Mozilla will let extensions use the most privacy-preserving blocking techniques on network traffic
There’s a growing split over how much room browsers should leave for ad blocking — and Chrome and Firefox have ended up on opposite sides of the fight.
The rupture centers on a feature called Web Request, commonly used in ad blockers and crucial for any system that looks to block off a domain wholesale. Google has long had security concerns about Web Request and has worked to cut it out of the most recent extension standard, called Manifest V3, or MV3 for short. But, in a recent blog post, Mozilla made clear that Firefox will maintain support for Web Request, keeping the door open for the most sophisticated forms of ad blocking.
Google’s strategy has been roundly criticized by privacy advocates — the Electronic Frontier Foundation has been a vocal opponent — but the search company hasn’t been swayed. Though Firefox has a far smaller share of the desktop marketplace than Chrome, it could be a chance for Mozilla’s product to really define itself. For Google though, sticking with MV3 will have a huge impact on the overall role of ad blocking on the modern web.
The changes in Manifest V3 are part of a planned overhaul to the specification for Chrome’s browser extension manifest file, which defines the permissions, capabilities, and system resources that any extension can use.
Under the currently active specification — Manifest V2 — browser extensions can use an API feature called Web Request to observe traffic between the browser and a website and to modify or block requests to certain domains. The example Google provides for developers shows an extension script that would block the browser from sending traffic to “evil.com”:
The Web Request feature is powerful and flexible, and it can be used for both good and bad purposes. Ad-blocking extensions use the feature to block incoming and outgoing traffic between certain domains and a user’s browser. In particular, they block domains that will load ads and stop information from being sent from the browser to any one of the thousands of tracking domains that collect data on internet users. But the same feature can be used maliciously to hijack users’ login credentials or insert extra ads into web pages, which has been Google’s rationale for changing how it functions in Manifest V3.
Under the new specification, the blocking version of the Web Request API has been removed and replaced with an API called Declarative Net Request. Instead of monitoring all data in a network request, the new API forces extension makers to specify rules in advance about how certain types of traffic should be handled, with the extension able to perform a more narrow set of actions when a rule is triggered. For some extensions, this apparently won’t be a problem: Adblock Plus, one of the most popular ad blockers, has come out in favor of the MV3 changes — though it’s worth noting that the extension has a financial relationship with Google. Others, however, may be more severely impacted.
Google has presented the changes as a benefit to privacy, security, and performance, but critics see it as a calculated effort to limit the impact of ad blocking on a company that is almost entirely funded by ads. (In its SEC filings, Google consistently cites “new and existing technologies that block ads online” as a risk factor that could affect revenue.)
But the creators of some ad blocking and privacy-protecting extensions have said the change will undermine the effectiveness of their products. Jean-Paul Schmetz, CEO of the privacy-focused browser extension Ghostery, took particular aim at Google’s imposition of the MV3 standard in light of the company’s recent statements on protecting privacy:
“While Google is pushing a ‘privacy by design’ message on the surface, it’s still asserting a monopoly over the entire ecosystem by stifling digital privacy companies that are already working to give users back control of their data,” Schmetz told The Verge by email.
The Ghostery extension is a prime example of a product that would be seriously affected by Google’s changes. Besides blocking ad content, the extension analyzes communications between a website and a user’s browser to look for data that could unintentionally identify a unique site visitor and replaces it with generic data before the network traffic leaves the browser. Doing this requires the ability to modify web traffic on the fly and, as such, will be severely curtailed by the MV3 restrictions, the developers say.
Ad blocker developers are also concerned because the impacts of those changes will reach far beyond the Chrome browser. The MV3 spec is part of the Chromium project, an open-source web browser created by Google that forms the basis of not only Chrome but also Microsoft Edge, the privacy-focused Brave, lightweight browser Opera, and many others. Since Chromium underpins these projects, browsers that depend on it will also eventually have to migrate to the MV3 extension format, and extensions for those browsers will then no longer be able to do ad blocking using Web Request.
As the primary developer of Chromium, Google exerts a huge amount of power over what browser extensions can and can’t do. This sets apart browsers that are not based on Chromium — notably Firefox and Safari — because they have a chance to take a different approach to extension design and are now in a position to distinguish themselves with a more permissive approach to ad blocking.
For compatibility reasons, Mozilla will still use most of the Manifest V3 spec in Firefox so that extensions can be ported over from Chrome with minimal changes. But, crucially, Firefox will continue to support blocking through Web Request after Google phases it out, enabling the most sophisticated anti-tracking ad blockers to function as normal.
In justifying that decision, Mozilla has been clear in recognizing that privacy is a core value for people who use its products, as chief security officer Marshall Erwin told The Verge.
“We know content blocking is important to Firefox users and want to ensure they have access to the best privacy tools available,” Erwin said. “In Firefox we block tracking by default but still allow advertisements to load in the browser. If users want to take the additional step to block ads entirely, we think it is important to enable them to do so.”
As for Google’s claims about the security benefits of its MV3 changes, Erwin said that immediate security gains from preventing Web Request blocking were “not obvious” — especially since other non-blocking features of Web Request had been kept — and didn’t seem to make significant reductions in the likelihood of data leakage.
Regardless, Google seems to be holding course. Despite the flurry of criticism from ad blocker developers, Google spokesperson Scott Westover told The Verge that the company did support blocking and only intended to limit the type of data certain extensions could collect.
“We’re happy to see Mozilla supporting Manifest V3, which is intended to make extensions safer for everyone,” Westover said. “Chrome supports and will continue to support ad blockers. We are changing how network request blocking works because we are making foundational changes to how extensions work in order to improve the security and privacy characteristics of our extensions platform.”
Google has heard positive feedback about the changes from many content blocking extension developers, Westover said, pointing The Verge to praise from the makers of Adblock Plus.
It’s possible that Firefox’s stance on ad blocking will encourage more users to switch to the browser, which is currently estimated to make up less than 8 percent of the desktop browser market compared to Chrome’s 67 percent. Once Manifest V2 support ends in June 2023, changes in functionality will become more apparent to users of any Chromium-based browser. Until then, Mozilla will be patiently making the case for privacy, even if sometimes you’ll have to look for it deep in a specialist blog.