Enhancing uBlock Origin with uMatrix

Discussion in 'other software & services' started by Jarmo P, Sep 20, 2016.

  1. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Now this is for all readers familiar with uBO and the dynamic filtering and maybe unfamiliar with uMatrix.

    I am telling how you can block (first party) cookies and third party frames with an example. Here is more than just an example though, some general ideas how to use the 2 extensions together.

    1. I assume that you use most times uBO. Go check therefore in uBO dashboard all malware filters and and uncheck all the hosts files in uM dashboard. We are going to use the extensions together and want only one extension doing the static filtering or anyways blocking what is in them.

    2. Make uM global (*) scope rules as seen in this picture:

    uMatrix_global mask.jpg


    The limitation that any filtering mode of uBO has is that when you (locally) noop some 3rd party domain, you most times want to allow just it's scripts and NOT the iframes. But you can't do that with an individual domain, only with every script allowed to run from all the domains. Not with uBO and it's GUI means alone.

    This is the example. We are on a media site, say Wired.com. So we first in uMatrix click all-button (on the top left) to make it green in the wired.com-scope, like in this picture:

    all_allowed.jpg


    Looking at the pic you can see that with the above global scope rules functioning as a mask, the cookies and 3rd party frames are blocked (red) and everything else is allowed (green). You can block/unblock what ever you want/need from the matrix, but above happened with just one click.

    You can now go to work with uBO to noop or allow what ever domains needed to make the media you want to work. uM will take care of blocking the frames (if any) or whatever you want it to block.

    Usually the easiest way to operate uBO is to have uM extension disabled. If you just disable the matrix of uM, the scope specific rules will still be in force. As well as other uM privacy settings. They might be though what you want, but you also need to take it into account if something is not working.

    The example showed how to make them work quite easy together with uM being the safety backbone so to say, to enhance the dynamic filtering limitations of uBO.
     
    Last edited: Sep 20, 2016
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    And because this thread assumes the reader is not maybe familiar with uMatrix, here are the global "mask" rules from the first picture:

    • * * * block
    • * * cookie block
    • * * css allow
    • * * doc allow
    • * * frame block
    • * * image allow
    • * 1st-party * allow
    • * 1st-party frame allow

    Global rules can be also restricted as an example to say against facebook as a 3rd party, allowing it only in facebook or whatever domain you want:

    * facebook.com * block
    * facebook.net * block
    facebook.com facebook.com * allow
    facebook.com fbstatic-a.akamaihd.net * allow


    The scope selector in top left of the uM popup GUI is very important. I used both global scope * and a domain scope wired.com in the example.
     
    Last edited: Sep 20, 2016
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Jarmo, impressive post to show how to micro manage what dynamic code is allowed to run in your browser.

    Now although the example is clear. It shows that wired has zero iframes blocked, so your example shows that you block 3 first party cookies, which you call a safety backbone?

    o_O what am I missing?
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    WS, this site https://www.wired.com/ is just an example site. I have almost never used it myself, but took it as it has been used before in uMatrix or uBlock Origin's wikis as an example site. I did not want to put some finnish language media site instead that few people except me here would understand. Wired.com was maybe not the the best site to use but it does not matter to demonstrate the concepts.

    Anyways, if you noop all the scripts in uBO locally, the "backbone" will block 3 third party frames and 11 first party cookies as shown in the matrix. My Chrome settings block all 3rd party cookies so can't say any about them.

    The global "mask" rules are not related or special in any way how uM was used in this example. They have always been like this with me. Blocks cookies as many sites work without them if you don't need to login etc. The only thing that is different now to my previous usage of uM is that the hosts files are unchecked as I'm experimenting with just using them in uBO.
     
  5. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    828
    Location:
    Ireland
    Or another way is to create a filter in uBlock $subdocument,third-party

    uMatrix will, of course, give you better control if you ever do want to allow a particular third-party frame.
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    My experiences of the example approach. Some sites have user comments from facebook.com or pictures from instagram.com etc. with frames included. Nooping locally all scripts simple uBO approach, no need for uM backbone, won't work.

    So I will have to noop those domains in those sites locally AND remember to allow their frames also in uMatrix if the matrix filtering is activated. So double whitelisting of frames. Seems not be too much of a bother in normal usage though.
     
  7. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    828
    Location:
    Ireland
    You could also create an exception $subdocument filter for what ever domain Facebook and Instagram use.

    That way, if you noop a wabsite, third-party frames will be blocked unless they come from Facebook or Instagram.
     
  8. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Thank you again malexous. I am not in much knowledge of a filter rule syntax and I think dynamic filtering works more flexible. But there are surely uses for it and I really should get more familiar with static filtering yes.


    The evolvement of this thread experience has made me change the first rule in post #2 to
    *** allow
    instead blocking all by default.

    Also I have globally unchecked these from uMatrix Privacy settings:
    1. Spoof HTTP string of third-party requests.
    2. Strict HTTPS: forbid mixed content.
    3. Spoof User-Agent string randomly.

    On site basis I can force them on if wanting from uM UI as well as do a total filtering. I took them off to not normally have to touch uM UI for anything else except to allow cookies when needed and to allow frames on specific 3rd-party domains..
     
    Last edited: Oct 2, 2016
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    your pictures and settings show normal behavior or settings from uBlock. where exactly is the difference to use uMatrix?
     
  10. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Well, what else would you have changed? uMatrix settings as they come are pretty much good for uM users.

    This thread is intended for users of uBlock Origin and how it is possible to utilize uM same time without having to disable it. A teaching thread.
    The power of all-cell in domain scope needed to be introduced, able to unblock, or as in the last of my post to block everything when by default they are allowed.
    As well as unchecking the hosts files in uM that i consider a truly important change.

    At the moment I can't think anything else done to uM for the 2 extensions running together and complementing each other.

    Now i'm not a member of github forum, nor intending to post this in there, but I warmly wellcome anyone who likes the ideas in this thread to do so.

    Another reason for this thread is also for critical comments. This is just my way of running them. I was never totally happy with uBO alone as an old user of HTTP Switchboard and later uMatrix.
     
  11. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    884
    I see nothing wrong with using uMatrix and uBlockO together.
    But i never configured the "matrix" in uBlockO, i do it mainly in uMatrix.
    In my case:
    uBlockO = responsible for (only) blocking ads (and remote fonts)
    uMatrix = responsible for blocking the rest (3rd-party scripts, cookies, frames, etc.)
     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Yes that is one way of using uBO. As an adblocker etc.

    It is just that the uM is too much for most people, including myself, on normal surfing.
    And rather use only uBO dynamic filtering, except on sites that I want uMatrix do that. This way you can have both as an option if any day whitelisting uMatrix becomes too much a bother for you.

    For Brummelchen it became too much and as I understand he/she changed to using only uBO. But he had anyways some wierd uM rules of blocking more than the default install settings. I really did not quite understand his/her post. This thread is not about configuring uBO, but rather to make uM compatible with it and uBO's dynamic filtering.
     
    Last edited: Oct 2, 2016
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    @mood
    a) uBo can block scripts, also special scripts for a site or scripts with keywords in it (which uM cant)
    - and more: uBo can block different type of scrips: inline, 1st-party, 3rd-party - and for each site,
    uM can only block scripts per site - this means more settings = blowing the settings file

    b) cookies are blocked in browser (in some cases blocking 3rd-party cookies results in wrong site showing or functionality)
    c) uBo can block frames
    d) uBo can block css too using the logger, means a bit more work but same effectiv
    e) uBo can block popups too, uM is more granular but the most popups (xhr) are generated by same site
    f) blocking plugins is not really necessary - browsers have a settings for this. in special for firefox the NPAPI is running out of business so that plugins in general dont need any longer a blocking. opera dont have any plugin (chrome has pepperflash inside, too bad)

    uB and uM are using same blocking lists, so raymond recommended in the wiki to deactivate those in uB or uM to avoid interference (in special hosts file block)

    as i try to point out - uM is more granular, but only for really special things which the regular user dont need to filter. and i think that most users of uBo + uM dont really use the fully potential of uBo nor have any idea how to dive into when the expert setting is activated.

    thats why i asked what settings are now special for uM and extend uBo filtering. i had my time to learn about uBo and after it i uninstalled uM because it dont give me more security nor anti-spying.

    from my experience with uM it is possible to filter websites to death or push users own paranoia. it does not raise security or offers so much more to uBlock. but people should make their own experience with it, it is hardly to tell and understand the meaning behind - lack knowlegde of the potential of the used software.
     
  14. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    884
    If you block cookies with the browser (not via extension), the site can't even write the cookie and is displaying a message like: "Enable cookies, please..."
    If cookies are blocked with uMatrix, the writing of the cookie is allowed (no message like: "you have to enable cookies...") but uM doesn't let the site read the previously saved cookie.
    This means, all cookies (3rd-party and even 1st-party) can be "blocked" in uMatrix without problems, this can enhance the privacy.
    (uBlockO can't block them)

    The exception is of course, if the user needs to login somewhere or visit a shop then cookies are needed, and the user has to whitelist cookies for the site in the matrix.
    In all other cases they can theoretically be blocked with uMatrix, without loosing functionality of websites.
    With uMatrix there is much better control. Yes, it is more granular.
    If a lot of blocking is involved, the matrix of uM can handle it better.
    If i block 3rd-party-scripts and frames and i go to a website that is loading resources from domain A and B, i have the choice to allow 3rd-party-scripts for domain A and frames for domain B in uMatrix.
    But if i noop the domain A in uBlockO, 3rd-party-scripts and frames are allowed.
    See:
    Using both extensions doesn't mean that these users are "not able to" work with uBlockO alone. I think that's not the problem :cautious:
    uMatrix can block/allow with better granularity, can handle cookies (and 1st-party frames), and XHR-Requests are shown in the matrix (and don't have to be added via the logger like with uBlockO).
    But with dumping uMatrix (and only using uBlockO) all these advantages are gone.

    a) uBlockO can be used as an ad-blocker, and uMatrix is blocking all these stuff (scripts,frames,...) with more control than with uBlockO.
    b) Or the blocking is done with the matrix of uBlockO and uMatrix can be used in addition to it (blocking cookies,frames, and features like: change referer,user-agent, [if needed])
    At what level begins the "paranoia"? :cautious:
    * Blocking third-party images
    * allowing scripts from facebook.com only on facebook.com
    * using "hard-mode" / "nightmare-mode"
    ...
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    i never noticed that because i use the browser function for that - if i dont want a cookie then i dont want it in general and not only "write only"
    a point i problably never dived into
    and that makes no really sense for me - i block iframes but allow its scripts? i never noticed any difference but if i dont want iframes i also dont want its content - at all.
    depends on user i would say. i have some stronger rules which i need to loose a bit sometimes.
    although you gave me a deeper view to uM i dont think its made for the masses.

    last days i was lot of times on adobe sites and i had to set several settings from scratch otherwise adobe site will be buggy. if a had to do that also for uM i would have gone crazy. just too much.

    ty
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Malware often uses iframes for its malicious code, so blocking iframes only can be and is beneficial, especially for those who favor convenience over excessive management of script control.
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    i understood iframes and malware before, but why to load scripts from iframes which cant be used due xss - there is no cross-domain usage possible for scripts.
    but - wilders uses iframes for its forum software - if you speak about iframes from the same domain?

    but - i have iframes allowed but not all scripts from the same domain or subs or other domains until i allow them (deny/allow policy).

    i had same setting in uM, dont allow XHR and dont allow scripts until i do. i can allow xhr but not all scripts and vice versa - im uBo and uM too.

    uM allow me to set XHR for separate domains - thats what i understood for granular - but i had less ocurance for this - same for other settings and thats why i uninstalled uM.
     
  18. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    884
    With the "cookie-management" of uMatrix this is needed. But the cookie doesn't leave the browser, only if the user whitelisted it.
    But blocking within the browser is a more stricter approach, and less cookie-cleaning is needed :)
    (not the scripts from the iframe itself, but from the site/domain which is embedding the iframe)
    If the user allows all scripts, scripts from iframes can be loaded too. In that case it's better to block iframes.
    -----
    Correct.
    But configuring uM can be a pain sometimes, especially on "big" sites.
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,140
    Location:
    Cape Town, South Africa
    My question may be slightly OT here, but here goes. I used to use uMatrix to control cookies amongst other elements in addition to UBlockO in medium mode, but now just use UBlockO in medium mode with recommended settings.

    In Firefox I have 3rd party cookies set to 'From visited' and 'Until they expire' to minimise breakage, but then also run Self Destructing Cookies add-on.

    In this scenario, would there be any privacy benefit in running EFF Privacy Badger add-on as well (instead of using UMatrix for this)?
     
  20. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    884
    Firefox: "3rd party cookies" = allowed ('From visited' - 'Until they expire')
    Privacy Badger: "3rd party cookies / tracker" = blocked
    Self Destructing Cookies: "Tracking cookies" = blocked
    (Or do they block 1st-party cookies too?)
    If the job of these extensions is only to block 3rd party cookies (i'm not sure), then it would be easier to use the browser for that (=Accept 3rd-party: "Never")
    And then you don't need these extensions.

    More privacy:
    a) To go a level higher you can even block all cookies with the browser (untick "Accept cookies") and you can add exceptions for sites which needs a cookie (wilders for example)
    b) an alternative is to use uMatrix for that: "Block all cookies" and if a site needs one, whitelist it in the matrix. Ok, you have used uMatrix before, so you know it already ;)
    -----
    It may overlap with the other extension (blocking the same tracking cookies,...)
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    I like your posts about cookie handling. Along the thought in the above quote I had already the same time I changed *** block to *** allow , also stopped blocking 3rd-party cookies with my browser setting. I was curious to see them blocked cookies in the matrix. Now that I've made that browser setting change I better remember it, to not disable matrix filtering in any site or to disable uMatrix extension.
     
Loading...