To avoid abuse, Google Chrome extensions must have a ” manifest ” file. As in Android, this file shows the permissions it wants, or needs, in order to function correctly. Thanks to it, users can know what each extension has or does not have access to, and it cannot access other unspecified parts, unless said manifest file is modified. With this, it is possible to offer the user more control over the extensions, as well as better privacy and security.
Since the extensions began to use this permission system, several versions have already passed. Google, in order to offer users the greatest possible privacy and security, is working on a new version of it, Manifest V3 . This version is intended to be as interesting as it is controversial, since, in addition to giving a new control of permissions, it limits several functions that, until now, were unlimited, and many of the extensions abused them.
This new manifesto was designed and proposed in 2019, along with Chrome 80 , although due to the large amount of criticism that came out, its implementation was postponed indefinitely. So far, since Google has finally implemented it within Chrome 88 “Beta” .
Changes introduced in the new Chrome Manifest V3
The first of the changes that this new manifest introduces is that, from now on, extensions will not be compatible with remotely hosted code . This has been one of the most exploited attack vectors, and is increasingly posing a risk to user security and privacy. Thus, from now on, the extensions will have more security in this regard.
Another important change is found directly in performance. The new extensions model replaces the background pages with new services, leading to much better declared APIs. And privacy is also improved by offering more optional permissions and making confidential permissions unalterable.
Where is the controversy of the new Manifest V3?
The main problem with this new version of the manifest is that Google decided to block the blocking of webRequest APIs . This blocking is used by many of the extensions that allow us to block content, such as online trackers. The developers of these extensions are forced to make use of an API known as ” declarativeNetRequest “, which greatly limits the amount of filtered data to just 30,000. And as if that were not enough, this new version of the manifest prevents blocking large elements, disabling the execution of JavaScript code on the webs or eliminating the headers of outgoing cookies, among other things.
Google reserves the ability to increase the declarativeNetRequest limit on demand. The problem is, that means that the company will have much more control over the extensions, and will be able to decide which ones may or may not work properly. If Google does not reconsider in this regard, many content blocking extensions, or others like Tampermonkey, could disappear.
What to do if an extension starts to malfunction
The new Manifest V3 will go live in January 2021, when Chrome 88 hits the stable branch. For a while this V3 will work together with V2 to avoid problems, but sooner or later V2 will be disabled. And if we have problems, the best solution is to find an alternative .
Some alternative web browsers, like Opera or Vivaldi, have said that, for now, they are not going to change the Manifest V2 of their browsers. Mozilla has also revealed that it has no intention, for now, to limit webRequests, and will continue to use Manifest V2 in its Firefox for a while. However, they will all end up, sooner or later, by making the leap to the new Manifest V3.