Google’s Proposed Chrome Changes Would Cripple Ad Blockers, Other Extensions

This site may earn affiliate commissions from the links on this page. Terms of use.

Google has proposed a series of changes to Chrome that, if adopted in their current form, could cripple how ad blocking works within Chromium-based browsers. The impact of the changes wouldn’t be limited to ad blocking — other projects like NoScript and a wide range of other extensions would, according to their authors, also be impacted.

Google’s proposed changes, detailed in its Manifest V3 document, would make significant changes to how extensions fundamentally work within Chrome. Extensions, for example, will no longer be permitted to load code from remote servers or to automatically apply to all sites (users will have an option to choose to run extensions on specific sites or on every site). But the biggest problems appear to be with Google’s plans to deprecate or limit the use of its webRequest API. As Ars Technica details, webRequest allows extensions to evaluate each network request that the extension is intended to monitor and to make decisions about what happens to it. Requests can be modified in-flight to change how the browser behaves in a wide variety of scenarios. Ad blockers, script blockers, and a number of various privacy-oriented extensions rely on this capability.

Google wants to replace webRequest with a new API, declarativeNetRequest. Using the old webRequest API requires that the browser ask the extension how content should be handled. The new API instead requires that the extension declare to the browser what it can do and how it does it. The problem is, the new API has a fraction of the capability of the old one. Extensions are also currently hard-limited to a constraint of 30,000 items to be filtered. As Ars notes, the current version of uBlock Origin ships with 90,000 filters by default and supports up to 500,000.

uBlock-Screenshot

The advanced functionality of extensions like uBlock isn’t possible under the new rules.

Thus far, feedback from actual extension developers has been unilaterally negative. The hard-coded limit on blocked or redirected URLs has been criticized by almost everyone in the Google Chromium development thread. Anti-phishing and anti-malware extension developers are also concerned because the new rules require that extension data be stored in plaintext, whereas some security-related extensions store information in hashed form.

While there have been reports that AdBlock Plus will have an easier time functioning under these rules than extensions like uBlock Origin, one of the authors of that extension argues that even ABP will be harmed, noting that the declarativeNetRequest API “only covers the same limited subset of filter capabilities implemented in Adblock Plus that it does in uBlock Origin.” Instead of being able to implement powerful, custom rulesets, he argues that extensions would now be limited to “providing filter rules.” This would fundamentally limit the ability of extension developers to respond quickly to website efforts to bypass their work. Security extension developers also raised these concerns, noting that the new API disallows updating content-blocking lists in real time. This alone makes it impossible for security extensions to provide fast updates.

Google’s responses, thus far, have been fairly limited. The company has been stressing that the webRequest API will be sticking around in some capacity since declarativeNetRequest can’t handle everything. It’s still evaluating the contexts in which webRequest will be allowed to function, however.

Google’s claim that these changes will improve security and performance have been met with a gimlet eye overall. Several developers have pointed out that the performance impact of running uBlock or other ad blockers on websites is so large, any performance gains Google gets from adopting a faster API will be completely subsumed by the sharp limits on the amount of content those extensions are actually able to block. Speeding up page loads by 20 percent may not mean much if you’re loading 3-5x more data relative to using an ad blocker. Security extension authors have also argued that the security risk to breaking their own products is larger than the sum total of the improvements Google is hoping to gain.

For now, Manifest V3 remains a draft document. If Google decides to implement the current version of the standard, Firefox may see a sudden uptick in adoption. It’s now the only major cross-platform browser in active development that isn’t based on Chromium.

Now Read:

Former Mozilla CEO’s Brave browser blocks ads by default — but substitutes its own

Bravser

Over the last year, ad blockers, ad blocking, and malvertising — malicious advertising served by ad networks — have all been major news. Mozilla’s former CEO, Brandon Eich, has launched a new browser, dubbed Brave, he claims will solve the problem. Unlike Chrome, Edge, or Firefox, Brave is configured by default to block harmful ads, limit cookie-based tracking, and eliminate tracking pixels.

Bravabilities

Mandatory HTTPS and less tracking? Good.

Brave is designed to block so-called “programmatic advertising,” or ads purchased by digital networks, as opposed to deals and content negotiated by humans. In theory, programmatic ad buying increases efficiency and improves results, since the ads are now purchased and bid on by machines with incredibly sophisticated algorithms rather than by fragile meatbags. In practice, as we covered recently, these systems are easily exploited and are sometimes used to distribute malicious code.

Brave: Less a block and more a substitution

Here’s the catch with Brave, though. While Brave’s marketing makes much of blocking malicious advertising, it doesn’t prevent ads from being shown — it just changes what you see. Here’s how Eich describes the system:

Brave browsers block everything: initial signaling/analytics scripts that start the programmatic advertising “dirty pipe”, impression-tracking pixels, and ad-click confirmation signals. By default Brave will insert ads only in a few standard-sized spaces. We find those spaces via a cloud robot (so users don’t have to suffer, even a few canaries per screen size-profile, with ad delays and battery draining). We will target ads based on browser-side intent signals phrased in a standard vocabulary, and without a persistent user id or highly re-identifiable cookie.

Instead of seeing whatever ads a publisher has placed on their site, you’ll see Brave’s targeted ads. Brave still uses programmatic advertising, but will partner with specific ad networks that theoretically have better security practices. Brave will return 55% of ad revenue to publishers and give 15% of it to the browsers’ users. Another 15% of the ad revenue goes to the ad network, and Brave presumably keeps the last 15% for itself.

It’s an interesting concept, particularly the part where users receive a cut of the proceeds — but it’s not clear how meaningfully different this approach would be. As we discussed earlier this month, the very nature of programmatic advertising makes it difficult to perform security checks and guarantees. Brave undercuts the ability of websites to control their own digital experiences. While I understand that many users might view that as a good thing, it’s yet another example of a company trying to siphon control and revenue away from the company actually producing the content. There’s a saying: “If all your traffic comes from Facebook, it’s not your traffic.” The same concept applies to Brave and the idea of monetizing the browser in this fashion.

Eich has raised roughly $2.5 million in angel investor funding thus far, and the CEO claims he needs a stable user base of roughly seven million users to prove the system actually works. Right now, there’s no Brave binary executable you can download — the program just hit version 0.7, and you’ll need to be able to compile it if you want to test-drive it. The program is accepting applications for beta testing, but there’s currently a waiting list.

As an experiment, I’d be curious to see how Brave plays out. But I’m not thrilled about the idea of a browser that substitutes its own ads for what’s supposed to be on a page. We’ve seen third-party utilities do this for years — almost always with terrible results. Ad injections like this often harm page formatting or cause rendering issues, and while Eich has pledged to be a good citizen with minimal ads, there’s no guarantee that Brave’s “one-size fits all” advertising system would be sufficient to actually maintain a site.

Ad networks also have little reason to cooperate with the Web browser. From the ad company’s perspective, they’re buying space on a website, then paying Brave again to display the content that should’ve been shown in the first place.

Former Mozilla CEO’s Brave browser blocks ads by default — but substitutes its own

Over the last year, ad blockers, ad blocking, and malvertising — malicious advertising served by ad networks — have all been major news. Mozilla’s former CEO, Brandon Eich, has launched a new browser, dubbed Brave, he claims will solve the problem. Unlike Chrome, Edge, or Firefox, Brave is configured by default to block harmful ads, limit cookie-based tracking, and eliminate tracking pixels.

Bravabilities

Mandatory HTTPS and less tracking? Good.

Brave is designed to block so-called “programmatic advertising,” or ads purchased by digital networks, as opposed to deals and content negotiated by humans. In theory, programmatic ad buying increases efficiency and improves results, since the ads are now purchased and bid on by machines with incredibly sophisticated algorithms rather than by fragile meatbags. In practice, as we covered recently, these systems are easily exploited and are sometimes used to distribute malicious code.

Brave: Less a block and more a substitution

Here’s the catch with Brave, though. While Brave’s marketing makes much of blocking malicious advertising, it doesn’t prevent ads from being shown — it just changes what you see. Here’s how Eich describes the system:

Brave browsers block everything: initial signaling/analytics scripts that start the programmatic advertising “dirty pipe”, impression-tracking pixels, and ad-click confirmation signals. By default Brave will insert ads only in a few standard-sized spaces. We find those spaces via a cloud robot (so users don’t have to suffer, even a few canaries per screen size-profile, with ad delays and battery draining). We will target ads based on browser-side intent signals phrased in a standard vocabulary, and without a persistent user id or highly re-identifiable cookie.

Instead of seeing whatever ads a publisher has placed on their site, you’ll see Brave’s targeted ads. Brave still uses programmatic advertising, but will partner with specific ad networks that theoretically have better security practices. Brave will return 55% of ad revenue to publishers and give 15% of it to the browsers’ users. Another 15% of the ad revenue goes to the ad network, and Brave presumably keeps the last 15% for itself.

It’s an interesting concept, particularly the part where users receive a cut of the proceeds — but it’s not clear how meaningfully different this approach would be. As we discussed earlier this month, the very nature of programmatic advertising makes it difficult to perform security checks and guarantees. Brave undercuts the ability of websites to control their own digital experiences. While I understand that many users might view that as a good thing, it’s yet another example of a company trying to siphon control and revenue away from the company actually producing the content. There’s a saying: “If all your traffic comes from Facebook, it’s not your traffic.” The same concept applies to Brave and the idea of monetizing the browser in this fashion.

Eich has raised roughly $2.5 million in angel investor funding thus far, and the CEO claims he needs a stable user base of roughly seven million users to prove the system actually works. Right now, there’s no Brave binary executable you can download — the program just hit version 0.7, and you’ll need to be able to compile it if you want to test-drive it. The program is accepting applications for beta testing, but there’s currently a waiting list.

As an experiment, I’d be curious to see how Brave plays out. But I’m not thrilled about the idea of a browser that substitutes its own ads for what’s supposed to be on a page. We’ve seen third-party utilities do this for years — almost always with terrible results. Ad injections like this often harm page formatting or cause rendering issues, and while Eich has pledged to be a good citizen with minimal ads, there’s no guarantee that Brave’s “one-size fits all” advertising system would be sufficient to actually maintain a site.

Ad networks also have little reason to cooperate with the Web browser. From the ad company’s perspective, they’re buying space on a website, then paying Brave again to display the content that should’ve been shown in the first place.

Former Mozilla CEO’s Brave browser blocks ads by default — but substitutes its own

Over the last year, ad blockers, ad blocking, and malvertising — malicious advertising served by ad networks — have all been major news. Mozilla’s former CEO, Brandon Eich, has launched a new browser, dubbed Brave, he claims will solve the problem. Unlike Chrome, Edge, or Firefox, Brave is configured by default to block harmful ads, limit cookie-based tracking, and eliminate tracking pixels.

Bravabilities

Mandatory HTTPS and less tracking? Good.

Brave is designed to block so-called “programmatic advertising,” or ads purchased by digital networks, as opposed to deals and content negotiated by humans. In theory, programmatic ad buying increases efficiency and improves results, since the ads are now purchased and bid on by machines with incredibly sophisticated algorithms rather than by fragile meatbags. In practice, as we covered recently, these systems are easily exploited and are sometimes used to distribute malicious code.

Brave: Less a block and more a substitution

Here’s the catch with Brave, though. While Brave’s marketing makes much of blocking malicious advertising, it doesn’t prevent ads from being shown — it just changes what you see. Here’s how Eich describes the system:

Brave browsers block everything: initial signaling/analytics scripts that start the programmatic advertising “dirty pipe”, impression-tracking pixels, and ad-click confirmation signals. By default Brave will insert ads only in a few standard-sized spaces. We find those spaces via a cloud robot (so users don’t have to suffer, even a few canaries per screen size-profile, with ad delays and battery draining). We will target ads based on browser-side intent signals phrased in a standard vocabulary, and without a persistent user id or highly re-identifiable cookie.

Instead of seeing whatever ads a publisher has placed on their site, you’ll see Brave’s targeted ads. Brave still uses programmatic advertising, but will partner with specific ad networks that theoretically have better security practices. Brave will return 55% of ad revenue to publishers and give 15% of it to the browsers’ users. Another 15% of the ad revenue goes to the ad network, and Brave presumably keeps the last 15% for itself.

It’s an interesting concept, particularly the part where users receive a cut of the proceeds — but it’s not clear how meaningfully different this approach would be. As we discussed earlier this month, the very nature of programmatic advertising makes it difficult to perform security checks and guarantees. Brave undercuts the ability of websites to control their own digital experiences. While I understand that many users might view that as a good thing, it’s yet another example of a company trying to siphon control and revenue away from the company actually producing the content. There’s a saying: “If all your traffic comes from Facebook, it’s not your traffic.” The same concept applies to Brave and the idea of monetizing the browser in this fashion.

Eich has raised roughly $2.5 million in angel investor funding thus far, and the CEO claims he needs a stable user base of roughly seven million users to prove the system actually works. Right now, there’s no Brave binary executable you can download — the program just hit version 0.7, and you’ll need to be able to compile it if you want to test-drive it. The program is accepting applications for beta testing, but there’s currently a waiting list.

As an experiment, I’d be curious to see how Brave plays out. But I’m not thrilled about the idea of a browser that substitutes its own ads for what’s supposed to be on a page. We’ve seen third-party utilities do this for years — almost always with terrible results. Ad injections like this often harm page formatting or cause rendering issues, and while Eich has pledged to be a good citizen with minimal ads, there’s no guarantee that Brave’s “one-size fits all” advertising system would be sufficient to actually maintain a site.

Ad networks also have little reason to cooperate with the Web browser. From the ad company’s perspective, they’re buying space on a website, then paying Brave again to display the content that should’ve been shown in the first place.