HanByte

Understanding Google Chrome’s Manifest V3

Google Chrome is a cross-platform web browser developed by Google in 2008 for accessing the World Wide Web and running web-based applications, and it currently dominates as the most popular web browser with a 65.84% market share. Chrome extensions are one of the browser's most beloved and widely used features; they solve many use cases, add specialized features, and make the browser a better experience for users. Chrome extensions later introduced a permissions model to define what information and resources installed extensions could access, and also provided sandboxed extensions in separate processes for additional security. The extension developer community, along with a strong user base that downloads millions of extensions daily, is holding its breath over the announced changes to the Chromium browser infrastructure.

What’s new with V3

In 2018, Google outlined a plan for “Trustworthy Chrome Extensions, by default” as part of Manifest V3 in an attempt to refocus extension improvements on security, performance, and privacy. Manifest is an application programming interface (API) that governs how Chrome extensions interact with the browser. Currently, Chrome employs Manifest V2, which gives the browser information about the extension, such as its important files or capabilities.

Google’s plan to refocus involves limiting the extension platform to enable more performant extensions. Google claims, “The specific course we’re steering focuses on improvements to security, performance, and privacy — while preserving or extending the capability of extensions and keeping a webby developer experience,” but the Electronic Frontier Foundation (EFF) characterizes Manifest V3 as “Deceitful and Threatening”. The EFF states that Manifest V3 “will restrict the capabilities of web extensions — especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit.”

In Manifest V2, browser extensions use code in the cloud, with the downloaded extension acting as a bridge between that code and the browser. Manifest V3 will require every extension to contain all the code it is going to run, which gives Google the power to scan for and detect potential risks, and will force the extension to request permission from Google for changes that can be made on the browser. Though banning remote code is a great idea for security, changing the guidance to break the functionality of third-party extensions isn’t in the developers’ or the users’ best interest. It is important to know, however, that Google is known as the world’s largest and leading advertising company, with $168.44 billion in revenue in 2021.

Manifest V3’s biggest impact would be on ad blockers and other extensions that prevent websites from collecting and using data. Ad-blocking technology such as TotalAdBlock, AdGuard, and uBlock Origin, which prevents online ads from loading on visited pages and helps protect against malvertising (malicious advertising that injects malicious code into digital ads), will be crippled by Chrome’s new API requirement.

Ad blockers work by denying specific categories of HTTP requests using a browser event-listening API called webRequest. webRequest is used to observe traffic between the browser and the website and to modify or block requests to certain domains on the fly. Google’s rationale is that the same API used to block requests to data collectors such as trackers, malware, and ads can be used to hijack users’ login credentials or insert a botnet: the extensions have too much control.

Under Manifest V3’s specification, the webRequest API would be completely replaced with the declarativeNetRequest API, which forces rules about how traffic should be handled to be specified in advance, with a narrower set of actions. The declarativeNetRequest API would allow a static, limited list of 30,000 URLs to block, a measly amount compared to the 300,000 dynamic filtering rules that uBlock Origin is installed with. Raymond Hill, creator of uBlock Origin, has published an experimental version that relies on Manifest V3 called “uBO Minus”; Hill’s conclusion is that Chromium’s vision results in subpar content-blocking extensions.
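To make the difference concrete, the following added example (not code from uBlock Origin, Google, or this blog) expresses one block list both ways: as a webRequest-style function that decides per request, and as declarativeNetRequest-style rule data limited by the 30,000 figure quoted above. The filter lines, the `.test` domains, the helper names, and the chosen `resourceTypes` are constructed for illustration.

```javascript
const STATIC_RULE_CAP = 30000; // figure quoted in the article

// Constructed sample filter list (not taken from a real blocklist).
const SAMPLE_FILTERS = [
  "! constructed comment line",
  "||ads.example.test^",
  "||tracker.example.test^",
  "||ADS.example.test^",       // duplicate after lowercasing
  "example.test##.banner",     // cosmetic filter: no network rule equivalent
];

// Extract unique domains from "||domain^" lines; count everything else.
function parseDomains(lines) {
  const domains = new Set();
  let unsupported = 0, duplicate = 0;
  for (const raw of lines) {
    const line = raw.trim();
    if (!line || line.startsWith("!")) continue;
    const m = /^\|\|([a-z0-9.-]+)\^$/i.exec(line);
    if (!m) { unsupported++; continue; }
    const d = m[1].toLowerCase();
    if (domains.has(d)) duplicate++; else domains.add(d);
  }
  return { domains: [...domains], unsupported, duplicate };
}

// MV2 style: code runs per request and returns a verdict ({cancel: true} blocks).
function webRequestVerdict(url, domains) {
  const host = new URL(url).hostname;
  return { cancel: domains.some(d => host === d || host.endsWith("." + d)) };
}

// MV3 style: rules are data declared in advance; the browser does the matching.
function toStaticRules(domains, cap = STATIC_RULE_CAP) {
  const rules = domains.slice(0, cap).map((d, i) => ({
    id: i + 1, priority: 1,
    action: { type: "block" },
    condition: { urlFilter: `||${d}^`, resourceTypes: ["script", "image", "xmlhttprequest", "sub_frame"] },
  }));
  return { rules, dropped: Math.max(0, domains.length - cap) };
}

// Inside an MV2 extension only (guarded so the file also runs under Node).
if (typeof chrome !== "undefined" && chrome.webRequest) {
  const { domains } = parseDomains(SAMPLE_FILTERS);
  chrome.webRequest.onBeforeRequest.addListener(
    details => webRequestVerdict(details.url, domains), { urls: ["<all_urls>"] }, ["blocking"]);
}
```

The `dropped` count is what a list maintainer would watch: every domain past the cap is one the browser never blocks, whereas the per-request function has no such ceiling.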

V3 and Beyond

The Manifest V3 rollout was scheduled to begin in January 2023, with the Chrome Web Store no longer allowing Manifest V2 extensions to be found in any channel by June 2023. Fortunately, as of December 09, 2022, the timeline for Manifest V3 has been postponed, with more updates on the Manifest V2 phase-out plan expected in March 2023. Chrome users have been given more time, but it is probably in their best interest to find a different solution.

Many security experts, like the EFF and TechRepublic, suggest jumping ship and migrating to a non-Chromium browser. Other Chromium browsers that would adopt Manifest V3 include Microsoft Edge, Opera, and Vivaldi. Firefox and Safari have been the recommendation: Firefox has announced it would support Manifest V3 for compatibility but would continue to support the webRequest API and Manifest V2, allowing ad blockers to operate to their full potential. Apple Safari has introduced support for Manifest V3, but has not determined whether it would drop support for Manifest V2 because it has not supported webRequest blocking for years. Another solid solution would be to install Pi-hole, a Linux network-level advertisement and Internet tracker blocking application that acts as a DNS sinkhole and would protect all devices (including smartphones) on the network. Since it can only block at the domain level, it cannot block first-party ads, but it would still be a viable solution for loyal Chromium users.