Comment by lapcat

Comment by lapcat 2 days ago

3 replies

View on Hacker News

This is not accurate. Safari had webRequestBlocking functionality from 2010 to 2019 and indeed a version of uBlock Origin for Safari. What is true is that Safari was the first browser to ditch webRequestBlocking, replaced by its Apple-specific static rule content blocker API.

Otherwise, though, Safari still supports MV2. Everyone seems to think webRequestBlocking is the only relevant change in MV3, but it's not. Equally important IMO is arbitrary JavaScript injection into web pages, which MV2 allows but MV3 does not.

MV3 is so locked down that you can't even use String.replace() with a constructed JavaScript function. It's really a nightmare.

Google's excuse is that all JavaScript needs to be statically declared in the extension so that the Chrome Web Store can review it. But then the Chrome Web Store allows a bunch of malware to be published anyway!

rasz a day ago

There must be ways of injecting custom non static js because mv3 version of tampermonkey works https://chromewebstore.google.com/detail/tampermonkey/dhdgff...

Reply View 2 replies
  • lapcat a day ago

    After dragging their feet for literally years, Google finally implemented a specific userscripts API. However, the implementation was initially just statically declared rules like DeclarativeNetRequest, which sucked, and it also required that the user enable developer mode.

    In Chrome 135, which is very recent—the public is currently on Chrome 138—Google added an execute() method to run an individual script. However, the API is not available from the extension content script, so if it needs to be triggered from the content script, you have to make an async call to the background script (or more accurately, the background service worker, which is a whole other nightmare of MV3). Moreover, the API accepts only a string for JS code or a filename; you still can't use a Function() constructor for example.

    In Chrome 138, the current version, Google switched from developer mode to a dedicated userscripts permission toggle in the extension details, which is disabled by default. I think Google is still working on but has not finished a permissions request API. Remember this is almost SEVEN YEARS after Google first announced Manifest V3. The entire time, Google has been stalling, foot dragging, practically getting dragged kicking and screaming into doing the least possible work here.

    Reply View 1 reply
    • rasz 17 hours ago

      Iv been following https://github.com/Tampermonkey/tampermonkey/issues/644 since 2020. I remember a moment in 2021 where Google came out with this ridiculous notion of User code stored on User computer and executed by User Agent being "remote" because it wasnt under Google control, but somewhere around 2022 things started clearing up and Jan Biniok managed to get a working mv3 version a year ago in May.

      Surprisingly this async serialize/deserialize nature of the API (https://github.com/Tampermonkey/tampermonkey/blob/cdfc253c07... ?) somehow still manages to inject and execute scripts fast enough to make them act like content scripts at document_start. The only problem is no arbitration between extensions, cant force Tampermonkey inject before uBO (tons of adblock filters disable functions required for Tampermonkey and effectively kill Tampermonkey in the process).

      Reply View 0 replies