Plans to tweak webRequest API could see popular privacy extensions fail
UPDATED Google is pushing ahead with controversial changes to Chrome that would see ad blocker extensions break – unless the user pays for its enterprise package.
The tech giant announced proposals to tweak the Chromium Extensions Platform back in January. The changes would result in ad blockers such as uMatrix and uBlock Origin no longer functioning.
After months of both users and developers voicing their concerns over the move, Google has backtracked slightly – allowing the blocking capabilities to continue working, but for paying clients only.
The previous proposal saw the current webRequest API replaced with declarativeNetRequest as the primary content-blocking API – meaning that these popular extensions built on webRequest will no longer work for all users.
Under new plans, enterprise members will still have access to the blocking capabilities of webRequest API.
A post from Chromium’s Simeon Vincent regarding the Manifest v3 draft (the specification that Google requires developers to adhere to) sheds more light on the update.
He wrote: “Chrome is deprecating the blocking capabilities of the webRequest API in Manifest V3, not the entire webRequest API (though blocking will still be available to enterprise deployments).
“Extensions with appropriate permissions can still observe network requests using the webRequest API. The webRequest API's ability to observe requests is foundational for extensions that modify their behavior based on the patterns they observe at runtime.”
The announcement that only paying customers can access the API, which was arguably buried in the update, was a source of contention across forums.
Not least Raymond Hill, creator of uBlock Origin, who addressed the news on GitHub.
He wrote: “The blocking ability of the webRequest API is still deprecated, and Google Chrome’s limited matching algorithm will be the only one possible, and with limits dictated by Google employees.
“It’s annoying that they keep saying “the webRequest API is not deprecated” as if developers have been worried about this – and as if they want to drown the real issue in a fabricated one nobody made.”
He also criticized Google’s claims that it will deprecate the blocking ability in order to increase speeds.
Hill said: “Web pages load slow because of bloat, not because of the blocking ability of the webRequest API – at least for well-crafted extensions.”
Further casualties
The changes will not only affect ad blockers but other widely-used blocking extensions such as NoScript, which only recently added support for Chrome.
Giorgio Maone, the script blocker’s author, said the plans will greatly affect the extension.
He told The Daily Swig: “It, of course, will affect NoScript as it is, even though I’ve got a Plan B to ensure things keep working when the change will be in effect.
“I will need to make pretty big changes and maintain separate code paths for Chrome and Firefox, which (beside being a lot of extra work) means that there will be more code to maintain, debug, and keep secure. Less code means more security.”
“Adblockers will be much more affected, though, because they rely on huge crowdsourced blacklisting rulesets and, among the things this change does, it limits the size of those rulesets.
“This is a lesser concern for NoScript, which adopts a whitelisting approach (essential to security) and therefore requires minimal rules based on user-specific customizations.”
He also contemplated a migration towards Firefox, adding that he hoped the less-popular browser will stage a “comeback”.
Maone said: “As of Google’s motivations, I’d prefer not to speculate, even though being targeted advertising and tracking their core business it’s very hard not to see a conflict of interest here.
“If they keep going that way, I’m confident and hopeful Firefox has a big chance for a comeback based on trust and respect of end-users’ rights to privacy and customization.”
A Google spokesperson told The Daily Swig: “Chrome supports the use and development of ad blockers. We’re actively working with the developer community to get feedback and iterate on the design of a privacy-preserving content filtering system that limits the amount of sensitive browser data shared with third parties.
“For managed environments like businesses, we offer administration features at no charge.”
This article has been updated to include comment from Google.