apimade 2 hours ago

So, consider this a layman's explanation of why this change is bad from someone who spends their time securing end-users.

This change is good for the majority of users, but is actually bad for large enterprise customers and highly-regulated customers. It puts more control and onus of responsibility onto Google, rather than the end-user. So, we will expect to see better enforcement of controls from Google for the lowest-hanging-fruit that some aspects of MV2 exposed.

What's that, you say? MV2 changes? Well there's 3 things.

1. Remote code execution. The ability for someone to just yeet commands into your browser. A little harder to do directly. Still very possible, just with extra steps.

2. Removing the ability for extensions to access network requests directly, which is what adblockers often relied on. It also means malicious extensions could snoop on your requests. They still can, just with extra steps.

3. Background persistence: an extension could stay alive, maintain state, run timers, keep connections open, and coordinate across tabs. So this shuts off the "background persistence" piece -- but helps with ensuring better isolation. Still possible, but now requires yeeting your data to an external provider instead of keeping the state contained locally.

Those 3 changes are incredibly powerful, and will impact many, many Enterprise security tools. Tools that now instead will result in products like "Island Browser", and "Enterprise Chrome" being rolled out to supplement the functionality that MV2 gave us.

This change goes against the US and Australian governments' hardening advice, and reduces the overall efficacy of security controls we're able to implement within our web browsers natively.

CISA's own guidance on this is pretty straightforward (aptly named Securing Web Browsers and Defending Against Malvertising for Federal Agencies): https://www.cisa.gov/sites/default/files/2023-09/CISA%20CEG%...

Here's the Australian Government's control relating to it:

> Control: ISM-1485; Revision: 1; Updated: Sep-21; Applicable: NC, OS, P, S, TS; Essential 8: ML1, ML2, ML3
>
> Web browsers do not process web advertisements from the internet.

And if you're wondering about what incentives there are that led to this change, you can read this letter written to the Chairman of the FTC by a US Senator back in 2020. This letter is linked to from the same CISA document I shared earlier.

You should read it in full, and consider what incentives the Senator was referring to -- and how they also apply in this scenario.

https://www.wyden.senate.gov/imo/media/doc/011420%20Wyden%20...

Those Enterprise Chrome products I mentioned earlier? Chrome's change has now put some of this functionality which was previously possible with an extension, behind the Enterprise Chrome Premium SKU: https://chromeenterprise.google/products/chrome-enterprise-p...