Google has been threatening this for a while, but now they’re finally getting around to it; they’re starting to remove Manifest v2 (MV2) from Chromium (and thus Chrome, and likely many browsers based on chromium, which is the majority of the browser space, these days!).
What does this mean?
Chrome extensions use a set of APIs to talk to the browser engine. The main version that’s been in use for a number of years is “Manifest v2”. This set of APIs are extremely powerful and flexible and allow an extension to modify almost every aspect of your browsing experience. Extensions such as uBlock Origin (uBO) and NoScript make use of this to inspect web pages and modify them; e.g. to remove adverts, block JavaScript and so on.
Google are removing this API and replacing it with a newer one (“Manifest v3”; MV3) which is more limited in capabilities. This will cause a number of extensions to break, and may make it infeasible for them to operate at all.
If you are on the beta, dev or canary channels then you’ll already be seeing impact; it hasn’t yet reached the main stable channel, but it’s only a couple of major releases away.
Why are they doing it?
Google’s primary claims are around security and performance. If a rogue extension was deployed to your browser then with v2 it can see pretty much everything; it could steal your bank login credentials (so always use MFA!) or insert adverts or… anything. This is obviously bad. By enforcing a more limited API the risks are mitigated to some extent.
Similarly extensions (even ones you want) can be slow because they can do so much. An extension with thousands of rules could slow down every web page you go to, and take up lots of memory. Chrome frequently gets the blame for being a memory and CPU hog, but how much of this is the core browser engine and how much is due to the dozen extensions people load?
So what’s the problem?
Manifest v3 has strict limits which prevents uBO from being ported over. Instead, the author has created a uBO Lite. This has some functionality changes and a lot of limitations.
Possibly more importantly, filter rules are no longer updated from the internet but are embedded into the extension. The rules are now only update when the extension is updated, and this may take some time as it goes through the Google evaluation processes. This could mean that new advertising solutions may get through until the extension is updated; with MV2 the extension could regularly update its lists. In the past I’ve seen sites such as twitter modify how ads are displayed, but then a few hours later uBO rules update to handle this.
And this is why people are worried about MV3 and why Google’s rationale isn’t as persuasive; the feeling is that Google (the owner of the world’s largest digital advertising platform) is deliberately trying to hobble ad blockers.
We’ve seen ads used to propagate malware in the past, and even NIST recommend “Use advertisement blocking extensions” as part of safe web browsing, so there’s also a concern that Google are reducing overall security; an ad blocker could mitigate a Chrome zero-day attack!
What can we do?
For the immediate future, keep an eye on your extensions. If they get disabled you may be able to temporarily re-enable them.
It’s definitely worth trying out MV3 extensions to see if they’re good enough. It may be that you just don’t need the flexibility of the MV2 code, and the new extension is fine.
You could switch to another browser; Mozilla claims they have no plans to deprecate MV2 in Firefox, and many of the extensions you use on Chrome are available for Firefox.
There are some forks of Chromium that have built in ad blocking (e.g. Brave) but some of these may come with other concerns.
There are also some commercial Enterprise browsers out there with their own ad-blocker engines which shouldn’t be impacted by this (I was involved in the evaluation of one, and it was pretty good, but I try not to recommend products!)
Vivaldi wants to keep MV2 functionality “for as long as it’s still available in Chromium”, which may be until June 2025.
Getting another year of life
Which brings us to another way of keeping going until June 2025. Google are granting Enterprises the ability to keep MV2 extensions by setting a management policy. We can make use of this even for unmanaged browsers!
If you go to about:policy in chrome and click on “Show policies with no
value set” then you’ll see an entry called “ExtensionManifestV2Availability”.
This can be used to control if MV2 can be used. The default value is
“browser default” but we can set this to 2 to force it to be on.
How we do this will depend on your OS.
Obviously Enterprises using the Manager tool can set it there. But even without this the policy can be set on a machine by machine basis.
On Windows this is stored in the registry. We can set it from an admin command line:
C:\Windows\System32>reg add HKLM\Software\Policies\Google\Chrome /v ExtensionManifestV2Availability /t REG_DWORD /d 2
The operation completed successfully.
On Linux if you view the policy logs (“more actions / view logs”) you should see entries similar to
[VERBOSE] Skipping mandatory platform policies because no policy file was found at: /etc/opt/chrome/policies/managed
[VERBOSE] Skipping recommended platform policies because no policy file was found at: /etc/opt/chrome/policies/recommended
This tells us where the policy file needs to be placed. It may be different on Chromium. In my case I was then able to do
# mkdir -p /etc/opt/chrome/policies/managed
# echo '{
"ExtensionManifestV2Availability": 2
}' > /etc/opt/chrome/policies/managed/v2.json
In both scenarios, if you go back to about://policy and click on
“Reload policies” the value should show up.
With luck this will let us keep using MV2 extensions until June 2025.
This may come with a downside; Google are no longer accepting MV2 extensions into their store so if there is a security issue found in an extension then it may not get fixed. So definitely caveat emptor!
These changes are at the machine level, so every user of the machine will get this policy.
Enterprises could set the registry via a GPO and update the local file on Unix machines with their preferred management tool.
Home users can do this manually. It needs to be done on each machine, so if you have more than one machine then remember to make this change everywhere!
Summary
The MV2 deprecation is not popular. It may add some security benefits against rogue extensions but it definitely has downsides for the more privacy and security conscious folks.
In the long run we might see a resurgence of alternate browsers and the decline of Chromium based ones (much as Chrome killed Internet Explorer), but given many end users are likely just using Edge on Windows I won’t hold my breath.