![]() What we can do as extension developers is to open-source all client code. To build trust, the source code of WebExtensions needs to be manually reviewed unfortunately, there is no existing tool to automate that. There is no silver bullet to protect against malicious extensions. This is correct, but it is a fallacy that removing blocking webRequest will solve the underlying problem WebExtensions retain access to sensitive information, for example, by using the content script API. ![]() The concern is that malicious extensions can use it to steal user data. Yet the argument that privacy can be further improved by removing blocking webRequest is questionable. Some of the changes in Manifest V3, like forbidding arbitrary code execution (loaded from the server), are reasonable - both from a security and privacy standpoint. Let's focus on the first two points, which are the most interesting. The last point in the list, compatibility is a result of replacing background scripts by service workers - a problem introduced with Manifest V3. The above means that developers can implement many common use cases, such as content blocking functionality, without requiring any host permissions. Compatibility: Does not work well with event-based background execution as it requires the service worker to be running to handle every request.Performance: Serializing & deserializing data across multiple process hops & the C++/JS boundary adds up.Privacy: This requires excessive access to user data, because extensions need to read each network request made for the user. ![]() This is because of issues with the blocking webRequest approach: Blocking webRequest approach The blocking version of the webRequest API is restricted to force-installed extensions in Manifest V3. In their Manifest V3 documentation, Google explains why they decided to remove blocking webRequest API: This is what we call Anti-Tracking, AI Tracking Protection or Dynamic Data-Driven Tracking protection. Additionally, at Ghostery traffic inspection is used to track the trackers we analyse them and neutralize leakage of unique identifiers. This functionality allows us to do the so called content blocking, utilised to block ads, trackers and other annoyances. The access to the network layer is for Ghostery the most critical feature of the current WebExtension platform.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |