263 points amarder | 7 comments
userbinator ◴[] No.45077766[source]
If the first item isn't "whitelist JS", you're doing it wrong. So many problems arise from letting any site run programs on your computer that it's best to reserve the privilege to the most trusted of sites.
replies(3): >>45077846 #>>45078131 #>>45083362 #
stusmall ◴[] No.45077846[source]
Meanwhile if I see that I just move on. It just isn't practical to have a workable browser with JS whitelisting for the general case. I doubt people who do this actually do any kind of thoughtful review before hitting "accept". It just adds manual toil with limited benefit.

If they are doing meaningful review, I question how much they actually get done in life.

replies(4): >>45078402 #>>45078915 #>>45079253 #>>45080838 #
1. Sophira ◴[] No.45080838[source]
When it was developed, uMatrix was a brilliant method of being cautious about what runs, and it had a logger so you could easily see what domains you should enable the current domain to have access to.

I still use it honestly, but I'll need to move on at some point - not just because it's MV2-only, but also I've found a way in which uMatrix can be bypassed if a website were to specifically target it. (It doesn't affect uBlock Origin, although I haven't tested the Lite MV3 version.)

replies(3): >>45083029 #>>45083670 #>>45085884 #
2. SahAssar ◴[] No.45083029[source]
> I've found a way in which uMatrix can be bypassed if a website were to specifically target it

Please do tell.

replies(1): >>45085530 #
3. neandrake ◴[] No.45083670[source]
I'm a huge fan of uMatrix too, and have debated getting involved to help revive it.

Can you share more information on the bypass you mention?

replies(1): >>45085342 #
4. Sophira ◴[] No.45085342[source]
Given that uMatrix isn't being developed any more, I've been a bit wary about sharing explicit details. I can say that the bypass works on uMatrix 1.4.4 (the latest release) and that even if you've disabled JavaScript from running via uMatrix - whether via a blacklist or via a whitelist - using this bypass will allow JavaScript to run on the page according to your browser settings.

I haven't tested whether it allows the other elements that uMatrix can block - XHR, frames, etc - but I'm pretty sure that it does.

I've been holding onto this info since the GitHub repository has been archived and read-only for years, and I'm not sure of the best way to handle it given that it's not being developed any more. I've wanted to get this out there but I want to make sure that people are safe, especially now that MV2 is deprecated, so there may be even less chance of an update. This is kinda new territory for me.

replies(1): >>45089880 #
5. Sophira ◴[] No.45085530[source]
I've been a bit wary of giving details due to it not getting updated. See my other comment: https://news.ycombinator.com/item?id=45085342

6. schiffern ◴[] No.45085884[source]
uMatrix can be (somewhat) replicated by setting up uBlock Origin with multiple modes and configuring the "Relax Blocking Mode" hotkey.

So for instance you can start with an extremely restrictive mode like noJS/3rd-party/images, then with each time pressing the hotkey it relaxes to noJS/3rd-party, and then noJS/embeds, then no embeds, then full access (i.e. like uBO comes configured out-of-the-box).

https://github.com/gorilla/ublock/wiki/Keyboard-shortcuts

https://github.com/gorhill/uBlock/wiki/Advanced-settings#blo...

https://github.com/gorhill/uBlock/wiki/Blocking-mode

You still need a solution for cookies (e.g. CookieBro), and I still long for an "expanded expanded" mode on uBO's menu that reveals uMatrix columns, but this might help replace some of your use cases that currently require uMatrix.

7. SahAssar ◴[] No.45089880{3}[source]
MV2 is not deprecated on Firefox; does the bypass work there too?

I'd probably send gorhill a message with the info and then it can either be published to the readme or the extension unarchived and hotfixed or at least published somewhere else.