Conversation

I don't think V3 is as bad as it's being portrayed, but also I don't really get why Chrome doesn't just do what FF does? Just backport declarative to V2 and maintain WebRequests in V3.
Replying to
They want to take steps towards resolving extensions being a major privacy and security issue. Even high quality open source extensions using this API are bypassing site isolation by handling the connections and data for a bunch of sites within the same global extension process.
Replying to and
Sketchy companies buy out widely used extensions including open source ones and turn them into data harvesting systems. When we used to use Content-Security-Policy, we'd see a lot of errors from adware/spyware extensions since Firefox had a bug not excluding extensions from CSP.
Replying to and
The main reason we turned off Content-Security-Policy reporting was because it was an endless stream of useless data caused by adware/spyware extensions along with others not properly adding CSP exceptions for themselves. Happens less now that extensions are mostly excluded...