Privacy Badger's content scripts need to run on all pages in order to do things like detect localStorage-based tracking and canvas fingerprinting, or deny JavaScript access to cookies and localStorage to "yellowlisted" third-party domains.

It would be great to finally have dynamic, before-anything-else injection of content scripts (https://crbug.com/478183). However, as per the host_permissions note above, it doesn't make sense to make users have to re-confirm this access via permission dialogs.

WebRequest

Removing "blocking" (synchronous request/response interception) from webRequest will break core Privacy Badger functionality.

The declarativeNetRequest API is an entirely inadequate replacement as it supports onBeforeRequest blocking and redirection only (not header/body inspection or modification), and seems to support (a limited number of) hardcoded rules only.

  • Privacy Badger needs to dynamically create rules.
  • Privacy Badger's rules interact with each other. A request that would be blocked may be overriden to "cookie-blocked" instead by the user, or it may be registered as a DNT-compliant domain and thus allowed.
  • Rules need to be further qualified by things like whether the request/response domain is third-party to the top-level document.
  • Privacy Badger needs to report what it did (blocked, etc.) on a page.
  • Privacy Badger needs to be able to modify content headers (block cookies, strip referrers, perhaps modify ETag headers, ...).
  • Privacy Badger would benefit from being able to modify response bodies like WebExtensions can in Firefox. The webRequest API should be gaining, not losing functionality.
  • Privacy Badger needs to encourage privacy-respecting ads by continuing to enforce the EFF Do Not Track policy. This means Privacy Badger needs to continue being able to check blocked domains for declarations of DNT compliance.

The above is not meant to be an exhaustive list. The point is that it is a fundamental mistake to try to shoehorn all content intercepting extensions into the limited-by-design declarative model.

picture ghostwords on 29 Jan 2019
👍46

All 7 comments

It's not entirely clear yet, but at this point it seems that the changes proposed in the Manifest V3 document are made to support basic list-based blockers only. It's not clear how Manifest V3 would allow for more complex extensions like uBlock Origin, uMatrix, or Privacy Badger. I would like to learn more about this situation from Chromium developers.

ghostwords picture ghostwords on 23 Jan 2019

Devlin writes:

Our goal is not to break extensions. We are working with extension developers to strive to keep this breakage to a minimum, while still advancing the platform to enhance security, privacy, and performance for all users.
...
The most helpful feedback for us is the exact cases that this would impact, their importance, and the reasons they are impossible through either the declarative API or through other extension APIs.

ghostwords picture ghostwords on 28 Jan 2019

An overview of the Manifest V3 proposal's impact upon Privacy Badger

Privacy Badger is a browser extension that automatically learns to block invisible trackers.

Instead of keeping lists of what to block, Privacy Badger learns by watching which domains appear to be tracking you as you browse the Web. Privacy Badger sends the Do Not Track signal with your browsing. If trackers ignore your wishes, your Badger will learn to block them. Privacy Badger starts blocking once it sees the same tracker on three different websites.

The Manifest V3 proposal thoroughly breaks this description. It appears that Privacy Badger will no longer be able to dynamically learn to block trackers, report what it blocked on a page, block cookies from being set or sent, strip referrer headers, nor properly support EFF's Do Not Track policy.

If you remove what makes Privacy Badger unique, replacing it with basic list-based blocking, what are you left with?

Replacing persistent background pages with ServiceWorkers

A non-persistent event-driven background page does not work well for extensions that need to keep ephemeral state.

  • Privacy Badger maintains per-tab data that includes things like which third-party domains were detected and/or blocked on the page.
  • It may be possible to continuously save and restore state from storage as a workaround, but this runs counter to the stated performance goals of moving away from persistent background pages. It seems that persistent background pages are a much better fit for certain (stateful) types of extensions.
  • As Privacy Badger requires the webRequest API (more on this below), a persistent background page is required as per Chrome extension docs:
>The webRequest API is incompatible with non-persistent background pages.

There are likely other issues (will a ServiceWorker background page support functioning in Incognito contexts, which is essential for privacy and security extensions?), but they are eclipsed by the fundamental mistake of trying to shoehorn stateful extensions into an exclusively event driven model.

Restricting origin access / Manifest Host Permission Specification

Making users confirm extension access (host_permissions) does not seem to make sense for general-purpose content blocking (adblocker/privacy/security) extensions. Outside of edge cases (for example, a Facebook.com-specific extension), content blockers need access across all URLs. Redundantly prompting users for permission to run these scripts (on top of the existing notification users see when initially installing Privacy Badger) will be unhelpful and confusing.

As Chrome extension docs for permissions state:

Use required permissions when they are needed for your extension鈥檚 basic functionality.

Dynamic Content Scripts

Many of Privacy Badger's content scripts need to run on all pages in order to do things like detect localStorage-based tracking and canvas fingerprinting, or deny JavaScript access to cookies and localStorage to "yellowlisted" third-party domains.

It would be great to finally have dynamic, before-anything-else injection of content scripts (https://crbug.com/478183). However, as per the host_permissions note above, it doesn't make sense to make users have to re-confirm this access via permission dialogs.

WebRequest

Removing "blocking" (synchronous request/response interception) from webRequest will break core Privacy Badger functionality.

The declarativeNetRequest API is an entirely inadequate replacement as it supports onBeforeRequest blocking and redirection only (not header/body inspection or modification), and seems to support (a limited number of) hardcoded rules only.

  • Privacy Badger needs to dynamically create rules.
  • Privacy Badger's rules interact with each other. A request that would be blocked may be overriden to "cookie-blocked" instead by the user, or it may be registered as a DNT-compliant domain and thus allowed.
  • Rules need to be further qualified by things like whether the request/response domain is third-party to the top-level document.
  • Privacy Badger needs to report what it did (blocked, etc.) on a page.
  • Privacy Badger needs to be able to modify content headers (block cookies, strip referrers, perhaps modify ETag headers, ...).
  • Privacy Badger would benefit from being able to modify response bodies like WebExtensions can in Firefox. The webRequest API should be gaining, not losing functionality.
  • Privacy Badger needs to encourage privacy-respecting ads by continuing to enforce the EFF Do Not Track policy. This means Privacy Badger needs to continue being able to check blocked domains for declarations of DNT compliance.

The above is not meant to be an exhaustive list. The point is that it is a fundamental mistake to try to shoehorn all content intercepting extensions into the limited-by-design declarative model.

ghostwords picture ghostwords on 29 Jan 2019
👍46

It looks like Google might be backtracking on this:

https://www.zdnet.com/article/google-backtracks-on-chrome-modifications-that-would-have-crippled-ad-blockers/

https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/WcZ42Iqon_M

Jab2870 picture Jab2870 on 21 Feb 2019

Related: Eloston/ungoogled-chromium#706.

pipboy96 picture pipboy96 on 17 Mar 2019

鈿狅笍 UPDATE: Blocking capabilities of webRequest are still being deprecated, see https://github.com/uBlockOrigin/uBlock-issues/issues/338#issuecomment-495936668 (original post deleted) and commentary by @gorhill: https://github.com/uBlockOrigin/uBlock-issues/issues/338#issuecomment-496009417.

Thanks @Giltyhub for update!

pipboy96 picture pipboy96 on 1 Jun 2019

See the issue in HTTPS Everywhere's repository for statements recently made by browser vendors: https://github.com/EFForg/https-everywhere/issues/17268.

pipboy96 picture pipboy96 on 7 Sep 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

apehex picture apehex  路  4Comments
iamlukeallen picture iamlukeallen  路  5Comments
cowlicks picture cowlicks  路  4Comments
tophtophtoph64 picture tophtophtoph64  路  4Comments
BlackRabbit22 picture BlackRabbit22  路  5Comments