Google 公告了 Chrome Extension 對於權限的新規範

是收到信件通知 (因為之前有開發一些 extension),裡面提到的重點主要是出自「Developer Program Policies」裡的兩項。

第一項是要求權限最小化:

Request access to the narrowest permissions necessary to implement your Product’s features or services. If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality.

第二個是你現在沒有實做的功能就不能要權限:

Don't attempt to "future proof" your Product by requesting a permission that might benefit services or features that have not yet been implemented.

這些新條文將會在 2019/10/15 生效:

Your extensions must be compliant with this policy by October 15th, 2019. You can learn more about these changes and how they may apply to you in our User Data FAQ.

在 Chrome 的 FileSystem API 的漏洞被補上後,偵測私密瀏覽模式的方式

Google Chrome 74 版修掉了一般模式與私密瀏覽模式下 FileSystem API 明顯的不同處後,自然就會有人研究其他的偵測方式:「Bypassing anti-incognito detection in Google Chrome」。

作者提出來的方式是透過 Quota Management API,一般模式與私密瀏覽模式下會得到不同的值,尤其是硬碟夠大的時候上限是不一樣的:

不過這個看起來應該比較好修?

JavaScript 的 sort 變成 stable

看到「Stable Array.prototype.sort」這篇在講 JavaScript 規格書裡的 sort...

本來 JavaScript 的規格書裡,各種 sort 都沒有保證 stable,而在「[Normative] Make Array.prototype.sort stable #1340」與「[Normative] Make %TypedArray%.prototype.sort stable #1433」這兩個地方則有了變化,提案在規格裡加入 stable 的要求,可以減少開發者因為不知道 unstable 而造成的問題...

Firefox 則是很久前就決定使用 Merge sort 了 (看了一下,當時還在從 Firebird 轉換名稱到 Firefox 的時期):「Array.sort isn't a stable sort (switch to MergeSort)」。

另外這篇也剛好提到了 V8 使用 Timsort 當作 stable sorting algorithm,之前就有看到但發現沒在 blog 上提過...

Timsort 是 1993 年發明出來的演算法,與 Merge sort 的情況類似,除了 stable 外,還可以保證最差的情境下的時間複雜度是 O(n*log(n))

Timsort is a hybrid stable sorting algorithm, derived from merge sort and insertion sort, designed to perform well on many kinds of real-world data.

這個演算法的重點是善用已經排好的子序列,藉此降低記憶體操作次數而提昇效能,符合真實環境裡常見到的資料:

The algorithm finds subsequences of the data that are already ordered, and uses that knowledge to sort the remainder more efficiently.

除了 V8 採用這個演算法以外,其他常見的包括了 PythonAndroid 上的 Java SE:

Timsort has been Python's standard sorting algorithm since version 2.3. It is also used to sort arrays of non-primitive type in Java SE 7, on the Android platform, in GNU Octave, and Google Chrome.

Firefox Premium

Firefox 打算要推出 Firefox Premium:「Mozilla will reportedly launch a paid version of Firefox this fall」。

現有的功能仍然會維持免費,所以目前猜測 Firefox Premium 應該是把附加服務包起來變成月費包裝:

So, what we want to clarify is that there is no plan to charge money for things that are now free. So we will roll out a subscription service and offer a premium level. And the plan is to introduce the first one this year, towards fall. We aim for October.

目前有提到的是 VPN,先前 Mozilla 有跟 ProtonVPN 合作,有可能會在接下來的 Firefox Premium 也一起合作...

Hacker News 上的討論「Mozilla will reportedly launch a paid version of Firefox this fall (thenextweb.com)」有些值得看一下...

其中一個討論的主題是,既然以 Firefox 當作招牌打包,那麼本來免費時的某些行為大家還可以「忍受」,到了付費版的時候就不是這樣了...

既然目標是十月,先放著吧... 後續應該會有其他的新聞。

其他用 Chromium 核心的瀏覽器不打算跟進 webRequest 的修改

先前提到的「所以 Google 要對 ad blocker 全面宣戰了...」,現在朝著幾個方向在發展:一個是寄託在反托拉斯法的部份,另外一個是市場的替代方案。

Firefox 算是常被提出來的替代方案,但 Firefox 的流暢度比 Chromium 差了一大截,所以目前主要的替代方案應該還是在各家使用 Chromium 核心的瀏覽器身上。

ZDNet 詢問了這些瀏覽器的人,大多數都表態會維持 webRequest 的原來運作:「Opera, Brave, Vivaldi to ignore Chrome's anti-ad-blocker changes, despite shared codebase」。

目前只剩下剛換到 Chromium 核心的 Microsoft Edge 還沒有回應 ZDNet

先繼續看看吧...

所以 Google 要對 ad blocker 全面宣戰了...

一月的時候 Google 就提出了「Manifest V3」,打算閹掉 extension 透過 webRequest 攔截連線的能力,而這個功能就是 uBlock Origin 這類 ad blocker 的基礎。

當時 Google 宣稱 webRequest 嚴重影響瀏覽器效能,但 Ghostery 的團隊則做了實驗證明影響極小:「Ad blocker performance study in response to Manifest V3 finds that Ghostery's ad blocker beats the competition」、「Google遭證據打臉,廣告封鎖程式幾乎不影響Chrome效能」。

All content-blockers except DuckDuckGo have sub-millisecond median decision time per request.

另外在 Alphabet (Google 母公司) 遞交給美國證管會的資料 (FORM 10-K) 可以看到他們把 ad blocker 視為威脅:「goog10-kq42018.htm」。

New and existing technologies could affect our ability to customize ads and/or could block ads online, which would harm our business.

Technologies have been developed to make customizable ads more difficult or to block the display of ads altogether and some providers of online services have integrated technologies that could potentially impair the core functionality of third-party digital advertising. Most of our Google revenues are derived from fees paid to us in connection with the display of ads online. As a result, such technologies and tools could adversely affect our operating results.

所以後續的行為就很清楚了,他們決定 Manifest V3 還是會閹掉 webRequest (以有效抑制 ad blocker 的能力,反正繼續堅持效能問題,當作沒聽到),只開放企業版本使用:「Google to restrict modern ad blocking Chrome extensions to enterprise users」。

Mozilla 愈來愈不成氣候的情況下,現在要看的戲應該是 Google 是否會因此受到 anti-trust 的挑戰呢...

在 DOM 操作時的 insertAdjacentElement

看到「Why I'm still using jQuery in 2019」這篇,裡面提到了 jQuery 很多操作上相較於 vanilla javascript 簡單很多,其中一個例子提到了 DOM 操作的 insertAdjacentElement()

el.insertAdjacentElement('afterend', other) undoubtedly works, but $(el).after(other) is actually palatable.

其實我不知道 insertAdjacentElement() 這個功能,我知道的操作都是透過 parentElementfirstChild 在移動位置,然後用 appendChild()insertBefore() 放進去。

跑去 MDN 上查了「Element.insertAdjacentElement() - Web APIs | MDN」後才發現有這個好用的東西:

targetElement.insertAdjacentElement(position, element);

position 的四個變化減少了以前組積木組多了會頭暈的情況。

接下來是研究支援度的問題,才發現可能是因為 Firefox 一直到 48 才支援 (從「Firefox version history」可以看到 48 是 2016 年八月釋出),所以網路上大多數的文章都還是用組積木的方式在介紹 DOM 操作,以避免相容性的問題:

Firefox 48 was released on August 2, 2016 for both desktop and Android.

另外還看到 insert​Adjacent​HTML()insert​Adjacent​Text() 可以用,其中讓我注意到 MDN 上面提到 insert​Adjacent​HTML() 居然是 Firefox 8+?本來以為是 48+ 的誤植,但從 Mozilla 的記錄「Implement insertAdjacentHTML」這邊可以看到,應該是在 Firefox 8 的時候實作的,這樣的話可以當作 insertAdjacentElement() 的替代品 (如果考慮到古早的相容性),只是這邊需要輸入 html string,跟其他操作是是用 element 不太一致...

意外的學到不少歷史故事... @_@

Firefox 引入 BigInt,Safari 也在實作...

Firefox 實作了 BigInt (進度可以在「Implementation of BigInt values for SpiderMonkey」這邊看到):「bigint shipping in firefox!」,現在可以在 68 beta 版裡使用:

I am delighted to share with folks the results of a project I have been helping out on for the last few months: implementation of "BigInt" in Firefox, which is finally shipping in Firefox 68 (beta).

另外文中也提到了其他瀏覽器的情況 (再 Can I Use 也可以看到「BigInt」目前的支援情況),用 V8 engine 的都已經支援 (包括 Chrome 與新版的 Edge),而 Safari 也在實作中:

BigInt is also shipping already in V8 and Chrome, and my colleague Caio Lima has an project in progress to implement it in JavaScriptCore / WebKit / Safari. Depending on your target audience, BigInt might be deployable already!

另外一個有趣的事情是 license,其中馬上可以想到的是 GMP,裡面牽扯到 LGPLv3GPLv2 的授權問題:

Since version 6, GMP is distributed under the dual licenses, GNU LGPL v3 and GNU GPL v2. These licenses make the library free to use, share, and improve, and allow you to pass on the result. The GNU licenses give freedoms, but also set firm restrictions on the use with non-free programs.

從說明有提到一些目標,短期可能會用 GMP 以儘快時做出合理的效能版本,長期則是希望用自己的版本:

An important design question is whether to implement the arithmetic operators as native or self-hosted intrinsics, probably using an external library such as GMP in the former case. Using an existing library has the advantage of providing good performance for less initial effort, but a self-hosted library also has advantages, such as greater flexibility in representation, better compiler integration, and simpler integration with the rest of the JS runtime (GC, etc.).

2018 年一月的討論有提到有一包 patch 是使用 GMP 的版本,這樣看起來應該是有解決 license 上的問題...

The current version of the patch uses libgmp for BigInt arithmetic, supports most features from the current proposal, and passes all up-to-date test262 tests for BigInt. Direct compiler support for BigInt has been removed; instead, compilation should fail if a possible BigInt value is encountered.

後續的描述裡面也都有提到 GMP 相關的事情,應該是沒錯...