There’s a growing split over how much room browsers should leave for ad blocking — and Chrome and Firefox have ended up on opposite sides of the fight. Mozilla will let extensions use the most privacy-preserving blocking techniques on network traffic.
The rupture is centered on Web Request, commonly used in ad blockers and crucial for any system that looks to block off a domain wholesale.
Google has long had security concerns about Web Request and has worked to cut it out of the most recent extension standard, called Manifest V3, or MV3 for short. But, in a recent blog post, Mozilla made clear that Firefox will maintain support for Web Request, keeping the door open for the most sophisticated forms of ad blocking.
Privacy advocates have roundly criticized Google’s strategy — the Electronic Frontier Foundation has been a vocal opponent — but the search company hasn’t been swayed. Moreover, though Firefox has a far smaller share of the desktop marketplace than Chrome, it could be a chance for Mozilla’s product to define itself. For Google, though, sticking with MV3 will significantly impact the overall role of ad blocking on the modern web.
The changes in Manifest V3 are part of a planned overhaul to the specification for Chrome’s browser extension manifest file, which defines the permissions, capabilities, and system resources that any extension can use.
Under the currently active specification — Manifest V2 — browser extensions can use an API feature called Web Request to observe traffic between the browser and a website and modify or block requests to specific domains. The example Google provides for developers shows an extension script that would block the browser from sending traffic to “evil.com”:
The Web Request feature is powerful and flexible and can be used for good and bad purposes. For example, ad-blocking extensions use the part to block incoming and outgoing traffic between certain domains and a user’s browser.
In particular, they block domains that will load ads and stop information from being sent from the browser to any of the thousands of tracking domains that collect data on internet users. But the same feature can be used maliciously to hijack users’ login credentials or insert extra ads into web pages. So it has been Google’s rationale for changing its functions in Manifest V3.
Under the new specification, the blocking version of the Web Request API has been removed and replaced with an API called Declarative Net Request. Instead of monitoring all data in a network request, the new API forces extension makers to specify rules in advance about how certain types of traffic should be handled, with the extension able to perform a more narrow set of actions when a rule is triggered.
It won’t be a problem for some extensions: Adblock Plus, one of the most popular ad blockers, has come out in favor of the MV3 changes — though it’s worth noting that the extension has a financial relationship with Google. Others, however, may be more severely impacted.
Google has presented the changes as a benefit to privacy, security, and performance. Still, critics see it as a calculated effort to limit the impact of ad blocking on a company that is almost entirely funded by ads.
But the creators of some ad blocking and privacy-protecting extensions have said the change will undermine the effectiveness of their products. Jean-Paul Schmetz, CEO of the privacy-focused browser extension Ghostery, took particular aim at Google’s imposition of the MV3 standard in light of the company’s recent statements on protecting privacy:
“While Google is pushing a ‘privacy by design’ message on the surface, it’s still asserting a monopoly over the entire ecosystem by stifling digital privacy companies that are already working to give users back control of their data,” Schmetz stated.
The Ghostery extension is a prime example of a product that would be seriously affected by Google’s changes. Besides blocking ad content, the extension analyzes communications between a website and a user’s browser to look for data that could unintentionally identify a unique site visitor and replaces it with generic data before the network traffic leaves the browser. Doing this requires the ability to modify web traffic on the fly and, as such, will be severely curtailed by the MV3 restrictions, the developers say.
Ad blocker developers are also concerned because the impacts of those changes will reach far beyond the Chrome browser. The MV3 spec is part of the Chromium project, an open-source web browser created by Google that forms the basis of not only Chrome but also Microsoft Edge, the privacy-focused Brave, the lightweight browser Opera, and many others.
Since Chromium underpins these projects, browsers that depend on it will eventually have to migrate to the MV3 extension format, and extensions for those browsers will then no longer be able to do ad blocking using Web Request.
As the primary developer of Chromium, Google exerts a tremendous amount of power over what browser extensions can and can’t do. It sets apart browsers not based on Chromium — notably Firefox and Safari — because they have a chance to take a different approach to extension design and are now in a position to distinguish themselves with a more permissive approach to ad blocking.
For compatibility reasons, Mozilla will still use most of the Manifest V3 spec in Firefox, so extensions can be ported over from Chrome with minimal changes. But, crucially, Firefox will continue to support blocking through Web Request after Google phases it out, enabling the most sophisticated anti-tracking ad blockers to function as expected.
In justifying that decision, Mozilla has recognized that privacy is a core value for people who use its products, as chief security officer Marshall Erwin stated.
“We know content blocking is important to Firefox users and want to ensure they have access to the best privacy tools available,” Erwin said. “In Firefox, we block tracking by default but still allow advertisements to load in the browser. If users want to take the additional step to block ads entirely, we think it is important to enable them to do so.”
As for Google’s claims about the security benefits of its MV3 changes, Erwin said that immediate security gains from preventing Web Request blocking were “not obvious.” Especially since other non-blocking features of Web Request had been kept — and didn’t seem to make significant reductions in the likelihood of data leakage.
Regardless, Google seems to be holding a course. Despite the flurry of criticism from ad blocker developers, Google spokesperson Scott Westover stated that the company supported blocking and only intended to limit the data specific extensions could collect.
“We’re happy to see Mozilla supporting Manifest V3, which is intended to make extensions safer for everyone,” Westover said. “Chrome supports and will continue to support ad blockers. However, we are changing how network request blocking works because we are making foundational changes to how extensions work to improve our extensions platform’s security and privacy characteristics.”
Google has heard positive feedback about the changes from many contents blocking extension developers, Westover said to praise from the makers of Adblock Plus.
Firefox’s stance on ad blocking may encourage more users to switch to the browser, which is currently estimated to make up less than 8 percent of the desktop browser market compared to Chrome’s 67 percent.
Once Manifest V2 support ends in June 2023, changes in functionality will become more apparent to users of any Chromium-based browser. Until then, Mozilla will patiently make a privacy case, even if you sometimes have to look for it deep in a specialist blog.