A uMatrix guide for Firefox
The Firefox extension uMatrix (it is also available for Chrome and other browsers), gives users control over a website's connections and data that is loaded when the site is loaded in the browser.
The extension is developed and maintained by Raymond Hill (Gorhill), the developer of uBlock Origin, a popular content blocker that is also available for various browsers including Firefox.
Why two extensions and not just one? While both extensions can be used for the same purpose -- blocking content -- they are different when it comes to scope. Without going into too much detail: uMatrix is like the advanced brother of uBlock Origin. It gives you more control, and comes with privacy enhancements on top of that.
uMatrix for Firefox
You can install uMatrix in any recent version of the Firefox web browser from Mozilla AMO. Simply visit the website, and click on the "add to Firefox" button to do so. I suggest you disable or remove any content blocker that is installed in the browser before you do so (e.g. NoScript, uBlock Origin, Adblock Plus) to avoid issues.
The extension adds an icon to Firefox's main toolbar that you use to control what sites may load. Before you do, you may want to visit the options of the extension to make changes to the initial configuration. The easiest way to get there is to click on the extension icon after installation and there on the title bar that displays "go to dashboard" on hover.
The preferences are divided into tabs; the very first, Settings, list several interesting options.
Here is a list of preferences that you may find useful. I suggest you go through them all though as you may find some useful that are not mentioned here.
- Settings > Convenience -- Show the number of distinct requests on the icon.
- Settings > Convenience -- Collapse placeholder of blocked elements. (If an element is blocked, placeholder is collapsed. May result in a cleaner site, may cause display issues on some sites.
- Settings > PrivacyÂ -- Delete blocked cookies. uMatrix does not prevent sites from setting (blacklisted) cookies, but it blocks cookies from leaving your local system.
- Settings > PrivacyÂ -- Delete local storage content set by blocked hostnames. (removes data stored by blocked hostnames on the local system).
- Settings > Privacy -- Spoof HTTP referrer string of third-party requests. The extension will spoof the HTTP referrer information if the domain name of the HTTP referrer is third-party to the domain name of net request.
- Settings > Privacy -- Strict HTTPS: forbid mixed content -- Prevents the loading of non-secure content on HTTPS sites.
- Settings > Privacy -- Block all hyperlink auditing attempts. Prevents that sites may add pings to links to inform "any party".
You may also check the list of hosts lists the extension uses by default, and may add new lists to it. It loads six lists by default to block malware, ads and tracking servers automatically.
Switch to the Assets tab to take a look. You may use the import option to add hosts files or disable some of the available resources.
Once you are done with that, you need to decide how to run uMatrix. You have two main options to do so: block all or allow all.
The interface may look intimidating on first glance. It lists all first party and third-party connections a web page makes, and data types such as cookies, CSS or script, that are loaded or blocked.
Colors are used to indicate loaded and blocked content, with green highlighting content that is loaded and red content that is blocked.
You may click on a header, e.g. cookie, to set up uMatrix to allow or disallow this type of data globally (with exceptions that you define). Green indicates that a content type is allowed, red that it is disallowed.
Tip: you set something to allowed (green) if you click in the upper half of a box, and to disallowed (red) if you click in the lower half. The difference between dark and light green, and dark and light red is the following one: Darker colors mean that there is a whitelist or blacklist entry assigned to the cell, lighter colors that the status is inherited.
Another option that you have is to allow or disallow for specific hostnames. You may block or allow all for a hostname, or use the granular controls to allow or disallow certain types of data, for instance frames.
If you set uMatrix to block all, all is blocked from being loaded except for the elements that you whitelist. To enable the block all mode, blacklist (set to red) the "all" and "frame" cells of the table.
You may want to allow the "css" and "img" cells so that styles and images do get loaded when you connect to sites.
Click on the padlock icon to save the modified configuration.
This mode blocks all but CSS and images. It improves privacy and security, and is beneficial to the bandwidth on top of that. A downside to this is that you will run into sites that don't render properly or at all so that you may need to allow certain things on particular sites to access them.
Allow all allows any connection and type to be loaded with the exception of hostnames that are blacklisted. This is better for compatibility purposes, but problematic from a privacy and security point of view.
To configure it, set the "all" cell to green, and make sure any other cell is set to green as well. Don't forget to click on the padlock icon to save the new configuration.
The core advantage of allow all is that you won't run into nearly as many rendering issues as with block all, but the effect on privacy and security is diminished.
How you configure uMatrix depends entirely on you. If you want maximum privacy and security, you should go with the block all approach and whitelist only hostnames that you trust. You can still allow certain things temporarily using uMatrix, or load a site in private browsing mode instead.
uMatrix resources and further reading