Google is planning to change the way extensions integrate with its Chrome browser. The company says that the changes are necessary for and motivated by a desire to crack down on malicious extensions, which undermine users’ privacy and security, as part of the company’s continued efforts to make extensions safer. The move also means that popular ad blocking extensions such as uBlock Origin and uMatrix will, according to their developer, no longer work.
The plans, called Manifest V3, are described in a public document. Google is proposing a number of changes to the way extensions work. The broad intent is to improve extension security, give users greater control over what extensions do and which sites they interact with, and make extension performance more robust. For example, extensions will no longer be able to load code from remote servers, so the extension that’s submitted to the Chrome Web store contains exactly the code that will be run in the browser. This prevents malicious actors from submitting an extension to the store that loads benign code during the submission and approval process but then switches to something malicious once the extension is published. In a bid to discourage extensions from asking for blanket access to every site, Manifest V3 also changes the permissions system, so universal access can no longer be demanded at extension install time.
The problem for ad blockers comes with an API called
webRequest. With the current
webRequest API, the browser asks the extension to examine each network request that the extension is interested in. The extension can then modify the request before it’s sent (for example, canceling requests to some domains, adding or removing cookies, or removing certain HTTP headers from the request). This provides an effective tool for ad blockers; they can examine each request that is made and choose to cancel those that are deemed to be for ads.