Hacker News
by rlnorthcutt 949 days ago
This seems like the same basic tech problem - how to balance uninformed user protections with advanced user capabilities.

The problem is browser extensions and the ability for bad actors to use malicious code to harm users. This is a real threat - how do you protect users from their own actions?

Putting aside the cynicism about Google's "true" motives and assuming the best intentions on their part... this still seems like an overly broad limitation without a good workaround.

Personally, I use as few extensions as possible, and I'm very particular about which ones. I'm sure most readers here are as well. So, for me (us?), this is a problem, especially if we also maintain extensions. But - what about my mom? She doesn't even know how to remove extensions, never mind review them for potential problems. We should not sacrifice the many (and encourage the bad actors) to ensure that the few have the access they want.

Why not put in settings that allow the user to allow extensions outside the bounds of MV3? Why not put a warning on the extension page that it "could be risky", or even hide those extensions entirely from the users who don't know to adjust their settings?

7 comments

Any claim that Chrome's decision is not entirely profit-focused needs to take into account that Firefox managed to adopt Manifest V3 without gutting the ability for adblockers to do their job.

Google needs to be very specific on this: what precise user-privacy-threatening functionality can an extension have in Firefox's implementation of MV3, that is not also possible in Chrome's? Because if there is actually none, then we have our answer right there.

This should be the top comment of this whole article.

Cynically, because there are motivations behind MV3 that aren't related to privacy or security. I don't think it's tin-foil-hatting to assume Google has an internal plan to deal with ad blockers.

There's plenty of security/privacy issues that remain after MV3. It's somewhat telling that onBeforeRequest()'s synchronous blocking was the first thing MV3 went after.

If it was about protecting the average user, they could simply put a big red button somewhere deep in the settings where an average user will never find it and create a pop-up saying "don't do this, it's dangerous" if they try to flip it. Hell, even a command line flag would work.

It's ofc not about protecting the user, however.

> We should not sacrifice the many

I don't see how forcing the many to have sub-standard ad-blocking software isn't a sacrifice of its own. Ads and tracking demonstrably harm user privacy.

We have two harms: rogue extensions siphoning off user data, and shitty ad networks eroding user privacy. I don't think we need to choose to solve only one or the other.

And it's not like MV3 really protects users from rogue extensions. It's pretty obvious it's a plan by Google to reduce the effectiveness of ad blockers; the alleged privacy improvements are an unproven excuse.

The other big change of mv3 that gets no coverage but which is dear to me is that mv3 outlaws any kind of dynamic code. The whole app has to be statically defined. This makes it much easier to know what's running, since an extension can no longer go pull in extra code, but it greatly reduces what you can do as an extension too. Extensions have to have all behaviors predefined. I can't dial home & load my behaviors. Here's the issue, https://github.com/w3c/webextensions/issues/139

For a while it meant that userscripts didn't have any way to run. So Google introduced a new API for user scripting. But those extensions only run in "developer" mode. I'm guessing that means when devtools are open?

I agree a lot with your premise. It sure seems like Google is targeting everyone with these changes, but better real affordances & escape hatches need to be built in to not maim the lives of power users. It took a long, long time to come up with a userscript solution, and it seems like an awful doesn't-work-for-me workaround (I use userscripts not to dev but to modify everyday experiences). Chrome just hasn't been taking their obligation to user agency seriously; they can't just start treating everyone as needing huge protective walls all at once.

> For a while it meant that userscripts didn't have any way to run. So Google introduced a new API for user scripting. But those extensions only run in "developer" mode

I didn't notice that in the announcement of the new API, but that actually seems pretty reasonable for userscripts? It also seems to match what the GP was asking for:

> Why not put in settings that allow the user to allow extensions outside the bounds of MV3

> I'm guessing that means when devtools are open?

No, it's a flag you turn on on the extensions settings screen (chrome://extensions/).

> We should not sacrifice the many (and encourage the bad actors) to ensure that the few have the access they want.

It's a false dichotomy. We don't need to sacrifice anybody. Require more consent or an advanced toggle to turn on the allegedly dangerous behavior.

People have been clicking past permission prompts since their inception. So many people on Android are compromised by tutorials for "free vbucks" or "free gems" that ask them to install spyware/adware by bypassing Google Play and even Play Protect.

The browser is not your nanny. You can also text your online banking credentials to scammers using an Android phone, but no one in their right mind suggests removing text message functionality from Android because of that.

So let’s get rid of apps and the play store! … … …

Unless we intend to regress to the mean, people must be educated on how to use powerful tools responsibly, and we must build powerful tools with effective safeguards.

> This is a real threat - how do you protect users from their own actions?

You fucking educate them.

I’m sick and tired of big tech treating people like children. Sure, in the short term perhaps consider putting up fences and whatnot, but come on, general purpose computers have been mainstream since at least 1995, we ought to have learned what they are by now.