5 comments
folti

@sdueckert @mathew @ljrk @catsalad @mozilla @torproject @eff it's de facto managed by the Google Chrome team as the base of Chrome. So don't expect anything else from it than from Chrome. Some other browsers based on it pledged to either retain V2 support, or implement their own adblock features (Brave, Opera, Vivaldi), while others don't, like Microsoft Edge who already stopped supporting V2.

lj·rk

@FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Yup, if nothing changes, the code will not only be disabled but removed from the code base and maintaining a fork that keeps it is unrealistic.

tbqf, the fundamental idea of MV3 isn't bad: Allowing for near arbitrary scripts to execute in the browser, fetched automatically from remote servers is basically a critical RCE vulnerability by design. The move to declarative filters and reimplementing the filtering code itself in native code is a good move and even speeds up filtering! It's something we, usually, should cheer!

Unfortunately Google decided to have a rather restricted set of API filtering features available that aren't sufficient to reimplement uBO in this declarative way, and also put arbitrary restrictions on foreign filtering rules. It's a gift, but a poisoned one.

mkind

@ljrk @FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Executing code from a remote source is the whole idea of the web. That's the design idea. The CSP allows mitigating arbitrary exec though.

lj·rk

@mkind @FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Well, it's the idea of the web since JavaScript -- at least depending on your definition of "executing code". But I'd argue viewing an HTML file is not executing remote code but local code that's interpreting a declarative(!) file, just like viewing a PNG; I wouldn't call either executing remote code.

That being said, running code from a website is still less of a problem than an extension, since the website's code (barring exploits) can only exfiltrate data I give/enter into the website anyway. The extension can, in theory, exfiltrate data from any website.
