Opened 4 years ago

Last modified 6 weeks ago

#15279 new project

uMatrix & uBlock to Replace NoScript

Reported by: johnakabean Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: johnakabean, ui_priv Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I always slightly hated noscript because if I wanted to add a site exception to enable ONLY javascript, I was forced to risk allowing, for example, cross-site scripting or XHR for that site along with any others that I wanted to keep blocked.

If I wanted to allow ONLY a function of a 3rd party site required to make the 1st party site run, I had to allow unlimited access to the 3rd party site instead of just what I wanted.

Of course, I could go into noscript preferences and disable "block javascript" but that was GLOBAL and a pain to have to go back in settings to re-enable before browsing another site. Worse, it would be a risk if the current site threw a 3rd-party popup while I had the Global temporarily off...... you get the idea!

The makers of NoScript, in parallel, have been developing HTTP Switchboard for a long time. It is the exact same as NoScript but extremely better, allowing FULL flexibility. You can set, per Site, each domain's ability to manipulate the site in EITHER OR ALL categories of cookie(s), css, images, plugins, scripts, XHR, and "others".

This means if I go to yahoo.com, I can allow, either by default or individual site basis, yahoo.com to ONLY push images, css, and images. Then I can allow ONLY any subdomain required for certain functionality to ONLY run those elements needed for that functionality.

If I need to allow a third party, it's all the same and, unless I choose to make that exception global, that 3rd party domain's element will ONLY be allowed on THAT site!

If I want to allow a certain domain's element on ALL sites, by default, that's an option but, unlike noscript, I don't have to allow a global exception just to get a local exception for that one site's functionality.

They have now went even further to make uBlock and uMatrix, two addons that work together. The only difference between uMatrix and HTTP Switchboard is they took the checkbox on the option pages of HTTP Switchboard, to allow all 1st party elements, and put it on the main switchboard/matrix, allowing specific elements on ALL first party sites by default instead of having to either allow ALL elements on first party sites OR manually selecting on each new 1st party domain visited (see pictures).

uBlock, along with either uMatrix or Http Switchboard, are even better now by having auto-updating malicious (uMatrix) and privacy lists (uBlock), with the ability to add custom ones to block scripts/xhr on sites that would leak the ip, track you, or be malicious! If I choose to unblock an entire subdomain instead of specific elements on that 1st/3rd party (sub)domain, they will still block portions of those domains appearing on the self-updating block lists, unless I go further to override that.

The BEST PART OF ALL: I've worried about extensions I've installed and what sites they can connect to; with uMatrix, you can choose to have a separate set of permissions to apply to the extensions. Finally, I can restrict extensions that shouldn't connect to anywhere to not being able to :) This is the ONLY and FIRST noscript-like element manager, afaik, that can do this! You can use uMatrix to block uMatrix itself from getting blocklist updates, as I've accidentally done :)

The abilities to customize what to SAFELY allow and what to keep blocked, no matter what domain or what site, are ENDLESS; this will really help people use Tor more safely! PLEASE TAKE NOSCRIPT TO THE 21st CENTURY BY REPLACING IT WITH UMATRIX AND UBLOCK!

Child Tickets

TicketStatusOwnerSummaryComponent
#15280closedImages attached, showing functionality......- Select a component

Attachments (2)

umatrix.png (213.0 KB) - added by johnakabean 4 years ago.
uMatrix Features
ublock.png (233.4 KB) - added by johnakabean 4 years ago.
uBlock & uMatrix Features

Download all attachments as: .zip

Change History (13)

Changed 4 years ago by johnakabean

Attachment: umatrix.png added

uMatrix Features

Changed 4 years ago by johnakabean

Attachment: ublock.png added

uBlock & uMatrix Features

comment:1 Changed 4 years ago by gk

Resolution: wontfix
Status: newclosed

There is no plan to ship ad blockers in Tor Browser. See: https://www.torproject.org/projects/torbrowser/design/#philosophy section 5. Also, NoScript is doing more for us than JavaScript handling (we use it e.g. for click-to-play things). Also also, we got some handcrafted things from Giorgio for our security slider we rely on starting with 4.5 stable. Thus, this is a won't fix.

comment:2 Changed 4 years ago by johnakabean

It's not really for ads (that's just a bonus). try these addons> they can block what domains/ip any EXTENSION connects to. By default, all my extensions cannot contact any external source. When I add an exception for an extension to contact a site required for functionality, it does not automatically allow other extensions or even a script of that site on that one extension, if I intended to only allow xhr.

Noscript is ridiculous to use for torbrowser when its creator made something even better. It's like staying with windows 98 when we have Windows 10 coming out.

PLEASE just try umatrix! umatrix is NOT for blocking ads; ublock isn't really either; it's just what it's good at.

Last edited 4 years ago by johnakabean (previous) (diff)

comment:3 Changed 4 years ago by johnakabean

Cc: johnakabean added
Priority: majornormal
Resolution: wontfix
Status: closedreopened

comment:4 Changed 3 years ago by bugzilla

Keywords: Tor Browser uMatrix HTTP Switchboard noscript replace noscript upgrade noscript removed
Severity: Normal
Status: reopenednew
Type: enhancementproject

It's not obvious that it will be an enhancement, but this ticket is a good starting point for accumulating proposals on the topic.

comment:6 Changed 2 years ago by cypherpunks

I'm using uBlock Origin with TBB with blocking.
uBO itself is good, but it has spyware inside. The author refused to fix this.
It constantly try to connect raw.githubusercontents.com.

But NoScript itself is bad too.
https://liltinkerer.surge.sh/noscript.html

comment:7 Changed 2 years ago by cypherpunks

Summary: uMatrix & uBlock to Replace NoScript (and they're awesome)uMatrix & uBlock to Replace NoScript

comment:8 Changed 5 months ago by cypherpunks

This is a good idea. uMatrix has had four years to evolve since this ticket was originally created. Now there are versions of uMatrix for various platforms, and they work well. (I do not understand why we need uBlock also. It seems to me that uMatrix is sufficient.)

  1. There is essentially nothing that NoScript does that uMatrix cannot do also.
  1. The design of NoScript is based on an assumption, specifically that a user essentially never wants to run scripts from some sites and always wants to run scripts from others. This might be appropriate if the threat model is malware. It is emphatically inappropriate if the threat model is cross-site tracking. For example, I might want to allow scripts from google.com for certain first-party sites that use Recaptcha, but not in the general case. uMatrix addresses this elegantly.
  1. NoScript and uMatrix interact together poorly. Specifically, allowing a site with NoScript and blocking it with uMatrix results in the site being always allowed, despite the fact that it would be both safer to apply the most restrictive policy and more logical to interpret fine-grained uMatrix rules sequentially last.

So let's do this, folks. There is no reason to make it hard for people who want to use uMatrix for more fine-grained control.

Last edited 5 months ago by cypherpunks (previous) (diff)

comment:9 Changed 5 months ago by gk

Closed #29443 as a duplicate. See: #17569 which proposes to just include uBlock Origin to Tor Browser.

comment:10 Changed 5 months ago by gk

Cc: ui_priv added

comment:11 Changed 6 weeks ago by cypherpunks

umatrix is not ublock. And noscript is shit. it doesn't block tracking pixels.

Note: See TracTickets for help on using tickets.