> string-based code execution has been removed from extension APIs.
So will it just be impossible to have extensions like ViolentMonkey, TamperMonkey, GreaseMonkey, Stylus, etc. in Firefox as well as chrome? That wouldn't be as big of a problem if the browser had it's own way to add user scripts, but it doesn't. And making your own extension for little scripts isn't really viable either. Especially since firefox at least requires the extension to be signed to install permanently, and getting it signed is not only a pain, but may be a privacy problem if your userscript has something sensitive in it.
If you take away these extensions please at least give us a native way to add user scripts (and by all means put it behind a big scary warning that you shouldn't use untrusted scripts and you should only do it if you really know what you are doing).
Would a metacircular interpreter help, or does that not work? What if the entire document is replaced, is that possible? (Replacing the entire document might be necessary to fix some other things too, although I read the documentation for WebRequest, and it seems that security details cannot be modified, and that might make some things difficult, although adding a proxy with your own certificate might do.) Alternatively you could use developer edition if you want to write your own extensions, I think.
Still, it is too bad that you will need all of this mess just to get the computer to work.
Stylus likely won't be affected, as CSS isn't actually "code execution" and can be fully reduced to "make a <style> element and inject it into the page".
As for userscripts, those could be done in the same way, but this would reduce functionality and security.
As a developer of a browser supporting WebExtensionsAPI, the move to v3 is going to add so much complexity.
For developers, maintaining browser extensions across browsers with different support for WebExtensionsAPI is going to become a major PITA.
Even right now one can not submit a new Chrome extension unless it is v3 so that means that extensions codebases have to be branched out for Firefox and Chrome which was not the case before.
The hardest will be on the browser side of things. Supporting both v2 and v3 sides of an already extremely complex API (which is what we plan to do) will be causing a lot of issues.
The situation is not good. The lack of standard and unity does not help the web.
Actually I feel the pendulum has stopped a few months ago and is slowly starting to go back. Some major things in my world:
- I now only have one website I need to use that only works in Chrome.
- Devs seems to start to care
- LibreWolf is starting to give Mozilla a run for its money
- I'm optimistic that we will see some break through, sooner or later, where Chrome will be punished as hard as IE was: fines, regulations and a browser choice dialog for starters (but please folks, it can happen a lot faster if it it isn't just "that one weird loon", so do contact your local authorities and do complain about how Chrome has destroyed a thriving ecosystem. And if you work in Google, do ask tough questions.)
> Firefox no longer makes part of browser matrixes, and is mostly ignored by QA teams.
which is how a browser dies - when sites and apps stop checking whether they are complying with web standards using more than a single reference browser.
Hopefully, chrome becomes like the IE of old, and a new "chrome" comes along to rescue the web.
As far as I understand the move to V3 from Firefox means will be able to ship the same App for chrome and Firefox.
Firefox just supports some additional APIs which are essential for good AD blockers Google killed.
But if you don't need this additional API (or don't have the time to support them) you could just ignore them.
That is once the move to v3 fully succeeded.
> The situation is not good.
Yes the way Google turns Chrome into a de-facto standard sidestepping or force feeding normal standardization procedures is not good.
(Slightly over simplified:) Like the most common problem with running Firefox is that it's more strict with CORS related stuff, like the standard originally intended, but ups, Chrome had already implemented less strict checks and didn't want to brake any websites so that became part of the standard to (i.e. the more strict part became optional).
On the one hand it's good to remember Manifest v2 is from a long long time ago, before Web Extensions API was a glimmering in anyone's eye. It was simply the chrome extension api back then.
It was powerful & capable. But it wasnt a standard, other than that it was by far the highest potential most capable most interesting user-agency extension on the planet by a good measure.
What's so fucking twisted is that we're undergoing "standardization" in v3 at the exact same moment Google is radically rewriting & reshaping the api to be far far far less capable.
It's hard to see a single win from any of the changes. After achieving world dominating success, the very last moment before standardization these chums have repealed a huge swarth of changes, all untested & unproven. It's amateur hour, just a sas ahit show right before standardization. devlarativeNetRequesr has some ostensibly good & virtuous advatanges, but it was obviously shit & deeply insufficient in the most woefully obvious of ways. Eliminating dynamic code was tacked on as a pro-security gimmick that didnt even remotely take technical interest & possibity into concerns: oh whoops we accidentally blew up userscript extensions, sorry, but you're all safe now.
This whole thing deeply deeply walks the line between vicious & evil farce & accidnetal fuckwittery. I still tend to give these folks the benefit of a doubt, that they simply lacked vision & respect & understanding & werent actively sabotaging & neutering the web like it certainly looks like.
That all said, v3 is actually the first proposed standard, seemingly sabotaged & crippled that it may be. So when you say this, I think, no, alas, everyone is for the first time trying to join up, just, alas, it's for misbegotten quite-possibly-sabotaged greatly de-fanged trash:
> As a developer of a browser supporting WebExtensionsAPI, the move to v3 is going to add so much complexity.
> But it wasnt a standard, other than that it was by far the highest potential most capable most interesting user-agency extension on the planet by a good measure.
While the Chrome extension API was certainly the most wide-reaching at the time, it wasn't the most capable. I used to have a Firefox extension that made Win32 API calls. Mozilla ended up deciding it wasn't sustainable, I guess?
The extension API for Firefox was simply the entire internal api of the browser. Making it work cross process (everything was single process) was a huge pain and things were going to break depending on how you used the APIs. And the security considerations of accessing every api was a big issue.
On the other hand, Firebug could not have been created without it…
I very very very rarely try to declare someone's feature to be an anti-feature, but as a Linux user: the feature you proclaim is- distinctly & clearly- a huge antifeature I want kept far away from the web & it's extensions. What is a feature to you is a huge will not run anywhere else to me.
lack of standard is crippling but offshoots of factions defying the pecking order is a good thing. Giving options besides big G is a good thing. Unfortunately it means most projects starting for browsers will start with chromium based as the market share is mainly there.
I’m in the same boat and feel the same. It’s just not a great state of things for extension development, and yeah the separate Firefox and Chrome code in my codebase truly irks me.
No, for certain changes in Manifest V3 there is no way to polyfill the V2 API because the functionality is essentially removed/impossible to do now.
Also, other aspects (like switching from background pages to service workers) require a change in programming model (moving from simple variables to message passing/persistent storage) as your service worker can be killed off at any time.
> No, for certain changes in Manifest V3 there is no way to polyfill the V2 API because the functionality is essentially removed/impossible to do now.
But isn't the whole announcement about Firefox also going to support v3 (e.g. you only need to write for v3) except that it still allows some of the removed functionality _additionally_ to the v3 APIs Chrome has?
> Also, other aspects [..]
Yes, that will be a major change. But as far as I understand one you have to go through anyway if you want to support Chrome.
> But isn't the whole announcement about Firefox also going to support v3 (e.g. you only need to write for v3) except that it still allows some of the removed functionality _additionally_ to the v3 APIs Chrome has?
Right - maybe I misunderstood the previous commenter's question, but I thought they were asking if it would be possible to make a translation layer that would allow developers to seamlessly support Manifest V3 without changing their Manifest V2 code.
What you are saying is correct though - Manifest V3 code will be universally supported, with a few browsers (Firefox, and Brave I believe) also supporting some of the V2 APIs on top of that. But if you use those APIs it won't work in Chrome.
Yeah, didn't gorhill already say that uBlock Origin will never be ported to Manifest v3 due to how much he'd have to cripple it?
That means that very soon all Chrome (and Edge) users will no longer have uBlock Origin, and Firefox will be the only way to run it officially.
This could be a pretty decent value prop for Firefox (bigger than the random features Mozilla has been pushing recently IMO)... Although I'm sure the majority of less technical Chrome users will just switch to whatever gimped, Chrome-sanctioned declarativeNetRequest ad-blocking extensions spring up to fill the void.
> That means that very soon all Chrome (and Edge) users will no longer have uBlock Origin, and Firefox will be the only way to run it officially.
This sounds like a pro in my mind. I made the switch to Firefox soon after MV3 was announced. I don't regret it. I'm hoping more people follow in my footsteps and hopefully Chromium doesn't have such a stranglehold on web standards.
The typical answer I get when I say this is "but Firefox is too slow". I don't experience the issue, but that's pretty much always what I get told. No idea.
Firefox generally runs worse on Google properties like Youtube and Google Meet. I had to switch to Chrome because the performance was so poor and my last job used Meet as our conference tool.
While my experience is not the same (i use gmail, meet and youtube daily on Firefox with no issues), there's an easy solution to that - use Chrome for meet when you need to and use Firefox for all of your other browsing?
You describe it as an easy solution, but the easier solution is to just use one browser. Only one history record (which I use) and one set of plugins to maintain.
I've switched back to Firefox now that I no longer work somewhere that uses Google products.
I think New Meet performs a lot better in FF now, but Old Meet (with the gray action bar) had awful performance when I used it. The performance wasn't great in Chrome either, but it wasn't show-stoppingly slow like it was in FF.
I do that on mobile, I have a heavily locked-down Fennec F-Droid for random browsing but it's awful to use Google websites from it, so I keep Bromite around only for checking my old GMail / GDrive accounts (I've moved to other providers but they're useful backups). Doesn't make much sense to bother blocking Google Analytics and friends when I'm already using a Google website.
On desktop I don't have that problem, Librewolf works fine with Google websites for me, and I have a container set up for them.
At work we're on the MS stack so instead of Chrome I keep Edge as my other browser for Azure, Office, and Teams. I have to say, the vertical tab implementation from Edge is one of the best I've seen. Vivaldi's are fancier but they're not nearly as smooth, and Firefox's Tree-Style Tabs extension can't even compare.
It used to be true. But now firefox and chrome are pretty comparable. Although YMMV depending on the specific site. And sometimes it isn't because a chrome is inherently faster, but because a site has been heavily optimized targeting chrome, because chrome has more market share.
It's still true. They probably render websites and run JS at comparable speeds, but everything in the UI is snappier with Chrome. It just feels like every interaction with Firefox has 50ms more delay than Chrome.
> didn't gorhill already say that uBlock Origin will never be ported to Manifest v3 due to how much he'd have to cripple it?
I don't think that is up to date
I have a slight hope that gorhill will just remove the Chrome extension which might get users back to Firefox. It's next to useless with Manifest v3 and has been quite constricted for a while now when being used in Chrome [1].
> Ability to uncloak 3rd-party servers disguised as 1st-party through the use of CNAME record.
I always thought that would be the evolution of ads, but didn't realize it was already fairly widespread.
Maybe it's time for me to look at switching back to Firefox. I ditched them when they pushed so hard for DoH which looks a lot like ad delivery tech to me. I thought Microsoft would give users a good experience with Edge since they should be trying to gain market share, but that was totally wrong. It pushes Microsoft accounts and affiliated products super hard.
Does anyone have a recommendation for a plain, un-Googled, Chromium browser on Windows. I'd prefer something digitally signed and without extra features like Brave, etc. have.
The only pushback I saw on DoH was from network admins who want DoT so they can MITM/block it easily. Firefox lets you set the DoH endpoint anyways so you can run your own resolver (dnscrypt-proxy or whatever).
It caused a lot of problems for me, because of employees who complained that they couldn't reach anything on the internal network because firefox switched to using the default DoH instead of the system DNS. We configured the canary domain, but the heuristic for using that was pretty buggy in the beginning, and still isn't completely reliable. Sure we can tell them to disable DoH or change the DoH endpoint, but that's one more thing to worry about onboarding. And if you don't already have enterprise policies set up, then configuring that just for DoH is a huge pain.
I'm not sure what size your company is, but Mozilla adds/changes stuff in new releases fairly frequently so you may want to get on the policy train sooner rather than later if your size makes it sensible to do so.
The untouchable foreign databroker that is Google concerns me to a far greater degree than my heavily regulated and monitored ISP whose HQ is only a 30m bike-ride away here in the Netherlands.
Super late edit to add: Mozilla signed a contract with CF to put users' data under Mozilla's privacy policy instead of the one on the normal Cloudflare DoH service.
Do you trust your ISP or cloudflare more? In the US, I'd probably pick cloudflare too, but I'm happier with our local ISPs who are subject to GDPR and the US has been proven to be problematic in the privacy regard since the snowden leaks.
DoH does not prevent your ISP from seeing the IP addresses of the websites you visit. It only encrypts the requested url. It is not too difficult to figure out which IP addresses are from which websites and block or manipulate them.
Learned first hand when trying to visit adguard.com with DoH enabled at a relative's. Comcast's router blocked the website by recognizing adguard's unencrypted website IP address.
This seems so curious to me. "I was concerned some policy in Firefox looked a little like ad delivery, so I switched to a platform which is 100% ad delivery all the time."
But that aside, maybe Vivaldi is what you're looking for?
“ I ditched them when they pushed so hard for DoH which looks a lot like ad delivery tech to me. ”
Agree Mozilla’s move to enable this practically by default with just a slimy quick pop up message about privacy was weak
Setting the default resolvers to cloudflare was also weak.
They even presented the problem in a misleading way. How is centralizing DNS requests to a major provider like cloudflare improving privacy. Ohh because wink wink … Mozilla said that they got privacy “guarantees”. Your local ISP will no longer snoop but instead we will just sent all requests to one of the largest resolving services in the world.
> I always thought that would be the evolution of ads, but didn't realize it was already fairly widespread.
Once edge workers get cheap enough I wonder how we'll be able to stop ads at all. Everything but the bootstrap page could be randomized per user and all fronted by the same 1st-party website.
Think encrypt the real request needed into the url to the edge worker it de-crypts that payload and does the request. Everything except the content will look identical to the users computer.
One of the things that uBlock Origin does and Google is trying to kill is detecting and blocking ads based on content & display attributes, not just urls.
I use it on my work machine without an account, and there's no push that I could ever see. Seems about the same on that front as anything else, including Firefox. I also have a Firefox account. I do use a MS account on my personal Edge install.
and affiliated products super hard.
You would think this is a negative, but it opened my eyes and saved me a lot of money. In fact, Edge's shopping features were something I wish I had for years prior. I liked it enough that I went looking for best-in-class options, and ended up installing Honey. I now rely on both Honey and Edge's shopping features to save me money.
I would go so far as to say if I had to leave Edge and use a browser without Edge's shopping features, I'd be one of the features pulling me back to Edge.
Honey is a tracker you willingly install[1]. If that doesn't concern you, I can understand why the privacy features of Firefox aren't too appealing either.
I used Firefox for 19 years without wavering. Honey does require information for their services. It saves me hundreds of dollars which is very real to me. Do you use any Google products? I wouldn't cast stones from a glass house.
I keep Tor Browser installed at all times for best-in-class privacy alongside Edge. It blows away Firefox on that front.
If I wanted to make the tradeoffs for a more privacy-oriented daily browser, I wouldn't reach for Firefox in 2022. I'd use Brave.
The other day I tried to open Quick Assist to help my elderly father find out where his email was. Couldn't access it without signing in to a Microsoft account. That's not the exact situation you're referencing, but speaks to the length and breadth of the effort MS is undertaking to force you to log in to MS.
I've never used Quick Assist, first time I've heard of it actually. It looks like there's two versions, the preinstalled one and the MS Store version which the preinstalled version points you to. I've always used and recommended Teamviewer for this sort of stuff.
I can't say I fault MS on that one, but people will any way without thinking about it. They're providing a service. Teamviewer certainly requires an account.
> At browser launch, Firefox will wait for uBO to be up and ready before network requests are fired from already opened tab(s).
> This is not the case with Chromium-based browsers, i.e. tracker/advertisement payloads may find their way into already opened tabs before uBO is up and ready in Chromium-based browsers, while these are properly filtered in Firefox.
Wow. I did not know this. This seems like a huge bug/problem in Chromium if you care about blocking trackers.
uBlock Origin and other content blocker extensions have 10+ Million users each on Chrome, it'll be interesting to see what happens when they eventually to cease to function (June 2023). How will users react?
Hopefully, Mozilla won't be completely inept as to fail to position themselves to capture any users leaving Chrome over this.
10 million people is pretty damn tiny when compared to the 4 and some billion internet users out there, though. Even if 100% of them moved over, isn't it just fractions of a percentage point? Why would Google care at all?
10+ million was the number I gave because it's what the Chrome store reports, unfortunately for all extensions it doesn't report a number larger than that. I don't think it's possible to get an accurate number, it could be quite a bit larger.
I've seen some suggestions that the number of adblock users could be as high as 40% of all users but that's possibly an over estimation. It's also not clear how they are collecting that information.
If web sites get aggressive that declarativeNetRequest no longer works well, I could see the mass migrating off Google Chrome/Microsoft Edge to alternatives, including Mozilla Firefox.
Isn't it only something like 1 in 4 people who use ad-blockers in the first place? Of those, how many actually use uBlock Origin? Also, outside FF, aren't all noteworthy alternatives Chromium at this point?
I should have said the mass of ad-blockers users migrating instead of mass of users. Yes, only a percent of people use adblockers on desktop and even less people use them on mobile, which is the dominant source of traffic these days. It might move the needles of market shares for the alternate browsers.
No, we don't have any alternative to Chromium other than Firefox and Safari. But for the Chromium based browsers, Brave and Opera do have built-in adblocking independently of Manifest V3 [1]. Vivaldi claimed that they might maintain an alternate store [1]. So all three alternate browsers have the option to offer better level of ad-blocking to get more installs. Of course, they could also decide to monetize with an "Acceptable ads" program after they gain market shares.
This is why Mozilla, no matter what profoundly stupid shit they are up to (and there is a lot of stupid shit), retain me as a customer. I bet I'm not alone in that camp.
Literally just figured out how to get my browsing history piped into Grafana+Loki so that I have a single source of truth regarding my browsing history using a userscript that ignores CORS and just POSTs to Loki's API.
Apparently that's going away entirely now and there is no good way to stream browsing history anywhere if it's not tied to a browser maker's services (even if they are selfhosted a la Firefox Sync).
You can't even read from the browsers history database because browsers for some reason lock the entire database even while running in WAL mode (my original plan was to do something similar to litestream and just attach to the places.sqlite or History files and push the url to Loki, but that just doesn't work).
There are reasonable reasons to do this, but it really seems that it's just to curb user agency with their own data and devices.
> [...] to improve the isolation of data between different origins, cross-origin requests are no longer possible from content scripts, unless the destination website opts in via CORS.
If the server doesn't supply your target domain in the CORS header, the request should fail if my understanding is correct. If it is this would allow a website like YouTube to block SponsorBlock from loading it's data. There might be ways to bypass this but for me it's just a side project, so I haven't really looked too deep into it.
Loki and Grafana running locally on a server (raspberry pi 3B+), your preferred userscript extension plus a script that POSTs to Loki's API [1].
The post function:
function post_to_loki () {
const data = {"streams":[
{
"stream": {
"job":"browser",
"user_agent":Navigator.userAgent,
"nodename":"desktop",
},
"values":[
[Date.now()*1000000, {"location":window.location, "referrer":document.referrer}]
]
}]};
let control = GM_xmlhttpRequest({
"url": "https://loki.example.lan/loki/api/v1/push",
"method": "POST",
"headers": {"Content-Type": "application/json"},
"data": JSON.stringify(data)
});
}
Now whatever actually triggers the POST function is up to you (I ended up using [2]).
In Grafana, I have a few dashboards specific to the facets I want to see.
I have one for Dev stuff which tracks the latest 100 urls, the frequency count of websites, and a State Timeline of all the events. This filters specifically stackoverflow, MDN, any url contains "docs", github, and a few internal urls.
In an other dashboard I have a view of all the places I read online with similar panels to Dev, but with different filters.
Then I have a final dashboard which works solely on Google search queries, but instead of grabbing the search page's URL, I grab the search term from the page I actually clicked on which makes searches much more interesting.
By chance, have a repo of the full extension that you built out? I'm playing around w/ it, but having issues w/ even getting the `pageURLCheckTimer` to do a console.log("asda") at a fixed interval.
>Unfortunately, that power has also been used to harm users in a variety of ways
it's all so tiresome
the long term goal for Google, Apple and Microsoft is no extensions at all. it is painfully obvious about the vision these companies have for the future of personal computing.
I know full well why does Mozilla do its competitors' bidding, but it does piss me off to no end to read their bullshit rationale for doing it. in 2032, we'll be reading about the removal of the address bar being a doubleplusgood thing. more security! less inequity!
As an extension developer, I see a catastrophe coming for extensions in Chromium browsers. I don't think users are going to be prepared for the slaughter. You're going to lose a ton of extensions, and many others will be hobbled by manifest v3.
Firefox and Safari should be ok at least in the immediate future. I doubt Apple is going to announce next month at WWDC that v2 extensions will be dead in September 2022, even before Chrome kills them in 2023.
v3 is not even ready yet. There are still major bugs and missing features, which Mozilla's blog post alludes to. I'm postponing the migration myself as long as possible.
Firefox went through this before with the migration to WebExtensions in 2015. (That's when I stopped maintaining an extension that I no longer cared about.) I guess it's Chrome's turn now?
I expect, though, that users won't mind as much? I run very few extensions these days, due to the security risk, not wanting to vet extension authors, and not wanting to pay attention to the security implications of updates due to things like author changes.
Do you think there's a chance that Chrome will delay their timetable? My company's extensions are affected by this, and it's a total nightmare. I can't believe Chrome is forcing us off v2 before v3 is ready for primetime.
What's really frustrating is that users don't realize how much work goes into just keeping your head above water in the Chrome Webstore. They think that they shouldn't have to pay (or pay much) for an extension because it seems so simple. But they don't understand that complying with Google's ever-shifting rules means you can't ever get that comfortable.
What's the uBlock Origin equivalent for Safari? Every time I think about switching to 'the better browser on my Mac' I find there is no such replacement.
There's no equivalent for Safari. There are a number of Safari content blockers, but the API is strictly limited. It's somewhat similar to declarativeNetRequest in Chrome manifest v3.
I know this is probably driven by Apple's opposition to anything that looks like dynamic code execution in extensions, but it seems weird for a company that's not completely dependent on ads the way Google is.
I find 1Blocker is sufficient, even if it’s not as flexible as ublock origin. I like that Safari’s content blockers are designed to make it easier to trust them (e.g. you don’t have to trust that they don’t send your browsing history to a server, because they cannot make network requests)
I use 1Blocker which is good enough for most browsing. I've tried one-man side projects like Wipr but I suppose they can't compete with an organization.
That said, uBlock Origin is definitely more exhaustive since it has a lot of contributors that will write custom rules for even obscure spammy websites, so shady websites are the main reason I do reach for uBlock Origin.
Also an Edge user, and I quite like it. If it loses uBlock Origin though, and if you still want a Chromium-based browser as I do/will because I tired of Firefox never being quite as fast as Chrome, that would leave Brave as the best option.
Fully open source like FF, built-in adblocking that's dependent on Manifest-nothing.
It would aid communication if Mozilla would denote the maintained support for blocking `WebRequest` in the version number. Unfortunately `manifest_version` is a number, not a string, but I guess naming it 4 would clarify things plenty by annoying the standards process just enough.
> WebRequest ... provides a level of power and flexibility that is critical to enabling advanced privacy and content blocking features. Unfortunately, that power has also been used to harm users in a variety of ways.
What are the risks to users? How does Mozilla mitigate them?
> Mozilla will maintain support for blocking WebRequest in MV3. To maximize compatibility with other browsers, we will also ship support for declarativeNetRequest.
The manifest.json file of an extension has a key "manifest_version" which for many years had the value of 2. You set the value of "manifest_version" to 3 to signify to the browser that your extension adopts the new API.
The name is very meaningful to extension developers. To others, perhaps not.
In this case, you can think of it as the API surface exposed to Chrome/FF extensions, or akin to the iOS version/Android API Level - it fundamentally affects what an extension can Do
> Mozilla will maintain support for blocking WebRequest in MV3. To maximize compatibility with other browsers, we will also ship support for declarativeNetRequest.
That means uBlock Origin will continue to work on Firefox !
> Mozilla will maintain support for blocking WebRequest in MV3. To maximize compatibility with other browsers, we will also ship support for declarativeNetRequest. We will continue to work with content blockers and other key consumers of this API to identify current and future alternatives where appropriate. Content blocking is one of the most important use cases for extensions, and we are committed to ensuring that Firefox users have access to the best privacy tools available.
This is 100% the right thing to do: let extensions use the more powerful API, while also providing the more neutered version for extensions that may not need to use the legacy version, or are designed around Chrome instead of Firefox.
There's been a fair bit of confusion regarding Mozilla and Manifest V3, but I'm glad this (somewhat) clears it up.
If ublock origin stops working on Edge and Chrome I will switch to Firefox. Firefox is a horrible browser, but I don't see any choice at this point. Have you tried to browse the internet without ublock??
Brave is my 2nd choice to Edge and it's adblocking isn't dependent on manifest versions. I would consider a good adblocker alternative though like AdGuard. I love that one on iOS. They do a great job. I can't say I miss uBlock Origin there.
Is there anything actually wrong with Firefox besides just being kind of sluggish on heavy pages these days? All the web features that matter are available and have been for years...
I used Firefox religiously for 19 years straight until last August. I moved to Edge. I never liked Chrome but did want its speed as you refer to there.
If Edge loses uBlock Origin, I'll definitely try alternatives first.. but I wouldn't go back to FF. I did a review of all browsers last summer and came to liking Edge the most, then Brave as my second choice. Part of my ranking methodology was how big of a vendor was supporting each browser, as I've seen some value in that now that browsers are critical. That metric really hurt Vivaldi, Opera etc. Brave only came out on top because it's the only fully open-sourced browser other than Firefox. The built-in adblocking that's not dependent on outside support may win it a lot of new users soon though, including me.
There's no such thing. There's Firefox, Chrome and Safari (and since you're using Edge, I doubt you're a macOS user). Everything else is Chrome with a different paint job. Once Google drops support for v2, everyone will. Maybe Microsoft has the engineering power to support it, but they have no reason to, and Opera might want to, but doesn't have the funding required.
Firefox is slow, but it's not that slow.
<philosophical>I'll take the extra second of loading time for GMail any day over contributing to the harmful browser monoculture</philosophical>
I meant alternatives to uBlock Origin. AdGuard is quite good on my iPhone and it must be very restricted.
If V3 really is Armageddon as everyone is saying, then I have my new browser lined up. It's Brave. And it already has a suitable adblocker built-in. It's the no brainer solution here.
A friend of mine is a macOS user and he loves Edge. There's a native Apple Silicon build and it works well.
Here they defend the decision to adopt WebExtensions even though they're now reduced to chasing Chrome's whims. But maybe all the disruption and pain can be justified because there has been a flood of cross-platform plugins that were previously unavailable in Firefox. I don't have any data but my sense is that there are a lot fewer extensions than their used to be. There is definitely less plugin innovation happening since, as with most Google APIs, it is less powerful, less transparent, more locked down. There is also the question of differentiation, what is Firefox's value if it is but another Chrome clone?
It's a superset of Chrome's functionality. E.g. https://github.com/w3c/webextensions/issues/134. The Web Extension API in Firefox is generally a lot bigger than Chrome's, so there's plenty of differentiation and I wouldn't call it a clone.
Different tech companies, that are also major browser manufacturers, have a radically different vision of what the web should be and how it should be consumed.
The file itself is not the issue. It's just that Chrome uses it to introduce breaking changes. That is all. They could have dropped support for APIs at any time like they did before, but decided to group all of these changes together under a single umbrella.
If "the web" in this case means "several incompatible standards I have to adopt to work on all likely users' browsers," I won't miss that web.
If "the web" means "There are a few standards different implementations conform to, and if I adopt those standards I'm compatible with those implementations," I don't see it dead in the adoption of MV3.
Murdering userscript extensions & dynamic code is such a sad thing to declare a win. There's so much FUD being used to scare the web into accepting so many sad new limits. I detest this technical fearocracy.
What do you mean when referring to userscript extensions and dynamic code?
The latter I think refers to being able to execute code that is fetched at runtime? That certainly makes things a lot easier for developers, but I don't quite see what limits that imposes for users?
There's a range of different ways to author & uses for dynamic code.
In terms of use cases, downloaded on the fly code is definitely one example. Userscript engines like Greasemonkey, VioletMonkey, & TamperMonkey are all alao on the chopping block, which also allow user-edited code as well as downloaded code.
There's also a huge range of uses for dynamic code in general. Data stores & engines will optimize performance by using the Function constructor[1]. Cant do that anymore: basic, sensible, multi-decade long optimizations are now off the table. Being able to use eval() to dynamically generate a complex expression- no longer allowed.
It's bitterly ironic that Apple's prohibition against interpretters (a type of dynamic code) has held their platform back from allowing interesting things to run on iOS. Chrome's real rendering & js engines are blocked there. Because Apple says it's too unsafe to trust programs to do anything not statically defined, that only code that can all be fully read & understand is ok. Now here's Google & then Mozilla, bringing the exact same prohibitions against dynamic code to the web. At it's deepest heart. It's so ugly, so hypocritical, & so menacing & massive a threat to possibility, to extensions that can grow & develop.
Long hope, but a deep one: I very much hope one day (far away) a semantic-web like world wide web might emerge, but if this sick knee-capping happens the browser will never be a viable place for user agency- which must be a dynamic & growable organic thingh never be tenable as a place where user agency can grow & flourish. Extensions are amazing, but if they're restricted to single-purpose little timmicks, unflexible static predefined capabilities, Google will have insured that the only thriving systems the world will get will be inside the data center. These restrictions mortally cripple user-agency, that which is most special & most dear about the web & what set it apart from conventional software applications.
The basic problem is that the average non-technical user lacks the knowledge that these policies exist, much less their deleterious effects. This is the problem with some of the valid points RMS has been raising for decades. Look at dragnet surveillance- ask the average person who Snowden is.
Unfortunately I don't see that changing, especially since you can see the same dynamic in (nearly?) every other industry. The industry engages in widespread practices, sometimes legitimized by corrupt laws via regulatory capture, that harm our society and everyone is too busy trying to put food on the table to notice.
Ignorance is by far the best breeding ground for FUD.
Tech has gone so radically anti personal computing, exists mostly in modern mainframes (data-centers) once again. There's so little hope for good when so much of computing is so very very far away, when technics have all so swiftly effervesced up into the cloud.
That’s very idealistic that you think “justice” is what the US has in mind for him. If you haven’t noticed from the Assange case, the US fed gov’t rewrites the laws and creates its own definition of justice to try its best to murder anyone who exposes its crimes.
If the US was interested in “justice” for Snowden it would have awarded him a Congressional medal of honor instead of hunting and trying to prosecute him.
The truth already came out the day his material was released. He’s been isolated from his country, culture, family, everything he knows and loves and has to fear every day will be the day the US figures out a way to kill him or bargain with Russia to hand him over to death/lifetime imprisonment via a kangaroo court. He hasn’t sacrificed enough?
He’s one of the few patriots. The traitors are the ones working for and especially managing these unconstitutional illegal programs that continue to this day.
We don't have a kangaroo court waiting for him. This sacrificial lamb has easy street waiting for his crimes compared to Navalny. Navalny still returned home without fear, and may lose his life for it. Yet his spirit, unlike Snowden's, will live forever and cannot be killed. That's a hero vs a coward. Navalny inspires me, an American.
Equating the US and Russian justice system is hilarious. We could kill any traitor, anywhere we so chose to kill one. He's safe and running from justice in Russia, but he's not safe from the blade. The government chooses to spare him. Never underestimate the long arm of Uncle Sam.
I for one, think it's best that his true character is revealed through his self-imposed exile. He's too selfish to come home and bring attention to his cause. He's all about himself, and he hasn't suffered a lick, yet. He has spent a lot of time running though. And don't call him that. He's not American.
Benedict Arnold died in England, hated by both the Americans and English. Even the British who benefitted from him didn't respect a man who would betray his own people.
Wrong. He had a nice life in Hawaii with a big paycheck. If he was all about himself he wouldn't have done what he did, his life would have been far easier.
The proof that it's a kangaroo court is that he's being charged in the first place when what he did wasn't a crime.
I can tell that you like to live in your own reality. He violated the Espionage Act. He is a foreign agent, he won't say but supposedly now has Russian citizenship. Quite the patriot, seeking shelter in one of the least free and most oppressive European nations he could find. He harmed the US and the UK, and assisted China and Russia.
I realize you want to make that coward & villain out to be a freedom fighter, but I already provided a real freedom fighter. The comparison is stark.
William Wallace didn't hide in Paris or Berlin. Neither did the modern day Wallace in Navalny. They stood in their homeland like men. Snowden? Good for a laugh, and will go down in history as such. He was just a boy who ended up harming, and outright turning on the nation he was supposedly liberating, then hid from the consequences.
It's odd and suspicious that you have so much hate and vitriol for Snowden while the silence is deafening on the highly illegal, democracy-destroying programs he exposed. He should be protected as a whistleblower, not prosecuted under the Espionage Act. He exposed crimes by the US govt whose severity and scale are hard to overstate. That should be your concern, not where he lives, that's an irrelevant diversion from the real topic. Snowden as a person doesn't matter, at all, 0%, the only thing that matters in this discussion are the crimes he exposed. Or how about James Clapper not being in prison after he lied about these programs under oath in front of Congress.
Why change the subject constantly? I was responding to-
ask the average person who Snowden is
And I told you who Snowden is. A coward, and a traitor to his former nation and people.
He's easily exposed by looking at his actions. I have no position stated here on your various rabbit holes of whistleblower vs espionage, etc. I'm not a Constitutional scholar as you believe you are. What I can assure you, the ACLU and others would be more in front of abuse of power than you or some nerd here could ever pretend to be. Should he return "home" to show his courage, to follow through in his beliefs like actual national heroes have done throughout history.
He harmed US and UK national security. He won't admit it (why would he, he won't even face justice in the "nation he loves") but they believe he handed over his harmful material to the Russians and Chinese for their protection. The guy is a Benedict Arnold, a scumbag, no matter how you slice it. Just because you like part of the information he exposed on surveillance doesn't change the rest, nor what the whole of his actions have revealed about his intentions and character. You've been duped by a false prophet.
It's not changing the subject. The point of that statement was that most people are completely unaware of these issues. People shouldn't know who Snowden is because of his personality they should know him because of the information he revealed. You seem obsessed with him as a person for some reason.
> I'm not a Constitutional scholar
You don't have to be a constitutional scholar to understand that recording everything everyone is saying all the time is a violation of the 4th amendment. By your logic, only scholars are able to have legitimate opinions on the crimes of the government, no matter how plain and obvious they are. It's a good thing your philosophy wasn't held by the millions of people whose pressure and marches got the 13th amendment passed, almost none of them constitutional scholars.
> the ACLU and others would be more in front of abuse of power than you
They are in front, apparently you don't realize that the security state is more powerful than the ACLU. They've constructed secret courts (FISA) with secret laws written with words with secret interpretations, all designed to make these criminal programs legally impenetrable. The EFF has been suing over these problems for years, and took several years to even get a court to recognize its standing.
> you or some nerd here could ever pretend to be
And what is the point of this derogatory disrespectful statement? That because the ACLU exists, technologists that understand the mechanics of these abuses better than anyone should shut up and leave it the "scholars"?
> He harmed US and UK national security... they believe he handed over his harmful material to the Russians and Chinese
He handed over his evidence of US crimes to journalists who published it. If his goal was to hand over secrets to foreign governments he wouldn't have had it published in the news. Your evidence-free conspiracy theory isn't logical.
> Just because you like part of the information he exposed
Like it? He exposed some of the most heinous crimes of the US govt, who would like it? You apparently have no problem with these programs, which have already chilled free speech and protest against the government, because (I guess?) you're not "a scholar" and therefore unable to recognize crime when it's in your face, and because the citizens shouldn't be concerned about being the victims of crime or standing up for ourselves because the ACLU exists (???)
The points you're making are increasingly illogical.
> You've been duped
Duped by black and white evidence that even the government concedes was real? How does that work?
You missed the point. I'm not qualifying the information released, I'm qualifying his treason. I'm not commenting on the constitutionality of mass surveillance. He went about it the wrong way, then ran like a coward and hid like chicken little.
Of course Snowden isn't going to admit he handed over intel to the Russians or Chinese, but it's most likely he did. Hence he's safe from justice today, right. Believe more in your hero though. I like my heroes to have an ounce of manhood and bravery like Russia's Navalny. Edward wouldn't have 1/1000th the struggle that man has faced. We could poison him, give him cancer, anything. He's not safe. He's just blessed to have been a traitor of America, rather than a totalitarian society like the one he resides in now.
And yes, I do consider the ACLU more qualified to handle any potential US gov't abuses of Snowden. There won't be any. He's just a traitor and a coward in hiding. Hiding behind the same cheap rhetoric here about "unfairness". Yet he trusts the Russian system. You can't make this stuff up. But here you are.
If you wouldn't mind, please explain the right way. He went to his superiors first, was told to shut up and go back to work. Even when he released the black and white evidence, James Clapper stood in front of Congress and lied about the programs under oath.
> ran like a coward and hid
Not before, but after you're in his shoes, where you have US intelligence trying to figure out how to rendition you to a CIA blacksite and have you unpersoned and murdered, you can judge his wish to stay alive.
If he was a coward, he would have ignored the crimes the government was paying him to participate in like all the other people he worked with at the NSA.
> it's most likely he did
I'd argue the opposite. If his goal was to ferret intelligence to foreign countries he wouldn't have released anything to the press, the two actions are completely at odds.
> I like my heroes to have an ounce of manhood and bravery
He risked his life, and gave up everything he had, to expose these crimes to try and help his countrymen. That's enough manhood and bravery for me.
> I do consider the ACLU more qualified to handle any potential US gov't abuses of Snowden
The government is abusing Snowden without help from the ACLU right this moment by seeking his prosecution. You seem to have a very mistaken impression of the power of the ACLU.
> He's just a traitor
He literally did nothing to justify that label. The only traitors in this story are the people working for the NSA participating in these crimes against the American people.
> Yet he trusts the Russian system. You can't make this stuff up. But here you are.
You have strong opinions yet are uninformed. Snowden is in Russia because that's where he was during a flight layover at the moment the US State Department canceled his passport making it impossible for him to leave the country. If you're so angry he's in Russia (why would you care?) you can thank the US State Department.
The ACLU point was that they would watch for any injustice with a more astute mind and eye than you or anyone else here has. I don't think you have to worry about alerting HN about Edward's unfair treatment at the hands of the US government. I think there are coalitions of lawyers that will be releasing press statements if something were wrong. There won't be. It's all excuses to enable a criminal to continue his run on the lam.
The right way is however you feel is best, without running from the consequences under the justice system. I already said it a few times here, look to real patriots. George Washington, William Wallace, Alexei Navalny. Some had worse ends than others, all stood their ground till the end in what they believed. All men whose spirit will burn in the hearts of men forever.
I know Snowden's story. His passport doesn't bar him from returning home, and he's not helpless in Russia. He can leave, he chooses to stay. He either has or is still seeking a Russian passport which says it all. Forgoes American justice for Russian servitude. There's your personal hero. The boat sailed on that guy, your depiction of him sounds like someone years ago before he engaged in a full speed sprint from justice. He has exposed himself for what he is. Just accept that the story continued to evolve on him and people see it.
And the good news: the US will treat him fairly, and won't assassinate him. We could, easily. He ran from the world's longest standing democracy.
Bad news: he's a Russian. That government poisons you just for speaking in public. Most people there wouldn't dare speak their views outside of their kitchen table. Irony for your "freedom fighter" will be given they despise traitors so when he pushes the wrong button, they murder him.
What you seem to be missing is the fact that Snowden shouldn't be being prosecuted at all. He should be protected by the Whistleblower Protection Act. He shouldn't be "hiding" or "running" or whatever you'd like to call it because there shouldn't be anything to run or hide from. The second the evidence he presented was looked into the DOJ should have immediately dropped any charges against him, he should have been pardoned to protect him from any future prosecution, and he should have been awarded the medal of honor.
You're starting from this flawed premise that he needs to "face the music for his crimes" which is just completely fallacious. I couldn't care less what country he's in, again not the point. The point is the US doubled down on its crimes by not only committing them but illegally trying to prosecute someone who exposed them. For whatever reason or axe you have to grind you refuse to recognize any of that.
Again, Constitutional scholar. I don't buy any of this. I wouldn't want him to face injustice either. I don't buy it that this guy is innocent and blameless. He needs to face an open and free trial here in the USA. Let's have it out. Everyone will be heard. It'll likely be on CourtTV for you. No need for conspiracy theories and excuses for him. Let's see the freedom fighter nut up.
It does matter what country he's in, all of these circumstances are suggestive of one thing or another. No reason to stick the head in the sand. I have no axe to grind. I'm just an average person calling this guy out as I see him. I wanted to present an unpopular viewpoint on him on HN that isn't heard often, or one that people are scared of saying out loud in fear of the aimless mob tarring and feathering them for. I simply don't care, I'll speak out every time, and I'm always willing to bear any cross required for it, unlike Eddy.
if you see snowden as a traitor (someone who violated the trust bestowed on him by his government)
would you also consider that when the government did the illegal things we now know to its own citizens, that the government is also a traitor (having violated the trust bestowed on it by its citizens)?
it's a two way street, is it not? by your definition all whistleblowers who take personal risks for the common good are traitors.
Honestly, Mozilla's approach here is sound: they create a potential competitive edge by not removing the existing APIs, betting that the good outweighs the harm.
No, Mozilla is imposing the same brand new restriction against dynamic code (eval, Function[1]) as Google & has no affordances to allow this sometimes performance-critical & creatively necessary set of capabilities. Extensions can no longer grow & evolve, turning back multiple deacdes of possibility.
Hey, look on the bright side. Within a decade or so, the "open" web will have completely stagnated, and all new content will be squirreled away in closed-source, non-searchable private domains like Discord. So you won't even care that your web browser sucks
You point out only the weak, sad dynamic code & ignore the enormously speedy & optimizing dynamic code. Shame. Have at least some nuance or balance in your decry-al.
What would you use the function constructor for that's worth the security implications of it existing? The majority of programming languages get along fine without such a mechanism. Why should we have it in our browser extensions?
JS has always been special & excellent because it allows multiphase programming. That one coild just add more code has been unique versus the world of statuc languages, where maybe youcd have some tool to generate stubs for Thrift or gRPC, then compule that in to your program. Which works ok, if and only if you know ahead of time what schemas you might need. Im these cases, you have to give up on stub code & start using more interprtted systems.
Everything you say is laced with doubt & scorn & skepticism. I just cant imagine living in such a world where each system had to know fully well ahead of time each type of data it might want to interact with, might have to have that precompiled & baked in. That's a shitty miserable world that looks like the hell JS plucked us out of. By being a flexible, dynamic language that could load in routines & change it's behavior over time. Screw that dark hell world.we crawled out of, screw systems that cant ever become more, & screw the fearmongering shit show V3 foisted upon us by removing really really important flexibilities of the language.
> I just cant imagine living in such a world where each system had to know fully well ahead of time each type of data it might want to interact with, might have to have that precompiled & baked in
At the level of a browser extension (which, operating outside the per-page security sandbox, has wide latitude to observe and manipulate the user's experience and interactions with the web), the new way of thinking is that such forward-declared constraint should be the prerequisite for the security-conscious extension.
By all means, change your behavior over time... By the process of pushing new versions of the extension, which can be statically analyzed, and forward-declaring the permissions you need to accomplish your tasks. Anything else is asking the user to trust a stranger (both to not be malicious and to not be inept).
> That's a shitty miserable world that looks like the hell JS plucked us out of
JS plucked us out of one hell and put us, initially, into another where any old website could fake a query to get your bank account data or steal your password. We've been digging out of that hell ever since, and this is another step in that process.
> By all means, change your behavior over time... By the process of pushing new versions of the extension, which can be statically analyzed, and forward-declaring the permissions you need to accomplish your tasks.
A ridiculous proposition on the web. User agency ought be able to grow & expand the wider the set of data they encounter. To propose that each new type of data encountered requires a new version of the extension is a farce.
All for weak & vague & unspecified fears. Be afraid user! You need this restriction, anything else would be dangerous to you! It's been uncompromising stances, offering no middle ground, no opt-out, disregarding all valid cases. Fearocracy. Security concerns are ruling with fear & absolutism. With no public evidence no escape hatches no real accountability. This is degrading.
> All for weak & vague & unspecified fears. Be afraid user!
I wouldn't say "afraid," but "cautious" and "skeptical" are good attitudes to have regarding extensions with global permissions that can execute arbitrary JavaScript that originates from a source other than the signed files in the manifest directory, yes.
So will it just be impossible to have extensions like ViolentMonkey, TamperMonkey, GreaseMonkey, Stylus, etc. in Firefox as well as chrome? That wouldn't be as big of a problem if the browser had it's own way to add user scripts, but it doesn't. And making your own extension for little scripts isn't really viable either. Especially since firefox at least requires the extension to be signed to install permanently, and getting it signed is not only a pain, but may be a privacy problem if your userscript has something sensitive in it.
If you take away these extensions please at least give us a native way to add user scripts (and by all means put it behind a big scary warning that you shouldn't use untrusted scripts and you should only do it if you really know what you are doing).