Could the uBlock developers not simply create a localhost HTTP/WebSocket(S) MITM proxy and use the WebExtensions system to tell Chrome to use that proxy?
In this way, no more Manifest V3 tyranny preventing the blocking of advertisements.
OCSP, OCSP Staple, CRL checks would be performed by the MITM proxy.
Certificate transparency searches can be performed by the MITM proxy.
Certificate transparency is not required by Chrome if you are not using a public trust root certificate.
Even if it did, you can safely disable it with Group Policy, as the MITM proxy would do this for you against public trust root authority certificates.
Extended Validation (EV) checks can be done using this as well, although you won’t get any EV flags in the URL bar when using your own certificates.
Ditto for the verification of the TLS certificate.
Then the MITM proxy on localhost will generate a clone of the original certificate’s attributes, but it will sign it with its own private key.
The MITM proxy would prompt the user to trust a root certificate generated on the user’s computer. It will be in the current user’s certificate store.
Then whenever it wants a request to be blocked, instead of trying to block it, uBlock should inject the ‘uBlock_MITM_Blocked: true’ header into it before letting it go.
Then the MITM proxy, when it sees the request with this header, will block it by directly bypassing the tyranny of Chrome.
I mean, if Chrome doesn’t allow you to block requests, instead of blocking it just use a standalone MITM proxy that blocks it for you.
Basically the method is that instead of blocking a request you inject a ‘MITM_Please_Block_That_Request’ HTTP header.
When the MITM proxy sees it, the request is blocked.
This could be a pretty interesting concept if Google ever tried to be your bossy digital nanny.
Regarding the security of the MITM proxy’s root certificate private key, in theory you can create malware that reads the MITM proxy’s private key .pem file for the already trusted certificate.
Then use it to capture the encrypted traffic.
But you can still use the concept that MITM Proxy itself is a folder locking service that only allows itself to read a folder (using callbacks, not ACLs).
When a process other than itself wants to access it, access is denied.
You can also use HIPS-like technology to block WriteProcessMemory, DLL injection, etc.
I believe that eventually Google will completely remove uBlock Origin as well as all Manifest v2 extensions from the Chrome online store.
Just like what Mozilla did with the XUL addons.
And just as you are not allowed on Google Play to publish an app that downloads YouTube videos or acts as a YouTube client, Google will likely remove all add-ons that block Google Analytics, AdSense, YouTube ads, etc.
Also be aware that Google can remotely blacklist any extension you already own.
When this is the case, your extension is greyed out in the extension manager and you can no longer activate it.
The developers of uBlock Origin should explore alternative options such as delegating important tasks that Chrome obstructs to external, non-browser programs that run outside of the oppressive Chrome API.
I am just drafting the general concept; the rest is probably best drafted by the uBlock developers themselves.
In Android, we already use this same concept for ad blocking because Android web browsers are trash for personalization, privacy, etc.
Only Firefox for Android supports uBlock Origin, and even then you need to change all of the about:config options.
This is because Mozilla always sets nasty settings like telemetry and extension blocklist checking to the worst defaults it can have.
In Android, the VpnService is used to hook DNS queries, WebSocket traffic and HTTP(S) traffic.
When you want to escape from a prison, it is difficult to do it yourself.
Instead, you need to use the API provided by the jail to talk to someone outside of the jail system.
Then the person outside the prison system will be able to help you from outside, with no prison restrictions to get you out.
I believe this is how breakouts are done most of the time in history.
Well, now you want to escape the jail of Google webExtensions?
You should research real world history and you will find the solution that worked for people back then, and maybe still works.
By the way, escaping prison with the help of outsiders is exactly what jailbreaking refers to for iPhone devices when you use a PC to jailbreak them.
Things that would have been hampered using only the iOS device itself have been made possible by using its vulnerabilities from outside the prison (with a PC).
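The header-flag idea sketched above (the extension tags a request instead of cancelling it, and a local proxy drops anything carrying the tag), as an added example that is not part of the original post or of uBlock Origin. It assumes a plain-HTTP forward proxy on 127.0.0.1:8080 and leaves out the TLS interception and certificate cloning the post describes; the header name is the one the post proposes.

```python
"""Header-flag blocking decision for the proposed localhost proxy.
The extension adds the marker header; the proxy refuses flagged requests
and strips the marker from the rest so the upstream server never sees it."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

MARKER = "uBlock_MITM_Blocked"  # header name from the post; HTTP names are case-insensitive


def should_block(headers):
    """True when the request carries the marker header with the value 'true'."""
    for name, value in headers.items():
        if name.lower() == MARKER.lower():
            return value.strip().lower() == "true"
    return False


def strip_marker(headers):
    """Copy of the headers without the marker, whatever its capitalisation."""
    return {k: v for k, v in headers.items() if k.lower() != MARKER.lower()}


class BlockingProxyHandler(BaseHTTPRequestHandler):
    """Plain-HTTP forward proxy: empty 403 for flagged requests, pass-through otherwise."""

    def do_GET(self):
        headers = dict(self.headers.items())
        if should_block(headers):
            self.send_response(403)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # Forward the request with the marker removed; self.path is the absolute URL
        # in a forward-proxy request (assumed here, as in the post's scheme).
        upstream = urlopen(Request(self.path, headers=strip_marker(headers)))
        body = upstream.read()
        self.send_response(upstream.status)
        for name, value in upstream.getheaders():
            if name.lower() not in ("transfer-encoding", "connection"):
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    ThreadingProxy = ThreadingHTTPServer(("127.0.0.1", 8080), BlockingProxyHandler)
    ThreadingProxy.serve_forever()
```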