> Google is planning to restrict modern ad blocking Chrome extensions to enterprise users only
> the software giant is not backing down: It says the only people that can use ad blockers following the change will be Google’s enterprise users.
> Google sent me a statement by email, which reads: "Chrome supports the use and development of ad blockers. We’re actively working with the developer community to get feedback and iterate on the design of a privacy-preserving content filtering system that limits the amount of sensitive browser data shared with third parties."
These can't all be true. Which is it?
The last one sounds weasel-wordy to me: it might be saying that they want to allow people to block targeted ads and see random ones instead, which is obviously not ad-blocking and would make "Chrome supports the use and development of ad blockers" a bald-faced lie.
They have implemented a system that works on rulesets similar to those used in AdBlock Plus (with whom Google has a business relationship). Rather than allow extensions to examine web requests they have to provide matching rules for the content to be blocked, and the browser engine will block requests that match those rules.
The implementation breaks the model of the most effective blockers like uBlock Origin, which are able to inspect every request and block it based on a much more comprehensive set of factors. The claim they are making is that allowing extensions to inspect web traffic makes them vulnerable to abuse by bad actors who can, for example, offer an innocuous extension then later turn it effectively into a keylogger. There are numerous better solutions to this problem that don't require breaking blockers like uBO, but this choice seems to tick a large number of boxes for decisions that benefit Google and their partners at the expense of their users. And the "Enterprise users" part (which really seems to belie the stated reasoning) was only abounded after it became clear that there was a backlash against this terrible decision.
Google isn't banning any ad blockers directly. They're just deprecating an API which many major ad blockers use, and the replacement API is different enough that those ad blockers can't be ported to it. They claim that the deprecation is about security and performance.
In particular, I don't think it's true that Google said "only people that can use ad blockers following the change will be Google’s enterprise users".
> They claim that the deprecation is about security
I mean, it kind of obviously is. Giving random extensions downloaded from the internet access to the URLs of every request ever made by the browser is a pretty insane security hole.
My impression is that other browsers (Safari) already removed this kind of API, or never had it in the first place.
As far as I can tell, they're not deprecating the API allowing extensions to snoop, only the piece that lets an extension say "don't process that request until I tell you it's okay". (In the design doc's terms, they're deprecating only the blocking version of webRequest.)
> Giving random extensions downloaded from the internet access to the URLs of every request ever made by the browser is a pretty insane security hole.
The observer APIs will still be enabled in V3 and extensions will still be able to access that list.
There is a valid case to be made that we should rethink the extension security model, but the V3 manifest doesn't address of any of its biggest problems. It's gimping the parts that enable you to block requests, but extensions will still be able to other spy on you the same way they already can today.
> the software giant is not backing down: It says the only people that can use ad blockers following the change will be Google’s enterprise users.
> Google sent me a statement by email, which reads: "Chrome supports the use and development of ad blockers. We’re actively working with the developer community to get feedback and iterate on the design of a privacy-preserving content filtering system that limits the amount of sensitive browser data shared with third parties."
These can't all be true. Which is it?
The last one sounds weasel-wordy to me: it might be saying that they want to allow people to block targeted ads and see random ones instead, which is obviously not ad-blocking and would make "Chrome supports the use and development of ad blockers" a bald-faced lie.