V3 not allowing remote code execution is actually a serious benefit. Of course, this does not negate the fact that V3 is mainly there to boost the ad ecosystem of Google, but I'd never want my screen casting extension to be mining bitcoin in the background. That said, I'm not sure how this is going to scale long term, given that it sometimes takes 2+ weeks for the web store review team to approve a genuine one-line change. Lack of RCE is only going to make this review backlog bigger.
> V3 not allowing remote code execution is actually a serious benefit.
This is Google Kool-Aid. When Google says "remote code", they mean _remote to Google_. Your own script on your own drive is remote to Google. Google is removing User from the User Agent.
Well, in this instance remote code actually means remote. In V3 one can no longer use the tabs.executeScript API [1] in which you could pass an arbitrary server rendered string.
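As an added example (not part of the original comment): a small static check that flags the MV2 patterns this comment refers to, a `tabs.executeScript` call given a `code:` string, plus `eval` and `new Function`. The function names and both sample sources are constructed for illustration.

```javascript
// Sample MV2 background script (constructed): the injected code is a string
// the extension received at run time.
const MV2_BACKGROUND = `
chrome.tabs.executeScript(tabId, { code: serverRenderedString });
const helper = new Function("return 1");
`;

// Sample MV3 equivalent (constructed): chrome.scripting.executeScript takes
// files or a function that ship inside the reviewed package.
const MV3_BACKGROUND = `
chrome.scripting.executeScript({
  target: { tabId },
  files: ["content.js"],
});
`;

const SIMPLE_PATTERNS = [
  { rule: "eval", re: /\beval\s*\(/g },
  { rule: "new-Function", re: /\bnew\s+Function\s*\(/g },
];

// 1-based line number of a character offset.
function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

// Text between a call's opening parenthesis and its matching close.
// Limitation: parentheses inside string literals are counted too.
function callArguments(source, openParenIndex) {
  let depth = 0;
  for (let i = openParenIndex; i < source.length; i++) {
    if (source[i] === "(") depth++;
    else if (source[i] === ")" && --depth === 0) {
      return source.slice(openParenIndex + 1, i);
    }
  }
  return source.slice(openParenIndex + 1); // unbalanced: take the rest
}

function findRemoteCodeSinks(source) {
  const findings = [];
  // tabs.executeScript is only a finding when it is handed a code string;
  // the { file: ... } form runs a script from the package.
  for (const m of source.matchAll(/\btabs\.executeScript\s*\(/g)) {
    const args = callArguments(source, m.index + m[0].length - 1);
    if (/\bcode\s*:/.test(args)) {
      findings.push({ rule: "executeScript-code-string", line: lineOf(source, m.index) });
    }
  }
  for (const { rule, re } of SIMPLE_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ rule, line: lineOf(source, m.index) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

console.log(findRemoteCodeSinks(MV2_BACKGROUND));
console.log(findRemoteCodeSinks(MV3_BACKGROUND));
```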
V3 kills Userscripts (tampermonkey/violentmonkey). You will no longer be able to execute your own code written with your own hands&brain and stored on your own hard drive.
Disallowing remote code by default could be considered a benefit, but disallowing me from saying "I trust this one particular source of remote code; please let it execute" is most definitely not.
> With Manifest V2, it was possible to inject a "Referrer" HTTP header if necessary. With Manifest V3, it's no longer possible.
Not entirely sure of how this is true. A recent V3 extension I've built is able to inject both the "Referer" and "Origin" headers using a declarative net request ruleset:
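The ruleset from this comment is not on the page. As an added example (not the commenter's code): a `declarativeNetRequest` `modifyHeaders` rule that sets both headers, with a local model of its effect and a check for rewrite rules that lack a URL scope. Host names, header values and the helper names are constructed, and the matcher models only the condition fields this rule uses.

```javascript
// Build a rule that sets Referer and Origin on XHR/fetch requests to one domain.
function headerRewriteRule(id, requestDomain, referer, origin) {
  return {
    id,
    priority: 1,
    action: {
      type: "modifyHeaders",
      requestHeaders: [
        { header: "Referer", operation: "set", value: referer },
        { header: "Origin", operation: "set", value: origin },
      ],
    },
    condition: {
      requestDomains: [requestDomain], // keeps the rewrite off every other site
      resourceTypes: ["xmlhttprequest"],
    },
  };
}

// Constructed sample ruleset.
const RULES = [
  headerRewriteRule(1, "api.example.test", "https://app.example.test/", "https://app.example.test"),
];

// A requestDomains entry matches the domain itself and its subdomains.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Local model: request headers after the rules are applied.
// This model requires an explicit resourceTypes list on every rule.
function applyHeaderRules(rules, request) {
  const headers = { ...request.headers };
  const host = new URL(request.url).hostname;
  for (const rule of rules) {
    if (rule.action.type !== "modifyHeaders") continue;
    const c = rule.condition;
    if (c.requestDomains && !c.requestDomains.some((d) => domainMatches(host, d))) continue;
    if (!(c.resourceTypes ?? []).includes(request.type)) continue;
    for (const h of rule.action.requestHeaders ?? []) {
      if (h.operation === "set") headers[h.header] = h.value;
      else if (h.operation === "remove") delete headers[h.header];
    }
  }
  return headers;
}

// Review check: ids of header-rewrite rules with no URL scoping at all.
function unscopedRules(rules) {
  return rules
    .filter((r) => r.action.type === "modifyHeaders")
    .filter((r) => !r.condition.requestDomains && !r.condition.urlFilter && !r.condition.regexFilter)
    .map((r) => r.id);
}

// Inside an extension service worker the rules would be registered like this;
// modifyHeaders rules also need host permissions for the URLs they match.
if (typeof chrome !== "undefined" && chrome.declarativeNetRequest) {
  chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: RULES.map((r) => r.id),
    addRules: RULES,
  });
}
```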
Honestly I hope Google go through with this as it will direct people to Firefox so they can continue using ad-blockers like uBlock Origin.
I don't know how many will come but if Google wants to implode their plugin ecosystem in favour of more advertising, and if that action increases Firefox adoption (and thus a healthy browser ecosystem via competition) then I am for it.
It might be 1%, best case. Most people are just clueless and think loads of ads are normal. Talking to them about ad-blockers usually goes nowhere in my experience. They don't even know what browser they're using; they just click on the Chrome icon and think it's the "internet icon".
I think you are underestimating how annoying ads are. I was in a German forum today on my mobile phone and the ads jumped into view for a second and then jumped back out again while I was scrolling. I can't imagine that anyone puts up with this for long. I thought that most people would stay with inferior adblockers but it only takes a couple of such extremely annoying ads to make it through for you to start googling for an improvement.
> I think you are underestimating how annoying ads are.
I think you're underestimating just how much annoyance the general public will put up with. Look at how popular streaming services are, even though they're constantly removing content. I see people complain about it all the time, but they keep signing up for more services.
There's no need to convince them. Just install Firefox with uBlock Origin on their machine and set it as default. I guarantee they'll enjoy the new and improved web.
Can confirm. I helped my dad switch from a Chromebook to an M1 MacBook Air. He made the comment that it was like going from a moped to a Cadillac. I thought he was talking about how good the Mac is. But he was in fact talking about the fact that I had installed a default browser with ad-blockers.
Yeah. I install uBlock Origin on every browser I come across. Everybody tells me how much better the web is afterwards. Most of the time they can't even articulate why. I know why.
That's the problem: you have to do it for them, without even being asked. They aren't going to ask for it themselves, because they don't even understand that ads can be blocked. So the whole thing depends on these non-technical people having technical family members to do this stuff for them.
If ad blocking really became a significant problem, the next big change I suspect is server-side ad network integration for ad serving.
Architecturally, it is definitely possible to interleave ads from an ad network into your server's http3 response stream by doing server-side ad network integration. Only the measurement needs to be client-side and directly integrated with ad network, if at all.
The same underlying mechanism used for content security policy can be used for ensuring integrity of ad content even when not served directly by the ad network. So, any domain/url/path/extension/dom-id etc based ad blocking mechanism isn't going to work.
Very likely this will result in superior technical performance (latency and measurement), and superior ad performance (due to richer backend data integration and better ad selection). It is just a matter of time.
Quite possibly. Google and the other major players are reluctant to do that because it's much, much harder to do a server side integration solution without compromising user privacy by handing the third party owning that server a lot of intimate knowledge about the ads being served to a customer. Under the current system, your privacy is protected because the only place that integrates your browsing habits and the ads you're seeing is actually your browser.
I'm sure that such intimate server side integration will eventually result in legislative pushback for privacy protection, and the measure-countermeasure game will continue.
I do believe that Google doesn't want ads served through the site that's actually being visited, because it reduces Google's visibility into what's going on, which affects both Google's semi-legitimate interests, like being able to detect click fraud, and Google's total control over information that might be used for targeting.
I also believe that many of the sites don't want that, especially the smaller ones. It'd be more complicated for them to set up, and would mean they needed more bandwidth.
I do NOT believe that Google actually cares enough about user's privacy per se to do much about it. If that were the case, Google itself wouldn't collect about 95 percent of what it actually does collect.
> Google and the other major players are reluctant to do that because it's much, much harder to do a server side integration solution without compromising user privacy by handing the third party owning that server a lot of intimate knowledge about the ads being served to a customer.
They might be able to address this by flipping things around. Instead of the ad service providing ads to the content provider for the content provider to then embed in the content and serve, have the content provider provide content to the ad service which then puts in the ads and serves the content.
Let's say content provider foo.com wants ads from Google. One way this could be done is for foo.com to organize their site so that any pages they want ads on come from content.foo.com. They would set content.foo.com to point to a server run by Google. That server would provide a way for foo.com to put their content there, with some mechanism for Google to do the ad integration and then serve the pages.
In the current status quo, there is a data détente that keeps either solution from happening: advertisers don't want to give third-party websites intimate knowledge of ads vended because they don't want to compromise user privacy (or more cynically: they don't want to give third-party sites so much info about what ads are run to what users that those sites cut out the middle-man and just broker ads to run for users directly). But third-party sites don't want to give intimate details of users of their site to ad companies for symmetrical reasons (Google has dipped its toe into social media before).
If the industry moves to a place where only server-injected ads are profitable, something will surely give here. The end result will be more large conglomerates knowing more about us than ever before, unfortunately.
> If ad blocking really became a significant problem, the next big change I suspect is server-side ad network integration for ad serving.
I'm surprised that's not already the case. Well, not that surprised, it's a business where at least one of the sides is scum and server-side makes it a hell of a lot easier to cheat.
The problem with server side ad insertion as you call it is the lack of accountability.
It gives way too much power to the publisher: they want the ad money and therefore have all the incentives to commit fraud.
At the moment, having the ad distributed by a third party and a ton of other third party JS in the browser allows all parties involved to cross check each other.
The bot problem would be way worse with server side.
We've been really lucky so far that most marketing departments don't seem to interact with the core codebase when it comes to injecting ads, they just get a Tag Manager and can inject as many ads as they like.
Yes, platforms like Cloudflare Workers can be used to inject personalized ads into HTML before it is served to visitors. It's likely to be much cheaper than forgoing cache and processing ads on your web server for every visitor.
I can see that happening and that could be a good way to remove all that JS nightmare and provide better visibility on perf impact, eventually improving overall user-experience.
In the meantime, someone will build an adblocker undoing what has been done server-side. And if this is hard to detect, that will be based on training/model. Data integration will be subject to GDPR.
Sure, but if there was anything I was to believe was a tiny minority of users it would be opting out of telemetry. If they are under 10-20% they won't sway the end result enough to matter, and I really expect they are.
According to many ad networks today just using Firefox is "ad-blocking" because it is not Chrome and is missing Chrome features.
I know I'm satisfied with Firefox built-in Enhanced Tracking Protection, so I don't have an extension installed for "ad blocking", but my problem is not ads but ad trackers. I don't mind "non-personalized, non-targeted" ads and I welcome them in many cases, but I do mind ad trackers and I loathe any attempt at "personalized" ads.
(Though I don't have 0 extensions installed even then, I like Tree Tab Plus and Multi-Account Container. Multi-Account Container is of course another reason the ad networks believe I "block ads" even though I technically do not. It seems better for me that Google, Twitter, and Facebook accounts are never logged in at the same time in the same tab.)
> Mozilla has renewed its lucrative nine-figure deal with Google to ensure its search engine is the default in Firefox in the US and other parts of the world.
...
> Moz will likely pocket $400m to $450m a year between now and 2023 from the arrangement
...
> More than 90 per cent of Mozilla's funding comes from web search providers that pay for the right to be the default search engine in Firefox in their regions. According to the organization's latest financial figures, $430m of its 2018 total revenue of $451m came from those internet giants – primarily Google
Google may try to enforce MV3 on Firefox. 90% of Mozilla's income comes from Google and while Google needs this controlled opposition, they may lower their input to almost-suffocate Mozilla whenever they desire.
Firefox has already announced support for v3, even though it's not implementing the changes to WebRequest that are causing the most heartache, and they will continue to support v2.
They want to have a puppet that makes it look like they're not a monopoly on the market. That doesn't really work if the puppet is so niche that companies stop even supporting it.
That doesn't make sense. If you can control the other person's moves directly like that, then you're clearly a monopoly already. Nobody actually has a choice.
Yeah no, modifying logic of a binary application as large and complex as modern web browsers is slightly more involved than the Discord frontend mods that essentially just tweak some CSS and or HTML and JavaScript.
This. I didn't mean to imply that Discord modding is as easy as Chrome modding. All I meant to say is that people are willing to mod Discord with random .exes so they'd do the same with Chrome.
What about all the people with Chromebooks? If they want to use Firefox, their choices are either doing all of their browsing inside of a container that's itself inside of a VM, taking apart the Chromebooks and removing the developer screw to be able to replace the OS, or buying new computers. I expect approximately 0% of them to do any of those things.
Something else, I meant most people use defaults and are not educated enough to rely on them finding firefox and using it, you have to market it to them.
I imagine you didn't take the time to understand Manifest v3 criticism.
Nobody claims they won't work at all, they'll just be crappier than they are now, which boils down to two reasons: Manifest v3 introduces limits to filter list size + pattern matching isn't as flexible.
And Firefox has stated multiple times so far that they're going to keep current content blocking APIs, meaning that once Manifest v3 rolls out, adblockers will work better than they will on Chromium-based browsers.
> Nobody claims they won't work at all, they'll just be crappier than they are now, which boils down to two reasons: Manifest v3 introduces limits to filter list size + pattern matching isn't as flexible.
Can you show this objectively through experiments or are you just assuming it won't be as good?
> they call it uBlock Origin Lite for a reason
Nowhere on that extension does it say it's any worse. It's a work in progress, it makes sense to call it something else. You're reaching and pressing your own assumptions as truths that have no backing.
> Many users of uBO will dislike the limitations of uBOL when compared to uBO.
If gorhill says it's inferior, I'm strongly inclined to say it's inferior. Obviously some form of blocking is possible, but degradation is degradation. (And assuming that anyone who disagrees with you must be ignorant is ... impolite.)
I think you're really overestimating Firefox's influence. Firefox has less than 4% browser share. Even less than Edge! This is also a change to Chromium itself and not just Chrome so even those Edge users will be affected.
At the time, it was a common talking point that Firefox never got beyond 25% market share. I’m not sure why statcounter has questionable data for that period.
Here’s a Mozilla blog post from 2009 celebrating hitting 25%:
It rose because Internet Explorer sucked and us technical folks made our relatives switch along with ourselves.
Same story with Chrome: pre-Quantum, Firefox was getting pretty slow and Chrome was the new, fast kid on the block, so we changed browsers and dragged the tech-illiterate along.
It's time for this to happen again. The Chromium monopoly is bad for the open web, and now that Google has consolidated power, they're using it to push ads.
It's time we switch back to the only viable, truly open source alternative and drag all our acquaintances along.
> It's time we switch back to the only viable, truly open source alternative and drag all our acquaintances along.
I can tell you with absolute certainty it won't happen, at least so long as we're talking about Firefox as the alternative in this kind of manner, and here's why:
Both the Firefox and Chrome usurpations happened organically without too much ideological dogma getting tossed around. It just happened: IE6 sucked ass, Firefox was great, usurped. Firefox (read: Mozilla) became putrid after usurping the throne, Chrome was great(ish), usurper usurped. It was all ultimately just happenstance, the commons did commons things.
Contrast now, where Firefox is being thrown around by a select handful as the supposed returning saviour with dogmatic fervor. As a witness of the original usurpations, I will say this isn't what happened ~15 years ago and it is impossible to force something to become a thing.
Chrome will eventually be usurped, but it's probably not going to be Firefox and it's going to happen regardless whether anyone forces the issue or not.
Ad blockers need to make no attempt to function at all with MV3. They should maybe even go out of their way to not work. Any ad blocker installed on chrome should just bring up a message that said (not 100% truthfully) that ad blocking can't be made to work on Chrome, please go to Firefox to continue ad free browsing.
This will shift a lot of users. Especially the more technical ones who then tell their less tech savvy friends and when they go home for Thanksgiving they can just install Firefox on dad's computer so he stops falling for stupid scam ads.
This can work, and I think work pretty well. This does not mean that Firefox is the end all, be all. That hypothetical usurper browser you mention can still swoop in and scoop up the new Firefox users as well as the poor saps who stayed on Chrome.
Ideology, much less deception, is not how you convince the commons on something as mundane as a web browser. Firefox didn't usurp IE6 because it was FOSS, Firefox won because it was straight up better.
Likewise, any contender to Chrome today must demonstrate objective, practical superiority (and be honest about it). The commons don't know nor care what FOSS is, arguing FOSS to the commons is a fool's errand.
I appreciate gorhill, a trusted name, took the initiative to release a MV3 adblocker, because that simple act stopped fools like you who would readily deceive users to force an issue.
Also, pro tip: Deception doesn't last for long, and once it comes to light you are never regaining that lost trust and respect.
As long as the few people with the skills to make a (very watered down, thanks to Google) adblocker for mv3 don't. Then for the average user the statement "you can't block ads on Chrome" approximates to true.
If the hobbled ad blockers get made anyway then the effect pushing to Firefox will be lesser but still there. Especially since ad networks will not be able to restrain themselves from abusing the initial crack in the door and users find themselves staring at more and more ads.
15 years ago people were using PCs to surf the internet.
Now a huge portion of net traffic is mobile devices. Those are far more locked down. It is not as easy to install and use a new browser on iOS or Android devices.
People around here seem to forget that for a large number of internet users a phone or tablet is their primary interface.
I'm using Firefox on Android right now, including uBlock. I just got it from the Play Store.
It might be trickier on iOS, but that's not a technical limitation and imo an antitrust case waiting to happen. We'll see if the Digital Markets Act forces their hand.
To be fair, the problem was predictable already in 2010, so switching to Chrome was a bad idea in the first place. I understood it for webdevs, Google's tools were a bit better very quickly, even if that was a domain for FF previously.
This is very true and I think it is often understated, the influence that we developers have over the spread of a certain trend or technology through the mechanism you described.
Now imagine if you're a company that has 50k or 100k developers on payroll. Even that alone will actually spread your influence if you indoctrinate them right, might be worth hiring them just to double down on that influence, even if you may not necessarily need them.
It is a little surprising it was only 30%. For a while there a significant portion of websites only worked on FF, and most said something like "designed for FF" at the bottom.
Author here, I just wanted to add that most of the "features" should be fixed by Google this month [1]. That leaves me approximately 2 months to finish the work and hope to make the transition in January \o/. This delay is a bit short though.
Gotta add _somewhere_ an introduction to what it actually is. I could figure it is _related_ to extensions, but what it _is and does_ is nowhere. Only empty buzzing like "It is an evolution of the extension platform that takes into consideration both the changing web landscape and the future of browser extensions."
Come on. There are clear security and privacy benefits. You might not like the trade-off but pretending that there are no benefits just tells me that you're being disingenuous and I can ignore your opinion.
The benefits exist if you treat the user like an absolute buffoon that can't handle installing extensions. If you really wanted to, just put a massive warning screen before installing extensions that require dangerous permissions.
I'm sure the future without MV2 will have users launching .exe files to mod Chrome which is much much worse (similar to what's going on with Discord and other Electron app mods).
I'm not in a position to comment on Manifest V2 vs V3 as I don't write extensions.
> The benefits exist if you treat the user like an absolute buffoon that can't handle installing extensions. If you really wanted to, just put a massive warning screen before installing extensions that require dangerous permissions.
But... how different is it from installing software? And a "big scary warning" is one of the things Windows UAC brought you. It helps some folks, but otherwise it is "just push OK".
I like how Android/iOS handles it - I can approve/reject a specific permission upon request and only grant it while using the app/this time only.
People who don't understand browsers (i.e. almost anyone) aren't buffoons, any more than people who can't change their car's oil are buffoons. They just don't understand this rapidly changing field and they have a day job.
> I'm sure the future without MV2 will have users launching .exe files to mod Chrome which is much much worse
The average internet (hence Chrome) user doesn't even know what mod means. They don't care about ads (at least not enough to actively make any change). If the ads become too annoying they'll just skip the video or won't visit a website again and the people serving the ads know that.
> The average internet (hence Chrome) user doesn't even know what mod means.
Which is even more problematic. Because they will literally click random exe people send to them. And also the reason Edge decides to default to reject random unpopular unsigned exe downloaded from internet.
So why don't we fork the chromium upstream code and only merge security patches? Imagine, all the web extension maintainers just started maintaining for the forked browser because it's the only one they can continue to support. This would surely destroy the chrome monopoly.
If you can find a very generous fund which can unconditionally grant you tens of millions of dollars every year, there might be a hope in your proposal. Ironically, the closest example was the Mozilla-Google deal because Google needs them to avoid antitrust charges. Also I'd like to mention that it would be quite hard to motivate talented engineers to work just on simple merging works.
I think what Google has done (accidentally or deliberately) is perfect: drown Mozilla in search-deal grant money to attract executives and manager types to do all sorts of vanity projects that lead to nowhere, so they can maintain their gimped "competitor" browser that lets them non-guilty of antitrust charges.
It's counter-intuitive, but a continuously running money hose sometimes seems to attract these types of people and corrupt an organization. Ironically Google itself internally has this problem, where its limitless advertising revenue is being absorbed to all these shiny projects which people never really care about maintaining and its sole purpose is to advance people's careers inside the company...
> For Brave, I was always skeptical of them because of how they are tied to crypto stuff.
The crypto stuff is already disabled by default, so not sure why people complain about it so much when it's opt-in not opt-out.
Brave doesn't require you to invest your own money, their coin holds practical value. People who turn on Brave Rewards get free money that can be withdrawn. Sure it can't make you rich but the money is still a lot more than Chrome and other proprietary browsers ever gave you, imagine getting paid for receiving (not viewing or interacting) ads. Their model works and they give away 80% of their revenue back to the users, who else does that?
Every time I hear someone calling Brave's crypto a scam, I immediately point out the fact that they're an independent browser company that was able to find a viable business model that doesn't require them to sell their soul to Google like Mozilla.
Everybody keeps asking, "What if Mozilla found out a monetization strategy that would make them independent from Google and allow them to make their own decisions", well that's Brave! It's the first independent browser company that's able to earn money on their own without compromising user privacy. I don't like crypto either but I do believe what Brave is doing has value and BAT is definitely not a scam, it works and it works well.
If we are strictly concerned with the functionality of our tools, and not the ideology held by their creators, it is an option. For some people that might even be a plus, not everyone thinks the same way about these things.
The number of extension developers that are also proficient C++ developers is probably tiny. From that pool, the number that's willing to commit time to fork Chromium is probably even more minuscule.
Manifest v3 will be pushed into Android and the Android Webview component and as such become the standard browser for a lot of people. Android makes it possible to change the Webview to something else but most people just leave it as is. Android also doesn't restrict browser choice like iOS does but most people still go with the last version of Chrome since that is what the device came with. With Firefox being led astray due to its activist CEO deeming it more important to use her position to promote identity politics and other destructive ideologies, Brave tainted by its shady crypto/currency ties and most other Blink-based forks - Bromite, Ungoogled Chromium et al - being marginal players at best and Safari being "the new IE" it is to be expected for Manifest v3 to become the default standard bar the rise of a viable alternative.
Where is the new Firefox, or maybe Ouroboros - the snake that eats its own tail in a perpetual cycle of birth, destruction and rebirth - is a better name? Where is the GNU browser engine, built to serve the user instead of its master?
Ah, yes, I see. Well, it won't for the reasons I stated here. I'll modify my reply to clearly state that I'm talking about Manifest v3 becoming the norm, not any fork of Blink.
Is the title a reference to:
"Now witness the power of this fully armed and operational battle station" from Emperor Palpatine?
Nice foreshadowing, the battle station did not "go poof" in that scene, though, like singlefile-lite does, thanks to manifest v3.
"Google says Manifest V3 is "one of the most significant shifts in the extensions platform since it launched a decade ago." The company claims that the more limited platform is meant to bring "enhancements in security, privacy, and performance.""
Big Tech is not exactly known for its honesty. If it does not also increase profits and/or decrease losses then there is no sense in pursuing it. There is literally nothing Google does that is not sold as being for the benefit of its data sources and ad targets, i.e., "users". Doing things that help lure in or retain the data sources and ad targets is not the same as doing things that actually benefit them. At best, what Google does is make compromises, but the announcements never acknowledge any compromise. Everything is a win for the data sources and ad targets. If we are to believe their rhetoric Google's interests and "users'" interests are always exactly the same. Impossible.
"Privacy groups like the Electronic Frontier Foundation (EFF) dispute this description and say that if Google really cared about the security of the extension store, it could just police the store more actively using actual humans instead of limiting the capabilities of all extensions."
As if anyone else, besides people obligated to support Google, would not "dispute this description". We do not know because those other people are never asked. None of them asked for an update. They have no choice in the matter. Ambivalence does equate to agreement.
It makes one wonder why Google even bothers to purportedly disclose the motivation or justification for an "update". No one has a choice to reject it. We never see any evaluations of the source code changes. So-called "users" are not the stakeholders in this project.
"The EFF poked holes in most of Google's justifications for Manifest V3 changes, saying that malicious extensions are mostly interested in stealing data and that Manifest V3 only stops extensions from blocking data, not inspecting it, so Google isn't doing much to stop bad actors. The report says performance also isn't a valid excuse, citing a study showing that ad downloading and rendering degrades browser performance."
Tell us something we do not already know. Google's customers are not "users", they are advertisers. As such, statements about the advantages of an "update" really should relate to the advantages for advertisers. Any other statements are just meant to lure in or retain the data sources and ad targets.
There are 135,000 extensions in the Chrome Web Store. If Google hired 1,000 people to vet the store (a staggering number), each person would have a portfolio of 100 extensions to care for.
* This extension is much less likely to consume all of my JavaScript resources when it malfunctions
* I, as the end user, can install this extension without fear that arbitrary code execution of code sourced from the web means the extension creator can change the extension to harvest my data later without anything changing in the Chrome Web Store to indicate this has happened
The bugs need to be fixed, but the benefits are for end users not developers.
Those benefits are like saying a benefit of having a flat tire is that you're way less likely to get a speeding ticket while you do. Or even better, like the benefits of the Sun going out that https://what-if.xkcd.com/49/ lists.
It's about tradeoffs. From where I sit (not running an ad blocker, but yes running several extensions on a corporate machine), the benefits outweigh the costs because while currently corporate IT has to allow-list every extension one-by-one, Mv3 allows them to have a policy where they trust the Chrome Web Store and allow us to install extensions as long as they don't demand XYZ permissions.
Edge is a Chromium fork now, and Microsoft has announced that they will be following Google's timeline for deprecating manifest v2, though it looks like their timeline hasn't been updated with the information from Google's latest timeline delay [1].
Haha... with Microsoft now touting "VPN", the same VPN nonsense BS that Facebook did many years ago on mobile because they wanted to extract ALL the data, ALL the time for literally no cost and no benefit to users, this looks like yet another M$ BS.
I've commented this before in a different thread. It's time we, developers, truly switched to non-Chromium browsers. It's Firefox. The answer to all this is Firefox.
Firefox is a legitimate alternative, it works for >99% of the world's websites and is an actual alternative i.e. not a fork of Chromium. We need to support Firefox. I've been using it for nearly the last 5 years full-time and have never needed to open Chrome.
Do some Google websites perform worse on Firefox? Sure, but the entire reason for that is that people don't use Firefox enough, i.e. some websites are worse on Firefox. It's a cycle. People don't use Firefox enough, which is why some websites are not performant on Firefox and so on.
Firefox expanded and became famous because of a large amount of developers telling their families and friends that it's the better browser. Same was the case for Chrome. This needs to happen again.
As a side note, can someone at Mozilla please make it so that I can donate directly to Firefox? Is that not possible for some reason? If I knew that Mozilla wasn't going to spend my money on some stupid new idea, and it would go directly to supporting Firefox development, I would definitely pay a subscription each month to Firefox, and I feel like a lot of other people would too.
Until Mozilla actually directs its funds in improving the engineering of the browser itself instead of spending it on executives and managers, I'm not going to support them in any financial way.
I'm speaking in pragmatic rather than idealistic terms. Donations have no use when they don't go to developing the browser itself (which, to be honest, is the most urgent issue right now. Users are having all sorts of performance and instability issues in major websites and switching to Chrome instead.)
The alternative was to keep going with the previous version of the app, which even supported installing extensions directly from an xpi. It's nice that they support an adblocker or two, but I need much more out of my browser than that.
"Technical reasons" doesn't really cut it. There are frequently technical reasons involved in making a bad decision. That's not a justification.
Donating money to millionaires won't fix the problem. Take a look at who's been running the show. She's paid to make things worse. Pouring money into her lifestyle won't make FF better.
Edit: FFS, guys. I am not against donations to mozilla. I am against sponsoring this person.
if his family can't accept "80% discount to market" then maybe he'll have better luck heading a corporation that he didn't oversee running itself into the ground
> As a side note, can someone at Mozilla please make it so that I can donate directly to Firefox? Is that not possible for some reason? If I knew that Mozilla wasn't going to spend my money on some stupid new idea, and it would go directly to supporting Firefox development, I would definitely pay a subscription each month to Firefox, and I feel like a lot of other people would too.
I don't see why so many people are against Mozilla using donations how they see fit. They need to diversify because relying on a single project, a free browser, in a single market segment which is saturated with free browsers, is a massive risk. Firefox's survival mostly hinges on Google's money, which of course Google have a massive interest in (they need a competitor to Chromium). However if that were to change, Firefox is going to struggle even more to keep up.
So, in my opinion, Mozilla need to diversify with alternative projects that could bring in money and reputation, and maybe even through integrations users for their other projects. To be able to do that, they need flexibility on how to spend the donations. To see what could happen if there are strict limits on what funds can be used for, check out Atlanta's MARTA system. They have to split incoming funds evenly between operational and capital expenditures budgets, which results in bullshit like them having the money for shiny new trains but not enough for basic repairs. Mozilla probably don't want to find themselves with tons of money for Firefox, but not enough to keep the lights on in general (legal, office, C-suite, other projects).
So I see where you're coming from, but it's just unrealistic.
It's funny you chose Rust, because at face value, ignoring how useful the language is, creating a programming language from scratch for a browser seems a bit overkill and a waste of money/focus.
So you should either trust Mozilla the organisation to spend funds wisely, or not. Forcing them to spend only on Firefox can still result in "waste" from a purist perspective (like a programming language) while at the same time massively constraining them.
And I quite like some of Mozilla's alternative projects. Pocket is cool and genuinely useful. Thunderbird could use some love but is pretty decent.
Pocket may be cool, but the way they forced it down everyone's collective throat was... bad.
They later bought the company, so now it's a kind-of-Mozilla product inside another Mozilla product, which doesn't sound nearly as egregious as it was at launch: a forced third-party browser extension that couldn't be meaningfully disabled.
> It's funny you chose Rust, because at face value, ignoring how useful the language is, creating a programming language from scratch for a browser seems a bit overkill and a waste of money/focus.
Rust was the right technical approach for this browser, given the existing technology and the problems they had to solve to update the rendering engine.
> I don't see why so many people are against Mozilla using donations how they see fit.
Because people donating to Mozilla are expecting that those funds are used for the browser and not a string of experiments that fail miserably. People rightfully feel betrayed and stop donating.
> Mozilla need to diversify
Exactly wrong. Mozilla needs to concentrate on the Browser and should cut off all excess expenses and useless experiments. The goal should be to minimize cost and thus reduce the reliance on Google money which should be replaced by pure donation money.
> I don't see why so many people are against Mozilla using donations how they see fit. They need to diversify because relying on a single project, a free browser, in a single market segment which is saturated with free browsers, is a massive risk.
It is entirely possible to implement a donation model that does work towards both. Simply allow users to determine what percentage of their donations goes to Firefox but set the max percentage to something like 90%.
Thanks for letting me know. I tried with Private Window but it's giving me "Enable Third-Party Cookies". I'll have to test on a Normal Window with plugins disabled.
I tried downloading Firefox on my phone and was greeted with... the inability to even set my home page to a URL of my choice? [1] I couldn't believe my eyes. Do they think this kind of thing will increase their market share?
Yup. It's another piece of software that hates its users. Another company where people are having meetings discussing the best methods to prevent their software's users from doing something with their own computers. Protecting users from their own preferences. Antiuser interfaces.
They are asking to set [some URL] as the homepage, that is, the equivalent of this setting -available on desktop Fx- https://imgur.com/a/flHTSNe
This makes it so that when you open Firefox initially or when you open a new tab, it loads the chosen URL instead of loading the about:newtab (the page where the shortcuts you mention can be found).
This setting was available in some -old, Fennec- versions but not currently.
Tree-style-tabs alone make Firefox preferable. Though their stupid mobile extension change dampened the ease to recommend it for mobile. (Yes, I use nightly, and have a custom package; it's a garbage experience.)
Oh god. I love that you said this. Absolutely. I have 3000 tabs open (exaggerating but can't be too far off) and Tree Style Tabs saves my life. Along with Tridactyl, using the browser feels far more "powerful" than Chrome ever did to me.
Agree 100%. I would also pay for a browser that doesn't implement manifest v3 at all. If FF won't offer a paid version for some reason, why don't other people fork it and do it?
From the fact that there are so many government, university and bank websites that simply don't work with Firefox or anything other than non-chromium based. In fact, many explicitly say that the user needs to use Chrome for the best experience. You can of course ignore and say that these don't happen in your reality but you only need to take a look at Firefox forums or issues/bug threads to know that they are very real.
I see your dedication to this topic. While I commend you on it, I don't think you're ready to have a fair discussion on it. This is a topic that, unlike Civil Engineering, has way too much complexity and nuance. We don't like it, and we all wish it were better organised and standardised and simpler and just ... generally not so fraught with frustration. But it is what it is, and it's not like you and I can settle this debate with pithy comparisons to random subfields of Civil Engineering.
Does doing rocket assisted brain surgery sound arrogant? It's a cry for help.
Software is infinitely more complex than civil engineering (this isn't a good thing). Because it can literally do almost anything.
In civil engineering you have a bridge from point A to point B over a river. Points are on such and such soil. It needs to support X amount of traffic and gets inspection/repair every Y days.
In software you have a bridge, but we also need it to launch a space shuttle, and it needs to work as an air ship. It goes from point A to point B but soil is periodically changed (sometimes it's diamond and sometimes gravel or marshmallow). Oh and river can sometimes turn to molten metal or solid oxygen.
Think of it however you'd like to. You're entitled to your opinion. But we're not saying these things from a place of arrogance.
I'm not claiming we're better than civil engineers, or that our job is harder. Maybe you're reading it that way, but I'm trying to assert that such a comparison cannot be made. It's neither easier nor harder, and it's both. The two endeavours are just not comparable.
Civil engineers work with real, physical, tangible things. Hardware, so to speak. We work with ... software. Soft. Ware. The modes are entirely different, and thus the universe of challenges. I wouldn't compare painting to songwriting, even if they're both art.
But if you go up to a painter and talk to them exclusively using songwriting analogies and when they tell you that doesn't make sense and you plug your fingers into your ears and yell "Arrogant!" in their face ... well, you're entitled to your opinions and apples are still not the same things as oranges.
Then use Chrome only when you are looking for memory leaks. FF's devtools are not worse than Chrome, I'm used to Firefox and I find Chrome devtools hard to use. For example, the CPU profiler is much better, IMHO
I also prefer FF dev tools, even while FF was not my daily driver, I was still using its dev tools. I hate Chrome dev tools with that giant console window that takes up half of the space (even when you are not in the console tab) and even if you choose to close it, every now and then it will come back because somehow Chrome forgot your setting.
Yes, I hate this. It's also mapped to open on Esc when the devtools are focused, so if you're trying to get out of some context habitually with the Esc key it will open then too. That and the What's New tab drive me insane (you can disable What's New for a given profile, but my job involves running dev tools in incognito and guest profiles where it's always enabled).
Give them a chance. I was under the same impression until a couple of years ago. Now I think Firefox Developer Tools are far superior. But I can only speak for the Inspector/DOM/CSS related stuff. These are just great!
Firefox will follow Chrome with this. Over time they always tend to copy Chrome instead of going their own way, as much as their users complain. They similarly already moved away from XUL extensions in the past. I'm sure they will write a heart-breaking story about how supporting Manifest v3 extensions and removing WebRequest blocking is critical for safety and privacy on the web.
I use Firefox exclusively, on my computer and on my phone. I am also increasingly frustrated by the direction Mozilla has been going with it and have very few illusions left about what their motivations are.
> Firefox is a legitimate alternative, it works for >99% of the world's websites
Which is useless if your bank shows you an empty page with a message that says they only support Chrome and Edge "for security reasons".
And Mozilla had many, many, many chances to endear themselves to developers. Their actions can best be summarized as they don't give a damn. It took them years to ship basic dev tools with Firefox. Then they wiped out an extension ecosystem that had been growing for more than a decade with the justification that they needed to get rid of technical debt. Meanwhile, Firefox still contains bloatware like Pocket. As for the privacy argument, Mozilla's track record on privacy is mixed at best, considering the many questionable choices they made in this regard in the past.
"The answer to all this" is not Firefox. Not the Firefox made by the Mozilla of 2022, anyway. If the Mozilla of 2004 could somehow be resurrected, perhaps they could turn Firefox into something that would indeed be "the answer to all this". At that point, developers wouldn't need encouragement to switch to Firefox. They'd do so simply because it would obviously be the better browser for them.
Wow that's crazy, I've used quite a few bank websites and never had that happen. Been using Firefox as a daily driver since it first released. I think that would make me question my bank more than my browser.
Not just banks, I believe certain government websites in some countries do it as well. /r/Firefox has hundreds of posts showing websites misbehaving in this way.
> Then they wiped out an extension ecosystem that had been growing for more than a decade with the justification that they needed to get rid of technical debt.
Do you have any proof that wasn't the case? From what I saw, XUL was invented to define UIs in XML but over time HTML became better than it for defining UIs.
And the great freedom XUL allowed made some optimizations impossible.
Basically xpcom and XUL can be treated in same way as gnome-shell.
XPCOM was an object model from the 90s and had several legacy issues. On top of that, XUL and XBL were made obsolete by improvements to web APIs and were badly maintained. Like Gnome-shell, XUL extensions were monkey-patching Firefox internals. So Firefox was limited in certain security and performance improvements. By removing old addons, Firefox could start replacing the mess of the old subsystems. XBL was removed, for example, and XUL I think still exists but is a fraction of its former self. I don't think they can remove XPCOM until they can port 50% of Firefox to Rust, though.
Removing XPCOM is orthogonal to adding Rust. In fact, if you search Bugzilla you will find many references to deCOMtamination, which is about removing unnecessary XPCOM.
Firefox on Android has terrible scrolling latency/stutter for me and seemingly for a lot of people. On a 120hz screen, which chrome-based browsers can pull off fine, it's a real dealbreaker.
I use Firefox nightly as it seems to be a bit better IMO in many regards than the "stable". Sure there are some releases which aren't great but that's why it is nightly.
I care and wasn't already there. I went from Firefox to Brave after the mobile extensions fiasco but, now, I'm coming back to Firefox because of v3 (Brave said they will not block v2, but due to the fact that they don't have their own store, you are forced to do installs from zip files, without auto update, which sucks).
I guess most tech people are already using pfblockerng or a pihole, so they are going to benefit from the better security of v3 plus using uBlock lite for cosmetic filtering.
Simple, they switched to the webextension API a few years ago as it makes development of extension across browsers much easier.
More directly put, developers would develop extensions for Chrome and more often than not would not bother with Firefox as the framework it used was different. By switching to the same framework for developing extensions it now means that it takes little to no effort for developers to also publish it for firefox.
Having said that, Firefox is providing compatibility with manifest v3 while at the same time not implementing some of the restrictions that are in place in the Chrome implementation.
> Simple, they switched to the webextension API a few years ago as it makes development of extension across browsers much easier.
Great idea to prioritize interop when the people who you're trying to interop with are gulping large chunks of your userbase. Very important to make sure that Firefox had parity with Chrome in extensions, the only area where Firefox previously had a massive advantage over Chrome.
> the only area where Firefox previously had a massive advantage over Chrome.
It didn't though. Because the API was different, a lot of extensions that appeal to a broader user base were not made available on Firefox (anymore). Yes, the previous framework did allow other use cases more suitable for power users but those are a fraction of the total user base.
And in general it hugely simplified extension development. Instead of having to maintain various code paths for different browsers and accounting for slightly incompatible APIs this was no longer needed.
> More than 90 per cent of Mozilla's funding comes from web search providers that pay for the right to be the default search engine in Firefox in their regions. According to the organization's latest financial figures, $430m of its 2018 total revenue of $451m came from those internet giants – primarily Google
I have the strong feeling that so many people like to watch ads. People like to watch ads more than the actual content. So Chrome, Edge and Safari are and will be the people's browsers. Why even bother?
I think people are failing to understand that Google wants to start MV3 from a more secure and privacy protecting state and figure out how to incrementally add capabilities without compromising that.
Making the tradeoff of reducing your security / privacy / performance for more freedom is not the right call for most people. Extension authors have abused their freedom so it should be taken away.
Have you actually tried using uBlock Origin Lite or Adguard on MV3? I've used both and they have worked flawlessly. Currently I prefer Adguard because all websites are opted-in to cosmetic styling by default.
I can't, because MV3 is not in my version of Chromium yet. But I don't need to: I know exactly how MV3 works, I have experienced that approach on iOS and it barely works for the most simple kind of ad-tech. Calling it "flawless" sounds like outright FUD to me.
Devil's advocate: I know hating on manifest V3 is popular. I know especially content-blockers (which I myself enjoy!) face issues with the new permissions model.
That said, I've ported an above moderately complex extension from manifest V2 to V3 and found the experience quite OK.
* The permission model is more clearly defined.
* Background-workers instead of background-pages makes for a more consistent API. IMO background-pages were always weird.
* Usage of obsolete APIs which may have "suddenly" failed in V2, now actually immediately causes runtime-failures in V3, making sure you get all of them upgraded.
* You need to be explicit when doing "dangerous" things like injecting scripts. There's nothing accidental about this. This clearly improves security.
* Time taken? Roughly one work-day.
* No functionality lost.
Right now, as a developer, my only complaint about V3 for this extension... That I no longer can have a single, consistent codebase for the Chrome and Firefox-versions, because Firefox doesn't yet support V3 in their regular end-user builds. But once they do, that problem will be solved too.
And as an end-user, I really feel this security-model makes extensions which can operate within the V3-constraints more trustworthy than similar extensions implemented using V2.
I really think it depends on the complexity of the extension and how much it leverages the background page.
> Background-workers instead of background-pages makes for a more consistent API. IMO background-pages were always weird.
True, but they also did provide developers with a few benefits. For starters having a complete DOM available allows for a lot of handy dandy functionality to be done in the background.
In the same sense it also meant having localstorage available in the background. Which was actually very neat for caching purposes. Specifically if you care about privacy and people using your extension in incognito mode. With `"incognito": "split"` enabled it meant that cached data (so most likely the sort of data you don't want to leak between sessions) would remain separated. This is no longer possible. You'd hope that the new session storage would work there, but no, for some reason that still ignores the fact that `"incognito": "split"` has been set and just leaks across sessions.
Timers no longer being a thing also makes some operations slightly more complex, even more so because alarms do have some funky behavior.
Ajax no longer being available sort of makes sense, but fetch isn't a drop in replacement as it does require a bit of boilerplate to make it work in a predictable manner. So it does require some effort there.
> Time taken? Roughly one work-day.
Eh, for relatively simple extensions I'd say that is accurate. But having done the conversion recently with an extension that does a bunch more and did rely on various background operations it took substantially more to get to there. It had a general positive impact on the code base in various areas but it was really more work than one workday, even more so when I include all planning and brainstorming.
Given that many extensions are open source projects where maintainers have limited time and where for many extensions there really isn't a benefit I fully understand some of the hate towards being forced to do the conversion.
My extension (excluding NPM-dependencies) counts in at around 20k lines of TypeScript + various other resources. I think that counts as above average.
Granted, the background-page/worker portion of it was not the dominant aspect, and thus had less rewrites required than if things had been the other way around.
That said, migrating to V3 was way less effort than I thought it would be. I'm not saying it will be so for all extensions, but it was for mine, and it may be for others as well.
Basically I'm just trying to provide some additional perspective here besides the usual content-blocker perspective which so far has gotten 100% of the narrative. Note I'm in no way dismissing that concern, but I think having the entire conversation framed around those extensions only does not correctly represent the huge variations found across the extension ecosystem.
Absolutely, I didn't reply to say you are wrong or anything in that regard. I basically wanted to give some additional perspective.
> I'm not saying it will be so for all extensions, but it was for mine, and it may be for others as well.
Yup, for many extensions it might be relatively painless. It was for a different extension where I just had to replace ancient ajax calls for fetch and move some functionality to the front into content_scripts.
At the same time it was a lot of work for the extension I mentioned in my previous comment. Which I might add is not an extension that has anything to do with content blocking which I agree does get a lot of attention.
But the truth is that there are also a number of extensions that made creative use of the current manifest construction. Those extensions no longer can offer the same functionality, have to rewrite a lot of code with no functional benefit or redo functionality in a way that degrades the user experience.
Even if for the majority of extensions migration is relatively painless it still leaves those extensions where it isn't and even those that can't be migrated due to how they work. They won't be a majority, but it still means that once the switch is done the ecosystem will be less diverse.
Thank you for adding some context to this that seems missing from all discussion I've seen so far.
Extensions have always had a dodgy security model, and given the nearly unprecedented access they have to our data and habits, it's important that this is being improved. Most users aren't going to be able to tell the difference between a good extension and a malicious one, and even developers who would like to think they can probably can't in many cases.
It sounds like security and performance are significantly improved, and these are both things that the tech community are usually big supporters of. But in this case it comes at the cost of some flexibility with ad-blocking, and if there's one thing we love more than security and performance, it's a chance to point the finger at big tech. There's a lot of nuance that has been lost from the ad-blocking discussion.