Google has announced it will shut down Manifest V2 in June 2024 and move on to Manifest V3, the latest version of its Chrome extension specification that has faced criticism for putting limits on ad blockers. Roughly said, Manifest V2 and V3 are the rules that browser extension developers have to follow if they want their extensions to get accepted into the Google Play Store.
Manifest V2 is the old model. The Chrome Web Store no longer accepts Manifest V2 extensions, but browsers can still use them. For now. Manifest V3 is supported generally in Chrome 88 or later and will be the standard after the transition planned to take place in June 2024.
A popular type of browser extensions are ad blockers. Almost all these ad blockers work with block lists, which are long lists of domains, subdomains, and IP addresses that they filter out of your web traffic. These lists are commonly referred to as rulesets. One part of the transition will “improve” content filtering. And to be fair, Google has made some compromises when it comes to the version as it’s now in the planning, compared to what it originally planned to do.
- Originally, each extension could offer users a choice of 50 static rulesets, and 10 of these rulesets could be enabled simultaneously. This changes to 50 extensions simultaneously and 100 in total.
- Extensions could add up to 5,000 rules dynamically which encouraged using this functionality sparingly and made it easier for Google to detect abuse. Extensions can add rules dynamically to support more frequent updates and user-defined rules. But it comes with the risks of phishing or data theft because these “updates” are not checked during the Chrome Web Store review. For example, a redirect rule could be abused to inject affiliate links without consent. But Google has decided that
block
andallow
are not that easily abused so it will allow up to 30,000 rules to be added dynamically.
However, this is still far from enough to fully reach the potential of the best ad blockers we have now. And it’s not just the hard limits on filtering rulesets, there are a lot of other new limits on filtering. Items can’t be filtered based on the response headers or according to the URL in the address bar. Also, extension developers are limited in what regular expressions they can use, along with other technical limitations.
Even if this is not targeted at ad blockers specifically, it’s still a major change that makes blocking requests less flexible. But the bottom line result is that it limits the API that many ad blockers use, and replace it with a less capable one.
Google’s will tell you that by limiting extensions, the browser can be lighter on resources, and Google can protect your privacy from extension developers and calls it “a step in the direction of privacy, security, and performance.” The Electronic Frontier Foundation (EFF) however calls Manifest V3 deceitful and threatening.
“Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks.”
Under the new specifications, browser extensions that monitor and filter the web traffic between the browser and the website will have greatly reduced capabilities. This includes ad blockers and privacy-protective tracker blockers. No real surprise, considering Google has trackers installed on 75% of the top one million websites.
According to Firefox’s Add-on Operations Manager, most malicious extension that manage to get through the security review process, are usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. So in their mind, what would really help security is a more thorough review process, but that’s not something Google says it has plans for.
After looking at the arguments Google used to justify this transition, ArsTechnica came to the conclusion that there’s no justification for arbitrarily limiting the list of filter rules. It says once Manifest V3 happens, Chrome users will be limited to light ad blocker functionality while users will need to switch to Firefox or some other non-limited browser to get the full extension.
Nevertheless, Firefox said it will adopt Manifest V3 in the interest of cross-browser compatibility. And Chrome’s market share will certainly have influenced that decision as well.
Google Chrome Enterprise users with the “ExtensionManifestV2Availability” policy turned on will get an extra year of Manifest V2 compatibility.
If you want to help Malwarebytes get ready for the transition, you can test the beta version of Browser Guard for Manifest V3.
We don’t just report on privacy—we offer you the option to use it.
Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.