Proxy Chrome extensions are not going to be usable in MV3
bugs.chromium.orgI keep seeing sentences like "MV3 is approaching", "when MV3 drops in x months", but the reality is that MV3 is already here and affecting extensions!
New extensions that use MV2 have been prevented from being added to the store since last January [1] and this has already affected some extensions which, as a result, have to be installed manually [2][3]
The time to switch to Firefox is right now.
[1] https://developer.chrome.com/docs/extensions/mv2/
[2] https://github.com/libredirect/libredirect/issues/45#issueco...
The time to switch was yesterday, really. Google controls Chromium (don't kid yourself that it doesn't) and Google's business is ads.
They are fundamentally misaligned with your interests on the net.
Manifest V2 deprecation is likely going to break extensions that inject userscripts, like Tampermonkey [0] and SurfingKeys [1]. The Chrome team has been rather unhelpful. They've promised to add support for power-user tools like these in MV3:
dotproto from the Chrome team commented on May 27 [2]:
> @mon-jai, the short answer is no, I don't have any updates to share. That said, I'll reaffirm that we plan to support userscript managers in Maniest V3 before the Manifest V2 deprecation.
But the deprecation is approaching and the Chrome team hasn't released any more information about this AFAIK. These extensions are going to require large refactors to support MV3 and they can't meaningfully start until the Chrome team elucidates how script injection will work. With MV2 deprecation coming so soon, I worry there won't be enough time.
[0]: Manifest V3: examine the effects · Issue #644 · Tampermonkey/tampermonkey: https://github.com/Tampermonkey/tampermonkey/issues/644
[1]: Migrate to Manifest V3 · Issue #1821 · brookhong/Surfingkeys - https://github.com/brookhong/Surfingkeys/issues/1821
[2]: https://github.com/Tampermonkey/tampermonkey/issues/644#issu...
Hey, I'm that Simeon/dotproto guy!
We discussed Chromium's current plan to support user scripts managers in Manifest V3 during our WebExtensions Community Group (WECG) session at TPAC[1] last week. The notes for that meeting haven't been merged yet, but there's an open PR[2] and when they are they will live here[3].
In short, the current plan in Chromium is to require end users and extension authors to opt into execution of arbitrary scripts via a Chromium UI setting and new permission, respectively. During the meeting Firefox folks raised some questions/concerns about this plan and it's probably best to try to align with them on next steps if possible.
And typing this out is making me realize we don't have a great tracking issue for this in the WECG repo. Just threw together a placeholder issue[4] to track discussion in this area.
[1]: https://www.w3.org/events/meetings/7bbba4a3-8305-45cd-a998-6...
[2]: https://github.com/w3c/webextensions/pull/277
[3]: https://github.com/w3c/webextensions/blob/main/_minutes/2022...
If chunks of functionality are missing from MV3 with no available alternative, if the replacement is really at such an early stage of development like this, it would be silly not to delay mandatory adoption by another year or two. (Including requiring new extensions to be MV3 - from what I'm reading here, it sounds like you're really not ready for that and should undo it.) Please don't be another https://goomics.net/50/. It's so much worse when it happens externally in an ecosystem.
I appreciate you sharing these resources. I would also like to apologize if my original comment was unfairly critical of the Chrome/Chromium Team. I understand MV2->MV3 is a complex and challenging endeavor. I just hope nobody gets left behind!
As a proxy extension developer, this is absolutely maddening. We're forced to choose between auth-less open proxies (bad), or baking in a wacky authentication scheme through a side channel (also bad). MV3 drops in 2.5 months, and will leave tens of millions of proxy extension users unable to use products they paid money for.
This is all on top of the many other issues with MV3 that Google is pushing under the guise of "improving performance".
Does your extension work on Firefox? If yes, have you considered explaining the situation to your users to encourage them to move to Firefox?
Firefox has a much worse history than Chrome when it comes to breaking extensions.
They also have a much longer history than Chrome.
Kinda glad they disallowed the extensions that had near unfettered access to browser internals.
Context for the curious: https://yoric.github.io/post/why-did-mozilla-remove-xul-addo...
Like what? I can't imagine firefox has done anything worse then MV3.
Oh, I don't know, maybe breaking literally all of their extension with the deprecation of XUL?
I'm a happy firefox user, and I'm pretty sure it was the right choice IMO, as firefox is certainly much more stable and fast now than it was before. But it was certainly a very, very rough process and left some very popular extensions broken without alternatives for months and even years before the necessary APIs were added to webextensions to bring them back.
"Breaking all of their extensions with the depreciation of XUL" is one interpretation, another one is that it was needed (of course it was the correct choice!) and there wasn't going to be an easier approach than just ripping the band-aid off. It needed to be done, it's done, and now instead of discussing the larger picture, we're talking about XUL depreciation from Firefox which happened in 2018. So what's your point?
V3 will improve performance of ads division.
Where is EU when you need them with their anti-trust litigation. Google is pulling a 2000s Microsoft.
Google have been doing this for 10+ years and people are only now starting to see it, it seems.
the Microsoft antitrust trial original verdict was reached in 1999 by the way (appeals kept it alive a bit longer, though, into 2001). you are probably referring to the 1990s Microsoft, I imagine.
There is an easy alternative: Use Firefox
these days many website don't work in firefox. And the worst thing is you never know it was firefox that was causing problem. Last time I tried to login verizon it didn't work. Same with many website I can't remember on top of my head.
I still can't leave firefox due to multi containers tho :(
I've found that many times when a site doesn't work in Firefox it's actually extensions causing issues rather than Firefox itself. That being said, there are still compatibility issues from time to time!
I've also seen sites that do not work in Chrome.
that doesn't fix the problem, though.
Doesn't it? Product A is bad, thus use Product B. That's how most of my problems with different products are solved.
What if product B is also bad?
And there's also a product C, D, E but when you check them out you realize they are essentially clones of product A?
Firefox is a legitimate alternative, it works for >99% of the world's websites and is an actual alternative i.e. not a clone of Chrome. I've been using it for nearly the last 5 years full-time and have never needed to open Chrome. I am not sure how one can pretend otherwise, so no, I don't think just saying it's "bad" and ignoring it as an alternative is viable.
Do some Google websites perform worse on Firefox? Sure, but the entire reason that's because people don't use Firefox enough i.e. some websites are worse on Firefox. You just go around and around. If the audience of HN is not able to make that sacrifice (not use some of the GOOG's website) then we deserve the monopoly of Chrome.
Other than that, I also think we need a third alternative for Browsers. Ladybird is in the news these days, and if you're a dev and care about this issue, we should all be contributing to it.
I agree about your clone comment ala Brave, and so on.
> If the audience of HN is not able to make that sacrifice (not use some of the GOOG's website) then we deserve the monopoly of Chrome.
The audience of HN is unlikely to make a difference here.
Besides, we are not some political party who all need to vote in one way together. Each person individually here makes their own choices.
Personally I think making my life harder with pointless sacrifices is not useful. I ask myself, am I making this sacrifice to make myself feel good, or because I actually think it can make a change? In this case, I don't think it would make any difference and it wouldn't make me feel good so there's no utility in using Firefox, for me.
This subject - browser monopoly, and related things like OS or app store monopoly - needs to be tackled with regulation, not personal sacrifices.
> The audience of HN is unlikely to make a difference here.
The audience of HN and devs in large, are the ones who've contributed to the monopoly of Chrome. Us only testing and creating applications for Chrome led to this.
I never said that people don't make their own choice. Of course they do. My point was that if we are going to complain about Chrome, then Firefox is a perfectly fine alternative and is currently the best way to change GOOG's ways is by voting with our feet.
Would regulation be nice? Sure. I doubt it's coming though so for the moment, our only alternative to not living in a ad-infested hellscape is to use Firefox.
no bc they are leveraging monopoly in search to advantage their other products and undermine competition.
im a relatively happy firefox user, but at this point to say mozilla significantly mitigates googles monopoly is as plausible as when microsoft claimed that BeOS somehow mitigated theirs.
Doubtful. I suspect that Google Adsense ads will continue to be blocked post-V3.
You're correct. MV3 blockers work fine against Adsense, as expected.
Blocking is detectable. uB doesnt block, it shims its own version of js.
I'm not sure what you mean.
If you block third party javascript files (e.g. google analytics) other code required for the website to function correctly might fail, since it relies on that third party javascript. So uBlock doesn't block certain javascript files, and instead replaces them by its own version which contains dummy functions that avoid those errors.
OK that doesn't have to do with blocking Google AdSense ads nor does it have to do with proxying so I'm kind of confused.
>OK that doesn't have to do with blocking Google AdSense ads nor does it have to do with proxying so I'm kind of confused.
When a website wants to load an ad, it uses javascript[0]. The website can call a function in the included javascript file and tell AdSense "hey load an ad". If you simply block the JS file the website can break due to trying to call functions that don't exist.
uBlock (supposedly, I haven't verified this) instead of blocking the JS instead replaces it with it's own version. That version just basically says "yeah sure cool" whenever the website tries to display an ad, but doesn't actually do anything.
Oh ok, it's just that AdSense and Google Analytics are two different things, although they can be used together.
Have any of the Chromium forks committed to maintain MV2 into the future? Having functioning extensions while maintaining the other features that people like from the browser could help pull some marketshare from Google Chrome. Probably just dreaming though...
None that I'm aware of but Firefox has committed to maintaining the more powerful MV2 content blocking APIs that Google is removing.
Brave has committed to MV2 but they will need their own store first because the chrome web store is kicking out MV2 extensions. So far, they don’t have their own store.
They have explicitly not committed: https://twitter.com/BrendanEich/status/1534905779630661633
> We could fork them back in at higher maintenance cost. No point in speculating — I don’t write checks of unknown amount and sign them, and Google looks likely to keep V2 support for a year (thanks be to “enterprise”).
Vivaldi has previously promised to find an alternative for v3, but they left it in vague words and haven’t announced an update for this yet. https://vivaldi.com/blog/chromium-ad-blockers-choice/
I checked out both of your sites Windscribe.com and ControlD.com...I will be signing up as a paid customer! Thank you for you this.
Nice, thanks! If you have any question you can always email me at my HN username @ either domain.
This also breaks proxy authentication in very popular extensions like FoxyProxy.
Is there really nowhere else to store Auth information in a synchronous datastore?
For example it looks like you could use a lambda function with the Auth info pre-bound...
One big thing about MV3 is that background script, persistent or not, is no more. You have a web worker that can start afresh at any point, outside your control. So variables assigned asynchronously outside your event handler (which must be registered synchronously at the top level) scope don’t work reliably.
Could you run an auth-free proxy on localhost that in turn forwards traffic to a remote proxy that does require auth? You could have your intermediate proxy expose a local interface for configuration.
This is one of possible solutions, but requires a native app to be installed. Extension would no longer be standalone.
If there is one group of people I will never feel bad for, it's the VPN / proxy vendors.
They've been doing false advertising for years on every channel, making consumers pay for absolutely useless products.
There's absolutely terrible players in the space.
We're also in the space, I don't think we're selling useless products, or falsely advertising.
Our customers use our proxy servers to test applications that use your IP address to show you localized content (IP Location, GeoIP, etc). We're in 80+ countries 250+ locations globally.
Being able to switch your location with a browser plugin makes it just a few clicks, and _much_ faster than switching VPN endpoints. You also get to proxy just your browser traffic (or even just traffic against a few specific domains) rather than all the traffic on your machine. So your Spotify/Slack/Outlook connections can all run normally, and you're only proxying the site you want to test from somewhere else.
This change is terrible for us. Especially so because users flipping around between different proxies is a major use case. A user needing to re-enter their credentials for each unique proxy server is much worse than just once.
How are you planning to adapt to the change?
There are many legitimate use cases of VPN's. Also there are many VPN companies that don't do false advertising such as Windscribe, mullvad or iVPN.
> There are many legitimate use cases of VPN's
Yes of course, but that probably represents less than 10% of the customers (I'm being extremely generous on purpose, it's probably 0.1%) of your usual NordVPN and co.
> don't do false advertising such as Windscribe
"Stop tracking and browse privately" and "block annoying advertisers from stalking you online" proves you wrong. VPNs don't stop trackers.
> don't do false advertising such as Mullvad
"Evade hackers and trackers". Sure.
> don't do false advertising such as iVPN
Hey looks good actually, they indeed don't claim to block trackers or anything else, just change your IP / geolocation.
> Yes of course, but that probably represents less than 10% of the customers.
Lol how did you come up with 10%? Did you just make it up?
> VPNs don't stop trackers.
Windscribe (and other VPN's) can block trackers. https://blog.windscribe.com/how-r-o-b-e-r-t-works-76d6274460...
A huge portion of VPN users do it to get around geo-blocking, which has not been falsely advertised.
> Hey looks good actually, they indeed don't claim to block trackers or anything else, just change your IP / geolocation
Add FoxyProxy to that list of no false advertising, please
VPNs are quite useful in the UK. A fair number of sites are blocked by ISPs for various reasons.
I'm in the UK, almost all the blocked sites are unblocked just by changing DNS servers. No need to give all your data to a ~middleman~ man in the middle for that.
Why will auth-less open proxies be bad?
VPN providers won't be able to verify if a user paid for the service.
Not just VPN providers or other paid services. Open proxies on the internet are bad for everyone.
Authorization and access control are different problems. You can use ssh to create a auth-free SOCKS5 pipe, for example (lots of us do this every day), but that's not an "open proxy" because it's e.g. listening on ::1 or on the internal network interface, etc...
What are the other issues with open proxies?
They are usually hosted by malware installed on a vulnerable system. And if they are SOCKS proxies (vs http proxies), then they can send send spam using the IP address of the infected device.
Cyberattacks use open proxies to amplify the attack/hide their source.
Good old user:pass@ won't work?
A couple hours ago I added a comment to the bug to describe our current plans[1]. TL:DR; you'll be able to use webRequest.onAuthRequired in MV3.
[1]: https://bugs.chromium.org/p/chromium/issues/detail?id=113549...
Looks like we caught someone's attention:
> I'm temporarily restricting comments to keep comments from turning into +1s while this is trending on Hacker News. If you have additional thoughts that you'd like to share with the Chromium team regarding this issue, please return in a few days to leave a comment (and apologies for the inconvenience).
> As a Chromium contributor that shares information about our progress on extensions issues, I sincerely apologize to extensions developers affected by this issue and the broader community for not sharing an update until now. I'm currently working on a "known issues" document for Manifest V3 that touches on several outstanding issues (including this one), but given the attention on this issue now, I'll quickly share our current thinking on this issue.
> We have always intended to provide support for this functionality in Manifest V3 (for both user-installed and force-installed extensions), and have been iterating on different possible approaches. Our tentative plan (which is not yet finalized) is that the Manifest V3 version of this capability will require extensions to request a new permission scoped to intercepting authentication requests, but will otherwise allow extensions to handle these requests in a similar manner to how they do in Manifest V2.
> The permission string and end user facing warning string have not been finalized yet. Also, we have not yet finalized how this new permission will interact with other permission grants, but extensions that currently have the webRequest permission and broad host permissions will likely not require an additional grant for this permission.
> Finally, I want to note that before we can pursue this capability, we first need to resolve issue 1024211 (now formally marked as a blocker). We are actively working on 1024211 and aim to resolve both that issue and this one before January 2023.
https://bugs.chromium.org/p/chromium/issues/detail?id=113549...
What's really maddening is that it's the first comment from Google on that issue for over a year, despite numerous pleas of extension developers to provide guidance as the clock is ticking down.
Chromium team has not commented on this bug with 650+ stars (within top 10 https://bugs.chromium.org/p/chromium/issues/list?sort=-stars... issues) in months
And after they specifically said:
>Sorry no updates yet. Please star the bug if you wish to see this fixed sooner.
Okay Google, we've starred the bug. Please fix now.
I think this is the real story here. Google pretends to be listening to real-world use-cases and user feedback and developing Chromium in the open, but at the end of the day, some manager has decided the millions of people using these extensions aren’t worth supporting, and that’s the end of the conversation.
opensource coming from Google, Amazon, Microsoft, OpenAI or even recent garbage coming from RedHat is just a nice facade. It's broken, it's locked to a platform, often no compiling instructions or out of date by 3 years with multiple bug reports. It's just a marketing move that came from Google early 00s' and then was widely adopted by MS: "Microsoft <3 OpenSouce - Contribute Here (for us for free, we can't be bothered to fix this TOP 10 bug or update documentation)".
It's not really any different for Firefox though is it? In fact it's not really any different for any big open source project. Someone ultimately has the power to decide what features to develop and nothing forces them to listen to their users.
Look at things like Firefox's Pocket integration, or like all of Gnome.
It's not about support, it's a money issue. Adblocking doesn't generate money, so out it goes.
But we are talking about proxy extensions, not ad block extensions.
">Sorry no updates yet. Please star the bug if you wish to see this fixed sooner."
Translation: my manager is blocking this; please star this so have a better chance of changing his mind.
Chromium team replied as of 10 minutes ago to that thread (thanks to HN exposure):
"I'm temporarily restricting comments to keep comments from turning into +1s while this is trending on Hacker News. If you have additional thoughts that you'd like to share with the Chromium team regarding this issue, please return in a few days to leave a comment (and apologies for the inconvenience)."
"As a Chromium contributor that shares information about our progress on extensions issues, I sincerely apologize to extensions developers affected by this issue and the broader community for not sharing an update until now. I'm currently working on a "known issues" document for Manifest V3 that touches on several outstanding issues (including this one), but given the attention on this issue now, I'll quickly share our current thinking on this issue."
"We have always intended to provide support for this functionality in Manifest V3 (for both user-installed and force-installed extensions), and have been iterating on different possible approaches. Our tentative plan (which is not yet finalized) is that the Manifest V3 version of this capability will require extensions to request a new permission scoped to intercepting authentication requests, but will otherwise allow extensions to handle these requests in a similar manner to how they do in Manifest V2."
"The permission string and end user facing warning string have not been finalized yet. Also, we have not yet finalized how this new permission will interact with other permission grants, but extensions that currently have the webRequest permission and broad host permissions will likely not require an additional grant for this permission."
"Finally, I want to note that before we can pursue this capability, we first need to resolve issue 1024211 (now formally marked as a blocker). We are actively working on 1024211 and aim to resolve both that issue and this one before January 2023."
Ohh that's nice. So we're gonna get a fix last week of December, and will have to dev around a new API in a few days, test everything, and release it to millions of users hoping for the best.
Man, Google sucks.
So, they should also delay blocking of MV 2 if they aren't gonna give time to other developers. But nah, chromium team just wanted to block the comments so they don't get bad PR. Google is such a shame these days.
It's cases such as these invalidate the "they're not acting with malice". Thousands of google employees see this stuff, and are clearly being told they can't talk about it.
You haven't applied Hanlon's Razor properly. They're just coordinating incompetence that they find beneficial, not being malicious.
If you are coordinating the incompetence then you are malicious even if the incompetent are not.
Someone in authority said or inferred some version of "don't talk about this, don't get involved". That's malicious.
I think it's more likely that no one wanted to take ownership of it, so no one did.
Sufficiently weaponized incompetence is indistinguishable from malice.
The act of weaponizing incompetence is itself malicious.
Once upon a time many years ago, Chrome was marginally better than Firefox.
That time has long since passed.
I know, I switched from Firefox to Chrome and used it for a couple of years, but Firefox got better and Chrome got worse, so I've been back on Firefox for many years again now.
If Chrome doesn't do what you want or what you like, use Firefox. It does everything Chrome does, and more.
I like Firefox and am a loyal, long term user - used it before quantum kind of loyal - but it is by far the least efficient browser on macOS with M1. In my rough personal testing Brave (based on chromium) is significantly more energy efficient, getting me up to 30% more battery time. I'm not sure why, but it's making it harder and harder to justify sticking with FF.
Bizarre. To me firefox looks like it's falling apart at the seams.
Here's a new profile, just default zoom set to 150% (ublock origin installed system-wide)
https://i.imgur.com/Z3MO8sr.png
https://i.imgur.com/hgscGrb.png
https://i.imgur.com/07QI1IU.png
https://i.imgur.com/owZm12J.png
What is even going on?
Not sure what you are frustrated with (can't read minds), but in my testing, the zoom setting you showed doesn't affect browser chrome, just web pages. Not sure why the rest of your chrome seems oversized, but you may be experiencing a bug. I'd report it.
You can't read minds, that's why I posted screenshots.
Surely you can see the difference between the font sizes for the ublock origin popup, and the enormous fonts on the settings page.
It's totally broken?
That looks expected to me. The zoom setting controls web page zoom.
I give up.
Amusing response.
In any case, I checked out Chromium, and the equivalent setting is labeled "Page zoom" and affects extension popovers as well. As far as I know, extension popovers are not web pages, so your expectation (and Chromium's behavior) seem to be a bug - either in the settings UI, or in the way the zoom setting affects extension popovers.
I just looked at all of those images and I'm not sure what point you're making? The links you shared look about how I would expect them to look at 150% zoom.
Are you saying it has unusual default settings, and that 150% zoom is one of them? For what it's worth in my experience of installing Firefox which are probably done half dozen times in the past year or so on various devices, I haven't experienced anything like this.
Is this a joke?
The only things correctly sized are the page and the hamburger menu.
Do you not see the oversized tab-bar, the tiny icons on the tab-bar and address bar, the tiny ublock origin dialog, and the huge settings page?
I see all of those things, and none of them look unusual. Contrary to your claim, the tab part is not appear oversized but rather a normal size, contrary to your claim the icons also look a normal size, the address bar looks normal size and ublock origin looks the normal size and the settings page looks more or less normal.
It's hard to understand what you think is unusual. Everything in the browser is displayed normally. The page is different because you used a different zoom, and it zoomed the way Page is normally do.
Are you suggesting that the browser tab bar and settings pages should also grow or shrink if you zoom in or out on a particular web page inside of a tab?
I think you're not fully appreciating how unclear you're being with all of this.
I don't see what is so hard to understand.
I run a 150dpi screen.
What the problem with running a "96dpi" application on a 150dpi screen?
The text is overall too small.
What text?
Literally all the text in the entire application is too small.
What do I want?
I want to make the text bigger, so I have an easier time reading it.
Is there an application that does what I want?
Yes, Chrome does what I want.
What does Chrome do?
I set the default zoom level to 150% and it makes all the text bigger.
What text does it make bigger?
It makes all the text bigger, and the icons too.
What's the problem with Firefox?
I set the zoom level to 150% and some of the text is fine, some of it is way too small, some of it gigantic.
Why is that a problem?
I have a hard time reading text that's either too small or too big.
What's the problem with the tab bar?
It's too tall.
What's the problem with the icons?
They're too small!
This is just a you problem?
Surely fucking not. Surely I am not the only person running a web browser above 96dpi (on x11).
Is this a X11 problem?
No, Chrome works fine.
Is this a really complicated problem?
No, making fonts the correct size for comfortable reading isn't complicated.
It's telling that the last action from a google employee on the list was ... removing themselves from the notification list.
Don't worry these same chromium team will remove MV2 in name of security or performance. Modern software development by Google ...
I thought they were pushing it when they announced MV3, which would purposely can ad blockers. But this would finally put the nail to this coffin.
Now I'm even more curious to see how badly Chromium bangles this migration to V3.
I'm also curious as to why big internet advocacy organizations such as the EFF [0] have been quiet on this move.
--
Edit: It appears the EFF has spoken out about this a couple of times.
[0] https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-st...
MV3 sucks and all, but why do you need an extension to set up proxy settings? Is this in lieu of a whole-device VPN?
Yes
I don't know the full scope of consequences and Google's reasoning for this, but I'm going to guess it's either done under the false pretenses of improving performance, or improving security. Could there possibly be a positive outlook for improving ad revenue as well?
Time to settle with Firefox.
2 years without a reply, maybe it's a feature.
Could they be afraid of a surge in proxy Adblock extensions since they are trying to cripple the local ones?
A proxy extension requires rewriting arbitrary requests on the fly, which is removed from V3 as a general capability.
> A proxy extension requires rewriting arbitrary requests on the fly
That is completely incorrect. A proxy extension routes requests through a proxy server. It does not rewrite anything.
OK and presumably it does that by taking a request for an address A and rewriting part of it so that it actually goes to B with some additional headers to indicate how to forward it.
edit: Apparently I've hit my HN rate limit so I can't reply! Thanks Dang.
As for the proxying, obviously something has to rewrite the address that the request is going to. Depending on the type of proxy (ex: HTTP CONNECT) you may also have an x-forwarded-by header set. It sounds like Chrome never allowed you to do this manually, cool TIL.
I mean, you are just completely wrong. It does not rewrite the request. It does not change headers. There is an API that allows the extension to set a proxy server destination:
https://developer.chrome.com/docs/extensions/reference/proxy...
And that API does not change the request, either. That is not how proxying works.
Are proxy extensions just a hook to set the http_proxy?
I always have a hard time with chrome. because where firefox has a config area to set the proxy chrome wants to use an environment variable. so do these proxy extensions fill this missing config gap?
Yes. I can do a per page proxy with extensions which is helpful when doing debugging / mitm.
It looks like they did this on purpose, otherwise they won't ignore such an important issue.
Can someone ELI5 what are proxy extensions? What are they supposed to do?
I use a HTTP/HTTPS proxy in Chrome (and Firefox) to work remotely and access internal things from my work network. The proxy I use has very nice features to allow "auto switching", meaning based on an regex I can use the proxy or go direct. The rules are ordered any way you want them.
The proxy we all use at work is SwitchyOmega. Been using it for years and it's fantastic.
FoxyProxy is another popular one with millions of users.
It's extremely frustrating how Google is ignoring this issue. So much for developer relations.
This type of decision has fully cemented that Google is an advertising company. Every decision they make is to benefit advertisers regardless of how it affects users and developers.
How does this decision benefit advertisers? Honest question.
It greatly restricts how effective ad blockers can be.
Proxy extensions are not the same as adblockers.
Maybe the entire Manifest V3 concept is "Gish Gallop" applied to software design. Create so much of a bag of questionable features that people are just trying to keep up with the nonsense, and hopefully it keeps us divided and unable to actually able to mount a solid response to their (not really buried) real goal, which is to stab at the ad-blocker industry.
It would be interesting to consider their business values on proxies too; while on the abstract level, it dilutes tracking data quality (I don't really live inside a data centre in Stockholm?!), it might improve the value of their more broadly aggregated data (we've seen this user's fingerprint elsewhere, so we can give you a more accurate location than Geo-IP lookup does)
It is used as such by many people, for example those who cannot install a system proxy.
Last time I tried to use onAuthRequired in Chrome I found that it was already broken in some contexts. I think it's pretty clear that Google is on track to phase out extensions completely within the next decade.
Not trying to throw ML at the wall, but could it be used for this problem (considering all other options seem to be failing)?
As far as I understand, after MV3, ad blockers won't be able to use a long list of ads to remove them.
How about using a simple ML algorithm to detect whether the request is a genuine one or an advertisement? I am sure that getting training data wouldn't be too hard (all the ad lists that will get useless after MV3 are good data).
I don't make chrome extensions so I don't completely know how MV3 will cripple ad blockers.
Any feedback would be appreciated!
The point of the change is to go from allowing extensions unfettered access to read, rewrite and exfiltrate everything you request, to forcing them to declare upfront what they will block.
Sure, there are still going to be some work arounds that still allow extensions to read and change what a user sees, but anyone looking at this honestly can see what the intention is.
Throwing ML at this problem doesn't make sense at all as reading and then rewriting requests is exactly what Google doesn't want extensions doing anymore.
btw just like there were enterprise-hacks for Windows v7 to keep it going, manifest v2 will still work if users can be taught to turn on "managed mode" in their Chrome
extends v2 from January 2023 EOL until June 2023
January 2023
Chrome stops running Manifest V2 extensions
Enterprise policy can let Manifest V2 extensions run on Chrome deployments within the organization.
June 2023
Manifest V2 extensions no longer function in Chrome even with the use of enterprise policyThe issue seems to be specifically about authentication of proxies. Something I could never find a good extension for in the past.
What I ended up doing and found to be better is to connect to the proxy over a wireguard IP. I can recommend this solution to individuals and people who don't need granular authentication.
So.. Chrome is too big to fork. Then why don't we make a bare-bones OSS no-DRM browser with only a subset of JS and CSS and promote at the same time an old-school webring of 'virtous' websites.
If it catches on (and it could since it'd be free and fast), maybe some big sites would evolve to advertise themselves as 'virtous'.
I don't get it, Firefox already exists and is a complete OSS reimplementation of everything Chrome does (and works better imo). Only thing to do is convince sites to test more on Firefox. This strategy worked last time around.
I've been using Firefox forever but the problem is - it's now too big. Because it's - like you mention - following Chrome. To stay relevant, FF implements all the bloat Chrome churns out. Even worse, it's tempted to follow Chromes' extension manifest to stay compatible.
So I meant it looks like a lost battle. And it may be better to reboot to a smaller, nifter browser that a small team/community can handle.
edit: and of course cut all ties with Google financing.
Firefox may work great for many people, but it certainly doesn't for me. I finally gave up completely on it late last year.
Firefox gives up 40-60% of the performance of Chrome on my platform, using common browser benchmarks. I don't see Firefox as a substitute good for Chrome. It has much worse performance, worse security, and lacks features I want. Its performance is equivalent to using Chrome on an 8-year-old CPU. The only thing it has going for it is being perceived as counter-cultural, despite the fact that it is 100% funded by Google.
Your claim is that you suffer a _40 to 60_% performance impact by using Firefox from Chrome? Would you like to try that again? I see egregious comments like this of Firefox every so often and I always have to wonder if the last time people making these remarks actually used Firefox was in the pre-Quantum era (assuming one charitable interpretation). To claim that its performance is equivalent to using Chrome on a CPU from 2013 is disingenuous at best.
Firefox is not just perceived as 'counter-cultural', its importance lies in the fact that not using Chrome and similar browsers is also a vote not to support a browser monoculture online.
I invite you to try Safari, Chrome, and Firefox on an Apple Silicon CPU right now. Firefox is the slowest of these by a HUGE margin.
Not only the slowest, it also uses the most energy of all browsers on Mac. Scrolling the old Reddit spikes the CPU to 10x more than Brave.
Something like Ladybird? https://github.com/SerenityOS/ladybird
I think it wants to implement all of JS eventually though.
ES6 why not. But the whole Web API is crazy. Bluetooth ? Barcode ? Geolocation ? What the hell. Let's go back to a documents web.it wants to implement all of JSAlso small JS engines already exist, like QuickJS.
dillo.org
More recently, Ladybird, which was discussed last week: https://news.ycombinator.com/item?id=32809126
Does anyone know when MV3 will be released, or when this will start to impact a large # of users?
MV2 will be disabled by default Chrome in January 2023, and the flag to reenable it will be removed in June
Google’s own top 10 extensions with over 10 million users is still on MV2.
Finally, chromium people have spoken https://bugs.chromium.org/p/chromium/issues/detail?id=113549...
Does this mean that (non-open-proxy) VPNs will no longer be usable on a per-Chrome-profile basis? So one would need to either route all traffic through a VPN at the OS level, or none at all?
You can still authenticate via basic auth popup, but you can’t automate it (UX friendly). There are some workarounds mentioned in the bug comments, but they are workarounds with their own issues.
Does this impact VPN extensions like Hola VPN ?
Hola essentially puts you in a botnet (Luminati/Bright Data), you shouldn't use it.
Yeah, I know :) I just want to know if it affects them, because I hope it does :)
Has someone tried to fix this themselves yet?
may aggressive antitrust legislation compromise their core business and collapse their stock price
I don't want to pile on here but everyone who used Chromium while pretending they weren't supporting google's Chrome monopoly, pretending Chromium was something else, are getting the only outcome that was possible. It was entirely predictable from the start and if you play stupid games you win stupid prizes.
It's not like no one was making warnings about this.
And every time there's a bunch of replies about how great Brave is, and everyone should just use that... Chromium wrapper.
To be honest, I don’t understand why people keep acting like Google has control over Chrome(ium) with some iron fist. It’s dual open license. Microsoft is contributing so many patches that they have a decent amount of sway over it already. If Google ever truly steps over the line, Microsoft will just fork it and everyone will swap their upstream to Microsoft-Chromium..
I don't think Microsoft has any incentives to protect users.
Mozilla only has themselves to blame.
I'm going to repost a previous comment here.
> https://news.ycombinator.com/item?id=32741481
> I used to refuse Chromium for the Same reason.
> But honestly it already happened, Firefox is already irrelevant.
> Mozilla is mis-managed organization that is funded to avoid anti-trust investigations, they dont fully push for privacy because they are afraid of google, do out of touch changes, and focus on political advocacy.
> Compare that to brave, which builds its own independent search engine, ad network, and has privacy by default in its products.
>There is no hope that Mozilla and Firefox will change the status-quo anytime soon, Firefox is losing users at crazy rate, and Mozilla is absolutely failing to do anything to change Firefox's destiny towards irrelevance.
> Brave is almost everything Mozilla should've been.
> Actually do what they sey, no hidden google analytics in their products, no unique ID for each installer downloaded, push for privacy by default and independence from big tech, not being shy from google, because they are their only income.
> I would argue, that if Mozilla wants to turn its course around with their "limited resources" it should drop gecko, and anything irrelevant to the users experience.
> Fork Chromium, the best web engine out there by a mile, and remove any anti-privacy / anticompetitive code, while still taking advantage of the huge development resources directed to chromium from many parties, and maybe Mozilla can also influence Chromium's development.
> Start pushing privacy by default, its the reason brave is gaining users at such a rapid pace, its a browser I recommend to everyone, as just by installing it they already are much more private than with chrome.
> What matters is the users experience, its why brave is growing
I'm out of the loop. I've been using FF for years without any issues across multiple OSes and devices. I plan to continue doing that. I simply don't understand the negative sentiment I see about it, it's served me very well.
The negative sentiment is advertising for brave (an advertising company) to get people to switch to their ad delivery software.
Yeah, when someone disagrees with your opinion, he paid to do so.
Brave ads aren't even enabled by default.
Exactly. Perfect example, thank you.
Brave has publicly declared support for Manifest v2 in perpetuity, no? They even seem to be pondering how to distribute v2 extensions post-sunset in Google Chrome[0]
https://twitter.com/BrendanEich/status/1534893414579249152
> Brave will support uBO and uMatrix so long as Google doesn’t remove underlying V2 code paths (which seem to be needed for Chrome for enterprise support, so should stay in the Chromium open source). Will Google Chrome Web Store really kick them out over V2? We will host if needed.
https://twitter.com/BrendanEich/status/1534905779630661633
> > I’d be interested to hear a plan for Brave on what will happen if upstream removes the code paths needed for pre-v3 ad blockers.
> We could fork them back in at higher maintenance cost. No point in speculating — I don’t write checks of unknown amount and sign them, and Google looks likely to keep V2 support for a year (thanks be to “enterprise”).
I see my misunderstanding, they're specifically maintaining the webRequest interface
> I see my misunderstanding, they're specifically maintaining the webRequest interface
They aren't specifically maintaining anything. Brave's CEO doesn't "write checks of unknown amount[s] and sign them".
I think you're thinking of Firefox.
Maintaining out-of-tree patches for a project as large and quickly-changing as Chromium will be a lot of work. I know someone who worked on Amazon's Silk browser team and they had an engineer (rotation) working working full-time to keep their Chromium fork up to date within Google's upstream. Brave doesn't have nearly the resources that Amazon does.
Yea you've seen it tried in projects like Waterfox and Palemoon and it eventually becomes too much to deal with. (Following the old Firefox addons system that is)
Yeah it's clear that was never going to work -- the whole point of dropping the old addons was making big architectural changes that weren't possible with the old APIs. You can't merge the new architectural changes and the old APIs without running into the issues they were trying to avoid by removing the old APIs in the first place.
There are few projects and companies that do exactly that, including CEF open source project. Perhaps they should join forces and make a joint OpenChromium project.
Someone warned years ago that proxy extensions would no longer be feasible on Chromium? I must have missed that message.
> Someone warned years ago that <insert extremely specific thing>
No, the gp said:
> while pretending they weren't supporting google's Chrome monopoly
Monopoly means Google's interests will be served rather than the user's. This means taking away things that are of value to users / users losing control over features / etc. Like proxy extensions, yes.
Not that explicitly, but many warned about Google abusing their power if it started hitting their profits.
I'm more interested why it isn't possible to just fork the thing and maintain a version that's plugin enabled. Isn't Chromium completely open source?
Especially for Brave, Vivaldi, Opera, etc.
The amount of work it would take to fork Chromium and maintain a working secure browser with MV2 hooks into the browser internals would be so large that you'd need a dedicated team whose job it is to constantly backport upstream Chromium changes and ensure they still work with the old MV2 subsystem. That would take a lot of time and money.
Well you don't need to implement every stupid thing big G thinks should be in it, just the really critical stuff. Even if you freeze all features right now you'll probably still have a better renderer than gecko for 5 years into the future.
I mean right now I bet a lot of people will simply not update to MV3 and continue using the last known MV2 build into perpetuity until certs break or something else. I sure intend to.
Backporting from an entity that is hostile towards MV2 makes me suspect that Google isn't going to play ball and make maintaining an MV2-compatible Chromium fork easy.
>Isn't Chromium completely open source?
No, especially not if you want to watch videos, the DRM plugin is a binary blob that only Google approved browsers get to run.
Then there are all the Google services that will break in unexpected ways in your browser, sometimes just because your user agent isn't identical to Chromes if past reports from Firefox users are any indication. Basically expect to be shit on by the biggest internet giant around at ever possible corner.
Firefox supports all DRM content I have come across, clearly there are ways to implement DRM that don't involve Google.
Depends on the browser and platform. WideVine support on Firefox for Linux is limited, one of the biggest effects of this is that some video platforms refuse to serve up high definition video to Firefox users on Linux. Netflix, for example, will only allow you to watch video at 720p on Firefox for Linux. The existing WideVine support comes directly from Google.
Chrome and Firefox on Windows is also limited to 720p so it's on par. https://help.netflix.com/en/node/23931
Open Addons an Themes, click on Plugins, by default you should see a line that says "Widevine Content Decryption Module provided by Google Inc." . Note the Google Inc. .
Fair, and I didn't know that or had forgotten it, but I think Firefox is still relevant to the parent's comment, and the context of the topic:
> No, especially not if you want to watch videos, the DRM plugin is a binary blob that only Google approved browsers get to run.
So it might be better to say that you don't need to be locked into Google's browser (or a fork of its OS base) in order to consume a wide variety of online content, and you can thus avoid this issue with Chrome extensions entirely. And at least with Firefox it is just a plugin, so presumably could be replaced with a binary blob from someone else if Google's influence became worrisome enough (and I do wonder, isn't it already worrisome enough??).
I mean, if the DRM wasn't a blob it would be open source. Andnif it were open source it wouldn't be DRM...
It could be controlled by a third party that isn't trying to dominate the browser market. And Google already caused issues years ago when it side loaded that plugin on open source distros and initially refused to provide an option to disable this behavior in chromium.
It's possible to have DRM that's open source using cryptography.
Secure DRM requires that your device have keys that are burned-in that you can't access. It's impossible to have an open implementation of a non-broken DRM system.
In addition to what others said, forks are not allowed to use Google services such as Chrome Sync or Translate.
Developer effort.
Don't underestimate the power of spite.
Spite is at times my main source of motivation, and still leaves me physically uncapable of following the rate of breakage of upstream Firefox (i.e. I cant keep my patches up to date), which I'm assuming it's actually a more sensible upstream when compared with Google.
I actually think not - the few third party gecko browsers abandoned ship to webkit/blink/chromium over the years
And the stupid prize is what? You might have to use a different browser? Doesn't seem that serious to me.
The stupid prize is that by the time you decide it's time to use a different browser, Firefox and Safari have been rendered totally unusable by developers only targeting Chrome because that's all they have to do.
I use firefox every day without issue.
I use it every day as my primary browser, but there's definitely been an increase in applications that will not work except on Chrome. It's not text content that's ever the issue, it's SaaS products.
It's your anecdote vs. mine, but this is not my experience. I find that Chrome is better for Google Meet (not surprising.) Other than that FF is fine. In the last 4-5 years have become increasingly similar and easy to support as a developer.
And then you realize all the web sites are optimized for chrome and you have problems using other browsers
google maps is the only site that just didn't work
Out of the ones that you use, maybe (I've actually never had a problem with Google Maps). There are several applications that I have to use for work that either don't work on Firefox or have limited functionality, Slack being one of them (huddles only work in Chromium or in the Electron app).
And it was just a YouTube bug that killed EdgeHTML
As long as there is a different browser, of course.
And what would that different browser be? Aside from Firefox, which has become essentially unusable to me.