This is specifically looking at (pre-manifest-V3) Chrome, so there are some other differences with Safari, but CNAME uncloaking is the most obvious example.
See also some of the previous comments I've made about this in the past (https://news.ycombinator.com/item?id=23622206). A few of these details might have changed (I vaguely think I remember Apple raising the rule limit), but I think the fundamentals are all still true.
> Did you personally vet the open source code? Did you compile it from scratch and install it on your phone or are you trusting it’s the same code?
I have read through parts of uBlock Origin's code, yes, but ultimately I'm trusting the broader Open Source community to say it doesn't have holes in it. And yes, I'm trusting Mozilla's vetting process for its "trusted extension" category. I think that's a reasonable thing for most people to do.
Of course, I could compile the extension myself, but I think to a certain degree that would be security theater.
----
Again, just really surprising to see an argument that boils down to "this Open Source application might potentially spy on me, and that's a greater danger than the websites that I know are actively spying on me right now." If Safari adblocking is good enough for you and your threat models, great. You don't need to justify that by pretending that uBlock Origin is insecure.
I will note, by the by, that Safari's limitations mean that (at least on desktop) the top-rated adblockers like AdGuard have shifted to running as external applications separate from the browser (https://adguard.com/en/welcome.html). This is not a dig at AdGuard, I think the AdGuard devs (as of last time I checked) are doing really great work. But if you're worried about sandboxing, running a desktop app is a lot more invasive than running a browser extension. I don't know if there are ways to do the same circumvention on iOS, so it's possible that AdGuard devs are staying in the browser sandbox there; I'd need to double-check.
Of course, you can use apps like AdGuard as pure extensions in their more limited form (I don't recommend a specific iOS app, but unless something has changed since the last time I checked, AdGuard is a solid choice) -- but you will get a more limited adblocker as a result. The performance might be good enough for you, and that's fine. But it's still correct to say that it will be more limited.
----
I will also add to this just to preempt anyone arguing otherwise that I am not saying that browser extensions shouldn't have better sandboxing. They should, extension sandboxing is awful and it needs to improve. What I am saying is that the specific sandboxing model that Safari uses (and that Chrome is moving towards) for adblocking limits their effectiveness.
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...
This is specifically looking at (pre-manifest-V3) Chrome, so there are some other differences with Safari, but CNAME uncloaking is the most obvious example.
See also some of the previous comments I've made about this in the past (https://news.ycombinator.com/item?id=23622206). A few of these details might have changed (I vaguely think I remember Apple raising the rule limit), but I think the fundamentals are all still true.
> Did you personally vet the open source code? Did you compile it from scratch and install it on your phone or are you trusting it’s the same code?
I have read through parts of uBlock Origin's code, yes, but ultimately I'm trusting the broader Open Source community to say it doesn't have holes in it. And yes, I'm trusting Mozilla's vetting process for its "trusted extension" category. I think that's a reasonable thing for most people to do.
Of course, I could compile the extension myself, but I think to a certain degree that would be security theater.
----
Again, just really surprising to see an argument that boils down to "this Open Source application might potentially spy on me, and that's a greater danger than the websites that I know are actively spying on me right now." If Safari adblocking is good enough for you and your threat models, great. You don't need to justify that by pretending that uBlock Origin is insecure.
I will note, by the by, that Safari's limitations mean that (at least on desktop) the top-rated adblockers like AdGuard have shifted to running as external applications separate from the browser (https://adguard.com/en/welcome.html). This is not a dig at AdGuard, I think the AdGuard devs (as of last time I checked) are doing really great work. But if you're worried about sandboxing, running a desktop app is a lot more invasive than running a browser extension. I don't know if there are ways to do the same circumvention on iOS, so it's possible that AdGuard devs are staying in the browser sandbox there; I'd need to double-check.
Of course, you can use apps like AdGuard as pure extensions in their more limited form (I don't recommend a specific iOS app, but unless something has changed since the last time I checked, AdGuard is a solid choice) -- but you will get a more limited adblocker as a result. The performance might be good enough for you, and that's fine. But it's still correct to say that it will be more limited.
----
I will also add to this just to preempt anyone arguing otherwise that I am not saying that browser extensions shouldn't have better sandboxing. They should, extension sandboxing is awful and it needs to improve. What I am saying is that the specific sandboxing model that Safari uses (and that Chrome is moving towards) for adblocking limits their effectiveness.