
Google Chrome is cracking down on extensions - and that's a bad thing


Google is cracking down on extensions for Chrome, but not everyone agrees with the direction the company is taking. 

While Google argues the changes will make browser extensions perform better, be more secure, and protect user privacy better, the Electronic Frontier Foundation (an international non-profit digital rights group) believes the changes will instead “hurt innovation, reduce extension capabilities, and harm real-world performance”.

In a Chromium blog post, David Li (Product Manager for Chrome) and Simeon Vincent (Developer Advocate for Chrome) explained that the company plans on rolling out Manifest V3, a new version of the extensions platform that aims to achieve the abovementioned goals.

Manifest V3

With Manifest V3, Google plans on disallowing remotely hosted code, as it believes this mechanism is being used as an attack vector by bad actors to circumvent Google’s malware detection tools. 

“The removal of remotely hosted code will also allow us to more thoroughly and quickly review submissions to the Chrome Web Store. Developers will then be able to release updates to their users more quickly,” the announcement reads.

As for performance, the team is introducing service workers as a replacement for background pages. 

“Unlike persistent background pages, which remain active in the background and consume system resources regardless of whether the extension is actively using them, service workers are ephemeral. This ephemerality allows Chrome to lower overall system resource utilization since the browser can start up and tear down service workers as needed,” the two authors explain.

Furthermore, extension APIs in general are moving to a more declarative model. This, the managers argue, provides a more reliable end-user performance guarantee across the board.

On the privacy front, more permissions will be made optional, allowing users to withhold sensitive permissions at install time. “Long-term, extension developers should expect users to opt-in or out of permissions at any time,” the authors said.

Users can experiment with Manifest V3 on Chrome 88 Beta, Google confirmed, saying the Web Store will start accepting extensions for the new version in January, “shortly after Chrome 88 reaches stable”.

There’s still no exact date when Manifest V2 extensions will lose support, but developers can expect the migration period to last at least a year.

Opposing view

The news did not sit well with the Electronic Frontier Foundation, though. Reacting to the news in a blog post, technologists Alexei Miagkov and Bennett Cyphers said Google will achieve the exact opposite of what it’s trying to do:

"According to Google, Manifest v3 will improve privacy, security and performance," said Miagkov. "We fundamentally disagree. The changes in Manifest v3 won’t stop malicious extensions, but will hurt innovation, reduce extension capabilities, and harm real-world performance."

"Under Manifest v2, extensions are treated like first-class applications with their own persistent execution environment," said Miagkov and Cyphers. "But under v3, they are treated like accessories, given limited privileges and only allowed to execute reactively."

A week prior, another EFF technologist, Daly Barnett, wrote: "Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions – especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these – like some privacy-protective tracker blockers – will have greatly reduced capabilities."

Sead Fadilpašić
