A uMatrix guide for Firefox

The Firefox extension uMatrix (it is also available for Chrome and other browsers), gives users control over a website's connections, and data that is loaded when the site is loaded in the browser.

The extension is developed and maintained by Raymond Hill (Gorhill), the developer of uBlock Origin, a popular content blocker that is also available for various browsers including Firefox.

Why two extensions and not just one? While both extensions can be used for the same purpose -- blocking content -- they are different when it comes to scope. Without going into too many details: uMatrix is like the advanced brother of uBlock Origin. It gives you more control, and comes with privacy enhancements on top of that.

uMatrix for Firefox

umatrix firefox guide

You can install uMatrix in any recent version of the Firefox web browser from Mozilla AMO. Simply visit the website, and click on the "add to Firefox" button to do so. I suggest you disable or remove any content blocker that is installed in the browser before you do so (e.g. NoScript, uBlock Origin, Adblock Plus) to avoid issues.

The extension adds an icon to Firefox's main toolbar that you use to control what sites may load. Before you do, you may want to visit the options of the extension to make changes to the initial configuration.

The preferences are divided into tabs, similarly to how this is handled in uBlock Origin.

umatrix settings

Here is a list of preferences that you may find useful. I suggest you go through them all though as you may find some useful that are not mentioned here.

  • Settings > Convenience -- Show the number of distinct requests on the icon.
  • Settings > Convenience -- Collapse placeholder of blocked elements. (If an element is blocked, placeholder is collapsed. May result in a cleaner site, may cause display issues on some sites.
  • Privacy -- Delete blocked cookies. uMatrix does not prevent sites from setting (blacklisted) cookies, but it blocks cookies from leaving your local system.
  • Privacy -- Delete local storage content set by blocked hostnames.
  • Privacy -- Spoof HTTP referrer string of third-party requests
  • Privacy --Spoof User-Agent string by randomly picking a new one below every x minutes.

You may also check the list of hosts lists the extension uses by default, and may add new lists to it. It loads six lists by default to block malware, ads and tracking servers automatically.

Once you are done with that, you need to decide how to run uMatrix. You have two main options basically to do so: block all or allow all.

The interface

umatrix interface

The interface may look intimidating on first glance. It lists all first party and third-party connections a web page makes, and data types such as cookies, CSS or script, that are loaded or blocked.

Colors are used to indicate loaded and blocked content, with green highlighting content that is loaded and red content that is blocked.

Read also:  Firefox: powerful smartUp Gestures Chrome extension ported

You may click on a header, e.g. cookie, to set up uMatrix to allow or disallow this type of data globally (with exceptions that you define). Green indicates that a content type is allowed, red that it is disallowed.

Tip: you set something to allowed (green) if you click in the upper half of a box, and to disallowed (red) if you click in the lower half. The difference between dark and light green, and dark and light red is the following one: Darker colors mean that there is a whitelist or blacklist entry assigned to the cell, lighter colors that the status is inherited.

Another option that you have is to allow or disallow for specific hostnames. You may block or allow all for a hostname, or use the granular controls to allow or disallow certain types of data, for instance frames.

Block all

block all

If you set uMatrix to block all, all is blocked from being loaded except for the things that you whitelist. To enable the block all mode, blacklist (set to red) the "all" and "frame" cells of the table.

You may want to allow the "css" and "img" cells so that styles and images do get loaded when you connect to sites.

Click on the padlock icon to save the modified configuration.

This mode blocks all but CSS and images. It improves privacy and security, and is beneficial to the bandwidth on top of that. A downside to this is that you will run into sites that don't render properly or at all so that you may need to allow certain things on particular sites to access them.

Allow All

allow all

Allow all allows any connection and type to be loaded with the exception of hostnames that are blacklisted. This is better for compatibility purposes, but problematic from a privacy and security point of view.

To configure it, set the "all" cell to green, and make sure any other cell is set to green as well. Don't forget to click on the padlock icon to save the new configuration.

The core advantage of allow all is that you won't run into nearly as many rendering issues as with block all, but the effect on privacy and security is diminished.

Closing Words

How you configure uMatrix depends entirely on you. If you want maximum privacy and security, you should go with the block all approach and whitelist only hostnames that you trust. You can still allow certain things temporarily using uMatrix, or load a site in private browsing mode instead.

uMatrix resources and further reading

Summary
Article Name
A uMatrix guide for Firefox
Description
The uMatrix guide for Firefox helps you get started with the Firefox extension uMatrix, a sophisticated connection and ontent blocker for the browser.
Author
Publisher
Ghacks Technology News
Logo
Advertisement
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail


Filed under:


Responses to A uMatrix guide for Firefox

  1. uMatrix fan November 28, 2017 at 7:51 am #

    A good configuration for uMatrix for both privacy and convenience is to allow all except (or not) frames, block all scripts.
    For convenience, when pages break, just allow all parties temporarily.
    uMatrix cannot block scripts independently from host names, you can use uBlock Origin for that.

    • Millenicide December 4, 2017 at 5:47 pm #

      "uMatrix cannot block scripts independently from host names, you can use uBlock Origin for that."
      Can you please explain this in more detail. :)

  2. yikes November 28, 2017 at 8:49 am #

    Can anyone explain the little triangles in the top left corner of some of the squares?

    • Martin Brinkmann November 28, 2017 at 9:05 am #

      Green triangle on light red cell: permanently whitelisted cell that is temporarily graylisted (anything from hostname will be blocked, but the main frame).

      Green triangle on dark red cell: permanently whitelisted cell that is blacklisted temporarily.

  3. Mike November 28, 2017 at 9:21 am #

    I've always wondered this but if you install uMatrix, is uBlock Origin not necessary anymore? Can uMatrix do everything that uBlock does but better?

    • Cloudman November 28, 2017 at 1:51 pm #

      uMatrix doesn't have esthetic filters.

      • BM November 28, 2017 at 3:30 pm #

        Agree. The eyedropper tool (element picker) is a big reason we have both installed. There are other reasons, I have since forgotten, but I think one reason had to do with lists unique to uB Origin not available in uMatrix. (Edit: I see Donkeyfumbler below mentions this).

        uMatrix is a PITA if one uses a virtual/sandbox environment, as the settings cannot be easily saved. However, the extra level of protection is still worth it, IMHO.

    • Django November 29, 2017 at 3:10 pm #

      uBO is a second line of defence. uMatrix replaces advantageously the dynamic filtering part of uBO, but the static filtering part remains. If you allow YouTube embedded videos on Ghacks through dynamic filtering, static filtering will ensure that YouTube tracking scripts and ads will remain blocked.

      uBO has dynamic filtering but it's limited and I can find no satisfying way to use it, so ultimately I always have to install uMatrix and defer ALL dynamic filtering to it.

      The downside is that uBO can't inject neutered scripts any more, those help in keeping site functionality intact when they are coded poorly enough to break without, say, Google Analytics.

      I wish uBO and uMatrix were more readily compatible and made to work with each other. I don't see a point in using uMatrix without an adblocker, and uBO's dynamic filtering doesn't cut it for me. IMO uMatrix UI is also infinitely more appropriate when what the user wants is a clear view of what's going on.

  4. Donkeyfumbler November 28, 2017 at 9:33 am #

    I'm really not entirely sure why there are two add-ins by the same developer that seem to do fairly much exactly the same thing.

    From what I can see UBlock, once you turn on advanced mode, does exactly the same kind of element filtering in exactly the same way, down to the light and dark colours. However it also has fairly extensive ad-blocking filter black lists that Umatrix doesn't.

    From what I can tell then, the question is the other way round - why would I use umatrix when ublock does the same and more? Also, why does the dev not just combine the two into one add-in?

    • Sophie November 28, 2017 at 10:15 am #

      I found when I tried Umatrix, (being already a UBO user, with extensive use of UBO), that Umatrix seemed almost overkill. I would be happy with the learning curve, as I like to understand as much as possible, but I found that it needed too much management and broke too many things. To be honest, everything went fairly haywire.

      Granted that all this would settle down once you managed it properly, so this is in no way the fault of Umatrix, I simply reached the conclusion that UBO was more than sufficient. Big thanks to the developer though, pretty much nothing to touch his extensions.

      • BM November 28, 2017 at 3:59 pm #

        Depends on your use case. If you do a lot of research online (i.e. need to visit multiple sites over time vs visit a limited number of sites), you get to have a very good feel for which hostnames to allow, and which to remain blocked.

        Where things go "haywire" are websites that require some element (usually a script) that is only available after authorizing a hard blocked (dark red) hostname's script (i.e. a script that is flagged within one of the lists). That required one will not be present until the prerequisite is authorized.

        Figuring this out is problematic, to say the least. If the site is important enough, sometimes I turn off uMatrix, and sometimes even uB Origin too. Sometimes that is not even enough. If site is "crucial" and reached this point, then it is on to (rarely used) Edge. Otherwise, I abandon that site.

        We use two additional Chrome extensions to help: uB Origin Extra and uB Origin Protection. The latter helps greatly with websites that block adblockers, usually with another page or an overlay that obscures content.

        Overall, having more difficulties with sites that block VPN access than with using Gorhill's tools.

      • BM December 10, 2017 at 12:11 am #

        Just noticed that the extension called uBlock Origin Protection is now called Nano Defender. FYI

    • Silver November 28, 2017 at 11:28 am #

      "From what I can tell then, the question is the other way round - why would I use umatrix when ublock does the same and more?"
      It's the opposite. Why would I use ublock when umatrix does the same and more.

      That being said, like Sophie, umatrix is overkill. It's very powerful but as a result, it's very tedious for very little more protection. Therefore for most users, it's better to just stick with ublock in advanced mode. However, for the power users who like minute control over everything as well as knowing exactly how many images, scripts, and more are loaded from which domain, umatrix is perfect for that. But for me? Not my cup of tea.

      • Donkeyfumbler November 28, 2017 at 11:48 am #

        As I said Ublock has the filtering lists that Umatrix lacks, but the script and content blocking is fairly much the same on either product. Unless you really need those extra privacy options (and really don't like cookies), why then choose umatrix over ublock? Lots of people saying it's 'more powerful' but failing to show how that's actually the case.

      • Silver November 29, 2017 at 12:08 am #

        @ Donkeyfumbler
        One thing is uMatrix shows exactly what type of resource and how many of these resources are being loaded from which domain. Basically if a 3rd party frame is loaded, uMatrix shows the domain of that 3rd party frame. uBlock does not do that or makes it very hard to find out. In other words, uBlock simply tells you nothing about what resources are being loaded unless you decided to block them which uBlock will show something like "18 or 81%" resources blocked from loading. uMatrix tells you exactly how many resources were blocked, where it's coming from (the domain), and what type is the resource. All these information is given whether you blocked the resources or not. That gives you a lot more info in helping you modify your lists and filter for certain sites.

        uMatrix then allows you fine control over those resources from different domains. For example, what if I don't want to block all 3rd party scripts? Only certain ones? Basically like I said, uMatrix gives you granular control. And that's very likely the very reason why the author did not combine the two. If you give uBlock that much granular control, it's too much for most users. Instead, the author separate this fine granular control into uMatrix and the "coarse" control in uBlock. For most users, uBlock is good enough. For the users that are anal about over every resource type and where it's coming from, they have uMatrix.

        People saying uMatrix is more powerful does not take anything away from uBlock so I honestly don't know why you are so worried over it. Who cares if a Ferrari is more powerful than a minivan if all I want to do is have enough space to carry my groceries. Something being more powerful does not mean it's the best at everything.

  5. dd November 28, 2017 at 10:31 am #

    use a browser with lots of blocker stuff for regular use.. use another browser with less when it breaks. use edge for no filter when you can't be bothered to figure out what gets what blocked

  6. Hans November 28, 2017 at 10:39 am #

    What ist the effect of the the rule „* * frame block“? The frame column is coloured light red just like the (unblocked) script column for instance. I can’t see the difference.

    • gorhill November 28, 2017 at 1:18 pm #

      * * frame block = "block all frames from everywhere" (starting from the scope where the rule exists).

      This will cause the header "frame" cell to be blacklisted (dark red). The higher precedence "frame" cells will inherit this block rule (pale red) by virtue of uMatrix rule-propagation logic.

      • Hans November 28, 2017 at 3:19 pm #

        Now I got it, thank you!

  7. Thorky November 28, 2017 at 10:42 am #

    The first thing you should do after installing uMatrix is:

    - click the small grey cogwheel in the upper left of uMatrix window
    - open My Rules
    - click Edit-Button below Temporary Rules on the right side of the page
    - add the term> * * script block <to the list
    - click Save
    - click Commit

    From now on, Scripts are blocked by standard like in NoScript! :)

    • Tom Hawack November 28, 2017 at 11:00 am #

      > "From now on, Scripts are blocked by standard like in NoScript! :)"
      And the per-site script authorizations' madness as well! The number of sites which rely on scripts is a majority. Here with uBO I do block all scripts ... from 3rd-party sites (as well as calling those very sites) but indeed that doesn't protect from a given site's own scripts : for those I rely on uBO's filters. Sure, this policy is applicable with uMatrix I guess. But a too high granular protection can be terribly time consuming.

      • Django November 29, 2017 at 3:26 pm #

        You can allow all first party scripts with uMatrix (NoScript too) by default if you want. With per-site permissions you can save your non-global rules without worry, which means you only have to setup rules once, not twice. (Like you do with a Windows per-application firewall)

        Many sites don't need JavaScript, so if you allow CSS, images and frames to first party sites by default, you won't need to tweak all sites even on first time visit. Maybe 50% ?

        If on top of that you also allow CSS and images globally for all sites except those blocked by filter lists, first time visits where you need to add permissions become rather infrequent.

         

        And with uMatrix (and NoScript), you don't end up allowing more than you thought, unlike uBO. (I love uBO but I just have to defend uMatrix and NoScript because I don't think it's remotely true that uBO can replace either of them, its role is to run alongside one of them if security and privacy are the user's priorities.)

  8. Tom Hawack November 28, 2017 at 10:47 am #

    uMatrix's page on AMO is explicit : "*For advanced users.*".
    What defines an "advanced user"? What does it mean to be, to consider myself or someone as advanced in terms of computing knowledge? I don't have the answer. A rather relative definition perhaps. Some users stick on 'Adblock (Plus)' because they consider that 'uBlock Origin' (uBO) required advanced skills. That's my position regarding uMatrix and some uMatrix users on the other hand will consider the extension as perfectly accessible... hard to tell.

    What is sure is that uBO is not presented as "For advanced users" and is obviously less complex to use than uMatrix. Complex, not complicated. Some may also as myself lack confidence in their true abilities and/or express a sort of "intellectual laziness" (yawn and "wow, too tiring").

    As far as I'm concerned I'll point out this :
    1- Yes, I believe I could make it to uMatrix should I make the effort. Yes, I'd make the effort if uBO didn't exist because traditional ad blockers are far too far from what I consider as essential to give a chance to privacy and security nowadays when running a browser.
    2- I use uBO intensively, I have a wide array of filters and rules, mine included. I'd have to move those to uMatrix, in what conditions, what is movable and what is not.... Maybe I should have started with uMatrix rather than uBO, maybe did I lack self-confidence or maybe was I tempted by a good "less effort"/"efficiency" ratio.

    Magnana maybe. (is that how you spell 'tomorrow in Spanish?!). I often doubt that laziness is considered as a capital sin and sometimes I vaguely perceive why is could definitely be one :)

    • Sophie November 28, 2017 at 11:44 am #

      @Tom - agreed too.....I have made use of a lot of filtering on uBO, my own as well as what's on offer, and also export these to a NAS drive which my whole network picks up and Syncs with.

      To migrate those over to uMatrix, be uncertain how they will fit - what will work, what won't , what might break....and then at the end of it, not even be sure if I have achieved much, these are the reasons I stick with uBO.

      If I had gone with iMatrix to begin with, I would be at that place of "maturity" with it, but as I see it, it just seems like life is too short, and the ability for it to break things perhaps just a little too great. Not its' fault of course....only mine for not trying hard enough.

    • BM November 28, 2017 at 4:14 pm #

      Making a mountain out of a mole hill.

      uMatrix is easy for anyone with technical skills. For most use cases, uMatrix need only be set the first time a site is encountered, and the settings saved. Unless the website changes, this should suffice for all future encounters.

      One can either do this, or choose to invest their time with a wide array of filters and rules in uB O. I don't bother with that, as I like the deny first approach of uM and the easy selectivity right at the browser.

      Agree that even with uB Origin, users needs some level of technical understanding to deal with any configuration settings outside of the default.

      Indeed, it is relative, as is the "efficiency ratio".

      • Tom Hawack November 28, 2017 at 4:33 pm #

        "uMatrix is easy for anyone with technical skills." : that's the montain!
        "Agree that even with uB Origin, users needs some level of technical understanding to deal with any configuration settings outside of the default." : that's the moll hill!

        You can choose (not you, BM, I'm talkin' to 'em fellas lazier than I) flat grounds but where's the pleasure with no effort?! Forget the pleasure, it's privacy and security which are concerned! Bonus? Besides privacy and security, no ads and faster page rendering : now what would we say about that? I say : grrr, I should at least give uMatrix a try. Don't whip me, that don't help; rather share your experience with uMatrix, as BM does, with a smile and an Everest of encouragements : we need them :)

    • Richard Allen November 28, 2017 at 5:12 pm #

      Mañana ;)

      Totally agree. I would probably have to say that performance, ease of use, security and privacy are my 'goals' when online, and probably in the order that they are listed. I like uMatrix but once I moved from FF ESR, I started to pare down my add-ons in preparation for 57+ and uMatrix ended up in my disabled list. In it's place I've been using "No-Script Suite Lite (revived)", it's lite on resources, takes like two seconds to enable js, most often permanently, and I'm basically just using it as a javascript whitelist, mostly so that when visiting a new site (intentionally or not) js will be disabled, there are also a handful (surprisingly large handful) of sites I regularly visit that I've left js disabled because they work and look fine for my purposes.

      Even blocking js on new, unknown websites might be a little on the overkill side of things for some people since I use uBlock Origin to globally block 3rd party iframes and I use dozens of my own personal rules and filters. For example, some websites I have javascript enabled in No-Script Suite Lite but then have 3rd party js blocked with uBO or maybe just a specific individual script is blocked preventing auto playing video. On websites that I know are guilty of having inadvertently (maybe) distributed malware in the past, the odds of my enabling All javascript on those sites is Very slim. With the capability available in uBO it's hard for me to feel like I'm missing out by not using uMatrix. or even NoScript Security Suite, which should not be confused with No-Script Suite Lite (revived), the latter is what I'm using.

      All that said, I feel very fortunate to have Mr. Hill developing both uBO and uMatrix!! I'm hoping somehow someway that the ad ecosystem gets cleaned up or at the very least doesn't get worse than it is now so that I don't feel like I need to resort to using something like uMatrix. I am much too lazy to have to do that!!

      • Tom Hawack November 28, 2017 at 5:26 pm #

        Hello Richard!
        I read you attentively as always. You mention the "No-Script Suite Lite (revived)" Firefox extension which "allows JavaScript (inline & external) to be executed only by trusted websites of your choice." (as mentioned on AMO). But this feature is included in uBO with the '1st-party scripts' setting. What is the advantage of adding an extension which performs the same thing as uBO?

      • Richard Allen November 28, 2017 at 5:43 pm #

        Basically, I do Not want to Globally block w/uBO: inline,1st party or 3rd party javascript and maybe most importantly I do Not want to visit a new website, no matter how I got there, with Any javascript enabled. Ease of use is extremely important, for me.

      • Richard Allen November 28, 2017 at 6:03 pm #

        I'm going to repeat myself because I edited my post in the last minute and it will probably be stuck in the Twilight Zone for a while. I know better and I still do it too often, a last minute edit. ;)

        Basically, I do Not want to Globally block w/uBO: inline, 1st party or 3rd party javascript and maybe most importantly I do Not want to visit a new website, no matter how I got there, with Any javascript enabled. Ease of use is extremely important, for me.

        You're right, the exact same thing can be done with uBO. It just feels easier to me to let No-Script Suite Lite take care of globally blocking js instead of in the long run adding a hundred or two more rules in uBO.

      • Richard Allen November 28, 2017 at 6:21 pm #

        I forgot to mention my concern about at what point does the number of personal rules and filters that I'm using start to impact the performance and memory use of uBO. I'm already using dozens of MY Rules and MY Filters. I don't know what the impact would be or if there is even any impact at all if I were to add another hundred or two rules. So... I'm just playing it safe a little bit.

  9. Var November 28, 2017 at 12:50 pm #

    I have used uMatrix to bypass paywalls on certain sites. Doesn't work on all but on a few its quite effective. But it seems to have a steep learning curve, its not easy to get right away.

  10. dw4rf_toss November 28, 2017 at 12:57 pm #

    Cool, with a side of "I'll shoot my eye out". There's an older release that runs with "old" Firefox without webextensions (1.1.4), so I'm running the old version. I've disabled uMatrix hosts files, as I either opted out of them in uBlock or they are already covered by it. So if I end up hating this, I can just uninstall uMatrix.

    Again: got uBlock and uMatrix running in tandem, all seems well enough. Side note: I'm letting uBlock origin handle the "list" blocking and disabled such in uMatrix; I was getting unnecessary page reloads when both have same lists enabled.

    So far, uMatrix has proven useful, though. It shows exactly what it is blocking, and unblocking things to test is thankfully pretty simple. I was able to allow Disqus chat and some other functions very quickly. Then ya click the lock icon to save permanently once ya get it all just so.

    Just disable the lists in uMatrix if you want to play with it and not break anything you depend on in uBlock. I guess my bottom line is that uBlock is just too useful to let go (element zapper, anyone?).

  11. 12bytes November 28, 2017 at 1:41 pm #

    Firefox Configuration Guide for Privacy Freaks and Performance Buffs | 12Bytes.org
    http://12bytes.org/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs

  12. Peter November 28, 2017 at 3:03 pm #

    Love it! Too bad support for Pale Moon was dropped but as long as 1.0.0 works I'm a happy camper.
    It does miss the element blocker UBO harbours.

  13. MdN November 28, 2017 at 3:09 pm #

    I've been using uMatrix ever since I found out about it. Once I learned my way around it, it has become a routine, and compared to uBlock sometimes I save a few seconds of loading time on some websites simply because it's easier to see what there is to filter. For my use it's perfect as I, 90 percent of the time, tend to visit the same bunch of websites. When I started I installed it on my less-used browser and I would slowly, when I had free time, edit the settings for all my favorite websites. Once I was done, I just exported the settings and applied them to uMatrix in my other browsers.

  14. Daguil November 28, 2017 at 4:46 pm #

    I use UBo for static filtering (non-advanced-mode) and uMatrix for Dynamic filtering.

    I am not a developer. But I did spend a full week reading the Wilders Security forum on UBo. While Gorhill removed the page from his wiki on how to use both UBo and Umatrix together :(, here’s what I’ve been able to piece together from Wilder’s security forums.

    NOTE: this assumes you’re going to use UBo and Umatrix together.

    In UBo:
    - Settings:
    o Uncheck “I am an advanced user”
    o Check all the Privacy settings
    - 3rd Party Filters:
    o Check the boxes for “Auto-update” and “Parse Cosmetic”
    o Myfilters
    o All the uBlock filters (per Gorhill, these are not optional)
    o Easylist
    o Easyprivacy
    o All the Fanboy’s stuff
    o Personal:
    * Chef Koch’s BarBlock @ https://raw.githubusercontent.com/CHEF-KOCH/BarbBlock-filter-list/master/uBlock.txt
    * NoCoin Filter List
    o UNCHECK all of the Malware domains.
    o UNCHECK all of the multipurpose domains.
    o Only check the “Regions” that apply to where you live & browse.
    - My rules:
    o no-csp-reports: * true
    o behind-the-scene * 3p noop
    o behind-the-scene * 3p-frame noop

    In uMatrix:
    - Settings: Self explanatory.
    - Privacy: Check everything. (Except for me, I unchecked “Spoof User Agent”...this broke a few sites I need to work.)
    - My rules:
    o You’ll tailor these as needed to make your own sites work. Everyone draws a different line between privacy and convenience. I've seen others share their lists, but I personally didn't find it very helpful since we all browse different sites.
    o Generally, I block all and allow as exceptions only on the websites I need to get working. But I universally allow youtube vids, since they are pretty much everywhere and I didn’t want to bother too much with enabling them on every site. Most would find my approach too difficult/time-consuming, others would say I’m crazy to allow Youtube everywhere.
    o If you find yourself allowing "ajax.googleapis.com" on every site and you don't want to bother with a rule to allow it on each site, then allow it universally like I did. Ditto for "Code.jquery.com".
    o After about a week of using this config, you'll find the pattern of what needs to be enabled for sites to work. Seems like many sites use a 3rd party site for their own CDN & images. i.e. consumerreports.org requires: consumerreportscdn.org and static5.consumerreportscdn.org. You must allow those two scripts/XHR on their site in order to see the tables of product comparisons.
    o Using the consumerreports.org example: All of the really bad staff that got blacklisted by the filters was NOT required for the site to function. And I recognized the CDN & Static script/XHR right away a allowed them on that site only. So I had this site running almost immediately, and it worked fine while blocking the most intrusive stuff. That's how it is with many sites (for now.)
    o If you use the “Decentraleyes” (recommended by Gorhill), there’s a few domains you must allow. See: https://github.com/Synzvato/decentraleyes/wiki/Frequently-Asked-Questions
    - Hosts Files:
    o Check the box to auto-update.
    o Turn on all hosts files. You’ll notice that these are all the filters you unchecked over in UBo. I forget the technical reason for this, but the developer-types on the Wilders Security forums seemed fairly certain this was the way to go.

    Backup your configurations. I invested several weeks mastering this configuration, I can’t even imagine starting from scratch.

    I also use Pants/Earthlng’s User.js file, to include blocking all cookies/enabling them on a per-site/per-session basis. Between the two Gorhill extensions and the User.js file, I’m confident that I’m safe from non-targeted attacks/privacy intrusions. The biggest risk now is…me.

    There are sites that just refuse to work with this much stuff blocked. So, I use a tiered approach, with my old Chrome setup as the secondary, Edge as the third option (with UBo in advanced blocking mode), and Internet Explorer as an absolute last resort that requires a full disk-cleanup and a quick shower after using.

    Big thanks to Gorhill, Pants, Earthlng, Chef Koch, Synzvato, 12bytes, and everyone else (especially the filter/blocklist maintainers) who make the Internet safe to browse. I think of you guys all the time! Seems like a handfull of heroes maintain free privacy tools for us laypeople against billions, billions, and billions of dollars’ worth of corporate revenues generated by invading our privacy & risking our security from malware. You guys are singular contributors in the history of capitalism. Thank you.

  15. Bronckman November 28, 2017 at 6:00 pm #

    Thank you, Martin for bringing some light into this matter. Personally I do consider Umatrix's UI a desaster. It is confusing and not self explanatory. I tried to work with it and ended up being highly frustrated and toxicated after solacing myself with some powerful drops of spirits from my bar.

    I am not saying this program is bad. I believe it's a fine piece of work but ruined by its UI. So, dear developer: please have mercy with us ignorant and illiterate computer users and try to change it for the better. I am also greatly convinced it won't happen.

    I am ready and willing to take the usual insults and name callings which are happening here much too often. Honestly, I don't care about it and the person behind it, it's meaningless. But if someone has something meaningful to say, your are very, very welcome.

    • Clairvaux November 29, 2017 at 6:20 am #

      Have a look at the Wiki. It's extremely helpful. uMatrix has a learning curve, but this was the help formerly missing to clear the first hurdle, which is quite low actually. Once you've got the first knack of it, you're allowed mistakes and you don't need to understand everything to use it. Provided you learn the basics, it's like getting to ride a bicycle or to drive a car. It's only intimidating when you've never left base.

      https://github.com/gorhill/uMatrix/wiki

  16. Gabriel November 28, 2017 at 8:07 pm #

    Great article, Martin.
    The only thing I wish uMatrix had was selective blocking. As in, for example, being able to block specific scripts on a webpage and not all of them.
    I messaged the developer about this and said he wasn't going to implement it.

    Sometimes a webpage has 3 scripts.. 2 needed for it to function and 1 nasty one.
    What to do in these cases?

    • Tom Hawack November 28, 2017 at 8:31 pm #

      Many, most if not all lists include scripts' filtering, not only ads. This is true with uBO and it is true with uMatrix. This is why lists are so important given that they remain as body guards in case the user opts for the less protective policy (allow all and block selectively). The ultimate is always block all and allow selectively but requires more work, even if with time we get used to it and spot quickly what can/should be allowed.

      • Gabriel November 28, 2017 at 8:34 pm #

        Hi Tom.
        Yes, that's what I do.
        I block all and then allow what is needed.
        But you can't allow 1 script and block 2 other scripts from the same domain. You block all or allow all.

      • Tom Hawack November 28, 2017 at 8:53 pm #

        @Gabriel, I don't know how it works in uMatrix but with uBO you can enable/disable scripts selectively with the 'Logger' feature : just search for 'Scripts' from within the Logger and you can then manipulate whatever script (as whatever data type) selectively. Unfortunately I know nothing of uMatrix.

      • Bjoern November 30, 2017 at 8:37 am #

        @Gabriel: Did you try Tom's suggestion, but instead with the uMatrix logger, to see if you could effectively achieve selective script blocking within a domain perchance?

    • Sam November 29, 2017 at 5:04 pm #

      > The only thing I wish uMatrix had was selective blocking. As in, for example, being able to block specific scripts on a webpage and not all of them. Sometimes a webpage has 3 scripts.. 2 needed for it to function and 1 nasty one. What to do in these cases?

       

      Use uBO together with uMatrix for that: uMatrix is not made to use adblocking syntax, it's not the same role :)

      You don't need to enable uBO's advanced mode when you have uMatrix. You can use it in set and forget mode with a bunch of filter lists.

  17. Clairvaux November 28, 2017 at 8:13 pm #

    Great and timely article, Martin. I have a question. On some of your screenshots, the blue background on the top left cell, where the URL of the main Web page is to be found, is cut in half, and the other half is grey. (Like in [www.reddit.com])

    This started to happen to me with Firefox 57, and I presumed I did something wrong. Is it a bug of the add-on ? Does it have some specific meaning ?

    • Richard Allen November 28, 2017 at 9:27 pm #

      Look at scope selector at the link. Specifically the text that is covered in blue.
      "https://github.com/gorhill/uMatrix/wiki/The-popup-panel"

  18. Keith November 28, 2017 at 8:40 pm #

    For uBlock Origin users, here's a post on improved UB settings by a pretty sharp guy named RejZor. I use these and UB works fine with rarely any site breakage. You can always click it off to disable it on any website.

    Post #13
    https://www.techpowerup.com/forums/threads/ublock-origin-how-the-heck-do-you-use-it.232035/

    • Sam November 29, 2017 at 4:09 pm #

      If that was sharp, then anyone here is scalpel grade!

  19. vitamin c November 28, 2017 at 9:06 pm #

    Yes, this is completely normal, it's a new layout design that was added very recently to uMatrix.
    It means you can use the grid of rules you can see for multiple level domains.

    For example, in the top image on this page, "reddit.com" is highlighted in blue, and to the left of it is in grey. This means that all the rules within the grid (red for block and green for allow), are being applied to any website that ends in 'reddit.com'.
    This is useful because you might want rules to only apply to 'magic.madeupwebsite.com' and not 'tasty.madeupwebsite.com' or in this case to both of them with 'madeupwebsite.com'.
    The little asterisk to the right is then for 'general' which means 'apply these rules to every single website'.

    This is fantastic for fine-tuning. So I can block scripts from blah.com on any website (using the general asterisk and making 'scripts' for 'blah.com' red), but then only allow it specifically on 'tasty.madeupwebsite.com'. This means it won't load the scripts on any site (even madeupwebsite.com, only specifically on tasty.madeupwebsite.com) - a good usecase for this is facebook. You might want to use facebook on facebook.com but block 'connect.facebook.com' following you on news sites or asking you to connect your account to it.

    A bit advanced, but a fantastic tool when you get the hang of it.

    • Clairvaux November 29, 2017 at 5:46 am #

      Thank you, Richard Allen and vitamin c.

      It seems to me that Gorhill tremendously extended the uMatrix Wiki since I remarked here how shorter it was compared to uBlock's. He also linked to a new how-to that wasn't there when I last had a look :
      http://adamantine.me/index.php/2015/11/18/umatrix-desperately-needed-guide/

      He says about the documentation, "feel free to improve as you wish, I am not a writer", but I think he's being modest.

      Just noticed the solution to a nagging problem I had (like many other people, presumably) :
      https://github.com/gorhill/uMatrix/wiki/How-to-get-past-%22uMatrix-has-prevented-the-following-page-from-loading%22

      This is fantastic work. We're getting traction here ! If other talented and devoted people such as him get up to speed on Web Extensions, we would be on to something...

      • Sam November 29, 2017 at 4:31 pm #

        Personally I don't need or actually, WANT, any other privacy or security extension. The more you have, the higher the risk that they mess each other up in unnoticeable yet really counterproductive ways. It was especially true with legacy add-ons but I don't think WebExtensions are completely immune to that either.

        So it's a matter of picking the right ones. I think uBO+NoScript and uBO+uMatrix are pretty nice combinations. With the former, cookies remain to be covered so a third privacy add-on is needed but you get targeted protections against many attacks, some of those enabled even with scripts allowed. It also has script surrogates, which uBO has but can't use with NoScript. With the latter, cookies are covered and you get an amazing user interface that makes you fully aware of what's going on, and allows you to unbreak things easily and quickly even when you don't want to allowing anything more than the bare minimum.

        Yet, even with just two well known add-ons, in both cases there is some amount of messing one another up going on. Fortunately the collisions do not affect security or privacy or anything important, it's just illustrating that this risk is real.

        Some people would add Decentral Eyes to the list, which will limit network requests to common CDN resources needed by many sites, by replacing resources such as (I imagine - I don't use that add-on) ajax.googleapis.com or cdnjs.cloudflare.com. I don't know if it collides in any way with NoScript, uBO or uMatrix.

         

        Finally, a fully featured NoScript should make uBO+NoScript more secure than uBO+uMatrix. The current WebExtension NoScript is not yet fully featured though (but it's planned to get there), so at the moment I recommend uBO+uMatrix on Firefox 57+.

      • Sam November 29, 2017 at 4:42 pm #

        CORRECTION:

        *script surrogates, which uBO has but can't use with uMATRIX. So NoScript having them restores the functionality.

        (It's called neutered scripts in uBO)

  20. Anonymous November 29, 2017 at 5:24 am #

    The developer took the decision not to support xul based browsers anymore (safe browsers like Pale Moon). Which means for updates you are now forced to install spyware browsers (e.g Google Chrome, Mozilla Firefox). Sounds like a nonsense to me.

    • Alien November 29, 2017 at 12:19 pm #

      "install spyware browsers (e.g Google Chrome, Mozilla Firefox). Sounds like a nonsense to me."
      Yeah, this does sound like nonsense.

      • Tom Hawack November 29, 2017 at 12:35 pm #

        The comment, I presume.

    • gorhill November 29, 2017 at 4:51 pm #

      > Sounds like a nonsense to me.

      Feel free to contribute and volunteer to maintain the legacy version.

  21. Homeboy November 29, 2017 at 1:32 pm #

    Problem with uMatrix is that all of your configuration data gets stored locally, and your network connection fingerprint will look different and more unique, and, and, .... better stay up with Tor Browser homeboy!

    • Sam November 29, 2017 at 3:51 pm #

      If you use the Tor network then yes, this matters. For privacy and security nothing is better than Tor Browser, which Firefox private browsing mode should end up becoming in the future, once Mozilla and the Tor team are done with Tor Uplift, once the Tor network is ready for the load and as a last step once Tor is shipped with Firefox.

      If or when you don't use the Tor network, reducing exposure by limiting network connections is best :)

    • Clairvaux November 29, 2017 at 5:34 pm #

      Tor is a thoroughly different step in the privacy arms race. Tor changes your IP. Whereas blockers speed up your browsing, Tor slows it down, considerably in some cases. It's also also completely non-configurable, and you need to accept a smallish window, at least if yo don't want to break the inbuilt privacy.

      There are some (important) sites that are difficult, or impossible to use with Tor. Some sites will start to throw captchas at you all the time. Some might flag you as a potential fraudster if your IP changes at each visit.

  22. CHEF-KOCH December 3, 2017 at 9:43 pm #

    My own solution to workaround is to give people a database (they can contribute to it) to add their own findings, which lowers the time re-creating the rules each time manually or in case you're too lazy. The project currently offers, configurations and pre-configured rules for uBlock, uMatrix, NoScript and ScriptSafe. Sadly all of the mentioned tools don't native support a crowd which can submit/commit their findings, so that's why I created the project.

    https://github.com/CHEF-KOCH/NoScript-Whitelist

Leave a Reply