User:Basicotter1919

Manifest V3 (WIP rewrite)

Manifest V3 is an update to the manifest structure used by browser extensions across the majority of the browser market. It was first mentioned on October 1st 2018 in a Chromium blog post[1], which said its aim was "to create stronger security, privacy, and performance guarantees". In the same blog post, Wagner wrote "We want to help all developers fall into the pit of success; writing a secure and performant extension in Manifest v3 should be easy, while writing an insecure or non-performant extension should be difficult."

Early disapproval by developers

Almost as soon as a design draft for Manifest V3 was made public, on November 9th 2018, developers disapproved of the changes it proposed, including the developers of privacy and security-focused tools such as NoScript, AdGuard, uMatrix, and uBlock Origin.[2] On January 22, 2019, in response to the design draft, the developer of uBlock Origin and uMatrix wrote, "if this (quite limited) [...] API ends up being the only way content blockers can accomplish their duty, this essentially means that content blockers I have maintained for years, uBlock Origin ("uBO") and uMatrix, can no longer exist." He also wrote, "[...] deprecating the blocking ability of the [...] API will essentially decrease the level of user agency in Chromium, to the benefit of web sites which obviously would be happy to have the last word in what resources their page can fetch/execute/render."[3] A developer for AdGuard seconded his points. A Chromium developer did not immediately answer these points, but instead directed the discussion to take place over private emails rather than the bug tracker.[4]

DataSpii

In February 2019[5], Sam Jadali began investigating suspicious browser extensions and the developers behind them. Over time he found eight browser extensions, primarily for Chromium-based browsers, to be collecting sensitive data from unsuspecting users, which would then be sold for profit.[6] This compromised the private data of as many as 4 million Chrome and Firefox users. Also impacted were companies such as Bank of America, AT&T, and even the Pentagon.[7] As he reported each extension for its suspicious activity, it was removed from the Chrome Web Store. However, data collection continued for months after this. It was only in early July, when Google remotely disabled the extensions, that the data collection finally stopped.[5] Though the disabled extensions had a notice saying "This extension violates the Chrome Web Store policy.", the notice said nothing of the data collection or the selling of said data. At the same time, the extensions could be forcibly re-enabled.[5]

In a statement responding to contact by Kate O'Flaherty, a cybersecurity and privacy journalist, a Google spokesperson said: "We want Chrome extensions to be safe and privacy-preserving, and detecting policy violations is essential to that effort."[8] The spokesperson went on to mention, referring to Manifest V3, changes to extensions that "will mitigate or prevent this behavior," and "new policies that improve user privacy." Sam Jadali disagreed that Manifest V3 would make any meaningful change.[9] This is because Manifest V3 doesn't make changes to how "content scripts" work, or how extensions are allowed to observe data.[9] According to the EFF, "The only part of Manifest V3 that goes directly to the heart of stopping DataSpii-like abuses is banning remotely hosted code."[9]

  1. Wagner, James (2018-10-01). "Trustworthy Chrome Extensions, by default". Chromium Blog.
  2. "Extensions: Implement Manifest V3". issues.chromium.org. 2018-10-18.
  3. "Extensions: Implement Manifest V3, comment #24". issues.chromium.org. 2019-01-22.
  4. "Extensions: Implement Manifest V3, comment #34". issues.chromium.org. 2019-01-22.
  5. Goodin, Dan (2019-07-18). "My browser, the spy: How extensions slurped up browsing histories from 4M users". Ars Technica.
  6. "DataSpii". dataspii.com.
  7. Jadali, Sam (2019-12-05). "Tweet by Sam Jadali". X.
  8. O'Flaherty, Kate (2019-07-19). "Data Leak Warning Issued To Millions Of Google Chrome And Firefox Users". Forbes. Retrieved 2025-11-22.
  9. Miagkov, Alexei; Gillula, Jeremy; Cyphers, Bennett (2019-07-31). "Google's Plans for Chrome Extensions Won't Really Help Security". EFF. Retrieved 2025-11-22.