Google web services take advantage of an API that only Google knows about.
Completely unsurprising. Google should have been given the anti-trust treatment long ago. There's not a saving us because the ones to save us are completely complicit. And people who write independent browsers will be smacked back down by having places like YouTube throttle them.
In the comments its not just chrome that is affected.
Its apparently all Chromium browsers.
Isn't chromium open source? How are the APIs a secret?
Simply noone ever looked and it's not documented. And the api is locked to work only on google domains so it wasn't usable to anyone to accidentally notice what's going on.
The code doesn't do anything on non-Google domains.
Luca says this - I'm inclined to agree:
This is interesting because it is a clear violation of the idea that browser vendors should not give preference to their websites over anyone elses.
Follow up question: How many other parts of the chromium codebase limited to work on (maybe other) specific domains?
The code doesn't do anything on non-Google domains.
A Google engineer adds a piece of code, does not document what exactly it does, and it was approved without question. Something is seriously wrong with this or I don't know how the Chromium project works.
I read somewhere a long time ago that chromium is a "look, but not touch" type of foss project. You can fork it, fix it, do whatever you want with the code, but on the main chromium repo they rarely accept PRs from random contributors
Here is an article from 2020, about the first non google employees getting some rights in the repo, before that all decisions was made by google employees: https://www.cnet.com/tech/mobile/google-gets-web-allies-by-letting-outsiders-help-build-chromes-foundation/ This api was added in 2013
And the workaround for this issue is really simple, and it was recommended privacy wise for a long time: don't use chromium based browsers and don't visit google related sites, as much as you can.
You can fork it, fix it, do whatever you want with the code, but on the main chromium repo they rarely accept PRs from random contributors
This needs to be discussed more by the community.
I can kind of understand what's happening. They want to have complete control over what goes in an out of Chromium. Some PM is probably overseeing the PRs, and if some PR hinders their ability to collect data, that PR gets rejected. Mighty fine project this is. Other forks probably don't have the resources to go through all the commits issued by Google and just accept them as it is. They just makes the changes to suit their own agenda. All the more reason for people to switch to Firefox
I wonder how Ungoogled Chromium is affected by all this.
I don't know what needs to be discussed. Everyone owns their code, every project has some kind of hierarchy. Chromium is a project started by google, so Alphabet Inc. has a final word in any decisions. Similarly Linus Torvalds has a final say in Linux kernel development, and Lennart Poettering in systemd. That's how it always worked, and I think it's good enough.
What you can do is, you can hard fork a project, than you can have a final say there. This is actually how chromium's engine started: its Blink engine is the fork of Apple's webkit engine which is again a fork of Kde's khtml engine.
Ungoogled chromium is not a hard fork it's just a list of patches: https://github.com/ungoogled-software/ungoogled-chromium They can override google's decisions this way, but the more thing they patch the more thing they have to maintain, more work, and more things can break with each update. Afaik it's similar how all other chromium based browsers work.
Everyone said this for years now. If you care about the freedom of internet (caring about your privacy is secondary) you shouldn't use chromium based browsers. Stop using it now.
Open source doesn't mean they have to accept community input. The rights you're granted are the right to take their code and alter it for your own project, or redistribute it, not direct it.
A lot of corporate owned open source projects choose not to accept third party contributions at all (or at least without giving them actual ownership), because if they own the entire codebase, they can sell different licenses to businesses that may not like some restriction of the open source license.
I prefer the VS Code approach. The entire codebase is open but owned by Microsoft. But because of the MIT licence, the community has made VSCodium. Microsoft does not interfere with VSCodium (AFAIK). This I think is a good model.
including Vanadium?
This comes from hangout_services/thunk.js
I searched for hangout in the vanadium repo, no result, so it's not patched there either: https://github.com/GrapheneOS/Vanadium
Vanadium
Just asked in their matrix channel.
hybridstaticanimate:discord Vanadium did not enable this at build time.
hybridstaticanimate:discord There is nothing to patch.
hybridstaticanimate:discord Other browsers chose to enable this.
Kind of. Vivaldi let's you turn it off though. Privacy, disable meet extension.
Fuck Chromium. Don't let Google single handedly control how the Internet works. Don't support Chromium browsers.
This is why we need to all back firefox...
I dont care if the CEO sucks, or if they have some opt-out anti-features....
Chrome monopoly is a far greater threat
Google should have been given the anti-trust treatment long ago
Lina Khan on the horizon looming ominously.
People are conditioned by Windows to treat it as normal that they are using something developed by a hostile entity, but that entity is kinda benevolent and doesn't do ... what it can always do and no one will notice for a few months or years.
I switched to Linux being 16, so - still sufficiently maximalist to just believe that it shouldn't be this way at all. (Still I have Chromium installed and sometimes use it, so same situation as everyone.)
For sane adult people it's hard to just say no to unhygienic parts of tech, at least in their own mind, because IRL of course you can't get rid of everything bad.
Remember this thumb rule -> if it's not open-source, you are allowing the software to do whatever it wants to do.
No regulation, law, support group is going to help you. You are digging your own grave.
I agree, but... This was in open source software. Chromium. Not just Google Chrome. https://github.com/chromium/chromium/commit/422c736b82e7ee763c67109cde700db81ca7b443
hangout_services/thunk.js (via) It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, but the code has been there in the public repo since October 2013 as far as I can tell.
https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/
This is included in the chromium source code which is public
If it's any software you didn't write yourself or audit every line of...
For a typical Linux distro that's tens of thousands of packages...
I am no expert on code-auditing. But I'm slightly at peace that there are 100s of experts looking at the code because it's open-source. But i also understand mistakes can still happen. It's not a perfect system, but it's the best solution so far.
There's some truth to that, but bad actors have managed to slip things through in the past. It happened recently with xz.
I guess my point is that we put a lot of trust in strangers when we run any code on our systems. Open or not.
True. We can also not run code at all and be perfectly safe.
I wish there was a comparison. Number of 0days in open source and 0days in closed source for comparible projects and a measure for time to mitigate the 0days.
Hopefully no one comes in here and tells me Firefox does shit like this as well... I just swapped back.
Firefox doesn't have a huge number of pages like Google does. The problem is collusion between browser and websites run by the same company.
This is a most excellent place for technology news and articles.
