The Google Security Blog has waded into the controversy about Google’s changes to the Web Request API, painting it as part of the fight Google is engaging in to keep web users safe.

Google explained that it has been fighting a quiet battle against malicious extension developers, blocking 1,800 malicious extension uploads a month to its extension store, and that it has recently had to increase its extension abuse engineering team by 300% and the number of reviewers by 400% in response.

This has met with some success, with the rate of malicious installations down by 89% since early 2018. Ultimately, however, Google felt that it needed to give extensions less access to user data. That meant changes to the Web Request API, which sets extensions up as men in the middle, allowing them to process web pages before they are rendered by the browser.

Google’s new Declarative Net Request API would allow extensions to give processing rules to the browser, which would then implement them without allowing extensions to touch web page data.
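The difference between the two designs described above, as an added example that is not code from Google or from the original article. The rule objects follow the shape of Declarative Net Request rules; the matcher (a subset of the `urlFilter` syntax), the function names `browserDecide`, `webRequestListener` and `runBoth`, and the sample requests are assumptions constructed for illustration.

```javascript
// Simplified model, constructed for illustration; not Chrome's implementation.
// Declarative style: rules are plain data handed to the browser once.
const rules = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example^", resourceTypes: ["script", "image"] } },
  { id: 2, priority: 2, action: { type: "allow" },
    condition: { urlFilter: "||ads.example/consent*", resourceTypes: ["script"] } },
];
// Subset of urlFilter syntax: "||" domain anchor, "^" separator, "*" wildcard.
function filterToRegExp(urlFilter) {
  const anchored = urlFilter.startsWith("||");
  const body = (anchored ? urlFilter.slice(2) : urlFilter)
    .replace(/[.+?${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\^/g, () => "(?:[/:?&=]|$)");
  return new RegExp((anchored ? "^[a-z]+://(?:[^/]*\\.)?" : "") + body);
}
// Browser side: evaluates the rules itself; no extension code runs per request.
function browserDecide(request, ruleset) {
  const hits = ruleset.filter(r =>
    r.condition.resourceTypes.includes(request.type) &&
    filterToRegExp(r.condition.urlFilter).test(request.url));
  hits.sort((a, b) => b.priority - a.priority); // highest priority wins
  return hits.length ? hits[0].action.type : "allow";
}

// Web Request style: the browser calls extension code with each request's details.
const seenByExtension = [];
function webRequestListener(details) {
  seenByExtension.push(details.url); // extension code observes every URL
  const u = new URL(details.url);
  const isAd = /(^|\.)ads\.example$/.test(u.hostname);
  return { cancel: isAd && !u.pathname.startsWith("/consent") };
}

// Constructed sample traffic.
const requests = [
  { url: "https://cdn.ads.example/track.js", type: "script" },
  { url: "https://ads.example/consent.js", type: "script" },
  { url: "https://bank.example/account?id=42", type: "main_frame" },
];
function runBoth() {
  seenByExtension.length = 0;
  const declarative = requests.map(r => browserDecide(r, rules));
  const imperative = requests.map(r => (webRequestListener(r).cancel ? "block" : "allow"));
  return { declarative, imperative, seenByExtension: [...seenByExtension] };
}
console.log(runBoth());
```

Both styles reach the same block/allow decisions here, but only the Web Request listener ends up holding all three URLs, including the unrelated bank page.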

Google notes:

This has been a controversial change since the Web Request API is used by many popular extensions, including ad blockers. We are not preventing the development of ad blockers or stopping users from blocking ads. Instead, we want to help developers, including content blockers, write extensions in a way that protects users’ privacy.
We understand that these changes will require developers to update the way in which their extensions operate. However, we think it is the right choice to enable users to limit the sensitive data they share with third-parties while giving them the ability to curate their own browsing experience. We are continuing to iterate on many aspects of the Manifest V3 design, and are working with the developer community to find solutions that both solve the use cases extensions have today and keep our users safe and in control.

While Google’s implementation appears more secure, it is clearly less powerful than having extensions work directly with the data, and it suggests Google feels users should not be able to trust companies with millions of users, such as uBlock or Adblock Plus, with their data. It represents, in effect, the closing in of the once-open browser ecosystem, and one can only wonder which class of extension will be next to suffer. Do we really need third-party password managers, for example, when Google can look after your sensitive data themselves?

One of the main defences against monopoly accusations for browser developers has been the low cost of switching. It remains to be seen if Google closing the browser ecosystem will be enough to prompt users to take advantage of this feature.

Thanks, Leo, for the tip.
