From c44ef3fcf37c1b9614d3bbcfcacc9a993da0e48c Mon Sep 17 00:00:00 2001 From: Nishant Arora <1895906+whizzzkid@users.noreply.github.com> Date: Wed, 29 Nov 2023 00:34:03 -0700 Subject: [PATCH] Update src/_blog/2023-ipfs-companion-MV3-update.md Co-authored-by: Marcin Rataj --- src/_blog/2023-ipfs-companion-MV3-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/_blog/2023-ipfs-companion-MV3-update.md b/src/_blog/2023-ipfs-companion-MV3-update.md index a2249fe67..0c44d9f9c 100644 --- a/src/_blog/2023-ipfs-companion-MV3-update.md +++ b/src/_blog/2023-ipfs-companion-MV3-update.md @@ -30,7 +30,7 @@ Chrome's changes have been much more invasive, as they push for the use of backg When MV3 changes got announced, there was [uproar in the community](https://arstechnica.com/gadgets/2022/09/chromes-new-ad-blocker-limiting-extension-platform-will-launch-in-2023/) that the `webRequest` API was going to be deprecated and replaced by `declarativeNetRequest`. The main reason for this was that the `declarativeNetRequest` API is not as powerful as the `webRequest` API, and it doesn't allow extensions to block requests. Instead, it allows the extension to add and update a limited number of rules per-extension. This was promoted as a way to improve performance and privacy, as the browser would be able to block requests without having to load the extension's code. However, this also meant that the extension would not be able to intercept the requests, and would have to rely on the browser to do so that too for a very limited number of domains. -However, it turns out that the `declarativeNetRequest` API is not as secure as it sounds, because even though the extension cannot intercept or block a request in-flight, it can still observe the request and add or update a rule based on a given observation. Which means a malicious extension can still observe the requests and send them to a remote server for analysis, which is not very different from what the `webRequest` API allows. +In practice, there are no privacy or security benefits of `declarativeNetRequest`, and the old behaviour (required by IPFS Companion) can be reimplemented with extra steps. Even though the MV3 extension cannot intercept and block a request in-flight, it can still observe all HTTP requests without blocking them, and work-around rule count limit by adding or updating dynamic rules on the fly. When a matching request is found by read-only observer, extension can programmatically reload document to force fresh page load against updated dynamic rules. In other words, the MV3 version of Companion extension can emulate the behaviour from MV2: ![declarativeNetRequest API](../assets/ipfs-companion-mv3-declarativenetrequest.png)