Bypassing Google's big anti-adblock update
167 comments
·July 12, 2025al_borland
pjmlp
A monopoly achieved thanks to everyone that forgot about IE lesson, and instead of learning Web standards, rather ships Chrome alongside their application.
phendrenad2
A lot of people seem to believe that switching to a de-Googled Chromium-based browser isn't good enough. I think that's a psyop promoted by Google themselves. Firefox is different enough from Chrome that it's a big jump for people who are used to Chrome. Brave, custom Chromium builds, Vivaldi, etc. are all very similar to Google Chrome, they just don't have Google spy features.
The argument that "Google still controls Chromium so it's not good enough" is exactly the kind of FUD I'd expect to back up this kind of psyop, too.
sensanaty
> Firefox is different enough from Chrome that it's a big jump for people who are used to Chrome
I find this notion completely baffling. I use Chrome, Firefox and Safari more or less daily cause I test in all 3, and other than Safari feeling clunkier and in general less power-user friendly, I can barely tell the difference between the 3, especially between chrome and FF (well, other than uBlock working better in FF anyways).
jeffbee
The stuff INSIDE the viewport is pretty much the same across them all, but on the daily it makes a big difference how your other services integrate with the browser. Someone who is all-in with iCloud, macOS, iOS etc might find it annoying to use Firefox without their personal info like password and credit cards and bookmarks. And the same would be true I guess for Google fans switching to Safari and not having those things.
const_cast
I agree, there's little to no friction in switching to Firefox and I have never, not even once, noticed a difference with websites. The same is not true for Safari.
poly2it
Isn't that the exact argument behind the Serenity project? I legitimately feel there is a grave issue with the internet if one wallet controls all of the actual development of our browsers. Control over virtually all media consumption mustn't be in the hands of a corporation.
high_priest
Its not happening
agile-gift0262
I switched to Firefox and it's been wonderful. I wonder why I didn't switch earlier. It's only been a couple of months, but I can't imagine going back to a browser without multi-account containers.
galangalalgol
The only time I've used anything but firefox for the last. Well probably since netscape honestly? I am so old. Is to get the in flight entertainment to work on american, but firefox has worked for that for a few years now. People say chrome is faster and in the early 2000s I might have agreed, but now I really don't understand why anyone not on a mac or iphone isn't using Firefox. It is great.
lytedev
It definitely is, buy I think the silent majority just don't care all that much. Is that what you're referring to?
Etheryte
I don't know, I switched to Safari and it was painful for like two hours and then I stopped thinking about it. The only thing I somewhat miss is the built-in page translate, but I don't need it often enough to be bothered much.
Fire-Dragon-DoL
I find switching from chrome to safari essentially doing nothing. If you switched to a non-big-company owned browser, it would make sense but Apple has plenty of lock in which is as bad as chrome lock in.
mattkevan
Safari has had built-in page translate for years now. It’ll detect different languages and show a translate option in the site tools menu. Works well.
krackers
>They decided it wasn't a security issue, and honestly, I agree, because it didn't give extensions access to data they didn't already have.
So they admit that MV3 isn't actually any more secure than MV2?
Neywiny
I'd be shocked if anyone actually believes them. This article starts with the obvious conflict of interest. Of course letting an extension know what websites you visit and what requests are made is an insecure lifestyle. But I still do it because I trust uBO more than I trust the ad companies and their data harvesters.
Barbing
I wish I could browse the web kinda like this but minus the human:
Make Signal video call to someone in front of a laptop, provide verbal instructions on what to click on, read to my liking, and hang up to be connected with someone else next time.
(EFF’s Cover Your Tracks seems to suggest fresh private tabs w/iCloud Private Relay & AdGuard is ineffective. VMs/Cloud Desktops exist but there are apparently telltale signs when those are used, though not sure how easily linkable back to acting user. Human-in-the-loop proxy via encrypted video calls seems to solve _most_ things, except it’s stupid and would be really annoying even with an enthusiastic pool of volunteers. VM + TOR/I2P should be fine for almost anybody though I guess, just frustrated the simple commercial stuff is ostensibly partially privacy theater.)
jowea
https://stallman.org/stallman-computing.html section "How I use the internet" ?
krackers
One of the main goals of MV3 seems to be nullifying protection against tracking URLs. Most of the discussion about adblocking technically "still working" under MV3 misses this point. It doesn't matter if you're actually served ads or not, when when your underlying habits can still easily be collected from the combination of fingerprints and tracking URLs.
matheusmoreira
I believe them. The restrictions are reasonable and appropriate for nearly everyone. Extensions are untrusted code that should have as little access as possible. If restrictions can be bypassed, that's a security bug that should be fixed because it directly affects users.
I also think uBlock Origin is so important and trusted it should not only be an exception to the whole thing but should also be given even more access in order to let it block things more effectively. It shouldn't even be a mere extension to begin with, it should be literally built into the browser as a core feature. The massive conflicts of interest are the only thing that prevent that. Can't trust ad companies to mantain ad blockers.
GeekyBear
> Extensions are untrusted code that should have as little access as possible.
It's entirely possible to manually vet extension code and extension updates in the same way that Mozilla does as part of their Firefox recommended extensions program.
> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
Other factors taken into consideration:
Does the extension function at an exemplary level?
Does the extension offer an exceptional user experience?
Is the extension relevant to a general, international audience?
Is the extension actively developed?
jowea
Why am I not allowed to trust an extension just as much as I trust the platform it is running on? This is the same logic behind mobile OSes creators deciding what apps can do.
sensanaty
I get what you mean and I think we align here, but I trust the uBlock team infinitely more than I trust Google to make my own extension decisions. I know there's a subset of regular users who fall for all manner of scam, but Manifest V3 doesn't even solve any of those issues, the majority of the same attack vectors that existed before still exist now, except useful tools like uBlock can no longer do anything since they got deliberately targeted.
Besides, there's ways of having powerful extensions WITH security, but this would obviously go against Google's data harvesting ad machine. The Firefox team has a handful of "trusted" extensions that they manually vet themselves on every update, and one of these is uBlock Origin. They get a little badge on the FF extension store marking them as Verified and Trusted, and unless Mozilla's engineers are completely incompetent, nobody has to worry about gorhill selling his soul out to Big Ad in exchange for breaking uBlock or infecting people's PCs or whatever.
Barbing
Would that rip off the how-do-we-fund-the-web bandaid, forcing new solutions? Worry about the interim where some publishers would presumably cease to exist. And who would remain afloat—those with proprietary apps, as Zucky as they are, I’d guess…
UBO is absolutely incredibly important. Figure you might know more than me about how journalists and reviewers and the like can still earn a keep in a world with adblockers built in to every browser.
SuperShibe
>finds way to make adblockers work on MV3
>snitches to Google
cool, thanks man
4gotunameagain
Well, in his defense it would have been patched immediately after the first adblocker used it, and he would have gotten nothing at all out of it.
Oh wait he got nothing at all anyway ;)
m4rtink
Would be quite different if they patched it and broke important extensions, possibly facing serieous outcry and bad publicity.
rollcat
Important extensions like, dunno, uBlock Origin?
devnullbrain
That's what they already did.
freed0mdox
Not really, this sort of fame farming is what makes candidates stand out in infosec interviews. A bug in Google systems is good for his future career.
38
wow what a scumbag
crazygringo
> Adblockers basically need webRequestBlocking to function properly. Pretty convenient (cough cough) for a company that makes most of its revenue from ads to be removing that.
Why does this keep getting repeated? It's not true.
Anyone can use uBlock Origin Lite with Chrome, and manifest v3. It doesn't just work fine, it works great. I can't tell any difference from the old uBlock Origin in terms of blocking, but it's faster because now all the filtering is being done in C++ rather than JavaScript. Works on YouTube and everything.
I know there are some limits in place now with the max number of rules, but the limits seem to be plenty so far.
zwaps
It is true though. Like, literally. Why do you think it is called Lite?
crazygringo
> It is true though. Like, literally.
Doesn't seem true to me. If it's true, then why is uBlock Origin Lite functioning properly as an adblocker for me?
> Why do you think it is called Lite?
Because it's simpler and uses less resources. And they had to call it something different to distinguish it from uBlock Origin.
rpdillon
One of the most frustrating things about these discussions is that it-works-on-my-machine effect. Anecdotal evidence is easily surpassed by a deeper understanding of the mechanisms that are changing. Here's what the author of uBlock Origin says about its capabilities in Manifest V3 versus Manifest V2.
> About "uBO Lite should be fine": It actually depends on the websites you visit. Not all filters supported by uBO can be converted to MV3 DNR rules, some websites may not be filtered as with uBO. A specific example in following tweet.
You can read about the specific differences in the FAQ:
https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...
My personal take is if you're a pretty unsophisticated user and you mostly don't actually interact with the add-ons at all, Manifest V3 will probably be fine.
If you understand how ads and tracking work and you are using advanced features of the extension to manage that, then Manifest V2 will be much, much better. Dynamic filters alone are a huge win.
rstat1
Its called Lite because it has tons of missing functionality from the not-Lite version that make the not-Lite version more effective as a content blocker.
tredre3
The statement was: "Adblockers basically need webRequestBlocking to function properly. "
This is demonstrably false, ublock lite proves that adblockers can work without it.
Whether or not ublock lite is missing functionalities because of MV3 is irrelevant to the original statement that adblockers need webRequestBlocking.
breve
The best bypass is to use Firefox. uBlock Origin works best in Firefox:
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...
pnw
Haven't missed Chrome once since switching to https://brave.com/
rollcat
It's the same Blink engine underneath. Talk about lipstick.
I'm not aware of a Blink-based browser that isn't dropping manifest V2. That would be a soft fork, and wouldn't survive long.
CharlesW
In the "cons" column, Brave is still a for-profit and has a bunch of features that continue to give some people the ick. In the "pros" column, there's a bunch of "how to debloat Brave" content showing how to improve the default kitchen-sink confifguration. https://www.youtube.com/watch?v=W6cKFliWW6Q
Supermancho
Not being able to run Twitch on it has me switch for brief periods.
sundarurfriend
Heh, funny, Twitch was the primary reason I installed Brave because it was being glitchy on Firefox (at the time years ago - no longer the case). I've never had trouble with Twitch on Brave.
bung
You're personally unable to look at twitch on it?
Supermancho
The adblock causes a twitch stream error. I can watch until the first ad. This is annoying, so I switch to vanilla chrome.
Etheryte
Of all the browsers you could be using, giving your data away to sketchy crypto bros should really not be at the top of the list.
Supermancho
It's the top of the list because it works so well. I forget it's a different browser most of the time. I was able to turn off everything extraneous that I was concerned about. Brave is also Open Sourced.
null
bung
Might as well edit and add some suggestions
throwaway73945
So OP got Google to patch a harmless "issue" that could've been used by addon devs to bypass MV3 restrictions. Hope it was worth the $0.
StrLght
I don't agree with this conclusion. Google is fully responsible for MV3 and its' restrictions. There's no reason to shift blame away from them.
Let's do a thought experiment: if OP hasn't reported it, what do you think would happen then? Even if different ad blockers would find it later and use it, Google would have still removed this. Maybe they'd even remove extensions that have (ab)used it from Chrome Web Store.
Barbing
Indeed.
Perhaps a hobbyist would code “MV2-capable” MV3 adblocker for the fun of it, forking UBO or something, as a proof-of-concept. How much time would anyone spend on its development and who would install it when the max runway’s a few days, weeks, or months?
DALEK_77
It seems someone's already done it. It requires some extra setup, but I managed to get it working on my machine.
raincole
Really? You think Google is that dumb? As soon as any ad blocker that people actually use implements it, it'll be patched. It's not something you can exploit once and benefit from it forever.
antisthenes
Yeah, that was my take as well. OP did some free work for a megacorp and made the web a little bit worse, because "security, I guess" ?
Good job.
deryilz
Sometimes you get $0, sometimes you get more. I would like to mention this stuff on my college applications, and even if I tried to gatekeep it, it'd eventually be patched. Not sure what your argument is here.
sebmellen
Incredibly impressive to do this sort of work before applying to college!
mertd
The author claims to be 8 years old in 2015. So that makes them still a teenager. It is pretty cool IMO.
9dev
Are you guys honestly arguing like the zero day industry would, for a vector that couldn’t be used by any ad blocking extension since Google has them under an electron microscope 24/7? To pick on a very young, enthusiastic programmer? What the hell??
busymom0
Google would have found this bug if any extensions tried to rely on it and patched it instantly anyway.
null
fracus
> But I don't know how to make an adblocker, so I decided to report the issue to Google in August 2023. It was patched in Chrome 118 by checking whether extensions usin
Well, thanks for nothing?
deryilz
Author here, sorry. I don't think any open-source extension (especially large adblockers with millions of users) could actually get away with using this bug, because Google is paying close attention to them. It would've been patched immediately either way.
daft_pink
So what’s the conclusion? Can we use a different Chrome based browser and avoid MV3? What’s the decision for privacy after this has happened?
perching_aix
This blogpost covers a workaround they discovered that would have let MV3 extensions access important functionality that was not normally available, only in MV2.
This workaround was fixed the same year in 2023 and yielded a $0 payout, on the basis that Google did not consider it a security vulnerability.
The conclusion then is that uBO (MV2) stopped working for me today after restarting my computer, I suppose.
j45
The little I've read bout this says that maintaining MV2 might be something as well.
If other chromium based browsers didn't have this issue, that would be great, but likely in time Youtube won't support browsers that don't have MV3. Probably still have some time though.
SSchick
Switched to Firefox yesterday, I suggest you do the same.
dexterdog
If you're going to switch you should switch to a better option. I've been using librewolf for years since Firefox doesn't have the best track record either.
dwedge
Are they still funded to the tune of a billion a year by Google so that Google can pretend they don't have a monopoly? Are they still intent on redefining as an ad company?
j45
That's a good reminder to update Firefox.
I tend to oscillate back and forth every few years gradually.
Lately not Chrome proper, there are some neat browser takes worth trying out like Vivaldi, Brave, Arc, etc that are Chromium based.
urda
You bypass it by installing Firefox.
qustrolabe
Firefox is awful. Both as a browser itself and as a base for other browsers. Such a shame that Zen didn't use Chromium :(
bradgessler
Try Safari, Firefox, or any other non-Chrome browser.
Even if bigs exists to work around what Google is doing, that isn’t the right way forward. If people don’t agree with Google move, the only correct course of action is to ditch Chrome (and all Chromium browsers). Hit them where it hurts and take away their monopoly over the future direction of the web.