In a recent blog post from the Electronic Frontier Foundation, the digital rights group warns that Google Chrome's latest specification for building Chrome extensions, known as Manifest V3, "is outright harmful to privacy efforts." EFF technologist Daly Barnett writes: Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks. [...] It will restrict the capabilities of web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these -- like some privacy-protective tracker blockers -- will have greatly reduced capabilities. Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extensions security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level... since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.

As for Chrome's other justification for Mv3 -- performance -- a 2020 study (PDF) by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance. The development specifications of web browser extensions may seem in the weeds, but the broader implications should matter to all internet citizens: it's another step towards Google defining how we get to live online. Considering that Google has been the world's largest advertising company for years now, these new limitations are paternalistic and downright creepy.

Mozilla has announced through its Mozilla Hacks blog that it plans to ship a 'novel sandboxing technology' called RLBox with Firefox 95 which it has been developing alongside researchers from the University of California San Diego and the University of Texas. From a report: It said RLBox makes it easier to isolate subcomponents of the browser efficiently and gives Mozilla more options than traditional sandboxing granted it. Mozilla said this new method of sandboxing, which uses WebAssembly to isolate potentially-buggy code, builds on a prototype that was shipped in Firefox 74 and Firefox 75 to Linux and Mac users respectively. With Firefox 95, RLBox will be deployed on all supported Firefox platforms including desktop and mobile to isolate three different modules: Graphite, Hunspell, and Ogg. With Firefox 96, two more modules, Expat and Woff2, will also be isolated.

Microsoft is backtracking on changes it made to Windows 11 that made it more difficult to switch default browsers. From a report: A new test build of Windows 11 now allows users of Chrome, Firefox, and other browsers to set a default browser with a single button, which is a far simpler process. Rafael Rivera, developer of the excellent EarTrumpet Windows app, discovered the new Windows 11 changes earlier this week. Instead of having to change individual file extensions or protocol handlers for HTTP, HTTPS, .HTML, and .HTM, Windows 11 now offers a simple button that lets people switch default browsers in a similar way to Windows 10. Microsoft has confirmed the changes are intentional and are currently being tested. "In the Windows 11 Insider Preview Build 22509 released to the Dev Channel on Wednesday, we streamlined the ability for a Windows Insider to set the 'default browser' to apps that register for HTTP:, HTTPS:, .HTM, and .HTML," explains Aaron Woodman, vice president of Windows marketing, in a statement to The Verge. "Through the Windows Insider Program you will continue to see us try new things based on customer feedback and testing."

Microsoft has never been a fan of Windows users downloading Chrome instead of using Edge, but the company has now stepped up its campaign to keep people using its built-in browser. From a report: Windows 10 and Windows 11 have both started displaying new prompts when people navigate to the Chrome download page, in an effort to discourage people from installing Google's rival browser. These new prompts, spotted by Neowin, include messages like:

"Microsoft Edge runs on the same technology as Chrome, with the added trust of Microsoft."
"That browser is so 2008! Do you know what's new? Microsoft Edge."
"'I hate saving money,' said no one ever. Microsoft Edge is the best browser for online shopping."

Microsoft has decided to add "Buy Now, Pay Later" financing options to its Edge browser in the U.S. -- and the overwhelming response has been negative. The Register reports: The Buy Now Pay Later (BNPL) option pops up at the browser level (rather than on checkout at an ecommerce site) and permits users to split any purchase between $35 and $1,000 made via Edge into four instalments spread over six weeks. The system is powered by Zip, previously Quadpay, and offers a Chrome extension for users who want to split their payments (interest-free if you make the payments on time, although Zip charges $1 per installment). Microsoft has now bundled the platform into Edge.

Feedback could charitably be described as negative so far, as demonstrated by the tags assigned to the post on Microsoft's Tech Community site. Comments (numbering 119 at time of writing) posted by visitors to the site can be pretty much summed up thusly: "This [is] a cheap and disgusting move from Microsoft and edge team to the browser users. You should be ashamed for pushing such crap to users. Listening to the users checkout flows, suggesting third party services. Bloating the browser. Seriously, be better and more responsible." "It's deeply shocking this is built into the base Windows OS on billions of devices," writes cybersecurity expert Kevin Beaumont in a tweet. "I feel like I should start a GoFundMe for Microsoft, or teach them how to beg bounty, as clearly they need the money."

"Remember how Microsoft spent years in hot water in the late '90s and early '00s by forcing Internet Explorer on its customers?" asks ZDNet.

"European open-source cloud company Nextcloud does." Now, with a coalition of other European Union (EU) software and cloud organizations and companies called the "Coalition for a Level Playing Field," Nextcloud has formally complained to the European Commission about Microsoft's anti-competitive behavior by aggressively bundling its OneDrive cloud, Teams, and other services with Windows 10 and 11.

Nextcloud claims that by pushing consumers to sign up and hand over their data to Microsoft, the Windows giant is limiting consumer choice and creating an unfair barrier for other companies offering competing services. Specifically, Microsoft has grown its EU market share to 66%, while local providers' market share declined from 26% to 16%. Microsoft has done this not by any technical advantage or sales benefits, but by heavily favoring its own products and services, self-preferencing over other services. While self-preferencing is not illegal per se under EU competition laws, if a company abuses its dominant market position, it can break the law. Nextcloud states that Microsoft has outright blocked other cloud service vendors by leveraging its position as gatekeeper to extend its reach in neighboring markets, pushing users deeper into its ecosystems. Thus, more specialized EU companies can't compete on merit, as the key to success is not a good product but the ability to distort competition and block market access....

So, Nextcloud is asking the European Commission's Directorate-General for Competition to prevent this kind of abusive behavior and keep the market competitive and fair for all players. Nextcloud is doing this by filing an official complaint with this body. In addition, Nextcloud has also filed a request with the German antitrust authorities, the Bundeskartellamt, for an investigation against Microsoft. With its partners, it's also discussing filing a similar complaint in France.

Nextcloud is being joined in its complaint by several open-source, non-profit organizations. These include the European DIGITAL SME Alliance; the Document Foundation, LibreOffice's backing organization; and the Free Software Foundation Europe (FSFE)... Numerous businesses are also supporting Nextcloud's legal action. This includes Abilian, an open-source software publisher; DAASI, an open-source identity management company; and Mailfence.

Google has pledged more restrictions on its use of data from its Chrome browser to address concerns raised by Britain's competition regulator about its plan to ban third-party cookies that advertisers use to track consumers. From a report: The Competition and Markets Authority (CMA) has been investigating Google's plan to cut support for some cookies in Chrome - an initiative called the "Privacy Sandbox" -- because it is worried it will impede competition in digital advertising. Alphabet's Google has said its users want more privacy when they are browsing the web, including not being tracked across sites.

Other players in the $250 billion global digital ad sector, however, have said the loss of cookies in the world's most popular browser will limit their ability to collect information for personalising ads and make them more reliant on Google's user databases. Google agreed earlier this year to not implement the plan without the CMA's sign-off, and said the changes agreed with the British regulator will apply globally.

Microsoft Edge recently gained a feature that allows people to pay for online purchases in installments. It's known as buy now, pay later (BNPL), and it's currently in testing on Microsoft Edge Dev and Canary. The option drew criticism from fans and users of the browser that expressed frustration in the comments section of the post announcing the feature. From a report: The center of most complaints is the belief that Microsoft Edge is becoming bloated with shopping features rather than delivering a pure browsing experience. BNPL is optional, but its detractors are against the concept of Edge having shopping features built in. "It's impressive how quickly you can throw away years of hard work and good will with a ridiculous feature like this," said vyrotek. "The Edge teams need to pause and think how they possibly thought this was a good idea. Even the Bing features are getting too aggressive." Cameron_Bush states asks for Microsoft to reconsider the addition. "This sounds like an awful idea that will only be seen as a shameless cashgrab are/or bloat by media outlets. I beg you reconsider pushing this to live. The negative press this feature is going to receive isn't worth it."

Mozilla announced last week via a support article that its Firefox Lockwise password manager app will reach end-of-life on December 13th. The final release versions are 1.8.1 (iOS) and 4.0.3 (Android) and will no longer be available to download or reinstall after that date. The Verge reports: What started in 2018 as a small experimental mobile app called Lockbox ended up bringing a way to access saved passwords and perform autofills on iOS, Android, and desktop devices to a small but enthusiastic following of Firefox fans. The app was also later adapted as a Firefox extension. It seemed like it was apt to stick around for the long run.

The support article recommends that users continue accessing passwords using the native Firefox browsers on desktop and mobile. In an added note on the support site, Mozilla suggests that later in December, the Firefox iOS app will gain the ability to manage Firefox passwords systemwide. The note alludes to Mozilla adopting the features of Lockwise and eventually integrating them into the Firefox browser apps natively on all platforms.

An anonymous reader quotes a report from The Next Web: YouTube's decision to hide dislike counts on videos has sparked anger and derision. One inventive programmer has attempted to restore the feature in a browser extension. The plugin currently uses the Google API to generate the dislike count. However, this functionality will be removed from December 13. "I'll try to scrape as much data as possible until then," the extension's creator said on Reddit. "After that -- total dislikes will be estimated using extension users as a sample."

The alpha version isn't perfect. It currently only works on videos for which the Youtube API returns a valid dislike count. The calculations could also be skewed by the userbase, which is unlikely to represent the average YouTube viewer. The developer said they're exploring ways to mitigate this, such as comparing the downvotes collected through the public of extension users to a cache of real downvotes. The results should also improve as uptake grows. The plugin could provide a useful service, but its greatest value may be as a potent symbol of protest. You can try it out here -- but proceed at your own risk. If you want to check out the code, it's been published on GitHub. Further reading: YouTube Co-Founder Predicts 'Decline' of the Platform Following Removal of Dislikes

Z00L00K writes: From Schneier on Security

I received email from two people who told me that Microsoft Edge enabled synching without warning or consent, which means that Microsoft sucked up all of their bookmarks. Of course they can turn synching off, but it's too late. Has this happened to anyone else, or was this user error of some sort? If this is real, can some reporter write about it? (Not that "user error" is a good justification. Any system where making a simple mistake means that you've forever lost your privacy isn't a good one. We see this same situation with sharing contact lists with apps on smartphones. Apps will repeatedly ask, and only need you to accidentally click "okay" once.) EDITED TO ADD: It's actually worse than I thought. Edge urges users to store passwords, ID numbers, and even passport numbers, all of which get uploaded to Microsoft by default when synch is enabled.

Also from one comment:

Ted November 17, 2021 8:29 AM It looks like Microsoft released some documentation on "Microsoft Edge -- Policies" for Enterprise on 11-9-21. It is only a 472 minute read, but there is some info on Forced Synching, for example: ForceSync Force synchronization of browser data and do not show the sync consent prompt https://docs.microsoft.com/en-...

Google Chrome 96 was released yesterday, and users are reporting problems with Twitter, Discord, and Instagram caused by the new version. BleepingComputer reports: The issues have been reported to Google in a Chromium bug post where Google employees have started to investigate the problems. "We're continuing to see user reports about this behavior, including reports from our social team," notes Google product manager Craig Tumblison. "One user has shared that disabling the "chrome://flags/#cross-origin-embedder-policy-credentialless" flag resolves the behavior. Another report shares a specific error message: "The connection was rejected at https://cards-frame.twitter.com". Test team, would you be able to try enabling that flag to see if the behavior appears?"

The 'chrome://flags/#cross-origin-embedder-policy-credentialles' flag is related to a new Cross-Origin-Embedder-Policy feature released with Chrome 96. Google states that you can fix these bugs in some cases by setting the "chrome://flags/#cross-origin-embedder-policy-credentialless" to disabled. If you are affected by these issues, you can copy and paste the above chrome:// address into the Google Chrome address bar and press enter. When the experimental flag appears, please set it to Disabled and relaunch the browser when prompted.

The creator of EdgeDeflector said this week that the latest Insider build of Windows 11 now blocks all default browser workarounds. If this functionality makes its way to the finished product, it will mark a new, dark chapter for Microsoft, which told the media at the Windows 11 launch that it was aware that it had made changing app defaults pointlessly difficult, but that it had not done so maliciously and would fix it. This is the opposite of that claim. From a report: "Something changed between Windows 11 builds 22483 and 22494 (both Windows Insider Preview builds)," EdgeDeflector creator Daniel Aleksandersen writes in a new blog entry. "The build changelog ... omitted the headline news: you can no longer bypass Microsoft Edge using apps like EdgeDeflector."

Microsoft not communicating effectively? I find that hard to believe. Cough. But Microsoft moving to make Windows 11 behave even more maliciously towards its users and browser rivals? That I have a hard time with. Basically, EdgeDeflector, as well as third-party browsers like Mozilla Firefox and Brave, intercept OS-level URL requests that force you to use Microsoft Edge even when you have gone through the incredibly ponderous steps to make a non-Edge browser the default in Windows 11. But in the latest Insider Preview build, Microsoft is changing how these URL requests work. And it's no longer possible to intercept URL requests that force users to use Edge instead of their default browser. (In the Insider builds. This functionality will come to mainstream users in the coming months unless we can change Microsoft's collective mind.)

A year after releasing the first preview build of its Chromium-based Edge browser for Linux, Microsoft is announcing its general availability. From a report: The new release supports a variety of Linux distributions, including Ubuntu, Debian, Fedora and openSUSE. Microsoft announced Linux on Edge's availability milestone during the first day of its Ignite IT Pro conference. As of the release of Edge for Linux to the "stable" (mainstream user) channel, Edge is now available on Windows, Mac, iOS, Android and Linux. As it did when introducing the new Edge on macOS, Microsoft has been positioning Edge on Linux as more of an offering for IT pros and developers who want to test web sites than as a browser for "normal" users on those platforms. However, any user on any supported platform can use the new Edge.

Zoom is piloting showing ads to users on its free "Basic" tier, the company has announced in a blog post. From a report: Ads will appear on the browser page shown to users at the end of a call. Zoom says ads are being rolled out to free users in "certain countries," though its blog post doesn't detail exactly which these are. Users on the service's Basic tier will only see ads if they join a meeting hosted by another Basic tier user. Although ads won't be shown during meetings themselves, it's still a potentially big shift for the videoconferencing service. Zoom has typically imposed only minor restrictions on its free tier, which helped the service explode in popularity last year as people around the world adapted to working and socializing from home. Even its end-to-end encryption, which Zoom initially said would be limited to paid users, ended up coming to free users after all.

A Microsoft software engineer working on open-source technologies recently wrote that "you can find an open-source implementation for (almost) anything.

"But the mobile landscape is a notable exception." While there are some open-source success stories, Android being a massive one, only a handful of major companies rule hardware and software innovation for the devices we carry in our pockets. Together, Apple and Samsung hold over 50 percent of the world's market share for mobile devices, a figure that underscores just how few dominant players exist in the space. Numbers like these might leave you feeling somber about the overall viability of mobile open source. But a growing demand for better security and privacy, among other factors, may be turning the tides, and a host of inspectable, open-source solutions with transparent life cycle processes are emerging as promising alternatives....

Along with the open-source messaging app Telegram, Signal has garnered attention as a more privacy-focused alternative to apps like Facebook Messenger. The browser Chromium and the mobile game 2048 are other noteworthy examples, as well as proof that although open-source apps aren't the norm, they can be widely adopted and popular. For example, over 65 percent of mobile traffic flows through Chromium-based browsers...

Despite the many open-source technologies available to help build mobile apps, there's plenty of room to grow in the user-facing space — especially as more people recognize the value of having open-source and open-governance applications that can better safeguard their personal information. That growth isn't likely to extend to the hardware space, where the cost of building open-source implementations isn't as rewarding for developers or users — though we may start to see more devices that allow people to choose individual hardware modules from a variety of providers.
The article does cite the open source mobile hardware company Purism. And there's plenty of interesting open source software for mobile app developers, including frameworks like Apache Cordova (which lets developers use CSS3, HTML5, and JavaScript) and a whole ecosystem of open source libraries. But it all does raise the question...

Why aren't there more open source solutions for mobile devices?

Scott Gilbertson, writing for The Register: The legacy of Internet Explorer 6 haunts web developer nightmares to this day. Microsoft's browser of yore made their lives miserable and it's only slightly hyperbolic to say it very nearly destroyed the entire internet. It really was that bad, kids. It made us walk to school in the snow. Uphill. Both ways. You wouldn't understand. Or maybe you would. Today developers who want to use "cutting-edge" web APIs find themselves resorting to the same kind of browser-specific workarounds, but this time the browser dragging things down comes from Apple. Apple's Safari lags considerably behind its peers in supporting web features. Whether it's far enough behind to be considered "the new IE" is debatable and may say more about the shadow IE still casts across the web than it does about Safari. But Safari -- or more specifically the WebKit engine that powers it -- is well behind the competition. According to the Web Platform Tests dashboard, Chrome-based browsers support 94 per cent of the test suite, and Firefox pulls off 91 per cent, but Safari only manages 71 per cent.

On the desktop this doesn't matter all that much because users can always switch to Google Chrome (or even better, Vivaldi). On iOS devices, however, that's not possible. According to Apple's App Store rules: "apps that browse the web must use the appropriate WebKit framework and WebKit Javascript." Every iPhone user is a Safari/WebKit user whether they use Safari or Chrome. Apple has a browser monopoly on iOS, which is something Microsoft was never able to achieve with IE. In Windows you could at least install Firefox. If you do that on iOS it might say Firefox, but you're still using WebKit. The reality is if you have an iOS device, you use Safari and are bound by its limitations. Another thing web developers find distressing is Apple's slow development cycle. Apple updates Safari roughly every six months at best. Blink-based browsers update every six weeks (soon every four), Firefox releases every four weeks, and Brave releases every three. This means that not only is Apple slow to add new features, but its development cycle means that even simple bug fixes have to wait a long time before they actually land on users' devices. Safari workarounds are not quick fixes. If your website is affected by a Safari bug, you can expect to wait up to a year before the problem is solved. One theme that emerges when you dig into the Web Platform Tests data on Safari's shortcomings is that even where WebKit has implemented a feature, it's often not complete.

Bloomberg: There was a sense that, without the moderating influence of the late Steve Jobs, perhaps Jony Ive started to prioritize aesthetics a little too much. Since he stepped down as chief designer at the end of 2019, Apple seems to have reemphasized function. From the iPhone to Apple TV to the Macbook, gone are the days of "The user be damned, we think this looks cool." Monday's unveiling of a new Macbook Pro lineup of laptops provides evidence of the shift. Headline features released five years ago under Ive's aegis have been scrapped. Gone is the so-called "butterfly" keyboard, which rendered the device thinner but whose clunky mechanics made typing more difficult; farewell too to the Touch Bar, a touch sensitive strip display along the top of the keyboard which could show functions for the web browser one moment and mixing tools for music apps the next, but was almost impossible to use without looking; back are HDMI ports, which let you plug the computer into high-definition displays without using an adapter. Perhaps this would have happened under Ive, but Evans Hankey, who now heads the industrial design team, has overseen plenty of other tweaks that seem to indicate a change of philosophy.

[...] But there is merit in sometimes listening to your customers, particularly when the pendulum has swung too far away from function and towards form. After all, you're liable to lose professional customers -- architects, musicians, film-makers -- if they can't plug their laptops into external monitors. And professional users can afford to pay for the top-of-the-range devices that are more profitable to Apple. Dieter Rams, a significant influence on Ive, compiled 10 principles for "Good Design." Number three was "good design is aesthetic." Apple seems to have remembered numbers two and four: "good design makes a product useful" and "good design makes a product understandable."

Google today released Chrome v95, the latest version of its popular web browser and a version that contains several changes that will likely cause problems for a considerable part of its users. The problematic changes include: removing support for File Transfer Protocol (FTP) URLs -- ftp://
removing support for the Universal 2nd Factor (U2F) standard, used in old-generation security keys (Chrome will only support FIDO2/WebAuth security keys going forward)
adding file size limits for browser cookies
removing support for URLs with non-IPv4 hostnames ending in numbers, such as http://example.0.1

In addition to breaking changes, Chrome 95 also comes with a new UI component called the "Side Panel," which can be used to view the Chrome browser's Reading List and Bookmarks.

As Paul Thurrott reports, Brave is removing Google Search as its default search engine. From the report: Going forward, the Brave web browser will default to Brave Search. "Brave Search has grown significantly since its release last June, with nearly 80 million queries per month," Brave CEO and co-founder Brendan Eich says. "Our users are pleased with the comprehensive privacy solution that Brave Search provides against Big Tech by being integrated into our browser. As we know from experience in many browsers, the default setting is crucial for adoption, and Brave Search has reached the quality and critical mass needed to become our default search option, and to offer our users a seamless privacy-by-default online experience."

Brave Search is built on top of an independent index, and doesn't track users, their searches, or their clicks, the firm says. And starting with Brave 1.3 on desktop and Android, and Brave 1.32 on iOS, it will be the default search engine in the browser, instead of Google, in the United States, Canada, and the United Kingdom. It is also replacing Qwant in France and DuckDuckGo in Germany, and Brave says that more locales will be added in the next several months. Existing users can keep their chosen search engine default, of course, and new users who prefer other search engines can configure as needed. Brave Search doesn't display ads today, but the free version of the service will soon be ad-supported. An ad-free Premium version is coming "in the near future," Brave says. Along with this search engine news, Brave announced the Web Discovery Project (WDP), "which it describes as a privacy-preserving system for users to anonymously contribute data to improve Brave Search results," writes Thurrott. "The WDP is an opt-in feature that protects user privacy and anonymity by ensuring that contributed data is not linked to individuals, their devices, or any set of users." It has a GitHub repo available to help you learn more about this system.