by yegor 1372 days ago
As a proxy extension developer, this is absolutely maddening. We're forced to choose between auth-less open proxies (bad), or baking in a wacky authentication scheme through a side channel (also bad). MV3 drops in 2.5 months, and will leave tens of millions of proxy extension users unable to use products they paid money for.

This is all on top of the many other issues with MV3 that Google is pushing under the guise of "improving performance".

10 comments

Does your extension work on Firefox? If yes, have you considered explaining the situation to your users to encourage them to move to Firefox?
Firefox has a much worse history than Chrome when it comes to breaking extensions.
They also have a much longer history than Chrome.

Kinda glad they disallowed the extensions that had near unfettered access to browser internals.

Like what? I can't imagine Firefox has done anything worse than MV3.
Oh, I don't know, maybe breaking literally all of their extensions with the deprecation of XUL?

I'm a happy Firefox user, and I'm pretty sure it was the right choice IMO, as Firefox is certainly much more stable and fast now than it was before. But it was certainly a very, very rough process and left some very popular extensions broken without alternatives for months and even years before the necessary APIs were added to webextensions to bring them back.

"Breaking all of their extensions with the deprecation of XUL" is one interpretation, another one is that it was needed (of course it was the correct choice!) and there wasn't going to be an easier approach than just ripping the band-aid off. It needed to be done, it's done, and now instead of discussing the larger picture, we're talking about XUL deprecation from Firefox which happened in 2018. So what's your point?
V3 will improve performance of ads division.
Where is the EU when you need them with their anti-trust litigation? Google is pulling a 2000s Microsoft.
Google have been doing this for 10+ years and people are only now starting to see it, it seems.

The Microsoft antitrust trial original verdict was reached in 1999 by the way (appeals kept it alive a bit longer, though, into 2001). You are probably referring to the 1990s Microsoft, I imagine.

There is an easy alternative: Use Firefox
These days many websites don't work in Firefox. And the worst thing is you never know it was Firefox that was causing the problem. Last time I tried to log in to Verizon it didn't work. Same with many websites I can't remember off the top of my head.

I still can't leave firefox due to multi containers tho :(

I've found that many times when a site doesn't work in Firefox it's actually extensions causing issues rather than Firefox itself. That being said, there are still compatibility issues from time to time!
I've also seen sites that do not work in Chrome.
That doesn't fix the problem, though.
Doesn't it? Product A is bad, thus use Product B. That's how most of my problems with different products are solved.
What if product B is also bad?

And there's also a product C, D, E but when you check them out you realize they are essentially clones of product A?

No, because they are leveraging their monopoly in search to advantage their other products and undermine competition.

I'm a relatively happy Firefox user, but at this point to say Mozilla significantly mitigates Google's monopoly is as plausible as when Microsoft claimed that BeOS somehow mitigated theirs.

Doubtful. I suspect that Google Adsense ads will continue to be blocked post-V3.
You're correct. MV3 blockers work fine against Adsense, as expected.
Blocking is detectable. uB doesn't block, it shims its own version of JS.
I'm not sure what you mean.
If you block third party javascript files (e.g. google analytics) other code required for the website to function correctly might fail, since it relies on that third party javascript. So uBlock doesn't block certain javascript files, and instead replaces them by its own version which contains dummy functions that avoid those errors.
OK that doesn't have to do with blocking Google AdSense ads nor does it have to do with proxying so I'm kind of confused.
Have any of the Chromium forks committed to maintain MV2 into the future? Having functioning extensions while maintaining the other features that people like from the browser could help pull some marketshare from Google Chrome. Probably just dreaming though...
None that I'm aware of but Firefox has committed to maintaining the more powerful MV2 content blocking APIs that Google is removing.
Brave has committed to MV2 but they will need their own store first because the chrome web store is kicking out MV2 extensions. So far, they don’t have their own store.
They have explicitly not committed: https://twitter.com/BrendanEich/status/1534905779630661633

> We could fork them back in at higher maintenance cost. No point in speculating — I don’t write checks of unknown amount and sign them, and Google looks likely to keep V2 support for a year (thanks be to “enterprise”).

Vivaldi has previously promised to find an alternative for v3, but they left it in vague words and haven’t announced an update for this yet. https://vivaldi.com/blog/chromium-ad-blockers-choice/
I checked out both of your sites Windscribe.com and ControlD.com...I will be signing up as a paid customer! Thank you for this.
Nice, thanks! If you have any question you can always email me at my HN username @ either domain.
This also breaks proxy authentication in very popular extensions like FoxyProxy.
Is there really nowhere else to store Auth information in a synchronous datastore?

For example it looks like you could use a lambda function with the Auth info pre-bound...

One big thing about MV3 is that background script, persistent or not, is no more. You have a web worker that can start afresh at any point, outside your control. So variables assigned asynchronously outside your event handler (which must be registered synchronously at the top level) scope don’t work reliably.
Could you run an auth-free proxy on localhost that in turn forwards traffic to a remote proxy that does require auth? You could have your intermediate proxy expose a local interface for configuration.
This is one of possible solutions, but requires a native app to be installed. Extension would no longer be standalone.
If there is one group of people I will never feel bad for, it's the VPN / proxy vendors.

They've been doing false advertising for years on every channel, making consumers pay for absolutely useless products.

There are absolutely terrible players in the space.

We're also in the space, I don't think we're selling useless products, or falsely advertising.

Our customers use our proxy servers to test applications that use your IP address to show you localized content (IP Location, GeoIP, etc). We're in 80+ countries 250+ locations globally.

Being able to switch your location with a browser plugin makes it just a few clicks, and _much_ faster than switching VPN endpoints. You also get to proxy just your browser traffic (or even just traffic against a few specific domains) rather than all the traffic on your machine. So your Spotify/Slack/Outlook connections can all run normally, and you're only proxying the site you want to test from somewhere else.

This change is terrible for us. Especially so because users flipping around between different proxies is a major use case. A user needing to re-enter their credentials for each unique proxy server is much worse than just once.

How are you planning to adapt to the change?
There are many legitimate use cases of VPNs. Also there are many VPN companies that don't do false advertising such as Windscribe, Mullvad or iVPN.
> There are many legitimate use cases of VPNs

Yes of course, but that probably represents less than 10% of the customers (I'm being extremely generous on purpose, it's probably 0.1%) of your usual NordVPN and co.

> don't do false advertising such as Windscribe

"Stop tracking and browse privately" and "block annoying advertisers from stalking you online" proves you wrong. VPNs don't stop trackers.

> don't do false advertising such as Mullvad

"Evade hackers and trackers". Sure.

> don't do false advertising such as iVPN

Hey looks good actually, they indeed don't claim to block trackers or anything else, just change your IP / geolocation.

> Yes of course, but that probably represents less than 10% of the customers.

Lol how did you come up with 10%? Did you just make it up?

> VPNs don't stop trackers.

Windscribe (and other VPNs) can block trackers. https://blog.windscribe.com/how-r-o-b-e-r-t-works-76d6274460...

A huge portion of VPN users do it to get around geo-blocking, which has not been falsely advertised.
> Hey looks good actually, they indeed don't claim to block trackers or anything else, just change your IP / geolocation

Add FoxyProxy to that list of no false advertising, please

VPNs are quite useful in the UK. A fair number of sites are blocked by ISPs for various reasons.
I'm in the UK, almost all the blocked sites are unblocked just by changing DNS servers. No need to give all your data to a ~middleman~ man in the middle for that.
Why will auth-less open proxies be bad?
VPN providers won't be able to verify if a user paid for the service.
Not just VPN providers or other paid services. Open proxies on the internet are bad for everyone.
Authorization and access control are different problems. You can use ssh to create an auth-free SOCKS5 pipe, for example (lots of us do this every day), but that's not an "open proxy" because it's e.g. listening on ::1 or on the internal network interface, etc...
What are the other issues with open proxies?
They are usually hosted by malware installed on a vulnerable system. And if they are SOCKS proxies (vs http proxies), then they can send spam using the IP address of the infected device.
Cyberattacks use open proxies to amplify the attack/hide their source.
Good old user:pass@ won't work?
A couple hours ago I added a comment to the bug to describe our current plans[1]. TL;DR: you'll be able to use webRequest.onAuthRequired in MV3.

[1]: https://bugs.chromium.org/p/chromium/issues/detail?id=113549...
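
An added example, not from the thread or from Chromium: one way an MV3 service worker could answer proxy challenges with webRequest.onAuthRequired while tolerating the worker restarts described earlier in the thread. The storage key, the stored record shape `{host, username, password}` and the choice of `chrome.storage.session` are assumptions made for illustration.

```javascript
// Added example: MV3 service worker answering proxy auth challenges.
// Assumed manifest permissions: "webRequest", "webRequestAuthProvider", "storage".
// PROXY_KEY and the stored record shape are hypothetical names for this sketch.
const PROXY_KEY = 'proxyAuth';

function registerProxyAuth(chromeApi) {
  // Request ids already answered. A second challenge for the same id means
  // the credentials were rejected, so cancel instead of retrying forever.
  const answered = new Set();

  function onAuthRequired(details, reply) {
    // Never hand proxy credentials to an origin server's 401 challenge.
    if (!details.isProxy) { reply({}); return; }
    if (answered.has(details.requestId)) { reply({ cancel: true }); return; }

    // Read credentials inside the handler: the worker may have restarted
    // since they were saved, so module-level variables cannot be relied on.
    chromeApi.storage.session.get(PROXY_KEY, (items) => {
      const cfg = items && items[PROXY_KEY];
      // Only answer the proxy host the user actually configured.
      if (!cfg || cfg.host !== details.challenger.host) { reply({}); return; }
      answered.add(details.requestId);
      reply({
        authCredentials: { username: cfg.username, password: cfg.password },
      });
    });
  }

  // Registration must happen synchronously on every worker start so the
  // browser can wake the worker for this event.
  chromeApi.webRequest.onAuthRequired.addListener(
    onAuthRequired, { urls: ['<all_urls>'] }, ['asyncBlocking']);
  return onAuthRequired;
}

// In the extension this runs at the top level of the service worker file.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  registerProxyAuth(chrome);
}
```

Checking `details.isProxy` and the challenger host keeps the stored proxy credentials from being sent to an arbitrary website that issues its own authentication challenge.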