µMatrix - the HTTP Switchboard successor

Sorry I have not logged in for a few days did not see your post. I just use dan pollock's, hp hosts, and MVPS host in uMatrix and the default in uBlock Origin except malware domain list and with fanboys anti third party fonts, fanboys enhanced tracking list, fanboys annoyance list, and fanboys social blocking list, so their is no overlap between the two.

 

I block javascript in Chrome's settings on all but .com, .au, .ca, .uk, .org, .edu, .org, .net and .gov but I noticed that uMatrix now has over ridden that with allow for http://* and https://* . It may have been like this for some time and I never noticed. Is there a way to kill this option? What's the allow for anyway?

Another issue I am wondering about is that with no filters and just uMatrix a large part of providencejournal.com front page is missing when just using uMatrix but when I use it along with uBlockO and the base easylist that section of the newspaper shows up again so there is some over lap here that I can't identify. Using uBlockO adds content which I'm okay with just wondering what is happening in that process. Obviously uBlockO is over riding behavior in uMatrix it's just not obvious in what way.

 

I don't know if you control behind-the-scene requests in uMatrix - well, I do! I want to control "hidden" requests by the browser. And I had extensions installed in Chromium/Chrome which contacted specific 3rd-party sites every time I loaded a new website - obviously in order to track me. Fortunately, uMatrix blocked those b-h-s requests - an important protection against malicious extensions. This does not work any more in newer Chromium/Chrome versions!

Quote from gorhill:

It already doesn't work any more in Chromium 45. You can easily test this: Open the uMatrix logger and, e.g., manually update the filterlists in uBlock0. Those requests were logged by uMatrix before - but no longer. It still works in Firefox, though!

I'm not willing to accept that for the reasons outlined above. If this change in Chromium is going to stay and gorhill won't find a way how to circumvent this problem (I doubt that this will be possible), I will replace Chromium as my standard browser with Firefox. I've been running Firefox Aurora in Arch Linux for some months now with Electrolysis enabled without any problems. It's very stable, the vetting process for extensions is very thorough and much better than the purely automatic check on the Chrome webstore, it's more privacy-friendly and configurable than Chromium - and I'm running it in Firejail so it's adequately sandboxed. It's time to say good-bye to Chromium.

 

@Malwar

Fanboy's Social Blocking List is already include in Fanboy's Annoyance List :
https://easylist.adblockplus.org/fr/

So no need to use the second if the first is activated.

 

I agree. There is no overlap if uBlock0 is restricted to pattern-based filtering and if all hosts files are disabled which are enabled in uMatrix.

 

Wow..can not believe I did not know this..but at least they did not overlap because fanboys annoyance list was reduced and fanboys social blocking list showed 12769, thank you for this information.

 

Yep, and you get the ultimate protection if you just allow css+image in uMatrix without breaking a lot of sites you just got allow a few frames or etc. for certain sites to work, also you have all of the privacy switches and everything, I select them all.

 

I have changed a bit and think I was originally maybe too critical towards the default installation settings of uMatrix. I did use to make no difference between 1st-party and 3rd-party and only allowed css & image.

Now I block only cookies and frames from 1st-party. It makes surfing unknown sites a bit more comfortable without needing all the times to whitelist things. There are the other security programs I use as a protection to my more leisurely way of surfing.

 

Reading the comments on this post on reddit seems like the general consensus is that NoScript offers better protection than uMatrix regarding XSS

is that true or not?

 

Here's another take on it...

https://github.com/gorhill/uMatrix/issues/297

 

uMatrix doesn't have an XSS filter. However, it blocks all 3rd-party sites by default and explicitly blacklists numerous malicious sites through its hosts files (something which is not available in Noscript at all). Furthermore, if you whitelist a site in Noscript it's allowed everywhere as Noscript does not use scopes like uMatrix. Let's take the example from the uMatrix wiki: If you're using uMatrix with the domain-specific (or even site-specific) scope (2nd picture on that site) as the default (which you should absolutely do!) and you allow, say, disqus.com, it will only be allowed for wired.com but still be blocked for any other site! In other words, if you inadvertently allow a malicious 3rd-party site (which is not contained in one of the hosts files) the negative consequences will be very limited. In Noscript it would be allowed everywhere as Noscript only has a "global scope".

On the other hand, Noscript has a very good XSS and clickjacking filter. They work even if you allow scripts globally in Noscript. That's what I do, and it works perfectly with uMatrix.

 

Thanks alot guys for the thorough explanation. as i understand it there's no simple/easy answer to my question. Each of these approaches have their strengths and weaknesses with best solution to use both.

 

Even blocking 3rd party cookies can defeat some types of xss, as is the case in Demo application 2 here:

https://www.google.ca/about/appsecurity/learning/xss/

 

The global * scope settings in https://github.com/gorhill/uMatrix/wiki/Very-bare-walkthrough-for-first-time-users , first picture, are particularly useful for a nice but quite secure way to handle uMatrix.

Normal surfing should be done in operating uMatrix using domain scope, see the second picture. The top left cell should not be black but blue with the domain scope named in it instead *.

In domain scope just whitelisting the all-cell, you will allow everything else (to that 1st-party domain page) except the cookies will be denied from every domain that you have not explicitly whitelisted them. You will typically need to allow cookies to a domain that you log in.

Frames will also be denied from every 3rd-party domain that you have not explicitly whitelisted them. And of course still everything will be blocked from the domains that are hosts files blacklisted, even css & image will be blocked.

So you can have a quite powerful step in whitelisting a lot with that all cell. That is of course quite a lazy way of whitelisting and better would be whitelisting only some 3rd-party domains you need to unbreak the web site just enough for your needs. In many sites you won't even need whitelist anything 3rd-party. As summerheat told in his post above, if you allow too much (with the all-cell whitelist), you will still allow that nasty 3rd-party stuff only to that special site/domain that is in the matrix top left cell scope. Don't keep it black, because that means global scope.

 

Update: The computer in question has NOT been touched since last report. Today, when testing, the XHRs do NOT need to be turned on, as the target domain / host name DOES appear in uMatrix.

My guess is that the website's developers have been/are playing around with the order in which the scripts are being called. I assume so as, if they are in the "wrong" order, it messes up uMatrix, since it does not "remember" settings for scripts that are not yet called. Once a "hurdle" script or element is called allowing other scripts through, uMatrix only then refers to the settings.

Thanks. Did read that, already.

Today, was going to test turning off all the lists in uBlockO but set up my own (yes, that is counter to what is mentioned in that link for why having both uBlockO and uMatrix operating together). The dropper tool in uBlockO is very effective in hiding junk that the lists don't capture, and there is sufficient coverage/overlap in the lists via uMatrix that it seemed redundant to have them on in uBlockO, but still desirable to run uBlockO.

Then I found that there is no problem today. Anyway, may well move forward with the above plan.

 

Hi there, I've encountered an interesting situation with the search engine DuckDuckGo, and I just want to make sure I'm not misinterpreting the information in the uMatrix window. Sometimes when I make a search with the search engine and go to a result, the uMatrix window appears to show duckduckgo loading images, scripts, and links on the page. I made a reddit post about it here: https://www.reddit.com/r/duckduckgo/comments/3k4d1h/duckduckgo_is_inserting_scripts_into_certain/, and I'd appreciate it if someone more knowledgeable than me could check it out. Thanks!

 

Thanks for the clarification.

Based on your and others' comments, I have since removed filters in one, but did it in the opposite direction. I have dropped the uBlockO third party lists (but kept mine and the uBlockO native filters), and rely on the defaulted uMatrix third party ones.

 

Sounds good. If you need anything feel free to PM me anytime bro!

 

For the benefit of others here, reddit poster provided this link as the answer to the r.duckduckgo.com script...
https://duck.co/help/results/rduckduckgocom

It is their replacement for HTTP referers which pass on identifying information.

 

Many thanks to gorhill for his amazing extensions and dedication.

I tried a lot before posting but while I mostly solved my initial μMatrix perplexities and issues, I am unable to unbreak zdnet. This website seems so very bloated. It only works for me if I disable filtering entirely for that scope. For a quick check, I mouse hover the top-right account icon (it never works), and see if user comments can be loaded. Any help appreciated... thanks.

 

AmigaBoy are you saying you want to login and read the replys. The only way I could sign up and login was with these rules

www.zdnet.com www.googletagservices.com * allow
zdnet.com * script inherit
zdnet.com secure.zdnet.com frame allow

Add them to the My Rules. Its a starter for you but somebody on here will probably do better as it still needs some work.

My setup is Umatrix block 3rd script,Frames blocked all the privacy ,Hosts settings checked. Ublock on Easylist,Easyprivacy Ublock

Hope it helps you on your way

 

Thank you themorpethian, tried your rules but unfortunately they don't work here. Using uMatrix's default settings (which I think are, block all except 1st-party and CSS/Image) and the default hosts files (all selected and auto-updated).

The top-right icon won't pop-up (image below on how it pops-up when not blocked) and user comments won't load. I tried white-listing many entries/categories for zdnet.com but with no success. Also disabled uBlock0 just in case.

http://t1.someimage.com/rsoFIrv.jpg

 

Thanks, well I registered up to Zdnet and signed in OK but the popup box doesnt close where you sign in, got the dropdown of your picture.
I've been looking for a good test site anyway and this looks to be a good site (funny enough I was already a member did'nt even remember LOL)

 

User comments can be really difficult to get working. I just now got CBS comments working and I have been on again off again trying for some time. I actually cheered when they popped up.

Livefyre is ESPECIALLY difficult - it works with the website as opposed to a separate system like Facebook comments or Disqus. You have to see both 'livefyre' and 'fyre.co before you will see comments its like a chess game getting to them without disabling umatrix altogether. zdnet is a CBS property so the issues are somewhat similar. I have the comments working on zdnet now but there are some things that are probably not necessary so give me some time and I'll have the settings for you.

Well this was faster than I thought - you may be able to pare the permissions down more but here goes I just enable across the board for these - zdnet.com of course, cbsi.com, cbsimg.net, cbsistatic.com, demedex.net, googletagservices.com, tiqcdn.com, yimg.com, & of course livefyre.com and fyre.co

You may be able to kill some of the cbs urls but write down changes you make because sometimes it looks like you have it but you don't and you will have to enable these as you see them.

This may look like of lot of content to get to comments but you should see how much more is still being blocked.

I have also confirmed that you can login and comment with these settings.

Wow I forgot to say that I have the hosts files unchecked. I let Chrome take care of the malware avoidance - whether that is a good idea is for another discussion but I have found that it can be difficult enough to make commenting work on some sites without worrying whether a blacklist is also an issue.

 

Many thanks for your work and useful info, AutoCascade. It works fine now - no issues with hosts files enabled.

update: don't know if this a side effect or not (probably not), but every time I log-on to zdnet, I get a nasty email from them: You have successfully changed your newsletter preferences. You wish to receive the following newsletters by e-mail: --- (one of their newsletters here)