1. 68
  1.  

  2. 22

    Relevant excerpt:

    From the description of the declarativeNetRequest API[1], I understand that its purpose is to merely enforce Adblock Plus (“ABP”)-compatible filtering capabilities[2]. It shares the same basic filtering syntax: double-pipe to anchor to hostname, single pipe to anchor to start or end of URL, caret as a special placeholder, and so on. The described matching algorithm is exactly that of a ABP-like filtering engine.

    If this (quite limited) declarativeNetRequest API ends up being the only way content blockers can accomplish their duty, this essentially means that two content blockers I have maintained for years, uBlock Origin (“uBO”) and uMatrix, can no longer exist.

    Beside causing uBO and uMatrix to no longer be able to exist, it’s really concerning that the proposed declarativeNetRequest API will make it impossible to come up with new and novel filtering engine designs, as the declarativeNetRequest API is no more than the implementation of one specific filtering engine, and a rather limited one (the 30,000 limit is not sufficient to enforce the famous EasyList alone).

    Key portions of uBlock Origin[3] and all of uMatrix[4] use a different matching algorithm than that of the declarativeNetRequest API. Block/allow rules are enforced according to their specificity, whereas block/allow rules can override each others with no limit. This cannot be translated into a declarativeNetRequest API (assuming a 30,000 entries limit would not be a crippling limitation in itself).

    There are other features (which I understand are appreciated by many users) which can’t be implemented with the declarativeNetRequest API, for examples, the blocking of media element which are larger than a set size, the disabling of JavaScript execution through the injection of CSP directives, the removal of outgoing Cookie headers, etc. – and all of these can be set to override a less specific setting, i.e. one could choose to globally block large media elements, but allow them on a few specific sites, and so on still be able to override these rules with ever more specific rules.

    Extensions act on behalf of users, they add capabilities to a user agent, and deprecating the blocking ability of the webRequest API will essentially decrease the level of user agency in Chromium, to the benefit of web sites which obviously would be happy to have the last word in what resources their pages can fetch/execute/render.

    With such a limited declarativeNetRequest API and the deprecation of blocking ability of the webRequest API, I am skeptical “user agent” will still be a proper category to classify Chromium.

    1. 33

      I felt this bit was especially powerful:

      Extensions act on behalf of users, they add capabilities to a user agent, and deprecating the blocking ability of the webRequest API will essentially decrease the level of user agency in Chromium, to the benefit of web sites which obviously would be happy to have the last word in what resources their pages can fetch/execute/render.

      With such a limited declarativeNetRequest API and the deprecation of blocking ability of the webRequest API, I am skeptical “user agent” will still be a proper category to classify Chromium.

      Browsers are no longer seen as vehicles we use and control to explore the web. Instead, they’re a portal that corporations grant us to their “experience” of the web. Even in cases where ads aren’t an issue, it’s harder and harder to find websites that don’t view themselves more as art installations than useful content.

    2. 30

      I am skeptical “user agent” will still be a proper category to classify Chromium.

      Welcome to the party.

        1. 5

          I mean, Google would argue, and I think it’s a reasonable argument, that they are serving their customers, and the larger web ecosystem in general. It’s just that their definition of “customer” is “data broker” and they include in the “web ecosystem” all manner of malicious players, from ad exchanges on down.

          1. 2

            I wanted to say that this was hyperbolic. The API shown here is basically the same one that uBlock uses for blocking URL’s anyway, and the aesthetic filters are just custom stylesheets and thus unrelated to this API. Reducing the amount of IPC and JavaScript that’s in the hot path for loading stuff seems like a good idea…

            But the limit of 30K rules is ridiculous. EasyList alone has 86K rules in it for Christ’s sake! That cap is completely unacceptable. Make it a million and I’ll reconsider, but for now, if this hits Chrome, Google loses a user.

            I’m already using Firefox, for the same reason I use ProtonMail, but for most of the people that I act as “tech guy” for, I don’t usually try to switch them off of their preferred browser. I do insist on using an ad blocker, for all the crap that gets distributed through shady ad networks.

          2. 12

            For those who haven’t read until the end, the conversation is supposed to continue in a mailing list. See https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/veJy9uAwS00 for more.

            1. 9

              I have an alternate theory, that doesn’t assume malice. Bear with me, while I try to detangle this: My reading is that this is about security & performance.

              In a world with CPU bugs (spectre, meltdown), you’re concerned about lesser privileged code sharing a process with higher privileged code. So, if you were to isolate extensions into their own process, you’d need to do Inter-Process Communication (IPC) for everything that’s happening in an extension. That’s a decision, we’ll have to accept. You can’t have less privileged code (websites) share their realm with extensions.

              So, if you were to have extensions that want to block or modify all outgoing requests, you’d need a call into all of those extensions (through IPC). For every single requests. Can you imagine how bad this will be for performance?

              A logical next step is to expect an extension to state which resources it intends to modify (or block) up-front in a declarative way. With this, the browser can implement the necessary optimizations to only call into an extension, when it’s really worth it.

              Even with this a declarative approach, an extension will directly impact the amount of memory required for the browser process, as the list has to come straight from the extension. I think it’s a reasonable approach that browser vendors want to cap that somewhere. As it seems, the existing limit of 30k entries is too low for typical and popular extensions (e.g. uBlock Origin). Maybe one could just bump this limit, as it’s currently drafted? Maybe this limit could be removed with some technical hackery and optimizations (hash tables, bloom filters, ..)? We’ll see.

              1. 4

                The purported reason for this change is not to protect extensions from websites.

                1. 5

                  That’s obviously the cover story here. The real question is, why such a drastic change, and why at this moment?

                  1. 4

                    I don’t consider it drastic at all. Google has been announcing plans as early as October and published their first design doc draft in November.

                    By the way, their plans are still called Draft with a red and bold pretext of “Status: DRAFT. This document may be updated with additions, modifications, or removals.” On top of that, the very first section of the document (Objectives) says that this will be a year-long or later process.

                    Maybe it feels drastic to you, because of all the posts being spread, copied, re-posted as of the last day or so?

                    1. 9

                      I think it feels drastic to a lot of people to have it suggested that control over what their browser does might be wrested away from them.

                      1. 2

                        I think I misread drastic as “sudden”, not “harsh”. Either way, I think my argument holds true: The draft (!) is a conversation starter. It’s dirty and unhealthy conversation if everyone full-FUD & outrage.

                        1. 3

                          I totally agree about unhealthy conversations. But I think the response is rather reasonable, considering the circumstances. Just because there’s a lot of conversation doesn’t mean it’s counterproductive. That being said, the productivity of the conversation is entirely up to Google, and if they want to perceive this as FUD, then no one can stop them.

                2. 3

                  I wonder if this is Google’s way of competing with Apple’s content blocking on mobile. Perhaps we’ll eventually see some form of content blockers listed on the Play Store.

                  1. 4

                    Google and Apple have completely different business models. We may(we do) see some content blockers but google won’t allow blocking “approved”/their adverts. Same thing goes with video downloaders in chrome store: you are not allowed to make tools for downloading from youtube, other services are ok.

                  2. 3

                    From a casual observer’s point of view (mine) browser dominance seems to go in very similar cycles. My first browser was Netscape. That seemed to dominate or at least be popular, but then internet explorer (which often confused me because at one point it also worked as a file browser - I think?) ate the world. Everyone built their websites to work on IE. Then came Firefox. I used Firefox, but I see I was still in the minority. Then came chrome. Chrome is the modern IE: if you don’t build your site to work on Chrome, everyone will complain.

                    The problem is that gmail has eaten the world, the google suite of tools (docs, spreadsheet, presentation) has eaten the world, and Chrome integrates so tightly with them. And it’s all “free”. I’ve gotten so used to having my documents and my email from a “free” service that seems reliable and secure, it’s hard to break out.

                    But this too shall pass. Remember Yahoo? I do, when it’s name had a (!) at the end. I wonder what’s coming next?

                    I do have a question. Say I do want to step out of the google ecosystem, what do people suggest for

                    • email
                    • documents suite
                    • photos
                    • browser
                    1. 17

                      Hi, I’m Ted, I’m Google-free for about 5 years (Hi Ted!)

                      • I use runbox.com for email, but I’m obviously biased since I also work there. I can vouch that we’re not assholes :)
                      • I have no need for an online documents suite, and barely any need for any documents suite, but I use Libreoffice when I do have that need.
                      • I sync the photos from my phone (SailfishOS, not android) to my nextcloud, which I host on my digitalocean VPS. The non-phone photos are stored on my NAS at home, organized slightly by Gnome’s Shotwell.
                      • Firefox is my browser on all my devices.

                      Feel free to ask about more things; going Google-free seemingly forces you to be a bit of a technical Amish, rejecting modern technology, but surprisingly a lot of stuff outside of Google is actually really good: it takes trying out and getting used to the alternatives to realize how godawful some of Google’s “products” actually are.

                      1. 4

                        My private identity is de-googlified (I have to use some services for work). There’s a french free software company “framasoft” that aims to provide an alternative for every service that Google offers. See https://degooglisons-internet.org/en/ as it has good pointers, though I use almost none of their services.

                        Here’s what I use:

                        • mailbox.org for email (I can also recommend posteo, protonmail, fastmail), built-in android email client
                        • no cloud-document suite (libreoffice)
                        • photos on nextcloud, with auto-sync from mobile to my own instance.
                        • Firefox 🦊, mobile and desktop
                        1. 2

                          I’ve been using these:

                          email

                          ProtonMail and Fastmail

                          photos

                          Adobe Creative Cloud / Mega nz

                          browser

                          Firefox, switched to it during Firefox Quantum alpha and haven’t needed Chrome ever since.

                          Documents suite I don’t really need, for text-documents I’ve used what ever text-editor I usually tend to use.

                          1. 2

                            I’ve been trying to deGoogle slowly over the past years and I do not like running my own servers for email, contacts, cloud sync, etc.:

                            • email: I’ve been with my ISP since forever, however this is in Europe so we don’t have the nastiness US ISPs and telcos pull. Also, this has been a real solid ISP. For you, I would say FastMail or ProtonMail. I also use FastMail for my contacts and calendar (I wish my ISP offered this!),
                            • documents suite: I have no good answer to this since I do not depend on a documents suite, I just use either Emacs with org-mode or Markdown,
                            • photos: I use pCloud and sync them from my phone (also SailfishOS like Ted) with Rclone,
                            • browser: I’ve been using Firefox for ages with NoScript and uBlock as most important addons, but I do have a Chrome handy for the very few sites that do not work. People always complain about Firefox being slow but it’s always been pretty similar to Chrome for my non-typical usage. Similar enough to not want to switch to Chrome anyway.
                            1. 1

                              Out of curiosity, what’s the rationale for using both NoScript and uBlock? Seems a bit redundant?

                              1. 2

                                Hmm.. I don’t know actually, in the past the JavaScript-blocking and ad-blocking were in separate addons. I’ve always used NoScript to block JS and have gone through different ad-blockers over the years. I did not realize uBlock had functionality for blocking JS. How embarassing.

                                I’m used to NoScript’s UI though and I’ve got an extensive list of sites I do allow (some) JS for.

                            2. 2

                              I’m Google-free in my private life – I use Fastmail for email, calendars, and contacts syncing; I use iCloud and SmugMug for photos; I don’t use a shared document suite; and I use Safari. I also block all of Google’s and Youtube’s (and Facebook’s) domains on my main browser, and I keep a Firefox instance around for looking at youtube videos and suchlike.

                              For my work computer, I do have to use Chrome, because we use Google stuff at work.

                            3. 2

                              Here’s a link to the mailing list archive.

                              1. 2

                                Feel free to contribute to the mailing list discussion.