Google says Chrome extension changes aren’t killing ad blockers, just improving security

Credit: ID 134067214 © Firuz Buksayev | Dreamstime.com

Google has spoken out about its changes to Chromium extension behavior in response to growing concern that it could hobble ad-blocking services that harm Google’s ad business. 

The concerns centre on a Chromium application programming interface (API) known as webRequest that is being deprecated and replaced by another API called Declarative Net Request that could prevent Chrome ad-blocker extensions from intercepting network requests, in turn reducing their capability to block ads. 

The proposal to deprecate the Chromium webRequest API was outlined in a proposal for the Chrome Extensions program called Manifest V3, first released publicly in October. 

Google’s latest update to the plan was in May in the face of criticism from users and ad blocker extension developers. 

Google’s developer advocate for Chrome Extensions, Simeon Vincent, said at the time it would generally prevent the API for ad blocking, but still allow its use for that purpose in enterprise deployments. Instead of the webRequest API, Google suggested a more restrictive Declarative Net Request API for Chrome.       

The move is foremost controversial because of Google’s business model and its incentives to limit online ad blockers. But this month developers of smaller Chromium-based browsers, including Opera, Brave and Vivaldi, said they planned to continue supporting the old webRequest API in their browsers. Some of the browsers have built-in ad blockers. Microsoft’s stance on the Edge browser, which is being rebuilt on a Chromium code base, is not known.    

In a message to followers of the Chrome Developers Twitter account today, Google said that “Chrome isn’t killing ad blockers – we’re making them safer.”

“Content blockers are built on extension features that share too much data with the extension. Let's change that!”

“There’s been a lot of confusion and misconception around both the motivations and implications of this change, including speculation that these changes were designed to prevent or weaken ad blockers,” said Vincent today in a blogpost.  

“This is absolutely not the goal. In fact, this change is meant to give developers a way to create safer and more performant ad blockers,” he continued. 

Google has couched its decision in security and privacy terms, arguing that its plan “to replace the blocking Web Request API with the Declarative Net Request API” is about improving user privacy because the former in Chrome “sends all the data in a network request to the listening extension - including any sensitive data contained in that request like personal photos or emails.”

Google says the Web Request API gives an extension the ability to “typically have access to read and manipulate everything a user does on the web.”

Vincent also says the Web Request API has been abused to access user credentials, accounts and personal info. 

“Since January 2018, 42% of malicious extensions use the Web Request API,” he said. 

Additionally, there are supposed performance costs, impacting page load times. 

Raymond Hill, the developer of uBlock Origin and uMatrix, one of the extensions that would be impacted by Google’s changes, has argued that the performance costs are due to “bloat” in Chrome rather than the API itself. 

Vincent said there are “significant” performance costs on Chrome due to the webRequest API. 

Read more: Firefox takes the hammer to a favorite tool for online marketers: cross-site tracking

“In most cases, these costs are not from the evaluation of the extension script processing events, but rather from everything else coordinating the script. That overall performance impact can be very large, even for an extension written as performantly as possible where the JavaScript execution time is negligible.”

Vincent added that using the Declarative Net Request API Chrome doesn’t expose sensitive data to the extension yet still allows an extension to block content, such as ads. The supposed improvements “will make extensions significantly more viable on resource-constrained platforms”, he said, suggesting better performance on Android devices versus Windows 10 devices that use Chrome. 

Vincent confirmed that enterprise, schools, and businesses all still have the blocking version of the Web Request API for managed extensions. 

Manifest V3 though “is still very much in design and development”, according to Google, and open to change.    

One concern of switching to the new system is that Chrome currently imposes a limit of 30,000 rules, while some ad blockers use over 75,000 rules. 

Vincent said that Google is planning to "change the rule limit from maximum of 30k rules per extension to a global maximum of 150k rules."

   

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags GooglechromeChrome extensionad-blocker

More about GoogleMicrosoftOriginTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts