Chrome 88’s Manifest V3 sets strict privacy rules for extension developers

The mid-January release of the Chrome 88 browser will include privacy and security measures that raised concerns among some developers during recent months of testing.

Google announced in a blog post that new restrictions incorporated in the Manifest V3 programming interface for its browsers will be imposed on extensions, including ceilings on the number of rules extensions can execute as a web page loads. Rules are critical to popular ad blocker extensions that allow users to limit intrusive and annoying pop-up ads.

Those ad blockers utilized an API that provided them with “access to potentially sensitive user data,” Google stated. Chrome 88 will now require the use of a more restrictive API that Google says will protect users’ privacy.

Chrome extensions are permitted to use up to 30,000 rules, which seems a quite hefty number, but considering popular ad blockers such as EasyList use 60,000 or more rules, the new limitations are likely to force many extension developers to either rethink their strategies or modify their capabilities.

The Chrome team, however, says it has heard developers’ concerns and tried to address them. The team says that a future browser iteration, Chrome 89, will raise the rules threshold to 300,000.

“We believe extensions must be trustworthy by default, which is why we’ve spent this year making extensions safer for everyone,” Google said in the blog post Wednesday. “After an extensive review of the concerns raised by content blockers and the community, we believe that a majority of those concerns have been resolved or will be resolved,” Microsoft said.

The new rules will affect other major browsers as well. Microsoft Edge, Opera and Vivaldi also use the Chromium open-source code and are expected to embrace Manifest V3 interface.

Manifest V3 will also bar the use of remotely hosted code. Google says malicious code downloaded after installation allowed ill-intentioned developers to bypass Google’s malware screening tools. The new restriction permits quicker and more thorough review of extension submissions, Google said.

The problem was a significant one: Google recently reported it blocks about 1,800 malicious uploads each month. Google has tripled the number of engineers assigned to detect extension violations and quadrupled the number tasked with reviewing apps.

Further changes will arrive later next year. The Chrome team says users will gain greater control over personal data collected by extensions. Extensions will be required to include a “Privacy practices” section in the Chrome Web store that lists data the extension would collect. Users will be permitted to opt in or out at the time of installation. In addition, extensions will no longer be permitted to update code via third-party sites. Rather, updates must be executed through the Chrome Web Store.

Not everyone is happy with Manifest V3, despite Google’s efforts at compromise.

“The main victim of Manifest V3 is innovation,” said Andrey Meshkov, co-founder and chief technology officer of the ad-blocker extension AdGuard. He said that his company and others sought to improve the efficiency of their products through AI, but that Manifest’s restrictions will curb their efforts.

“This is not that relevant anymore. Now Chrome, Safari and Edge dictate what can or cannot be blocked and how it should be done.”

The Chrome Web Store will begin accepting extensions adhering to Manifest V3 rules in mid-January. Users can experiment with Manifest V3 browsing with the Chrome 88 Beta, available now.

© 2020 Science X Network