Google Manifest V3 does not improve security issues

In the past few months, there has been a lot of controversy over the new extension system for Google Chrome, and some well-known extension developers have protested Google’s ability to deliberately limit extensions. For example, the new extension system limits the number of rules called by the adblocking software. The most intuitive experience for users is that some ads cannot be automatically blocked. The reason given by Google is that the new extended system changes the way it is invoked, which helps prevent some malicious extensions from stealing users’ private content such as URLs.

The well-known industry organization Electronic Frontier Foundation recently issued a document saying that Google’s upcoming new expansion system does have some malicious use. But there are actually other ways for malicious extensions to continue to extract user browsing data, including URLs visited by users and web content. So from a security perspective, this improvement is basically the same as no improvement, because malicious extensions can still steal user information. Based on the above situation, the Electronic Frontier Foundation believes that Google’s so-called improved security is actually lying, at least Google’s statement is not true!

“One change in Manifest V3 that may or may not help security is how extensions get permission to interact with websites. Under Manifest V3, users will be able to choose when they’re visiting a website whether or not they want to give the extension access to the data on that website. Of course it’s not practical to have to allow an ad- or tracker-blocker or accessibility-focused extension every time you visit a new site, so Chrome will still allow users to give extensions permission to run on all sites. As a result, extensions that are designed to run on every website—like several of those involved in DataSpii—will still be able to access and leak data.”