uBlock Origin for Firefox, do I need more add-ons

This is exactly equivalent to what gorhill presented to you. You whitelist a site in the local column of Dynamic Filtering and block specific 3rd party sites. Where's the problem?

 

Ok, when you said "whitelisted sites" I assumed "disabling uBO for the site". What you are saying, according to your example, is "blocking video tags by default and allowing on a per case basis".



Just like with NoScript, I had to un-block "cnevids.com" and "dnkzzz1hlto79.cloudfront.net" before the video become available. The difference you maybe referring to with regard to NoScript, is that when clicking play on the video, NoScript will block the fetching of the webm file from "dp8hsntg6do36.cloudfront.net", while uBO does not block passive media (webm): this is not unexpected given that only 3rd-party scripts and frames are blocked in the picture above.

Not sure why this is an issue in the current example: someone wanted to enable the video for the site, and this is what occurred as a result of un-blocking the two above hostnames.

In any case, with uBO, if one wants to also forbid passive contents, this is done with the blocking of the "3rd parties" cell, in which case an extra step to also unblock (noop) "dp8hsntg6do36.cloudfront.net" will be needed, just like with NoScript, except that for that specific last step, NoScript makes it easier to identify what needs to be further un-blocked (there is an open issue in uBO for this -- the infrastructure to support this is probably already in there with dynamic URL filtering).

 

I guess you could say I prefer the 'granularity' of scripts over domains, since I consider them the bigger evil from a security standpoint vs privacy. Blocking domains is nice though, and uBO does that well giving one the option per site.

It's is not just vids, however. It's elements in general eg hamburger menus, fonts, buttons...
Take a look at this pic. http://i.imgur.com/hMv9PT0.png

uBO is allowing a script to be run from a Facebook domain (the counter gives it away, so I looked at the connections). NS is not allowing the script. In this case I had disabled all filters and set up uBO like NS. If I block the FB domain, the script disappears. With FaceBook allowed, that script is the only connection with Facebook. I tested uBO in standard FF as well, also with filters enabled (the defaults plus easy privacy, Fanb's annoyance). The script still got through.

Only NS, or disabling javascript natively in FF, blocked the script without blocking the FB domain. I'm assuming this has to do with how uBO handles 'objects' as compared to NS, fonts, buttons, etc. since NS often presents these as 'objects.'

NS is allowing Wired as well. Blocking Wired.com in uBO blocks the facebook script.

 

If you want such granular control you should use uMatrix and restrict uBlock Origin to static filtering.

 

I don't. I'm mainly concerned about scripts. Why is uBO allowing that FB script?

 

What script? From uBO logger i can see only this related to facebook:
xhr http://graph.facebook.com/?ids=http...an-palaces-metro-stations-hard-to-tell-apart/

That + does not mean a script. It can also be seen with uMatrix matrix. It is an xhr.

Instead pictures you should have posted a link to that page: http://www.wired.com/2015/11/david-...an-palaces-metro-stations-hard-to-tell-apart/

 

I don't understand why you don't block Facebook. It doesn't work with scripts forbidden, anyhow. So what's the rationale for not blocking the FB domain but blocking its scripts?

 

I'm looking at the Firefox network connections window (SHFT+CTR+Q), and that is what is in the pic posted. The FB domain is a script. That is the only FB connection. Disabling JS in Firefox kills the domain connection to FB (at least according to FF browser tools). NS kills the script and the FB domain, while allowing Wired.com 1st party scripts. uBO, when allowing 1st party domains, allows this FB script. You may test it your self. You have the link. Wired.com is kind of the proverbial example, so I stuck with it.
I'm aware of what the uBO + sign means, that is why I tested it. It's a script.

 

If you look at the pic, only facebook breaks through, not Twitter, etc. It's not a blacklist concern. It's a zero-day concern.

 

Look with that tool again and select only XHR from the bottom tab. uBlock Origin does not block xhr content, nor does it block plugin content (not with your settings or what is practical). To have that much and more power you should consider uMatrix.

EDIT:
You could block 3rd party, but in my opinion uMatrix is better suited for that kind of thing. Possible to do in the special sites of course with uBO too, but not for general nice surfing experience. I would use only the medium filtering in general.

Your settings might still block the script part of that request.

EDIT2:
Summerheat this is a reply to your post below mine: You should see the xhr using the settings he has in the local column. It has nothing to do with how facebook is allowed or if visited. Myself I don't even use it.

Remember to noop wired.com, because he has those paranoid 1st party script/inline script settings. Allowing a script will spawn like many times some additional requests, one of them is that xhr.

 

I can't reproduce as I don't even see facebook in my uBlock0 popup. Anyway - a possible explanation would be that you once were on the facebook site and allowed it in the global column. This applies to all sites everywhere as explained in the uBlock0 wiki. You should allow facebook only in the local column.

 

So – how may is actually required for good blocking/protections?
uBlock Origin and uMatrix, or is just one of them sufficient?

I am accustom to uMatrix that I find self explanatory and very user friendly.
Thank you gorhill for making it!

 

It is best in my opinion to use both of them. First as a newbie if you are to them uBO without dynamic filtering. It has them cosmetic static filters/adblocking.

Then as I do to run uBO also with medium filtering. When the whitelisting is needed I choose which one what to filter with. On some media sites I don't have the patience to do sometimes with uMatrix. So I disable the uMatrix matrix. Some other protections it has will still be in power. Some other sites the capablity with uM to have that granularity it offers bar none other extension is what I want. Then i disable medium filtering locally to that site in uBO.

I even run in Firefox Noscript same as summerheat in allow all scripts mode, to have them other things from it still protecting.

The best both uBo and uM have over NS is the scopes and able to dynamically whitelist also frames, so it is not like some inconvinient mask that NS offers. Bothered me a lot that need in NS to allow sites globally. As they are never good or bad exactly.

Any other extensions/addons I don't have.

For the hackers/stalkers I have nothing against to protect. Keyloggers etc ******* exploits got into my computer, nothing. At least with these extensions my computer is sort of safe from getting totally owned These ***** must be put to pay.

 

Jarmo P, thank you. I'll use both as good practice.
Is Strict HTTPS in uMatrix doing the same thing as HTTPS-Everywhere (by EFF Tech)?

 

I don't think it is quite the same. uMatrix is not modifying a web page, but instead only blocking the http content.

Btw those 3 dot options (user agent spoofing, referrer spoofing and strict https) are ones that when you disable the matrix filtering, will still stay in effect. A user might get in trouble on some web sites when having all these ticked globally and the site is not working. One should always remember of running uMatrix with so much power and if nothing else seems to help, just disable the extension.

One other "dangerous" option that comes to mind is disabling behind-the-scene scope requests. It can be quite safe actually in it disabling to install addons/extensions without your consent, then again it will also disable to update the hosts files or 3rd party filter lists or updating the installed extensions. uMatrix is very powerful, so beware users

 

Well, I tried umatrix a long while back, and noticed similar behaviors. If you look at my uBO settings, everything is blocked, including inline scripts. I just allow wired.com. Blocking complete domains is a bigger pain than blocking their scripts/cookies, etc. This was my original complaint, how uBO handles objects, as compared to NS. So, I'll say XHR items instead.

Though I am not a developer, it is my understanding that XHR is married to JS. And this particular object/JS relationship is allowing a 3rd party script to be run using uBO, even though the settings are set otherwise.

Here is the reference link, http://www.wired.com/2015/11/david-...es-metro-stations-hard-to-tell-apart/#slide-2

 

If in FF (I'm sure Chrome has something similar), hit sft+ctr+q. This will bring up all connections. Under XHR, you will see a connection to graph.facebook.com. You will also see the same thing under the JS tab. Under "all," it is also there.

It is evident by the FB counter that the connection is taking place to that domain, but it is also evident that FB is running a script with uBO blocking 3rd party scripts, but allowing 1st party scripts. This does not happen with NS blocking 3rd party scripts but allowing 1st party scripts.

 

You didn't comment on what I wrote. If you surf to facebook.com - is this domain allowed in the global column of Dynamic filtering or not?

 

You should have read my post #35 in this thread. Needs to stop uMatrix filtering of course and just use the medium filtering in uBO. But things are as expected, uBO won't block xhr requests. If you have blocked facebook globally, then you won't see any I think.

Maybe gorhill should consider blocking also xhr requests, then again I don't know what setbacks that might involve. To have uBO as a simple user friendly blocker.

To the screamingyang: uMatrix would have blocked that facebook request even when allowing all first party that triggered that XHR in uBO. It is useless to block 1st part scripts and inline scripts when you then nooped that first party.

EDIT:
We must take into consideration the static 3rd party filters too. I have only those checked that are mentioned in the medium filtering part of the Wiki.
After checking those 3 available social filters, that facebook xhr will be blocked:

Staattinen suodatus ||graph.facebook.com^$third-party,xmlhttprequest löytyi:

• Anti-ThirdpartySocial (see warning inside list)

The other 2 lists won't block it. The warning being: "Warning, will break on facebook-based comment sites and may also break on some facebook apps or games."

I think this means that in some media sites the comments won't be seen, so I unticked all 3 of them. I like sometimes everything to work. Of course for just this reason I can see why it would be nice to be able to block/unblock xhr with dynamic filtering in the practical medium mode for privacy.

 

No

 

https://github.com/gorhill/uBlock/issues/924

 

As usual gorhill totally ignored this forum. Some informaction lol.
There has been other issues etc. I have mentioned here too. Some of them that come to mind are that Chrome Web Store version of uMatrix was still 0.9.2.0 until updated today. The other one I will see if uMatrix non popup settings still can't be accessed from incognito mode.

 

Yeah, I saw that. It's to everyone's benefit that it gets sussed out.

 

uBlock Origin
Ghostery
Privacy Settings
WOT

 

I would say that uBlock Origin is sufficient, and personally would lean that way, given the 2 options. Blacklisting sites is a good idea, but for zero-day exploits, and things not blacklisted, then I would use a tool that allows blocking malicious behavior.

In my examples, no filters stopped the FB connection. That included Adblock PLUs filters with easy privacy, FanBoy Annoyance. It also included all of the default filters with uBO.

uBO was able to block it but by shutting down all scripts, or blocking the FB domain (or all 3rd party domains). NS blocked it when only allowing the 1st domain. Firefox blocked it by turning off JS completely.

NO FILTER BLOCKED IT! Including the built in privacy protection in FF.