Migrating to Manifest v3

(Andrey Vyrvich) #1

Chrome team is actively working on major changes proposed for their extension platform: https://docs.google.com/document/d/1nPu6Wy4LWR66EFLeYInl3NzzhHzc-qnk4w4PX-0XMw8/edit#

Should we expect same updates for Firefox?


(Caitlin Neiman) #2

Hey @avyrvich. We are watching Chrome’s proposals for manifest v3. We do anticipate that we will adopt some of their proposals to maintain compatibility, which we believe will benefit Firefox developers and users. However, we are not committing to implement all aspects of manifest v3, and in fact, we already depart from manifest v2 in several areas where we think it makes sense.

If we do decide to propose changes to our extension framework, we will announce them on the Add-ons Blog.


(Cwbussard) #3

More to the point:
As they currently stand, Google’s proposals for manifest v3 would utterly cripple ad-blocking and other content-blocking extensions. It’s becoming increasingly clear that this is Google’s intended goal, and their final manifest v3 will not meaningfully deviate from that course. If/when Google finalizes a manifest v3 that cripples ad-blocking/content-blocking extensions, will Mozilla follow suit? Can we get an official commitment that Firefox will be retaining the v2 API functions that robust ad-blocking/content-blocking depend upon? (Mostly the fully-featured, blocking version of webRequest, but also several other things.)


(Caitlin Neiman) #4

Like I mentioned earlier, we’re still monitoring Chrome’s manifest v3 proposals. Their recent post indicates that they are still iterating on some of the ideas they would like to implement, including changes that would impact content-blockers.

Regardless of what happens with Chrome’s manifest v3 proposals, we want to ensure that ad-blockers and other similarly powerful extensions that contribute to user safety and privacy remain part of Mozilla’s add-ons ecosystem while also making sure that users are not being exposed to extreme risks via malicious use of powerful APIs.


(Cwbussard) #5

I find this reply disappointing, to say the least.

Google’s recent post can best be described as “fiddling around the edges” without addressing any of the fundamental problems with the manifest v3 proposal. It’s not a serious attempt to address those problems, and that lack of seriousness is one of the things that has led many people, myself included, to be deeply suspicious that Google’s stated rationales are entirely pretextual; that crippling ad-blockers is an intended goal for manifest v3. Your apparent willingness to take Google’s transparent window dressing at face value is troubling.

The notion that the user must be protected from extensions misusing powerful APIs is fundamentally misguided. First and foremost, it’s a betrayal of the principle of USER CHOICE. When I, the user, choose to install, say, uBlock Origin, I’m making a free and knowing choice about what functionality I care most about and about whom I trust. I am choosing to trust Raymond Hill. I trust him far more than the people drafting manifest v3 at Google, and infinitely more than the people behind the deluge of ads and trackers that will surge past the neutered version of webRequest that Google is proposing. And, because I’ve chosen to trust him, I want him to have an API powerful enough to do what he needs to do to serve my interests as reflected in the free choice I have made. Manifest v3 – as originally proposed, as currently proposed, and in any form resembling what’s currently proposed – would take that choice away from the user. Second, neutering the API, thereby crippling legitimate extensions, is not a principled solution to the problem of rogue extensions. The principled solution to the problem of rogue extensions is to do a better job of vetting extensions before admitting them (or updates to them) to the add-ons shop. (E.g., extra vetting for popular extensions, extra vetting for extensions that use powerful APIs, going fully open source as a requirement for using powerful APIs, vetting of updates, requiring an extension that changes ownership/authorship to restart the vetting process from zero.) The bottom line is this: Respect user choice. Users should be free to choose the pair {powerful content blocking, risk of trusting extension author} over crippled content-blocking if that’s their free and knowing decision.

It’s no doubt clear that I don’t believe this is really about rogue extensions. But I’m willing to pretend for a moment that it is. If that’s really, truly the concern here, then I propose this: (a) Retain the powerful v2 API functions that ad-blocking/content-blocking extensions depend on. (b) Implement Google’s neutered v3 functions in parallel with the v2 functions. (c ) Any time a user attempts to install or update an extension that uses the v2 functions, present her or him with the biggest, scariest pop-up warning in the history of pop-up warnings. Have big, bold, underlined, flashing text explaining that the extension is requesting unusually extensive powers that would enable it to totally compromise the user’s security and privacy, and that the user should only continue of they completely trust the extension. Maybe even suggest they stop and do some research before making the trust decision. Make them type “I understand the risk” before enabling the OK button. There. The user retains freedom of choice, while being pointedly informed of the gravity of that choice. User choice, and also user responsibility – it’s not Mozilla’s fault if we’re dumb enough to trust a dodgy extension after that warning. At the same time, the obnoxious pop-up will drive all legitimate extensions that don’t need the more powerful API over to the neutered v3 functions, leaving behind a smaller pool of targets for extra vetting.

1 Like


Amen to the above post! Excellent suggestions as well. :+1:

Firefox is all about having the choice to improve one’s user experience with powerful add-ons, contrary to other browsers which seem to have different goals. I also use uBlock Origin and uMatrix with GREAT satisfaction. These add-ons increase my safety and privacy on the web and have enough credibility for me to give them the necessary API permissions. In the same league: NoScript, Privacy Badger etc.

But from @caitmuenster’s latest post I am confident that Firefox will divert from Chrome’s v3 manifest when necessary to preserve the abilities of our beloved add-ons, as it has done in the past. Preserving the editing/blocking features of the webrequest API seems crucial to me (not only for adblockers but for other powerful add-ons as well), with a decent warning if needed.