Bypassing Google's big anti-adblock update

> instead of learning Web standards, rather ships Chrome alongside their application

I am confused.

- The "shipping Chrome alongside their application" part seems to refer to Electron; but Electron is hardly guilty of what is described in the article.

- The "learning web standards" bit seems to impune web developers; but how are they guilty of the Chrome monopoly? If anything, they are guilty of shipping react apps instead of learning web standards; but react apps work equally well (or poorly) in all major browsers.

- Finally, how is Chrome incompatible with web standards? It is one of the best implementer of them.

Consumers never really pick products for ideological reasons, no matter how galling that is to ideologues

Chrome was made to fracture, and everything started with the aptly named “Atom” editor (they “invented” Electron).

Everybody choose convenience over efficiency and standards, because apparently nobody understood what “being lazy” actually is.

IE was far less user-hostile than Chrome.

Excuse me. If it's on MDN, I'm going to use it if it's useful for my app. Not my fault if not all browsers can keep up! Half JK. If I get user complaints I'll patch them for other browsers but I'm only one person so it's hard and I rely on user feedback. (Submit bug reports y'all)

Not everyone. Some of us used Firefox all along and didn't just go with the "default" invasive thing.

The main wrong lesson learned was to promote Chrome instead of Firefox (also in what many HN readers have been guilty of).

That's fundamentally a mischaracterization.

Everyone focused on short term gains. Optimizing for browser with 30% market share, backed by Google makes more sense than a browser with 20%. Repeat with 40% and 20% respectively. And so on, and so on.

There isn't a lesson to learn. It's just short term thinking.

Now Google has enough power and lacks scruples that would prevent it from exploiting.

> Don't listen to people, Firefox is perfectly good and most people wont see major differences.

I'm sorry, but this just isn't true. I used Firefox exclusively for about a year and had a website not work about once a month. This included my state's unemployment portal and a small business store.

When it happens, there's no indication of why. It's only because I'm technical I thought too try it in Chrome. My non-technical family isn't going navigate that.

Safari is also not adblocker friendly. Lots of other entrants to try though. Brave in particular is great!

We also need Google to stop showing annoying pop-ups every time someone goes to their homepage, Gmail, or any other site they own. They also need to stop promoting users on mobile to open links in Chrome, when the user doesn’t even have Chrome installed, and has chosen the “default browser” option 100 times already.

I’m so fed up with these nudges.

Webmasters who make their money on ads seem like the group least likely to do this.

Better yet, include some piece of code in your webpage that is dynamically loaded from e.g. EFF.org or mozilla.org.

That way, you give these organizations the power to nuke Chrome, one day.

This can also be seen as a kind of mutually assured destruction approach, to keep Google in check.

Because the author reported it. Personally I would have told the ublock origin developers instead of google.

Wow, that brings me back. I used to use Proxomitron before plugin ad blockers were a thing.

A gift to reduce global CO2 search emissions...

https://en.wikipedia.org/wiki/Proxomitron

https://www.proxomitron.info/

My wife was pissed when I installed an adblocker for her - turns out she likes the ads.

YouTube recently started showing ads through uBO in Firefox.

Our CTO was giving a hybrid presentation in a conference room on zoom, and his M3 Mac kept complaining of high memory usage. Chrome was rated at taking 60GB of memory.

No single consumer application should be taking over 60gb of memory.

Could this be a subjective experience? Is it reproducible on multiple machines? And have you tried it with a new profile?

Last time I used Edge (early this year), it asked me if I allowed to track me (the usual cookies message) when I opened a new tab, so while they still support Mv2, I'm not sure if it's the browser to use if you want some privacy and block ads.

Google doesn't exist in a vacuum. It's not written in the stars that Google must succeed. If Google's business model doesn't meet web users expectations then it's perfectly alright for Google to fail as a business. Businesses fail all the time.

Google is not special or different. Google can adapt or die.

Remember also that as Google has grown and captured more of the available attention and advertising dollars, other businesses that rely on attention and advertising such as free-to-air TV or print media have contracted and even failed. Google has shed no tears for them and, correspondingly, there's no need to shed tears for Google.

> Sounds great for you but how would that work if everyone would do the same?

I guess we would be free from companies such as Meta and Google? Where do I sign up?

You also seem to think that advertisement has no impact on alternative distribution methods. The fact that other viable options are scarce currently only shows that ad companies have a stranglehold on creative industries through their monopoly.

I sincerely hope that having produced a comment like that, you are not using ad blockers of any kind in any browser, including the reduced functionality Chrome uBlock Origin on manifest V3.

For me, ads broke the informal social contract between provider and end user years ago. Small, unobtrusive advertisements might've been okay, but ads eating an inordinate amount of my time and bandwidth, which exfiltrate my personal information, and which are served to me via SEO tricks and dark patterns are not okay. If sites want to ban me for not viewing their ads, fine. In the meantime, I won't lose any sleep over using my adblocker.

For you, if you are lecturing us on the moral imperative of viewing ads, then you better be viewing those ads yourself rather than only espousing cheap rhetoric.

Almost all content I consume is not funded by adverts, it’s funded by passion or subscription or donation.

Adverts have no positive effects for anyone other than the advertising firm. They cost the viewer more than the provide the advertiser

Running ad blockers for me is a matter of principle. The amount of tracking and telemetry that exists on the Internet is 1. massively invasive from a privacy perspective and 2. massively wasteful from an energy, bandwidth and time perspective.

If you have something worth selling, then sell it.

This is a comical view. If protection of downloadable material that someone wants you to pay for, is removed by an ad blocker, then that is broken by design. Make a website that is suitable to sell things, is the solution.

I principally agree with you. But in reality, the ad-funded model has failed. It failed a long time ago.

There were never any restrictions placed on it, so it became a self-sustaining downward spiral to the current state of things. When I see the internet without an ad-blocker it is completely unusable. Quite frankly, I would most likely stop using most of the internet altogether if I couldn't block ads.

So what is the alternative? Same as always: paid services. A service / platform can either work out a pricing model that works for people, or it shouldn't / can't exist in that form.

Some people will argue that they'd rather have ads and also content for free and that's fine. Maybe some people can tolerate them. I cannot. I find them to be as close to experiencing physical pain as possible. It's like pure mind-poison and I will bend over backwards to avoid ads.

I am waiting for the age of smart-glasses to begin so that I can filter out ads in real-life as well. I simply never, ever, under any circumstances want to see any advertising ever.

If I want a product or service, I'll go search for it. I don't need anything to be suggested to me. And this is just my battle-hardened mind. I daren't think of what ads do to un-developed, children's minds.

It should be the government's responsibility to severely restrict advertising until it nearly doesn't exist. But that's not the world we live in, so I have taken matters into my own hands.

I wouldn't mind if Google et al. went bankrupt. Only Youtube would be somewhat of a loss.

No, MV3 really isn’t more secure. MV3 still allows extensions to inspect your requests — it just doesn’t allow extensions to block them.

It’s almost comical how weak the security/privacy argument for MV3 is. Chrome could have developed a sandboxed web request inspection framework to prevent data exfiltration, but they didn’t even try. Instead they nerfed ad blockers without adding any security.

I wish I could browse the web kinda like this but minus the human:

Make Signal video call to someone in front of a laptop, provide verbal instructions on what to click on, read to my liking, and hang up to be connected with someone else next time.

(EFF’s Cover Your Tracks seems to suggest fresh private tabs w/iCloud Private Relay & AdGuard is ineffective. VMs/Cloud Desktops exist but there are apparently telltale signs when those are used, though not sure how easily linkable back to acting user. Human-in-the-loop proxy via encrypted video calls seems to solve _most_ things, except it’s stupid and would be really annoying even with an enthusiastic pool of volunteers. VM + TOR/I2P should be fine for almost anybody though I guess, just frustrated the simple commercial stuff is ostensibly partially privacy theater.)

One of the main goals of MV3 seems to be nullifying protection against tracking URLs. Most of the discussion about adblocking technically "still working" under MV3 misses this point. It doesn't matter if you're actually served ads or not, when when your underlying habits can still easily be collected from the combination of fingerprints and tracking URLs.

https://github.com/w3c/webextensions/issues/302

What I don't understand is why Google doesn't offer users the ability to add some extension ids into some whitelist to allow them using very sensitive permissions.

Force those extensions to have an prominent icon on the UI with a clear tooltip asking "did you install this yourself [No]" for easy removal, in case someone else did install it without you knowing.

There are so many ways to make this work, but they have zero interest in it.

I've started assuming bad intent after WEI, even though it was dropped.

I believe them. The restrictions are reasonable and appropriate for nearly everyone. Extensions are untrusted code that should have as little access as possible. If restrictions can be bypassed, that's a security bug that should be fixed because it directly affects users.

I also think uBlock Origin is so important and trusted it should not only be an exception to the whole thing but should also be given even more access in order to let it block things more effectively. It shouldn't even be a mere extension to begin with, it should be literally built into the browser as a core feature. The massive conflicts of interest are the only thing that prevent that. Can't trust ad companies to mantain ad blockers.

That's not really true. Youtube is the de-facto means through which a lot of companies and even governments communicate important information to the general public. It took the place of a lot of public broadcasting and documents supplied in paper form. This is highly annoying but hardly a choice on the part of the recipients.

They do it for free

Indeed.

Perhaps a hobbyist would code “MV2-capable” MV3 adblocker for the fun of it, forking UBO or something, as a proof-of-concept. How much time would anyone spend on its development and who would install it when the max runway’s a few days, weeks, or months?

Google isn't any less responsible just because somebody else also did something bad. Blame is not a zero-sum game

If we think your line of argument to the logical extreme, then being upset at at somebody who ratted out a Jewish hideout to Nazis would shift blame away from Hitler. That's obviously absurd. Both are bad people, and one being bad doesn't make the other less bad. And if one enables the other being more bad then that makes both of them worse, it doesn't magically shift blame from one to the other

> Maybe they'd even remove extensions that have (ab)used it from Chrome Web Store.

So now it's abuse to make the user's browser do what the user wants, for the user's benefit, to protect the user from, you know, actual abuse.

Sometimes you get $0, sometimes you get more. I would like to mention this stuff on my college applications, and even if I tried to gatekeep it, it'd eventually be patched. Not sure what your argument is here.

The author claims to be 8 years old in 2015. So that makes them still a teenager. It is pretty cool IMO.

Are you guys honestly arguing like the zero day industry would, for a vector that couldn’t be used by any ad blocking extension since Google has them under an electron microscope 24/7? To pick on a very young, enthusiastic programmer? What the hell??

Google would have found this bug if any extensions tried to rely on it and patched it instantly anyway.

The statement was: "Adblockers basically need webRequestBlocking to function properly. "

This is demonstrably false, ublock lite proves that adblockers can work without it.

Whether or not ublock lite is missing functionalities because of MV3 is irrelevant to the original statement that adblockers need webRequestBlocking.

> It is true though. Like, literally.

Doesn't seem true to me. If it's true, then why is uBlock Origin Lite functioning properly as an adblocker for me?

> Why do you think it is called Lite?

Because it's simpler and uses less resources. And they had to call it something different to distinguish it from uBlock Origin.

No, that's not true either. Updating rules is allowed. The restriction is about updating code.

If you think Braves just 'reskinned chrome' you've clearly not used it.

The 'crypto grifting' is something you can turn off completely, it's there as a way to make the browser sustainable without accepting payments from Google to make it the default search engine.

I'd argue its far more trustworthy than modern day Firefox/Mozilla, they're not exactly the second coming these days.

What makes Firefox more trustworthy?

Your favourite corporations commit all sorts of crimes (ethical and actual). But let’s remember that questionable thing Brave did for eternity.

"Because that's what it means to be a hacker."

Sure. But to me "hacking" this cat and mouse game is not very compelling. I feel like I've seen a thousand articles exactly like this over the years. This won't work in 4 months.

"It was patched in Chrome 118 by ..."

Or already?

>But I don't know how to make an adblocker, so I decided to report the issue to Google in August 2023. It was patched in Chrome 118 by checking whether extensions using opt_webViewInstanceId actually had WebView permissions. For the report, I netted a massive reward of $0. They decided it wasn't a security issue, and honestly, I agree, because it didn't give extensions access to data they didn't already have.

The effort to overcome the community's chance at discovering the workaround?

> except that for a majority of users, windows is where their applications are at - such as gaming, word processing, or some other thing.

Until you switch to linux you won't understand how inferior your windows setup always was.

It's hard for us to tell you what you are missing out on, you simply need to experience it.

I mostly game in a Windows 10 VM running on my Linux desktop computer. Single keypress to switch to Linux workspace.

This is not because Linux gaming is horrible broken, but rather it gives me a fully separate leisure desktop, and my main Linux desktop is work only.

It also gives me 100% compatibility, unlike wine.

> People who say "just switch" to linux hasn't done it for their family/friends.

When we say so here, we are telling you to switch.

Nobody should be forcing anything on friends/family.

I always suggest MacOS for friends/family for ease of support. I would never recommend Windows to anyone.

That's so much less true nowadays,

Web has become the default platform, where most people run most of their app/spend most of their time. Even Microsoft has had no choice but to embrace it, and Outlook (as in, the one from Microsoft office) is now a web first app (normal outlook is rebranded "classic" and we all know where this is heading, for better or worse). In a way, that makes switching OS much easier.

If you add to that that Windows itself is getting major visual overhauls from version to version (sometimes even within) it's not like sticking with it protects you from having to learn different UX paradigms and habits.

And regarding gaming, well, linux with Proton runs games faster than Windows nowadays, that's how little Microsoft cares about gamers/how good Valve is (depending on how you look at it), but the fact of the matter remains.

> (steamOS), which isn't available to a general PC

Most of its secret sauce is either in Proton or upstreamed into Wine, DXVK, SDL, etc. All available to a general PC.

Unless your focus is competitive online games, which often come with Windows-only anti-cheats, you've got a huge catalogue of great games playable on Linux distros. I did the switch about four months ago and I'm not missing Windows, the only pain point has been Nvidia drivers and I'll be solving that by switching vendors.

Proton is available for desktop Steam as well, just pick your distro and go.

You can always tell how much someone has tried Linux based on how they talk about it.

I disagree that that's the majority of users.

The majority of users either use only web applications, or web applications and Microsoft Office.

The true majority of users are on mobile.

Windows is only unreplaceable for gamers. Which is fine, because Windows is a toy anyway.

The day Linux will be used more than Windows, it will be in more trouble than Windows will.

Threat actors are attracted by the most used system.

Fedora Bazzite it's Steam OS. And with Flatpak and Lutris you can have that setup everywhere, but some distros optimize the setings and compilations for the desktop better than Others:

- Solus OS

- Fedora Bazzite

- Catchy OS

It's a oui-sequitur for sure.

I don’t know. Eventually you read enough of this stuff and you would rather the next breath be, take leadership on a real solution. To me it’s a “sequitur” to say, the biggest fuck you is to convince people to stop using Chrome, not to fix bugs for their extremely highly paid engineers for free.

Right back at you. If you think my comment is a non-sequitur, maybe you didn't read the article?

>In your Windows vs. Linux example, Linux just doesn't do a lot of things very well on the UI/UX side of things (e.g., window management, driver support, an out of the box experience).

That judgement confuses me a lot. Window management, drivers and out of the box experience has been much better in Linux for the last 10 years in my experience. Sure, there are some companies that don't ship drivers for Linux or the configuration software is not fully fledged. Window management has almost always been better in Linux, but of course depends on the WM. Windows innovated one nice feature in Vista (aero snap) which most desktop environments has implemented since.

If you install Fedora, Ubuntu or Linux Mint, what are you lacking from that out of the box experience? Generally no driver installation needed, and no cleaning up of bloatware.

I wasn't writing about consumers though. I was writing about "hackers" who might read this article and try this hack.

The point is you don't need to worry about manifest v3 interfering with ad blockers, because Brave has an ad blocker built into the browser. Also makes it a good Chromium-based option for mobile, since you can't install extensions on Chrome mobile at all.

https://brave.com/blog/brave-shields-manifest-v3/

I do turn off the wallet, VPN, AI and other bloat, but it's a minor inconvenience for a better browser.

Heh, funny, Twitch was the primary reason I installed Brave because it was being glitchy on Firefox (at the time years ago - no longer the case). I've never had trouble with Twitch on Brave.

You're personally unable to look at twitch on it?

From my experience (as a Brave user), using a User-Agent switching extension and setting it to Firefox for twitch.tv gets around that :)

Shields can be turned off right from the url bar as needed.

>Brendan Eich's hateful hands

LOL California Proposition 8 was pretty mainstream opinion back then. Maybe stop with the ex post facto persecution?

Really? I turned off the crypto buttons once several years ago and it’s been just fine since.

It's the top of the list because it works so well. I forget it's a different browser most of the time. I was able to turn off everything extraneous that I was concerned about. Brave is also Open Sourced.

I really don't care about crypto stuff. If you do, I can understand why that's a dealbreaker for you. But for me, it doesn't matter at all. I just turn the crypto features off and continue on my way.

The crypto part is an optional thing, which takes a split second to turn off - thats it. Once its off you are basically running chrome without the google call home, and with a built in adblocker unaffected by manifest v3.

It's also opensource so it's not like theres anything being hidden here.

Might as well edit and add some suggestions

Your comment is pretty meaningless without more specifics.

I switched to Firefox again back in 2017, I have 0 issues with it. If anything it's faster and less resources hungry than chrome in my usage. The extension ecosystem is now arguably better with MV3 being rolled out to chrome.

Probably the only annoying thing was learning where the buttons are in the devtools. They're all still there, just laid out differently. It took about a week to get to grips with that.

What exactly makes you say it's an awful browser?

I use Zen everyday and a love it! I am glad they chose Firefox as a base, otherwise I would have skipped it. Firefox is stable, I open it when I boot my PC which runs for weeks and never think anything about it. On topic of ad blocking, I think that there are more ways to anoy users using ad blockers today despite of which browser someone uses, with ad block detection and blocking access. If your browser is build by a ad company, expect these changes. For this reason I won't use these browsers

Weird, Firefox blows Chrome out of the water. What do you smoke?

> * infinite loop of Cloudflare verification * inferior performance compared to Chrome (page loading, large page scrolling) * subtle bugs (e.g. audio handling)

The first two are likely due to extensions rather than the core Firefox. I find at least as many cases where it’s faster, and it usually uses less memory. The third one has high variability - I’ve reported enough bugs against all of the major browsers not to trust any of them but these days there are a lot of web developers who only test on Chrome and half of the time I find what appears to be a bug in Safari or Firefox it’s really an unnecessary reliance on something Chrome specific.

I don't run into CAPTCHA loops with Firefox. Have you tried changing your user agent to pretend to be Firefox on Windows or Mac? I've heard Linux users are more likely to be interpreted as bots.

Probably wants to share state though (cookie jar, history, password manager, etc)

The bottom line is that Google invests more in Chrome than Mozilla can afford to invest in Ff, so the latter will likely never catch up in features or performance.