Bypassing Google's big anti-adblock update
854 comments
·July 12, 2025al_borland
pjmlp
A monopoly achieved thanks to everyone that forgot about IE lesson, and instead of learning Web standards, rather ships Chrome alongside their application.
azangru
> instead of learning Web standards, rather ships Chrome alongside their application
I am confused.
- The "shipping Chrome alongside their application" part seems to refer to Electron; but Electron is hardly guilty of what is described in the article.
- The "learning web standards" bit seems to impune web developers; but how are they guilty of the Chrome monopoly? If anything, they are guilty of shipping react apps instead of learning web standards; but react apps work equally well (or poorly) in all major browsers.
- Finally, how is Chrome incompatible with web standards? It is one of the best implementer of them.
quacksilver
Devs, particularly those with pressure to ship or who don't know better, unfortunately see 'it works in Chrome' as 'it works', even if it is a quirk of Chrome that causes it to work, or if they use Chrome related hacks that break compatibility with other browsers to get it to work in Chrome.
- Sometimes the standards don't define some exact behavior and it is left for the browser implementer to come up with. Chrome implements it one way and other browsers implement it the other way. Both are compatible with the standards.
- Sometimes the app contains errors, but certain permissive behaviors of Chrome mean it works ok and the app is shipped. The developers work around the guesses that Chrome makes and cobble the app together. (there may be a load of warnings in the console). Other browsers don't make the same guesses so the app is shipped in a state that it will only work on Chrome.
- Sometimes Chrome (or mobile Safari) specific APIs or functions are used as people don't know any better.
- Some security / WAF / anti-bot software relies on Chrome specific JavaScript quirks (that there may be no standards for) and thinks that the user using Firefox or another browser that isn't Chrome or iOS safari is a bot and blocks them.
In many ways, Chrome is the new IE, through no fault of Google or the authors of other browsers.
paulryanrogers
> how is Chrome incompatible with web standards? It is one of the best implementer of them.
They have so much market share that they control the standards bodies. The tail wags the dog.
pjmlp
Web features being pushed by Google via Chrome, aren't standards, unless everyone actually agrees they are worthy of becoming one.
Shipping Electron junk, strengthens Google and Chrome market presence, and the reference to Web standards, why bother when it is whatever Chrome is capable of.
Web devs with worthy skills of forgotten times, would rather use regular processes alongside the default system browser.
badgersnake
> how is Chrome incompatible with web standards? It is one of the best implementer of them.
Easy when they make Chrome do whatever they want and call it a living standard (whatever that is). There is no such thing as web standards now.
brookst
Consumers never really pick products for ideological reasons, no matter how galling that is to ideologues
rightbyte
You should block adds for practical reasons too though, not just for moral reasons.
I can't fathom how there are so many devs that don't use adblockers. It is so strange and when I look over their shoulders I get a shocking reminder how the web looks for them.
pjmlp
Except, many developers contributed to the actual situation.
The same excuse was given regarding IE.
johnnyanmac
I think ads go well past "ideaology". very few like ads, and they have only gotten more persistent over recent years.
pyrale
Oh no, instead consumers pick products because of advertising.
What an improvement.
imhoguy
But consumers pick products for convenience reasons and Chrome updates crossed PITA line. Even my "boomers" family switches to FF.
immibis
FYI, this is not downvoted because you're wrong. It's downvoted because you called everyone with a different opinion to you an ideologue.
bayindirh
Chrome was made to fracture, and everything started with the aptly named “Atom” editor (they “invented” Electron).
Everybody choose convenience over efficiency and standards, because apparently nobody understood what “being lazy” actually is.
pjmlp
Microsoft invented Electron, when Windows Active Desktop came to be.
Mozzilla also invented Electron, when XUL applications were a thing.
Both failed, as shipping regular processes with the default browser kept being used.
userbinator
IE was far less user-hostile than Chrome.
leptons
Only because Microsoft got slapped on the wrist way back when.
Google should get slapped too, and they might be headed that way...
https://www.npr.org/2025/04/20/nx-s1-5367750/google-breakup-...
Safari is also pretty user-hostile, which is why Apple is getting sued by the DOJ for purposely hobbling Safari while forbidding any other browser engine on IOS. They did this so that developers are forced to write native apps, which allows Apple to skim 30% off any purchase made through an app.
xdennis
> IE was far less user-hostile than Chrome.
What exactly do you mean by this?
IE was horrible to use which is why so many people switched to Firefox. It wasn't because of web standards.
IE didn't have tabs when every other browser moved to that.
IE didn't block pop ups when every other browser would do that.
8n4vidtmkvmk
Excuse me. If it's on MDN, I'm going to use it if it's useful for my app. Not my fault if not all browsers can keep up! Half JK. If I get user complaints I'll patch them for other browsers but I'm only one person so it's hard and I rely on user feedback. (Submit bug reports y'all)
jmb99
Why not only use features that are compatible with all browsers? You don’t need to use every bleeding edge feature to make a website.
carlosjobim
The issue is completely different if the users of an app or a website are customers. Then you have to make it work for them or you'll lose sales. If it's non-commercial project then it doesn't matter if it works with all browsers or not.
pjmlp
Welcome to Microsoft world of IE.
isaacremuant
Not everyone. Some of us used Firefox all along and didn't just go with the "default" invasive thing.
genman
The main wrong lesson learned was to promote Chrome instead of Firefox (also in what many HN readers have been guilty of).
Ygg2
That's fundamentally a mischaracterization.
Everyone focused on short term gains. Optimizing for browser with 30% market share, backed by Google makes more sense than a browser with 20%. Repeat with 40% and 20% respectively. And so on, and so on.
There isn't a lesson to learn. It's just short term thinking.
Now Google has enough power and lacks scruples that would prevent it from exploiting.
throw10920
> If people don’t agree with Google move, the only correct course of action is to ditch Chrome (and all Chromium browsers).
I disagree, on two fronts.
First, I think that the underlying root cause is a level lower - it's the fact that so much content on the web is funded via privacy-invasive and malware-laden advertisements, rather than direct payment.
Second, there are multiple valid things that you can do - you don't just have to pick one.
You can work on Manifest V2 bypasses and you can boycott Chrom{e,ium} and you can contact your representatives to ask them to craft regulation against this and you can promote/use financial models where you pay for stuff with money instead of eyeballs. All are useful! (especially because regulation is incredibly difficult to get write and takes a long time to build political will, draft, pass, and implement)
godelski
> ditch Chrome (and all Chromium browsers).
People should do this for many reasons. Monopolies are not good for anyone, including Google[0].For most people, that means installing Firefox or using Safari. There are others, but the space is small. Don't listen to people, Firefox is perfectly good and most people wont see major differences.
Truth is we like to complain. It's good to push things forward and find issues that need to be fixed, not nothing is perfect. For every complaint about Firefox there's another for Chrome. You can't just switch to Brave, Edge, Opera or some other color of Chrome. Things will feel different, but really it's easy to make mountains out of molehills. So what do you care more about?
[0] short term, yes. Long term no. Classic monopoly gets lazy and rests upon its laurels
healsdata
> Don't listen to people, Firefox is perfectly good and most people wont see major differences.
I'm sorry, but this just isn't true. I used Firefox exclusively for about a year and had a website not work about once a month. This included my state's unemployment portal and a small business store.
When it happens, there's no indication of why. It's only because I'm technical I thought too try it in Chrome. My non-technical family isn't going navigate that.
physPop
Safari is also not adblocker friendly. Lots of other entrants to try though. Brave in particular is great!
ale42
But Brave is a Chromium browser, which is out of scope according to the comment.
abandonliberty
Adguard works fine? How are they not friendly?
internet2000
Don't put this on the users. The blame is 50% on web developers, 25% on Mozilla for screwing the pooch, 25% on Google themselves for advertising it so strongly across their properties.
amelius
We need webmasters to nudge people away from Chrome. E.g. show an annoying popup on opening the page or add a small delay.
al_borland
We also need Google to stop showing annoying pop-ups every time someone goes to their homepage, Gmail, or any other site they own. They also need to stop promoting users on mobile to open links in Chrome, when the user doesn’t even have Chrome installed, and has chosen the “default browser” option 100 times already.
I’m so fed up with these nudges.
kevincox
And most importantly these are anti-competitive. They are using Google's other markets to give them an unfair marketing advantage that other browsers do not have. Neither Firefox, Brave or anyone else can have these prompts on Android, Google Search. They are using an unfair advantage to take over the market against the common good.
p_j_w
Webmasters who make their money on ads seem like the group least likely to do this.
amelius
Better yet, include some piece of code in your webpage that is dynamically loaded from e.g. EFF.org or mozilla.org.
That way, you give these organizations the power to nuke Chrome, one day.
This can also be seen as a kind of mutually assured destruction approach, to keep Google in check.
Wowfunhappy
This wasn't really the point of the article, which in fact says the workaround was patched in Chrome 118.
irrational
Because the author reported it. Personally I would have told the ublock origin developers instead of google.
Wowfunhappy
To what end? So Google can see how it works and still patch it?
SarahC_
PROXOMITRON!
Local proxy filter that is like a Pi-hole, but locally!
It's OLD, and became obsolete when browser plugins were invented, but now more relevant than ever!
Because it's between the server and the client - it can do what it wants!
driverdan
Wow, that brings me back. I used to use Proxomitron before plugin ad blockers were a thing.
belter
A gift to reduce global CO2 search emissions...
miohtama
Most complainers are hypocrites who are complaining for the sake of complaining, too lazy to do anything and just come up with excuses to avoid this.
breve
The best bypass is to use Firefox. uBlock Origin works best in Firefox:
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...
Aperocky
Never realized anything was happening as I was on Firefox, until I saw ads as my wife was browsing youtube despite installing ublock for her years ago.
madaxe_again
My wife was pissed when I installed an adblocker for her - turns out she likes the ads.
yonatan8070
I recently saw my GF's inbox, it's full of marketing emails, and when I told her she can unsubscribe or block them, she said she likes them as well.
TechDebtDevin
There was a podcast I was listening to this week, and they were discussing the purpose of marketing emails, and they came to the conclusion that they're for women who actually open all of them lol. It was half sarcasm and pretty funny, not trying to by misogynist or something
abbadadda
“Heavy sigh.”
thaumasiotes
YouTube recently started showing ads through uBO in Firefox.
djrj477dhsnv
On what platform? I've been using Firefox and uBO on Linux and Android for over a decade and never seen a YouTube ad.
bloudermilk
Switched (back) to Firefox from Chrome years ago and haven’t looked back. Between uBlock and Privacy Badger my web experience is pretty good despite the endless assault on end users.
norskeld
Speaking of 'works best in Firefox'... I mainly use Chrome (kinda have to), and it's practically impossible to use it for reviewing big GitHub PRs with many files changed (UI just freezes), but everything's perfectly fine in Firefox!
abustamam
Our CTO was giving a hybrid presentation in a conference room on zoom, and his M3 Mac kept complaining of high memory usage. Chrome was rated at taking 60GB of memory.
No single consumer application should be taking over 60gb of memory.
zelphirkalt
Could this be a subjective experience? Is it reproducible on multiple machines? And have you tried it with a new profile?
norskeld
Well, many people have complained about this very issue, and it was actually from this [1] discussion that I learned that Firefox handles big PRs just fine. No amount of jumping through hoops, including creating a new profile, helped to make it work in Chrome.
gavinray
I use Edge on both Win + Android, and uBlock Origin works perfectly on both.
throw123xz
Last time I used Edge (early this year), it asked me if I allowed to track me (the usual cookies message) when I opened a new tab, so while they still support Mv2, I'm not sure if it's the browser to use if you want some privacy and block ads.
aziaziazi
I can’t help seeing ad blockers as fairless content consumption, like choosing to download films, musics and books without paying the creator and the distributor (VOD, MOD, concerts, libraries…). Sounds great for you but how would that work if everyone would do the same?
Although we all be happy to se more competition, using an ad blocker on Google sites (and G-add financed-sites) have no positive effect for the competitors.
Don’t take me wrong, I hate Ads and Google methods but we can’t all rob the same store and hope there will be infinite food on the shelves and that the next store will benefit from that.
breve
Google doesn't exist in a vacuum. It's not written in the stars that Google must succeed. If Google's business model doesn't meet web users expectations then it's perfectly alright for Google to fail as a business. Businesses fail all the time.
Google is not special or different. Google can adapt or die.
Remember also that as Google has grown and captured more of the available attention and advertising dollars, other businesses that rely on attention and advertising such as free-to-air TV or print media have contracted and even failed. Google has shed no tears for them and, correspondingly, there's no need to shed tears for Google.
flkenosad
The other funny thing is Google could probably exist purely from its innovations. Its just too hard to convince the shareholders to give up on the safe and lucrative ad business.
pyrale
> Sounds great for you but how would that work if everyone would do the same?
I guess we would be free from companies such as Meta and Google? Where do I sign up?
You also seem to think that advertisement has no impact on alternative distribution methods. The fact that other viable options are scarce currently only shows that ad companies have a stranglehold on creative industries through their monopoly.
mercantile
I sincerely hope that having produced a comment like that, you are not using ad blockers of any kind in any browser, including the reduced functionality Chrome uBlock Origin on manifest V3.
For me, ads broke the informal social contract between provider and end user years ago. Small, unobtrusive advertisements might've been okay, but ads eating an inordinate amount of my time and bandwidth, which exfiltrate my personal information, and which are served to me via SEO tricks and dark patterns are not okay. If sites want to ban me for not viewing their ads, fine. In the meantime, I won't lose any sleep over using my adblocker.
For you, if you are lecturing us on the moral imperative of viewing ads, then you better be viewing those ads yourself rather than only espousing cheap rhetoric.
chgs
Almost all content I consume is not funded by adverts, it’s funded by passion or subscription or donation.
Adverts have no positive effects for anyone other than the advertising firm. They cost the viewer more than the provide the advertiser
null
tonyhb
if they’re not funded by adverts then you don’t need an ad blocker, right?
aetimmes
Running ad blockers for me is a matter of principle. The amount of tracking and telemetry that exists on the Internet is 1. massively invasive from a privacy perspective and 2. massively wasteful from an energy, bandwidth and time perspective.
If you have something worth selling, then sell it.
BolexNOLA
Adblocking is security
zelphirkalt
This is a comical view. If protection of downloadable material that someone wants you to pay for, is removed by an ad blocker, then that is broken by design. Make a website that is suitable to sell things, is the solution.
aziaziazi
This is a candide view: IRL store use RFID doors for a reason, and customers do pays indirectly for those doors.
However I’m not 100% sure to have understood your phrase so please tell me if I missed your point.
throwaway77385
I principally agree with you. But in reality, the ad-funded model has failed. It failed a long time ago.
There were never any restrictions placed on it, so it became a self-sustaining downward spiral to the current state of things. When I see the internet without an ad-blocker it is completely unusable. Quite frankly, I would most likely stop using most of the internet altogether if I couldn't block ads.
So what is the alternative? Same as always: paid services. A service / platform can either work out a pricing model that works for people, or it shouldn't / can't exist in that form.
Some people will argue that they'd rather have ads and also content for free and that's fine. Maybe some people can tolerate them. I cannot. I find them to be as close to experiencing physical pain as possible. It's like pure mind-poison and I will bend over backwards to avoid ads.
I am waiting for the age of smart-glasses to begin so that I can filter out ads in real-life as well. I simply never, ever, under any circumstances want to see any advertising ever.
If I want a product or service, I'll go search for it. I don't need anything to be suggested to me. And this is just my battle-hardened mind. I daren't think of what ads do to un-developed, children's minds.
It should be the government's responsibility to severely restrict advertising until it nearly doesn't exist. But that's not the world we live in, so I have taken matters into my own hands.
gpvos
I wouldn't mind if Google et al. went bankrupt. Only Youtube would be somewhat of a loss.
krackers
>They decided it wasn't a security issue, and honestly, I agree, because it didn't give extensions access to data they didn't already have.
So they admit that MV3 isn't actually any more secure than MV2?
Neywiny
I'd be shocked if anyone actually believes them. This article starts with the obvious conflict of interest. Of course letting an extension know what websites you visit and what requests are made is an insecure lifestyle. But I still do it because I trust uBO more than I trust the ad companies and their data harvesters.
amluto
No, MV3 really isn’t more secure. MV3 still allows extensions to inspect your requests — it just doesn’t allow extensions to block them.
It’s almost comical how weak the security/privacy argument for MV3 is. Chrome could have developed a sandboxed web request inspection framework to prevent data exfiltration, but they didn’t even try. Instead they nerfed ad blockers without adding any security.
mckravchyk
I remember that another comical argument was performance. Supposedly, having extensions run in the background all the time is bad. So it's better to constantly, completely re-initialize them whenever an event wakes them up.
cma
Plus Google first entered the browser game with a toolbar for Internet Explorer that's main featured was it blocked popup ads.
Barbing
I wish I could browse the web kinda like this but minus the human:
Make Signal video call to someone in front of a laptop, provide verbal instructions on what to click on, read to my liking, and hang up to be connected with someone else next time.
(EFF’s Cover Your Tracks seems to suggest fresh private tabs w/iCloud Private Relay & AdGuard is ineffective. VMs/Cloud Desktops exist but there are apparently telltale signs when those are used, though not sure how easily linkable back to acting user. Human-in-the-loop proxy via encrypted video calls seems to solve _most_ things, except it’s stupid and would be really annoying even with an enthusiastic pool of volunteers. VM + TOR/I2P should be fine for almost anybody though I guess, just frustrated the simple commercial stuff is ostensibly partially privacy theater.)
jowea
https://stallman.org/stallman-computing.html section "How I use the internet" ?
thaumasiotes
So... you want to use a shared VPN?
krackers
One of the main goals of MV3 seems to be nullifying protection against tracking URLs. Most of the discussion about adblocking technically "still working" under MV3 misses this point. It doesn't matter if you're actually served ads or not, when when your underlying habits can still easily be collected from the combination of fingerprints and tracking URLs.
LordDragonfang
> Most of the discussion about adblocking technically "still working" under MV3 misses this point.
Because it's a dishonest point. Ad blocking still works. All the same ads can still be removed from the page. Tracker blocking doesn't. This is still a huge problem for privacy. But while nearly everyone dislikes seeing ads that interrupt your content, people who actually care about tracking privacy are a much smaller group. The latter group are trying to smuggle concern for the latter issue by framing it as the more favorable issue to garner more support from the former.
qwertox
What I don't understand is why Google doesn't offer users the ability to add some extension ids into some whitelist to allow them using very sensitive permissions.
Force those extensions to have an prominent icon on the UI with a clear tooltip asking "did you install this yourself [No]" for easy removal, in case someone else did install it without you knowing.
There are so many ways to make this work, but they have zero interest in it.
cyberpunk
You really don’t understand why? Money.
frollogaston
I've started assuming bad intent after WEI, even though it was dropped.
matheusmoreira
I believe them. The restrictions are reasonable and appropriate for nearly everyone. Extensions are untrusted code that should have as little access as possible. If restrictions can be bypassed, that's a security bug that should be fixed because it directly affects users.
I also think uBlock Origin is so important and trusted it should not only be an exception to the whole thing but should also be given even more access in order to let it block things more effectively. It shouldn't even be a mere extension to begin with, it should be literally built into the browser as a core feature. The massive conflicts of interest are the only thing that prevent that. Can't trust ad companies to mantain ad blockers.
GeekyBear
> Extensions are untrusted code that should have as little access as possible.
It's entirely possible to manually vet extension code and extension updates in the same way that Mozilla does as part of their Firefox recommended extensions program.
> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
Other factors taken into consideration:
Does the extension function at an exemplary level?
Does the extension offer an exceptional user experience?
Is the extension relevant to a general, international audience?
Is the extension actively developed?
jowea
Why am I not allowed to trust an extension just as much as I trust the platform it is running on? This is the same logic behind mobile OSes creators deciding what apps can do.
Barbing
Would that rip off the how-do-we-fund-the-web bandaid, forcing new solutions? Worry about the interim where some publishers would presumably cease to exist. And who would remain afloat—those with proprietary apps, as Zucky as they are, I’d guess…
UBO is absolutely incredibly important. Figure you might know more than me about how journalists and reviewers and the like can still earn a keep in a world with adblockers built in to every browser.
jwitthuhn
An extension I trust is by definition trusted code. What is trusted is for the user to decide, not the broswer developer.
sensanaty
I get what you mean and I think we align here, but I trust the uBlock team infinitely more than I trust Google to make my own extension decisions. I know there's a subset of regular users who fall for all manner of scam, but Manifest V3 doesn't even solve any of those issues, the majority of the same attack vectors that existed before still exist now, except useful tools like uBlock can no longer do anything since they got deliberately targeted.
Besides, there's ways of having powerful extensions WITH security, but this would obviously go against Google's data harvesting ad machine. The Firefox team has a handful of "trusted" extensions that they manually vet themselves on every update, and one of these is uBlock Origin. They get a little badge on the FF extension store marking them as Verified and Trusted, and unless Mozilla's engineers are completely incompetent, nobody has to worry about gorhill selling his soul out to Big Ad in exchange for breaking uBlock or infecting people's PCs or whatever.
encom
I trust ublock infinitely more than anything written by Google, a literal spyware company.
yard2010
This comment reads as if those villains have to provide explanations. Bitch they are Google they ask the questions. If they want they can pirate everything then sell it to make some cash, the stupid laws that we have to follow don't apply to them.
IMO those organizations should pay the taxes for all the people in the country they're being used at. This will create the best incentive for them to succeed.
bapak
The only security change is a policy one that did not need to be bundled with the rest: you can't load external code and run it in a privileged context like the background worker. However you can still load it into a frame and communicate with it.
jacquesm
It's less secure.
jacquesm
An adblocker is a firewall for your brain. Google should have no say over what I consume and when and with for instance youtube being pretty much unavoidable their monopoly position is abused by forcing you to pay for it. Doubly so because of the bait-and-switch, I'm fine with platforms that start off being ad supported, I'm not fine with platforms that become huge on piracy that are free to use by everybody and not an ad in sight and then when bought out suddenly you end up as a captive lemon to be squeezed.
paulryanrogers
Switching costs for consumers are pretty low. Though I'd agree that for producers, it is hard to compete anywhere else.
jacquesm
That's not really true. Youtube is the de-facto means through which a lot of companies and even governments communicate important information to the general public. It took the place of a lot of public broadcasting and documents supplied in paper form. This is highly annoying but hardly a choice on the part of the recipients.
throwaway73945
So OP got Google to patch a harmless "issue" that could've been used by addon devs to bypass MV3 restrictions. Hope it was worth the $0.
BomberFish
Said bypass would exist for maybe a day max before getting nuked from orbit by Google. If anything, there was a non-zero chance OP would've gotten paid and he took it. I don't blame him.
beeflet
They do it for free
StrLght
I don't agree with this conclusion. Google is fully responsible for MV3 and its' restrictions. There's no reason to shift blame away from them.
Let's do a thought experiment: if OP hasn't reported it, what do you think would happen then? Even if different ad blockers would find it later and use it, Google would have still removed this. Maybe they'd even remove extensions that have (ab)used it from Chrome Web Store.
Barbing
Indeed.
Perhaps a hobbyist would code “MV2-capable” MV3 adblocker for the fun of it, forking UBO or something, as a proof-of-concept. How much time would anyone spend on its development and who would install it when the max runway’s a few days, weeks, or months?
DALEK_77
It seems someone's already done it. It requires some extra setup, but I managed to get it working on my machine.
wongarsu
Google isn't any less responsible just because somebody else also did something bad. Blame is not a zero-sum game
If we think your line of argument to the logical extreme, then being upset at at somebody who ratted out a Jewish hideout to Nazis would shift blame away from Hitler. That's obviously absurd. Both are bad people, and one being bad doesn't make the other less bad. And if one enables the other being more bad then that makes both of them worse, it doesn't magically shift blame from one to the other
Hizonner
> Maybe they'd even remove extensions that have (ab)used it from Chrome Web Store.
So now it's abuse to make the user's browser do what the user wants, for the user's benefit, to protect the user from, you know, actual abuse.
StrLght
Well, I don't think so — hence the parenthesis. Although, I am pretty sure that's how Google looks at it, given all MV3 changes.
raincole
Really? You think Google is that dumb? As soon as any ad blocker that people actually use implements it, it'll be patched. It's not something you can exploit once and benefit from it forever.
antisthenes
Yeah, that was my take as well. OP did some free work for a megacorp and made the web a little bit worse, because "security, I guess" ?
Good job.
deryilz
Sometimes you get $0, sometimes you get more. I would like to mention this stuff on my college applications, and even if I tried to gatekeep it, it'd eventually be patched. Not sure what your argument is here.
sebmellen
Incredibly impressive to do this sort of work before applying to college!
mertd
The author claims to be 8 years old in 2015. So that makes them still a teenager. It is pretty cool IMO.
9dev
Are you guys honestly arguing like the zero day industry would, for a vector that couldn’t be used by any ad blocking extension since Google has them under an electron microscope 24/7? To pick on a very young, enthusiastic programmer? What the hell??
busymom0
Google would have found this bug if any extensions tried to rely on it and patched it instantly anyway.
crazygringo
> Adblockers basically need webRequestBlocking to function properly. Pretty convenient (cough cough) for a company that makes most of its revenue from ads to be removing that.
Why does this keep getting repeated? It's not true.
Anyone can use uBlock Origin Lite with Chrome, and manifest v3. It doesn't just work fine, it works great. I can't tell any difference from the old uBlock Origin in terms of blocking, but it's faster because now all the filtering is being done in C++ rather than JavaScript. Works on YouTube and everything.
I know there are some limits in place now with the max number of rules, but the limits seem to be plenty so far.
sgentle
It depends on how you interpret the word "properly". There are ads and adblocker-detection techniques that can't be blocked by MV3-style static filtering.
If "properly" means "can block all ads" then you're wrong. If it means "can block some ads" then you're right. If it means "can block most ads" then you're currently right, but likely to become wrong as adtech evolves around the new state of play.
Don't forget Chrome launched with built-in popup blocking. Now we just have popunders, in-page popups, back-button hijacking etc. Ads, uh... find a way.
zwaps
It is true though. Like, literally. Why do you think it is called Lite?
tredre3
The statement was: "Adblockers basically need webRequestBlocking to function properly. "
This is demonstrably false, ublock lite proves that adblockers can work without it.
Whether or not ublock lite is missing functionalities because of MV3 is irrelevant to the original statement that adblockers need webRequestBlocking.
StrLght
> This is demonstrably false, ublock lite proves that adblockers can work without it
uBO Lite is missing plenty of features: https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...
stavros
So your argument is that if an extension could block even a single ad with MV3, it means that ad blockers function properly in MV3? Do you not agree that "properly" means "having all the functionality they had with MV2"?
jwrallie
> Whether or not ublock lite is missing functionalities because of MV3 is irrelevant to the original statement that adblockers need webRequestBlocking.
It can be relevant depending of how you define properly. If it depends on any of those functionalities that are missing, then it’s relevant.
crazygringo
> It is true though. Like, literally.
Doesn't seem true to me. If it's true, then why is uBlock Origin Lite functioning properly as an adblocker for me?
> Why do you think it is called Lite?
Because it's simpler and uses less resources. And they had to call it something different to distinguish it from uBlock Origin.
rpdillon
One of the most frustrating things about these discussions is that it-works-on-my-machine effect. Anecdotal evidence is easily surpassed by a deeper understanding of the mechanisms that are changing. Here's what the author of uBlock Origin says about its capabilities in Manifest V3 versus Manifest V2.
> About "uBO Lite should be fine": It actually depends on the websites you visit. Not all filters supported by uBO can be converted to MV3 DNR rules, some websites may not be filtered as with uBO. A specific example in following tweet.
You can read about the specific differences in the FAQ:
https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...
My personal take is if you're a pretty unsophisticated user and you mostly don't actually interact with the add-ons at all, Manifest V3 will probably be fine.
If you understand how ads and tracking work and you are using advanced features of the extension to manage that, then Manifest V2 will be much, much better. Dynamic filters alone are a huge win.
rstat1
Its called Lite because it has tons of missing functionality from the not-Lite version that make the not-Lite version more effective as a content blocker.
krade
UBO Lite doesn't support cosmetic filters or custom rules.
consumer451
I believe that another change is that ad blockers cannot update as quickly now? If that is true, since ad blocking is a cat and mouse game, doesn't that make ad blocking with a delay less functional?
charcircuit
No, that's not true either. Updating rules is allowed. The restriction is about updating code.
consumer451
Hmmm, according to this post [0], ad blocking lists must now be updated via store updates. Is that not the case?
[0] https://old.reddit.com/r/uBlockOrigin/comments/17as8o8/the_r...
raydenvm
I suppose that switching to Brave will be one of the best solutions after all. They have already comment this in June: https://brave.com/blog/brave-shields-manifest-v3
barryvan
Or Firefox, which isn't just a reskinned Chrome...
esskay
If you think Braves just 'reskinned chrome' you've clearly not used it.
paulryanrogers
I've tried Brave a few times. Doesn't seem significantly different from Chrome. Chromium will likely still dominate future choices for web standards and Google will still control what implementations work on the biggest properties.
wejick
For just another chromium skin, I prefer vivaldi as it has more traditional offerings than brave. While having more customizable ui.
moffkalast
What makes Brave trustworthy enough for us to run our entire life through it? For me it's irreparably forever tainted by crypto grifting.
esskay
The 'crypto grifting' is something you can turn off completely, it's there as a way to make the browser sustainable without accepting payments from Google to make it the default search engine.
I'd argue its far more trustworthy than modern day Firefox/Mozilla, they're not exactly the second coming these days.
What makes Firefox more trustworthy?
mathgradthrow
the lack of cryptogrifting.
moffkalast
That's kind of like saying "yeah this is a mafia pizzeria but you can come eat at hours when the goons aren't there". Besides, why does Brave need that much funding? All they make is a Chromium wrapper, Google does all the work for them. They're not really an actual alternative in that sense, they just stuff it full of adblock, crypto, and god knows what. There was even a thing recently where it autoinstalled a VPN.
Yeah it's true that Mozilla's mostly financed from Google's anti-antitrust payments, but at least they actually made something of their own and have a trustworthy track record three decades long as a non-profit and Netscape before that.
pixxel
Your favourite corporations commit all sorts of crimes (ethical and actual). But let’s remember that questionable thing Brave did for eternity.
moffkalast
Non-profits get a tiny bit more leeway in my book. Brave is not one of them.
zulban
I don't "bypass" Chrome when they want to melt my brain with their business model, I use Firefox. I don't "bypass" Windows when they want to melt my brain with their business model, I use Linux. No idea why so many "hackers" doing "bypasses" can't instead take action that is simpler, long lasting, and easier. Do people need to jerked around 50 times for 20 years before realizing it will keep happening and their "bypasses" are just temporary bandaids?
mrcsharp
> No idea why so many "hackers" doing "bypasses" ....
Because that's what it means to be a hacker. Yes, installing Firefox is simpler (and I'm a Firefox user) but I respect the effort to overcome Google's measures in disallowing certain addons.
zulban
"Because that's what it means to be a hacker."
Sure. But to me "hacking" this cat and mouse game is not very compelling. I feel like I've seen a thousand articles exactly like this over the years. This won't work in 4 months.
"It was patched in Chrome 118 by ..."
Or already?
whatshisface
>But I don't know how to make an adblocker, so I decided to report the issue to Google in August 2023. It was patched in Chrome 118 by checking whether extensions using opt_webViewInstanceId actually had WebView permissions. For the report, I netted a massive reward of $0. They decided it wasn't a security issue, and honestly, I agree, because it didn't give extensions access to data they didn't already have.
The effort to overcome the community's chance at discovering the workaround?
chmod775
It was never going to last long enough anyways, being sure to get patched as soon as any adblocker uses it.
It's however still interesting in the sense that it might be fairly trivial to change, so chances are the next adblockers are going to ship executable that wrap chrome, modifying something like that at launch, allowing their extension to make use of it.
Obviously Google is going to hate it when random popular extensions start nagging users to download and install "companion" software in order to work, since that will train users to not think twice about these things and bypasses legitimate security efforts.
But Google made their own bed - and that of their users. Now they all get to lie in it together.
mrcsharp
The blog post shows clear effort that falls under the "hacker" umbrella. That I respect.
The author informing google of the exploit was not the complaint of the parent comment which I took issue with.
null
chii
> use Linux
except that for a majority of users, windows is where their applications are at - such as gaming, word processing, or some other thing. Sure there are replacements (somewhat) for each of those categories, but they are not direct replacements, and require a cost of some kind (retraining, or a substitute quality). This is esp. true for gaming, and it's only recent that gaming has made some inroads via the steam deck (steamOS), which isn't available to a general PC (only handheld PCs with AMD processors iirc).
People who say "just switch" to linux hasn't done it for their family/friends.
0points
> except that for a majority of users, windows is where their applications are at - such as gaming, word processing, or some other thing.
Until you switch to linux you won't understand how inferior your windows setup always was.
It's hard for us to tell you what you are missing out on, you simply need to experience it.
I mostly game in a Windows 10 VM running on my Linux desktop computer. Single keypress to switch to Linux workspace.
This is not because Linux gaming is horrible broken, but rather it gives me a fully separate leisure desktop, and my main Linux desktop is work only.
It also gives me 100% compatibility, unlike wine.
> People who say "just switch" to linux hasn't done it for their family/friends.
When we say so here, we are telling you to switch.
Nobody should be forcing anything on friends/family.
I always suggest MacOS for friends/family for ease of support. I would never recommend Windows to anyone.
Xss3
Many popular games have anticheats that prevent vm use.
herodoturtle
> I mostly game in a Windows 10 VM running on my Linux desktop computer. Single keypress to switch to Linux workspace.
Apologies for hopping on this thread with off topic question, but would you mind describing your setup?
I haven’t tried this in years, but last time I did I had trouble getting pass-through to some of my hardware, in particular my nvidia card.
Agree with your approach 100%!
tzs
> I mostly game in a Windows 10 VM running on my Linux desktop computer. Single keypress to switch to Linux workspace.
> This is not because Linux gaming is horrible broken, but rather it gives me a fully separate leisure desktop, and my main Linux desktop is work only.
> It also gives me 100% compatibility, unlike wine.
You would get a fully separate leisure desktop if you were running Linux in that VM so it sounds like you are running Windows in the VM because Linux gaming is not adequate.
unfitted2545
Of course it depends on what you're playing, but VM gaming is not 100% compatible, lots of anti cheats will ban VM users and it's a cat and mouse game to not get detected.
ozyschmozy
Can you comment more on your VM setup? Can it utilize the GPU properly? Any performance or compatibility issues with running windows in a VM? Etc.
ezst
That's so much less true nowadays,
Web has become the default platform, where most people run most of their app/spend most of their time. Even Microsoft has had no choice but to embrace it, and Outlook (as in, the one from Microsoft office) is now a web first app (normal outlook is rebranded "classic" and we all know where this is heading, for better or worse). In a way, that makes switching OS much easier.
If you add to that that Windows itself is getting major visual overhauls from version to version (sometimes even within) it's not like sticking with it protects you from having to learn different UX paradigms and habits.
And regarding gaming, well, linux with Proton runs games faster than Windows nowadays, that's how little Microsoft cares about gamers/how good Valve is (depending on how you look at it), but the fact of the matter remains.
bboygravity
I was going to post a rant on drivers in Linux, but on my newest Lenovo laptop Linux Mint/Ubuntu off the shelve driver support is actually complete and Windows 10 (unsupported by Lenovo) extremely lacking (no wifi driver, no lid driver, no proper standby). And there's no way I'm going to start using Windows 11.
So yeah, maybe this is the year of Linux. After decades on this planet :p
debugnik
> (steamOS), which isn't available to a general PC
Most of its secret sauce is either in Proton or upstreamed into Wine, DXVK, SDL, etc. All available to a general PC.
Unless your focus is competitive online games, which often come with Windows-only anti-cheats, you've got a huge catalogue of great games playable on Linux distros. I did the switch about four months ago and I'm not missing Windows, the only pain point has been Nvidia drivers and I'll be solving that by switching vendors.
ronjakoi
Proton is available for desktop Steam as well, just pick your distro and go.
zulban
You can always tell how much someone has tried Linux based on how they talk about it.
Takennickname
I disagree that that's the majority of users.
The majority of users either use only web applications, or web applications and Microsoft Office.
The true majority of users are on mobile.
Windows is only unreplaceable for gamers. Which is fine, because Windows is a toy anyway.
baobun
> Microsoft Office
Doesn't even exist anymore. She's "365 Copilot" and web-first now.
Ylpertnodi
>Windows is only unreplaceable for gamers.
And quite a few musicians. When they make my software for Linux - and, it works ootb - I/ we'll be willing to change.
begueradj
The day Linux will be used more than Windows, it will be in more trouble than Windows will.
Threat actors are attracted by the most used system.
anthk
Fedora Bazzite it's Steam OS. And with Flatpak and Lutris you can have that setup everywhere, but some distros optimize the setings and compilations for the desktop better than Others:
- Solus OS
- Fedora Bazzite
- Catchy OS
arcfour
You should read the article before commenting; your comment is a non-sequitur.
bravesoul2
It's a oui-sequitur for sure.
doctorpangloss
I don’t know. Eventually you read enough of this stuff and you would rather the next breath be, take leadership on a real solution. To me it’s a “sequitur” to say, the biggest fuck you is to convince people to stop using Chrome, not to fix bugs for their extremely highly paid engineers for free.
spenczar5
Uh sir the article is about JavaScript Browser APIS
johnnyanmac
I switched to Firefox, but I'm unfortunately stuck to Windows for professional work. I need several high profile software to get proper Linux support before I can make that jump.
When I eventually go indie, though: I am 100% making use of a Linux workflow.
>Do people need to jerked around 50 times for 20 years before realizing it will keep happening and their "bypasses" are just temporary bandaids?
Sadly, yes. The networkign effect is extremely strong. Twitter was complained about even before musk, but it still too 3 years before people really started considering the move. emphasis on "consider": because twitter still has a lot of foot traffic for what it is in 2025.
sky2224
I get what you're saying, but the problem is the software does 90% of what I want really well and I like that they do that 90% super well and I want to keep that.
In your Windows vs. Linux example, Linux just doesn't do a lot of things very well on the UI/UX side of things (e.g., window management, driver support, an out of the box experience). Knock Windows all you want, but it honestly does quite a few pretty important things very well.
So that's why I'll spend some time to resist the negative changes.
ObscureScience
>In your Windows vs. Linux example, Linux just doesn't do a lot of things very well on the UI/UX side of things (e.g., window management, driver support, an out of the box experience).
That judgement confuses me a lot. Window management, drivers and out of the box experience has been much better in Linux for the last 10 years in my experience. Sure, there are some companies that don't ship drivers for Linux or the configuration software is not fully fledged. Window management has almost always been better in Linux, but of course depends on the WM. Windows innovated one nice feature in Vista (aero snap) which most desktop environments has implemented since.
If you install Fedora, Ubuntu or Linux Mint, what are you lacking from that out of the box experience? Generally no driver installation needed, and no cleaning up of bloatware.
sky2224
With regard to window management, this will certainly depend on the distro. Ubuntu's WM has been quite good I'll admit, but that seems to have occurred in only pretty recent versions in the past 5 years or so. My previous experience with Ubuntu had the window management closer to the experience that MacOS provides (albeit slightly better). Ultimately, this point is subjective, so maybe it wasn't the best example.
Driver support is still a very big problem in my opinion, especially if you're a laptop user. There was a lot of tweaking with power configuration that I needed to do to prevent my laptop running Ubuntu 22.01 from dying in 2 hours. Additionally, trackpad drivers were horrendous, which made two-finger scrolling next to impossible to do with any sort of accuracy. Hardware accessories like printers, keyboards, etc. are still a gamble.
You're right though that it has gotten a lot better, but it's these little things that prevent most users from making the switch.
Kwpolska
Have you ever used Linux with high DPI monitors? Windows handles them OK since Windows Vista, and really well since 8. I've seen the classic Windows XP bug of measurements not being scaled and labels being cut off on modern Linux.
How about mixed DPI multi monitor setups? Great since Windows 10. On Linux, you're screwed. X doesn't support this. Wayland does, but not all apps work well with that, and not all apps and GPUs support Wayland.
Workaccount2
People like the service/product, but don't like cost.
So the solution is mental acrobatics while using a backdoor for access.
temporallobe
I get it, and mostly agree, but sometimes consumers don’t have much choice with browsers and OSs; moreover, most consumers are simply technologically ignorant or agnostic of those things. Many users don’t even know exactly what a browser or OS is, and they just want to live their lives scrolling through tiktok or getting work done.
zulban
I wasn't writing about consumers though. I was writing about "hackers" who might read this article and try this hack.
ivanjermakov
> No idea why so many "hackers" doing "bypasses" can't instead take action that is simpler
Because hacking is about solving hard and unnecessary problems
RS-232
I really wish Apple revived Safari for Windows.
In my opinion, it's the only browser that nicely balances performance, privacy, and security.
cbolton
Doesn't Safari have basically the same limitations as Chrome with Manifest v3?
throw123xz
Safari isn't the solution in this case as they were actually the first ones to heavily restrict adblocking. Manifest v3 is inspired by what they did.
pnw
Haven't missed Chrome once since switching to https://brave.com/
rollcat
It's the same Blink engine underneath. Talk about lipstick.
I'm not aware of a Blink-based browser that isn't dropping manifest V2. That would be a soft fork, and wouldn't survive long.
bigstrat2003
The point is you don't need to worry about manifest v3 interfering with ad blockers, because Brave has an ad blocker built into the browser. Also makes it a good Chromium-based option for mobile, since you can't install extensions on Chrome mobile at all.
CharlesW
In the "cons" column, Brave is still a for-profit and has a bunch of features that continue to give some people the ick. In the "pros" column, there's a bunch of "how to debloat Brave" content showing how to improve the default kitchen-sink confifguration. https://www.youtube.com/watch?v=W6cKFliWW6Q
Supermancho
Not being able to run Twitch on it has me switch for brief periods.
sundarurfriend
Heh, funny, Twitch was the primary reason I installed Brave because it was being glitchy on Firefox (at the time years ago - no longer the case). I've never had trouble with Twitch on Brave.
bung
You're personally unable to look at twitch on it?
Supermancho
The adblock causes a twitch stream error. I can watch until the first ad. This is annoying, so I switch to vanilla chrome.
deryilz
From my experience (as a Brave user), using a User-Agent switching extension and setting it to Firefox for twitch.tv gets around that :)
swat535
Brave runs of Chromium, it's the same thing as Chrome.. Manifest V3 will eventually be implemented.
burnte
[flagged]
triyambakam
Shields can be turned off right from the url bar as needed.
burnte
Yeah, if I want to turn it off manually for literally every site. I don't find that helpful.
rustcleaner
>Brendan Eich's hateful hands
LOL California Proposition 8 was pretty mainstream opinion back then. Maybe stop with the ex post facto persecution?
acdha
Hate can be popular but that still doesn’t make it right. He knew that he was spending money hoping to take away rights from people he knew, to tell some of them that their marriages shouldn’t be allowed, and did it anyway. That’s hateful regardless of how many other people joined him.
burnte
I have a closer knowledge that you think, having been inside Mozilla for a long time. He's not a bad human, but he's blinded by religion. Separately, slavery was mainstream, it was still hateful and wrong. Prop 8 was pure hate propaganda.
travoc
Really? I turned off the crypto buttons once several years ago and it’s been just fine since.
Etheryte
Of all the browsers you could be using, giving your data away to sketchy crypto bros should really not be at the top of the list.
Supermancho
It's the top of the list because it works so well. I forget it's a different browser most of the time. I was able to turn off everything extraneous that I was concerned about. Brave is also Open Sourced.
null
bigstrat2003
I really don't care about crypto stuff. If you do, I can understand why that's a dealbreaker for you. But for me, it doesn't matter at all. I just turn the crypto features off and continue on my way.
esskay
The crypto part is an optional thing, which takes a split second to turn off - thats it. Once its off you are basically running chrome without the google call home, and with a built in adblocker unaffected by manifest v3.
It's also opensource so it's not like theres anything being hidden here.
bung
Might as well edit and add some suggestions
homebrewer
Maybe take a look at Vivaldi, it's a continuation of the old Opera, with basically the same development team. It's the most user-friendly and configurable option at this moment, they're very responsive to feedback, and are the only organization that doesn't have some horrible privacy violations in the past (maybe excluding Apple, I don't know and don't care, 90% of users on this planet can't run Safari).
Also they are in Norway if you care about that sort of thing.
It's not FOSS, though, at least for now.
urda
You bypass it by installing Firefox.
qustrolabe
Firefox is awful. Both as a browser itself and as a base for other browsers. Such a shame that Zen didn't use Chromium :(
bluehatbrit
Your comment is pretty meaningless without more specifics.
I switched to Firefox again back in 2017, I have 0 issues with it. If anything it's faster and less resources hungry than chrome in my usage. The extension ecosystem is now arguably better with MV3 being rolled out to chrome.
Probably the only annoying thing was learning where the buttons are in the devtools. They're all still there, just laid out differently. It took about a week to get to grips with that.
What exactly makes you say it's an awful browser?
srcoder
I use Zen everyday and a love it! I am glad they chose Firefox as a base, otherwise I would have skipped it. Firefox is stable, I open it when I boot my PC which runs for weeks and never think anything about it. On topic of ad blocking, I think that there are more ways to anoy users using ad blockers today despite of which browser someone uses, with ad block detection and blocking access. If your browser is build by a ad company, expect these changes. For this reason I won't use these browsers
dangraper2
Weird, Firefox blows Chrome out of the water. What do you smoke?
lucb1e
The smoke on the water!
More seriously, I'm a Firefox user since ~2006 but I'm about equally surprised by the statement that Firefox should blow Chrome/ium out of the water as that Firefox supposedly sucks. They're both browsers. I think Chromium is a bit faster in page rendering, whereas Firefox is more open, privacy-friendly, and customizable. Similar to how I wish consumers would not choose an anti-consumer organization (anyone who values a free market and general computation1 should not choose iOS), I think nobody should choose Chrome but, still, I can understand if someone does choose it because they've gotten used to how it works and they're not willing to change. It's about equal in practical functionality that 95% of people use, wouldn't you say? Or in what way is Firefox blowing Chrome out of the water?
¹ https://www.thekurzweillibrary.com/the-coming-war-on-general...
RockstarSprain
Would love to give Firefox a chance but one thing that stops me (apart from occasional website loading bugs) is inability to install PWAs. Not sure why it’s not implemented like it has been for a long time in Chrome and all its forks.
I have found a 3rd party extension that claims to facilitate this (0) but still feel uncomfortable to use this for privacy reasons.
(0) https://addons.mozilla.org/en-US/firefox/addon/pwas-for-fire...
rs186
If you really care, it's ok to just Firefox for the majority of your web browsing activities but use Chrome or a fork for PWA.
Although using Firefox increasingly means a worse experience, including:
* infinite loop of Cloudflare verification * inferior performance compared to Chrome (page loading, large page scrolling) * subtle bugs (e.g. audio handling) * WebUSB support
I have personally run into all of them. Some are under Firefox's control but others are not. I do still use Firefox for most websites unless it's technically not possible, but unfortunately the exception is happening more and more.
acdha
> * infinite loop of Cloudflare verification * inferior performance compared to Chrome (page loading, large page scrolling) * subtle bugs (e.g. audio handling)
The first two are likely due to extensions rather than the core Firefox. I find at least as many cases where it’s faster, and it usually uses less memory. The third one has high variability - I’ve reported enough bugs against all of the major browsers not to trust any of them but these days there are a lot of web developers who only test on Chrome and half of the time I find what appears to be a bug in Safari or Firefox it’s really an unnecessary reliance on something Chrome specific.
paulryanrogers
I don't run into CAPTCHA loops with Firefox. Have you tried changing your user agent to pretend to be Firefox on Windows or Mac? I've heard Linux users are more likely to be interpreted as bots.
rs186
The machine is on a corporate network, that's the issue. I don't have issues when
1) using Chrome/Edge on that same machine on corporate network 2) using Firefox on Linux on corporate network 3) using Firefox on Windows on my own machine at home
Unfortunately.
bagacrap
Probably wants to share state though (cookie jar, history, password manager, etc)
The bottom line is that Google invests more in Chrome than Mozilla can afford to invest in Ff, so the latter will likely never catch up in features or performance.
Even if bigs exists to work around what Google is doing, that isn’t the right way forward. If people don’t agree with Google move, the only correct course of action is to ditch Chrome (and all Chromium browsers). Hit them where it hurts and take away their monopoly over the future direction of the web.