Hardening Firefox – a checklist for improved browser privacy

If the first item isn't "whitelist JS", you're doing it wrong. So many problems arise from letting any site run programs on your computer that it's best to reserve the privilege to the most trusted of sites.

Meanwhile if I see that I just move on. It just isn't practical to have a workable browser with JS whitelisting for the general case. I doubt people who do this actually do any kind of thoughtful review before hitting "accept". It just adds manual toil with limited benefit.

If they are doing meaningful review, I question how much they actually get done in life.

and it's trivial to do with uBlock.

it have both a global option to disable js, and a option to set a keyboard shortcut to reenable as needed for each site.

I have NoScript by default set to no run. Some sites work better without it.

You only have to whitelist your top sites once, not every day.

I very clearly remember, many years ago, a site (which was otherwise perfectly usable) nagging me to "enable JS for a better experience"; curious, I did and was immediately assaulted with all manner of hostile and irritating crap like popups, text selection hijacking, and even attempts to disable the right-click menu. Hurriedly disabled JS again to regain sanity. Nope. I'm never falling for that again... Of course the problem these days is with sites that don't work at all without JS even if they're just static content, and I suspect part of the reason is to force-feed you the crap along with the real content.

It's quite telling that even the mobile version of Chrome, well known for being the most user-hostile browser, has the option to whitelist or blacklist JS and various other features like location access.

Chrome didn't have anything other than a global JS on/off at first, so they clearly added this feature later.

When it was developed, uMatrix was a brilliant method of being cautious about what runs, and it had a logger so you could easily see what domains you should enable the current domain to have access to.

I still use it honestly, but I'll need to move on at some point - not just because it's MV2-only, but also I've found a way in which uMatrix can be bypassed if a website were to specifically target it. (It doesn't affect uBlock Origin, although I haven't tested the Lite MV3 version.)

NoScript also allows you to select which scripts you want to allow. It's not all or none. You can also view the source before you decide to let it run.

> I've found a way in which uMatrix can be bypassed if a website were to specifically target it

Please do tell.

I have also found that since using Noscript that way and only whitelisting the few sites I actually use interactively, now because all the Cookie warning garbage, clicking away of subscribe dialogs etc is gone, all in all I do less manual annoying interaction on sites I visit.

I'm a huge fan of uMatrix too, and have debated getting involved to help revive it.

Can you share more information on the bypass you mention?

>and I suspect part of the reason is to force-feed you the crap along with the real content.

Insert the quote about being malicious and incompetent. Modern frontend frameworks like react make sure that your site won't work without js at all, unless you intentionally put some work for that 0.1% of internet users who browse with js disabled

Given that uMatrix isn't being developed any more, I've been a bit wary about sharing explicit details. I can say that the bypass works on uMatrix 1.4.4 (the latest release) and that even if you've disabled JavaScript from running via uMatrix - whether via a blacklist or via a whitelist - using this bypass will allow JavaScript to run on the page according to your browser settings.

I haven't tested whether it allows the other elements that uMatrix can block - XHR, frames, etc - but I'm pretty sure that it does.

I've been holding onto this info since the GitHub repository has been archived and read-only for years, and I'm not sure of the best way to handle it given that it's not being developed any more. I've wanted to get this out there but I want to make sure that people are safe, especially now that MV2 is deprecated, so there may be even less chance of an update. This is kinda new territory for me.

I've been a bit wary of giving details due to it not getting updated. See my other comment: https://news.ycombinator.com/item?id=45085342

uMatrix can be (somewhat) replicated by setting up uBlock Origin with multiple modes and configuring the "Relax Blocking Mode" hotkey.

So for instance you can start with an extremely restrictive mode like noJS/3rd-party/images, then with each time pressing the hotkey it relaxes to noJS/3rd-party, and then noJS/embeds, then no embeds, then full access (ie like uBO comes configured out-of-the-box).

https://github.com/gorilla/ublock/wiki/Keyboard-shortcuts

https://github.com/gorhill/uBlock/wiki/Advanced-settings#blo...

https://github.com/gorhill/uBlock/wiki/Blocking-mode

You still need a solution for cookies (eg CookieBro), and I still long for an "expanded expanded" mode on uBO's menu that reveals uMatrix columns, but this might help replace some of your use cases that currently require uMatrix.

MV2 is not deprecated on firefox, does the bypass work there too?

I'd probably send gorhill a message with the info and then it can either be published to the readme or the extension unarchived and hotfixed or at least published somewhere else.