In the previous post of this series, What is Manifest v3 and how it affects JShelter, we've stressed the limitations of the new WebExtensions APIs, along with the challenges and the threats it poses to privacy and security extensions such as JShelter.
As part of our strategy to mitigate these problems, we mentioned "actively participating in the ongoing /browser extensions API design work/ of the Web Extensions Community Group (WECG), to steer the MV3 specification in the most favorable direction for security and privacy use cases".
Here, we want to provide some updates about these design participation activities, and pointers to follow their progress.
Specifically, we prompted the W3C's WECG to resume the discussion of the two main issues "blocking" JShelter, which we had originally opened more than 2 years ago:
- LAN-aware Declarative Net Request filters, required for the Network Boundary Shield to operate in Chromium-derived browsers and Safari on MV3
See public notes of the meetings of the WECG for more details on the working of the group.
This time, the response has been unanimously positive on #1, and generally positive on #2, with Google expressing a neutral position motivated by Chromium developers unsure if the Network Boundary Shield use case would be better served by a built-in browser UI around their (not ready for prime time yet and planned for quite a long time now) Private Network Access.
- Proposal: RegisteredContentScript.func and RegisteredContentScript.args (similar to ScriptInjection)
- Proposal: RegisteredContentScript.workers property to inject WorkerScope(s)
- Proposal: Proposal: RegisteredContentScript.tabIds and RegisteredContentScript.excludeTabIds properties to filter injection
Browser vendors now signalling adequate understanding of our requirements and their will to implement our API proposals or equivalent alternatives before MV2 sunset can finally induce some cautious optimism about a reasonably better MV3 for privacy and security extensions.