I've been using the eye dropper a lot lately. It's great for making websites usable. It even works on mobile for disabling hostile ux elements such as "xyz is better with the app" nags.
For some reason, Content Blockers on iOS only work on Safari. Other browsers on iOS are not allowed or able to implement them.
uBlock Origin is also more fully featured than Content Blockers, which don't have the on-demand whitelisting features and toggles. However, since uBlock Origin is only available as a browser extension, it can only be used with a browser that supports extensions. No browser on iOS is able to support uBlock Origin.
Firefox Focus on iOS blocks 78% with all tracker blocks are enabled, and 62% with the last “Block other content trackers” option disabled. Percentage figures are from test on https://d3ward.github.io/toolz/adblock.html.
Firefox Focus is a nice browser for certain use cases, but it can't compare to uBlock Origin, which scores 100% on that test for me on a fresh install with default settings (using Firefox on Android and desktop).
It's interesting how Firefox Focus on iOS also acts as a Content Blocker for Safari, but I find AdGuard to be more comprehensive on iOS.
Brave on iOS only scores 77% for me with the default settings, which includes the "Block cross-site trackers" Shield setting. Do you have some other setting enabled?
I was replying specifically to the first paragraph in the parent comment that other apps on iOS are not able to implement content blockers. Firefox Focus does appear to do just that. Obviously, not as effectively as uBlock Origin (thanks for testing!) but uBO isn’t yet available to install on Firefox on iOS.
(Edit since I can’t reply):
Firefox Focus does appear to implement iOS content blocker since it appears as an option under Safari settings for content blockers.
Firefox (standard and Focus) and other iOS browsers can block ads and trackers, but not as comprehensively as that API can. That API is limited to Safari due to platform restrictions, which I hope get removed in the future.
Firefox Focus appears under Safari settings > content blockers, along with more typical blockers like AdGuard. I think they both implement Content Blocker API.
The way Firefox Focus is implemented on iOS is a little complicated, since it's both a browser and a Content Blocker. As of 2017, Firefox Focus uses WKWebView as the webview component: https://github.com/mozilla-mobile/focus-ios/pull/507
WKWebView does not support the Content Blocker API. Ad blocking apps that use the Content Blocker API are only compatible with Safari and the SFSafariViewController component, which is very feature-limited and not suitable for a full web browser app:
As a workaround, Firefox Focus uses script injection to block ads and trackers within the browser part of itself, but the Content Blocker part of Firefox Focus only affects Safari:
However, both Firefox Focus and Safari (with the Firefox Focus Content Blocker enabled) score 78% on that test, so Firefox Focus might be good enough for web browsing on iOS if you're comfortable with its feature set and don't need the additional filter lists or custom rules that another third-party Content Blocker would offer.
Apple should still allow third-party browsers to use third-party Content Blockers, since this restriction is an unnecessary handicap for any non-Safari browser on iOS.
Increasing YouTube ad display rates on mobile drove me to using the (somewhat clunky) AdGuard share button in safari that blocks ads when using YT in Safari. I’m just glad there is some option on iOS.
It is funny that Android has better adblock features (uBO on Firefox).
One rather effective way to get much higher (approx 99%) on iOS is to use a DNS over HTTPS provisioning profile (or app), and use a DNS server that blocks ads.
If you run your own server, you can get to 100% by turning on blocking for a couple of hosts not in standard blocklists that this test has highlighted.
The DNS setting applies to most or all apps, as far as I can see, as it's applied as a system level provisioning setting. iOS 15 gives more visibility of this in the UI, but it works in iOS 14.
Similarly, disabling the social features on SO was very useful. The "Hot network questions" block to the side is needlessly distracting and adds 0 value.
I must’ve purged over 50% of visual elements from Fandom wikis with my uBlock filters. It’s outrageous how much garbage is served. I wonder what their UX design meetings look like.
A site:reddit.com/r/DaystromInstitute/ search with a plugin to redirect www. to old. if you're not logged in can replicate a lot of what Memory Alpha has from all the discussion. At least until Reddit finishes alienating everyone interested in weird niche discussion in favor of clickbait.
Even for areas where there is a community wiki (e.g. uesp, combineoverwiki), Google seems to prefer the Wikia/Fandom version with all the crap on the pages.
And a lot of those community wikis that originally set up not on Wikia intentionally, like minecraft, terraria and wowpedia wikis, ended up on Gamepedia which Wikia took over and reeled them back in.
Well, the icons are just terrible, utterly insipid and lacking in power. It needs labels rather than icons, and better names for “zapper” and “picker” too (something like “remove elements from this page” versus “block elements from this site”).
I’m not sure if browsers apply height limits to these popups, but if not, almost every time there will be oodles of space for full labels and replacing the two single rows of buttons with columns. And even if scrolling is introduced, that’d still be better.
At least they now have tooltips - I remember when choosing "Advanced mode" (which you need for a lot of features) just disabled tooltips in the UI, on the theory that advanced users shouldn't need them! I (and likely many others) argued how crazy an assumption that was, that just because we understood how HTML and JS worked, we should remember a bunch of icons and what the dev decided they meant. Thankfully they were willing to listen and change the decision, and the UI is a lot better for it.
If you have some pull here, it would be really nice to have popups added to the grid in the middle of the dropdown where the colored boxes are. I use these very rarely and can never remember which column of colored boxes do what.
Yandex Browser on Android [which is based on Chrome] supports Chrome extensions. I'm running it with uBlock Origin, Privacy Badger and a few others. If an extension won't load directly from the Chrome Webstore you can toggle 'Developer Mode' under 'chrome://extensions' and load the downloaded and unpacked CRX directly.
I had high hopes for Kiwi Browser but, unfortunately its text-reflow feature has been broken since forever. Yandex Browser is the only one available on Android that ticks both those 'must have' boxes for me: full support for extensions and a functional text-reflow feature --without which a huge swathe of the web is unreadable for me, due to microscopic text sizes.
I know other browsers have their own built-in ad-blockers, but I prefer to use uBlock Origin across all my devices so, when I setup a new one, I can just import my existing rules & settings, built up and tweaked over many years, rather than start from scratch.
This feature is so good but so confusing to use, really the best thing about ublock beyond the ad-blocking. I use very extensively, I almost wish it was a standalone tool, so that the filtering aspects could be shared more easily.
This is one of the best hidden features of uBlock. While we're on the topic, how does one effectively block facebook ads?
I've got simple rules to chop the ads from LinkedIn, but if you do an inspect on FB, they've been very sneaky about how the elements are set up, eg it doesn't just say "Sponsored" in a string, it's a weird mash that ends up looking like that when rendered but hard to nail down.
Then again I'm more of a backend dev, so maybe that's why I don't know what to do.
> weird mash that ends up looking like that when rendered but hard to nail down.
It is designed to be very hard to select automatically. It is also why I don't use Facebook more than 5 minutes a week - it is among the only services where ads annoy me.
> *Important News*: 4th September 2021: Sponsored Posts Issue: It seems Facebook have just changed their code for Sponsored Posts, so some people have started seeing Sponsored Posts in their Newsfeed again, I am working on fixing this, please be patient, thanks! *UPDATE* It seems for some people the sponsored posts are only getting through if your Newsfeed is set to "Top Posts", if you switch to "Most Recent", the Sponsored Posts should in theory disappear. The good news is that FBP has an option to keep you permanently on the "Most Recent" feed when you visit the Newsfeed, so that could possibly solve the issue for now, give it a try and let me know if that solves it for you. In the meantime, I will continue working on a more robust fix.
Open the FBP options screem by clicking the "FBP" button in the navigation bar at the top of the page.
Under the "Further options" heading there is a setting titled "News Sort: Most Recent". Tick that option, then click the "Save and Close" button.
As mentioned above this is not guaranteed to fix hiding the sponsored posts, but a lot of people are reporting success with it, as Facebook seem to pepper the "Top Posts" version of the Newsfeed with more ads than the "Most Recent" version, and "Top Posts" is Facebook's default setting for the Newsfeed.
This has the strange effect of removing every item in the feed, causing it to flash while waiting for a refresh, forever. Skeleton -> flash of new item -> skeleton -> etc
It also blocks the paywall in some webs that aren't too well designed (the content is loaded under a frame that hide it). It's great to have such a good tool.
The eye dropper is also quite useful for writing userscripts and userstyles directly on Android; I tap the element, hit preview to see what happens (margins, padding, border collapse, etc), type a note at the end of the element name and sirens it to the clipboard, then move on. Back in the editor, I just paste my notes from the clipboard, and I can quickly write up a stylesheet override for a dynamic webpage without resorting to debugging on my desktop.
I don't understand why Firefox mobile can't be used to debug another Firefox mobile, I I'd love it if I could open devtools off to the side and see a live tree view instead of manually prefixing the URL with `view-source:` only to find out the html doesn't actually include any content.
His work has saved me gigabytes, if not terabytes of data, and hours, if not days of attention time. Thank you very much gorhill. If you ever need a place to stay or just a coffee, you are very welcome.
10+ million users on the Chrome App Store, 1GB saved per year per user for say 5 years (pulling these numbers out of nowhere really but I think they’re fairly conservative) = 50 exabytes.
don't usually flex with tech but isn't uMatrix [1] just a little bit harder to learn and a million times more satisfying? at least on my often-used systems, I have a hard time imagining loading a website without being able to control the third party content in a matrix these days.
If you want to avoid ads and tracking, the last browser you should use is Google Chrome. Google has been deliberately crippling Chrome so that ad blockers don't work properly.
I don't really recommend it for anyone other than very bored devs, but it is very satisfying at times. The effort-to-utility ratio is honestly quite bad. Most of the *actually useful* functionality is redundant now with newer uBlock features.
I love the seratonin rush of one-click "disable 1p CSS" on an ugly website, or figuring out how to fuck with a clever-but-stupid paywall for the first time. :)
Also, the uMatrix UX is absolutely brilliant (that genius 2.5D green/red matrix).
ublock can block everything umatrix can but reverse is not true. It had been the case from beginning but people are not aware. So I find ublock much more satisfying.
I think it might be true, but it's a lot harder to do uMatrix things in uBO, because the 'advanced mode' just gives you allow/disallow per domain, not the er matrix at CSS/image/media/scripts/XHR/frames/other granularity.
I think you can get that granular in the manual/text based rules edit of uBO in settings, but I stopped looking into it / considering switching fully at that point (I'd always used it in simple mode in addition to uMatrix, just to block cosmetic DOM stuff that uMatrix doesn't do) since I need it to be far easier and quicker than that, as it is jn uMatrix.
So switching to nuTensor (a light-touch security/necessary FF updates only sort of fork) has been on my to-do list.
My uMatrix default is all cookies blocked; third-party media, scripts, XHR, frames, other blocked. Of course I often then have to allow some third-party script, and I can do so in one click without also allowing XHR or frames to/from that domain.
uBO doesn't allow that (in the toolbar UI, 'advanced'/'more' mode), because it's missing the columns from the 'matrix', so you either allow/block a domain wholesale.
I don't want to block ads on every site I go to, and having an extension rather than a DNS sinkhole makes toggling between blocking and not blocking much simpler.
I find both are needed. It is nice to see that I block a huge amount of data from getting used up by ads when pihole block it. And just in case it gets through ublock. ublock is usually ahead of the more sophisticated attacks.
I found the most frustration came from links in emails not working as intended. For some reason many companies, government agencies, and schools use metrics tracking on emails.
Pi-hole has a nice temporarily disable blocking feature on its dashboard to help in those cases. Simple click to whitelist is also available.
It’s probably not ideal tbh. You can whitelist stuff that’s blocked, but it involves logging into the admin console and whitelisting either manually or via a recently blocked request, easy enough for techies but I wouldn’t back it for non techies.
I use a fairly aggressive Pihole list that breaks stuff reasonably often, there may be less strict lists which are “safer” in this regard.
Some sites breaking was a complaint my wife had when I set all devices on our network to use the pi-hole.
To solve this I setup a Shortcut on her iPhone so she can simply say "hey siri, stop pi-hole" and it will turn off the pi-hole for 5 minutes using a simple web request. The pi-hole turns itself back on after 5 minutes.
A bookmark works just as well but she prefers to use Siri as she never remembers where the bookmark is lol. It is mostly on her phone anyway that something doesn't quite work right so Siri was the best solution.
I also have Wire Guard setup and our phones configured to connect to it always for mobile data and unknown wifi so all our connections are routed via our home internet connection and via the pi-hole. As I have stupidly fast home internet (10Gbit EPON with free.fr) it works fantastically.
Please don't use DoH as an evil advertising bogeyman. It's a huge win in the fight against censorship and surveillance, and everything that it lets advertisers do can be equally done by hardcoding an IP address in the app instead.
But to win against “surveillance” you need to make a smart, conscious decision about who you want to give your browsing history to.
For me, I’d rather my ISP sees my DNS, than all that data is sent to some American mega-corp keen to hoover up every last datapoint about me they can.
My ISP can for the most part look at HTTPS SNI field and see all the domains I access anyway. So switching to say, Google DoH, only means that now Google have that list as well as my ISP.
> some American mega-corp keen to hoover up every last datapoint about me they can
That's a really good description of both Comcast and Verizon. Not so much of Cloudflare though - they seem to actually care about people's privacy.
> My ISP can for the most part look at HTTPS SNI field and see all the domains I access anyway. So switching to say, Google DoH, only means that now Google have that list as well as my ISP.
Isn't this just an argument to hurry up and get eSNI/ECH rolled out everywhere?
Sure Cloudflare are better than those other big US ISPs.
But for those of us in the EU, where such practices are illegal, we may want to think twice about giving our data to Cloudflare (who are subject to requests from US govt for instance.)
Even in the EU, couldn't there still be a privacy benefit? Set aside for a minute what's legal and illegal, and just consider what entities are capable and incapable of. By using a DoH provider (that sees what domains your client IP is looking up) other than your ISP (that knows that your client IP goes with your real-life identity), there's now no single entity capable of associating your real-life identity with which domains you've looked up.
And I already use trusted DNS providers (over TLS) so it's not really an issue. My provider can't see my DNS lookups. Also, in the EU providers are not allowed to use deep packet inspeciton so they only know your queries if you use their own DNS.
Hardcoding an IP is really difficult to do for adtech providers for 2 reasons:
1) They usually subcontract to cloud providers that don't
guarantee IPs
2) It breaks SNI (Server Name Indication), also heavily used on cloud services
There's better ways to do secure DNS than DoH, like DoT (DNS over TLS)
I like secure DNS but I still want my own server to be the middleman. With DoH this isn't easily possible, especially on mobile due to the root CA issue. DoH is normally implemented using a major player like CloudFlare. Sure, they promise not to look at it. But the phrase "Don't be evil" still is pretty fresh in my mind.
But anyway, it's a moot point. Even if we could block DoH somehow (we can't due to certificate pinning and Android no longer allowing to add a global root CA since Android 7), app providers could just implement their own lookup system or something. Whether we like DoH or not it's here to stay.
Sure, but that's only because your computer can't distinguish your Pi-hole blocking DNS to block ads from an evil ISP blocking DNS to censor you. And if your device supports DoH, can't you just point it to one of the many publicly-available DoH servers, or set up a DoH server on your Pi-hole and then point at that?
> It breaks SNI (Server Name Indication), also heavily used on cloud services
They can just hardcode the IP in the hosts file, not in the client program. Then SNI will still work normally.
> There's better ways to do secure DNS than DoH, like DoT (DNS over TLS)
Then the people who want to do censorship and surveillance will all just block port 853. It's a feature that DoH is hard to distinguish from other HTTPS traffic.
> I like secure DNS but I still want my own server to be the middleman. With DoH this isn't easily possible, especially on mobile due to the root CA issue.
Can't you set up your own DoH server with its own domain name, get a Let's Encrypt certificate for it, then point your mobile device at that?
> DoH is normally implemented using a major player like CloudFlare. Sure, they promise not to look at it. But the phrase "Don't be evil" still is pretty fresh in my mind.
Isn't the alternative that your ISP is definitely looking at it?
> Can't you set up your own DoH server with its own domain name, get a Let's Encrypt certificate for it, then point your mobile device at that?
Yes. But what’s the angle here? You trust “ISP(s) hosting your DoH server” but not “ISP providing phone connection?”
Might be a legitimate reason for that, but ultimately as with all these discussions it’s just a matter of who you’d rather give the data to.
And your ISP will still be able to see from SNI for the most part so… it boils down to “my ISP can see anyway (via SNI), should I also let someone else see (DoH provider)?”
> Yes. But what’s the angle here? You trust “ISP(s) hosting your DoH server” but not “ISP providing phone connection?”
Your own DoH server could just do the filtering you want and then hand off the work to another real DoH server like Cloudflare's.
> Might be a legitimate reason for that, but ultimately as with all these discussions it’s just a matter of who you’d rather give the data to.
True, but in most of the USA, your ISP is the least trustworthy choice for who to give your data to.
> And your ISP will still be able to see from SNI for the most part so… it boils down to “my ISP can see anyway (via SNI), should I also let someone else see (DoH provider)?”
> Then the people who want to do censorship and surveillance will all just block port 853. It's a feature that DoH is hard to distinguish from other HTTPS traffic.
Not an issue here in the EU. Alternative DNS is not blocked. Providers sometimes block the pirate bay but they're never obliged to block alternative DNS and they're not allowed to anyway as they're not allowed to do Deep Packet Inspection.
> Isn't the alternative that your ISP is definitely looking at it?
No, this is not allowed in the EU. They can see it if you use their DNS. Otherwise not.
I understand the feature that hiding the DNS traffic among other HTTPS traffic brings, but this is mainly a feature in countries without strong privacy laws. For me I would prefer to separate the traffic so I can control it myself.
And really if I'm in a country with such invasive censoring I would prefer to use a VPN and avoid their prying eyes altogether. DNS is only part of the equation. IP endpoints still tell them a lot. Especially on IPv6 as there's no more need for SNI.
I'm just not sure if it's a good idea to obfuscate core protocols of the internet, just to avoid an issue in certain countries that is not very well solved by this anyway. At the same time I have to give up a lot of valuable statistics, troubleshooting data and validation about whether apps do as they claim.
However like I said I can't stop an app doing this, precisely for the reason it's obfuscated. I won't use it on my own network however.
> Can't you set up your own DoH server with its own domain name, get a Let's Encrypt certificate for it, then point your mobile device at that?
I don't want to bother with getting public domain names and validate their IP with Let's Encrypt just because I want to use them internally. The renewal process is really complex for something that doesn't have a public IP and I don't want to have my internal DNS available on the internet (it also contains local domain names only available on my LAN and P2P VPN)
In fact encrypting that traffic on the local segment doesn't really add any value for me. I just encrypt the outbound part (from the pihole) with DoT.
> They can just hardcode the IP in the hosts file, not in the client program. Then SNI will still work normally.
How would that work? I control my host file. Apps can not mess with it. Not on my computer and not on my phone.
It's great that you live somewhere where you don't have to worry about any of these things, but a lot of us aren't so lucky.
> And really if I'm in a country with such invasive censoring I would prefer to use a VPN and avoid their prying eyes altogether.
Those countries block VPNs.
> Especially on IPv6 as there's no more need for SNI.
I can foresee CloudFlare offering a single-IPv6 shared endpoint for the sole purpose of making eSNI/ECH remain effective.
> At the same time I have to give up a lot of valuable statistics, troubleshooting data and validation about whether apps do as they claim.
Can't you get this information directly off of your endpoint device, whether or not the traffic is encrypted over the network?
> How would that work? I control my host file. Apps can not mess with it. Not on my computer and not on my phone.
I was thinking more about IoT appliances when I wrote that. For programs on your phone or computer, they can tell their TLS library to use whatever SNI you want, so even if they did hardcode the IP in the client program, SNI could still include the right hostname.
DNS over HTTPS. It is a new(ish) way to do lookups that deals with the insecurity of most DNS setups (where packets are often neither signed nor encrypted) by hitting a resolver over https. Often the application will hard code the resolvers it intends on using, which leads people to believe it is adtech as it allows apps to bypass blocking by PiHole and the like. It, like most tech, can be used or abused.
Once the system, or network admin would set the DNS servers up and everything on the system would use those. There is no reason why that paradigm couldn’t continue and move to DoH.
The other change is that applications are now bypassing the system-configured DNS and sending requests (and thus data about what you are looking at,) where the application wants. The “centralisation” issue also comes into this. But again, the change from a system-level to per-app setting could happen with regular old plaintext DNS.
DoH is part of the discussion in both cases, which clouds the debate.
If you want dns-level ad blocking, there's also nextdns.io. You can also use it outside of your home network. I'm on their free tier and very happy with them.
On chrome (and chromium based browsers afaik), the browser loads the web pages first and then loads extensions compared to firefox which loads extensions first and then the web pages.
uBlock Origin is amazing in that it has not succumbed to scammers. Every other blocker including AdBlock and the original uBlock have sold out to scummy companies. It's a problem with every successful browser extension, they all start getting offers from scammers to sell out.
We all owe a huge debt of gratitude that gorhill is a principled character and has stayed on to guide uBlock Origin all these years.
Absolutely. Ublock origin is probably one of the highest impact products on my life. I would have a measurably worse time if it didn't exist or didn't work as well as it does. And it is free!
The developer is a saint, and it just occurred to me that I should donate to their project.
Sadly uTorrent did succumb to darkness a while ago by bundling a bitcoin miner and other dodgy software with the client as installer opt-out checkboxes.
That's not an accident. uBlock Origin used to be called just "uBlock". The author of uBlock Origin gave up control of uBlock because he was frustrated with requests to the project.[0] He immediately regretted this decision, forked the original project and this event cemented his view that uBlock Origin would never be out of his control.
uBlock Origin is cool, but the reason I stopped using it is that any web page stopped opening on my work PC. Never found out why, used Adblock Plus since. Considering going back now.
Ironically, ublock origin does not work on this blog page & allows scripts such as google analytics to run because it is hosted under the umbrella domain addons.mozilla.org
I wish the exception for add-ons not working on the addons site would only apply to the actual add-on download portion of the site, and they don't host random non-addon-download content on the same domain.
> We now have two check boxes in our GA premium account that allows us to opt-out of additional usage of our data. Because Mozilla pushed Google so hard, those two check boxes are available to every other GA user in the world regardless if they have a premium account like we do. GA also doesn't track IPs or store PII within the tool.
I'm very confused. How the hell does Mozilla have enough lobbying power with Google to strong-arm them into providing an option for every user to undercut the very data collection Google provides GA for?
But this assumes you trust Google. Why would you trust an entity whose business model is against your interests and who has the ability to hide their misuse of data (given how many factors go into ad targeting, it's impossible to prove whether a particular ad was targeted based on data collected legally or not) and is big enough to successfully fob off privacy regulators (their consent flow is still not GDPR compliant)?
This a really interesting point I never considered, but Mozilla isn’t being paid by a ton of different advertisers to not implement blocking - are they? How would we know?
Side note, I would absolutely pay for a browser that rolled everything in without setting it up myself.
Still true. Apple makes money off adversting just like anyone else. they also get paid obsurd amounts of money to from Google to make them the default search engine in Safari.
I don't know why you are being downvoted for your curiosity.
To answer your question - it's because the major source of revenue for browser makers is search engines. Google, Yahoo, Bing etc. pay browser maker money to bundle their search engine in the browser, and also share a small percentage of revenue with them. Search engines make money from advertising. So obviously they discourage browser makers from including ad blocking tech in browsers. (Look at the money involved - Google Said to Pay Apple $15 Billion to Remain Default Search Engine on Safari in 2021 - https://gadgets.ndtv.com/apps/news/google-apple-default-sear... ... and you can understand why it is so difficult to say no to it).
Re the downvotes, I talk too much like Reddit. Dw though I don’t fall for the endorphin trap of seeking approval from my peers; it deters original thought.
Also this accounts a burner so I guess I do fall for the trap but downvote away if you like.
I too love ublock but your statement just smacks of stupidity. I don't want a mainstream browser to be so opinionated as to take it upon itself to block various domains. And the meme of calling everything you don't like "absolutely insane"... Take that shit back to Reddit imo
Sure, I get the censorship issue but there’d be nothing stopping you select a blocklist which you politically and socially align to. AFAIK unlock origin does this, so why baking that directly into the browser makes you so mad is beyond me.
And absolutely insane is a dig at this distopia where we’re allowing advertising companies to drive the technology which would arguably be more valuable than currency.
But sure, off to Reddit I go, just because you don’t like the way I talk.
I think your point about browser companies controlling blocklists is valid, particularly in the current landscape.
I’m all for data privacy and freedom of speech, but i also think we need to place revocable trust in other parties to curate our data in a way that improves signal to noise ratios while not impeding on actual freedoms (lest we revoke our trust).
But also browsers should just disable auto play videos they’re damn offensive.
I too often wonder about this. The answer is conflicts of interest. We can't trust Google to maintain an effective ad blocker. Firerox is also funded by Google.
Was worried about running all my web history through this extension for privacy reasons, has anyone gone through the source code to verify uBlock Origin’s privacy policy?
I’ve really been enjoying Firefox lately, and this just makes it better. I was historically suspicious of the idea of doing things in the browser, but for many things it now seems the most portable and privacy-preserving way to do most things, and I’ve given up many apps (e.g. I listen to podcasts now from the browser).
Using Firefox + uBlock will also increase battery saving - with uBlock Firefox makes fewer network connections (to the ads / trackers servers), fewer ad images / videos are loaded by the browser saving both processing power, memory and bandwidth, and cpu processing is reduced due to blocking of unwanted (ad / tracker) javascript.
I just wish that they'd add a text or symbol in the top of the global and local dynamic filtering boxes. Every single time that I use it I have to look up which one's which, because it isn't obvious and I can't remember.
I recently discovered that it also acts as a great anti-productivity page blocker. Simply add your top social and news addiction pages to the blacklist and you’re set.
I use Firefox only for work, which has helped me immensely to stay focused and not “just quickly check hacker news for the tenth time in an hour” (as much as I like to ;)).
On my phone, I blocked the feeds for Hacker News, Reddit and a few other sites. I blocked notification badges on most sites. I can still get to individual pages from Google, but I can't mindlessly browse those websites.
It's really effective. I don't even know what to do with my phone any more.
> I don't even know what to do with my phone any more.
I hear there's some way you can use an app on your phone to have a voice conversation with someone else, but apparently you need to know a magic number?
I'm told there was even a time when the number only addressed a location, so you would have to figure out who was talking on the other end through a complex linguistic handshake.
And it didn't even have identity authentication, past a basic voiceprint!
I do something similar, I noticed that a link to a tweet in an article that I'm reading will always result in me clicking through and then wasting time catching up.
I used this filter, it makes twitter links look like normal text:
Yes, the ability to block parts of pages is handy too.
I've not taken to blocking whole sites yet. But sites with "recommendations" attached to every page are a real distraction. I block them on stackoverflow, otherwise I end up reading about the etymology of some obscure word or advice for a dungeon master in a weird D&D scenario =)
At present Firefox on android only allows a limited range of extensions from Addons Manager, but you're right, uBlock Origin is one of them. I really look forward to them being opened up so I can build my own without any hassle.
uBlock Origin is one of the 18 extensions that are pre-approved for use in Firefox for Android. To use any other add-ons from addons.mozilla.org, you'll need to use Firefox Nightly (https://play.google.com/store/apps/details?id=org.mozilla.fe...) and follow these instructions:
I'm not sure why Mozilla is refusing to allow these extensions on the Beta channel, since the WebExtensions support is definitely stable enough for Firefox Beta.
I'm not sure why companies think that restricting usage this way improves their product in any way. You need a different build, and an online account to do something that should require neither.
Heck, I can only partially understand the "click many times over crap" to enable experimental features, which should have been _enough_ to begin with (and certainly not a requirement in a beta build). How many hoops do I need?
After reading this, I was really /hoping/ Fennec would remove the requirement of having a Mozilla account, but no, you still need to create an account and an useless "collection".
TBH I use (and ever used) Firefox just due to the available extensions. The value proposition has decreased quite a bit with recent FF versions, and on Android uBlock is pretty much the only reason I stick to it.
I wish I had more alternatives, because clearly the browser duopoly isn't working.
259 comments
[ 3.1 ms ] story [ 246 ms ] threaduBlock Origin is also more fully featured than Content Blockers, which don't have the on-demand whitelisting features and toggles. However, since uBlock Origin is only available as a browser extension, it can only be used with a browser that supports extensions. No browser on iOS is able to support uBlock Origin.
Safari 13+ on macOS also no longer supports uBlock Origin due to platform restrictions: https://github.com/el1t/uBlock-Safari/issues/158
It's interesting how Firefox Focus on iOS also acts as a Content Blocker for Safari, but I find AdGuard to be more comprehensive on iOS.
And unfortunately, on iOS the alternative isn’t ublock origin.
(Edit since I can’t reply): Firefox Focus does appear to implement iOS content blocker since it appears as an option under Safari settings for content blockers.
Firefox (standard and Focus) and other iOS browsers can block ads and trackers, but not as comprehensively as that API can. That API is limited to Safari due to platform restrictions, which I hope get removed in the future.
Firefox Focus appears under Safari settings > content blockers, along with more typical blockers like AdGuard. I think they both implement Content Blocker API.
WKWebView does not support the Content Blocker API. Ad blocking apps that use the Content Blocker API are only compatible with Safari and the SFSafariViewController component, which is very feature-limited and not suitable for a full web browser app:
- https://www.wwdcnotes.com/notes/wwdc20/10188/
- https://developer.apple.com/news/?id=trjs0tcd
As a workaround, Firefox Focus uses script injection to block ads and trackers within the browser part of itself, but the Content Blocker part of Firefox Focus only affects Safari:
- https://github.com/mozilla-mobile/focus-ios/blob/main/Blockz...
- https://github.com/mozilla-mobile/focus-ios/blob/main/Blockz...
- https://github.com/mozilla-mobile/focus-ios/issues/1761
However, both Firefox Focus and Safari (with the Firefox Focus Content Blocker enabled) score 78% on that test, so Firefox Focus might be good enough for web browsing on iOS if you're comfortable with its feature set and don't need the additional filter lists or custom rules that another third-party Content Blocker would offer.
Apple should still allow third-party browsers to use third-party Content Blockers, since this restriction is an unnecessary handicap for any non-Safari browser on iOS.
It is funny that Android has better adblock features (uBO on Firefox).
If you run your own server, you can get to 100% by turning on blocking for a couple of hosts not in standard blocklists that this test has highlighted.
The DNS setting applies to most or all apps, as far as I can see, as it's applied as a system level provisioning setting. iOS 15 gives more visibility of this in the UI, but it works in iOS 14.
PM me when we're wheeling out the corporate guillotine.
I’m not sure if browsers apply height limits to these popups, but if not, almost every time there will be oodles of space for full labels and replacing the two single rows of buttons with columns. And even if scrolling is introduced, that’d still be better.
At least they now have tooltips - I remember when choosing "Advanced mode" (which you need for a lot of features) just disabled tooltips in the UI, on the theory that advanced users shouldn't need them! I (and likely many others) argued how crazy an assumption that was, that just because we understood how HTML and JS worked, we should remember a bunch of icons and what the dev decided they meant. Thankfully they were willing to listen and change the decision, and the UI is a lot better for it.
Also, Vivaldi has a fairly complete adblocker built-in, with custom filter lists and also scores a solid 100% on that test.
I know other browsers have their own built-in ad-blockers, but I prefer to use uBlock Origin across all my devices so, when I setup a new one, I can just import my existing rules & settings, built up and tweaked over many years, rather than start from scratch.
I've got simple rules to chop the ads from LinkedIn, but if you do an inspect on FB, they've been very sneaky about how the elements are set up, eg it doesn't just say "Sponsored" in a string, it's a weird mash that ends up looking like that when rendered but hard to nail down.
Then again I'm more of a backend dev, so maybe that's why I don't know what to do.
It is designed to be very hard to select automatically. It is also why I don't use Facebook more than 5 minutes a week - it is among the only services where ads annoy me.
> *Important News*: 4th September 2021: Sponsored Posts Issue: It seems Facebook have just changed their code for Sponsored Posts, so some people have started seeing Sponsored Posts in their Newsfeed again, I am working on fixing this, please be patient, thanks! *UPDATE* It seems for some people the sponsored posts are only getting through if your Newsfeed is set to "Top Posts", if you switch to "Most Recent", the Sponsored Posts should in theory disappear. The good news is that FBP has an option to keep you permanently on the "Most Recent" feed when you visit the Newsfeed, so that could possibly solve the issue for now, give it a try and let me know if that solves it for you. In the meantime, I will continue working on a more robust fix.
Under the "Further options" heading there is a setting titled "News Sort: Most Recent". Tick that option, then click the "Save and Close" button.
As mentioned above this is not guaranteed to fix hiding the sponsored posts, but a lot of people are reporting success with it, as Facebook seem to pepper the "Top Posts" version of the Newsfeed with more ads than the "Most Recent" version, and "Top Posts" is Facebook's default setting for the Newsfeed.
I don't understand why Firefox mobile can't be used to debug another Firefox mobile, I I'd love it if I could open devtools off to the side and see a live tree view instead of manually prefixing the URL with `view-source:` only to find out the html doesn't actually include any content.
https://github.com/gorhill/uBlock/wiki
They don't accept donations. Gorhill you are a beautiful person.
ublock is almost required infrastructure on my machines. os, editor, mpv, browser+ublock
i'm so pissed that the courthouse admins didn't include it, our cripled network is filled with stupid ads that could have been avoided
1. https://addons.mozilla.org/en-US/firefox/addon/umatrix/
I'm gonna need sources if you're talking about something else
- https://github.com/el1t/uBlock-Safari/issues/158
- https://www.theregister.com/2020/12/10/googles_browser_exten...
- https://9to5google.com/2019/05/29/chrome-ad-blocking-enterpr...
I love the seratonin rush of one-click "disable 1p CSS" on an ugly website, or figuring out how to fuck with a clever-but-stupid paywall for the first time. :)
Also, the uMatrix UX is absolutely brilliant (that genius 2.5D green/red matrix).
this is built in to firefox since it was netscape navigator, under view -> page style -> no style.
even the menu items have barely changed since then: http://www.alanwood.net/unicode/net7_encoding.gif
https://www.reddit.com/r/uMatrix/comments/onp0c6/umatrix_142...
https://github.com/gorhill/uMatrix
I think you can get that granular in the manual/text based rules edit of uBO in settings, but I stopped looking into it / considering switching fully at that point (I'd always used it in simple mode in addition to uMatrix, just to block cosmetic DOM stuff that uMatrix doesn't do) since I need it to be far easier and quicker than that, as it is jn uMatrix.
So switching to nuTensor (a light-touch security/necessary FF updates only sort of fork) has been on my to-do list.
* * 1p-script block
* * 3p block
* * 3p-frame block
* * 3p-script block
* * image block
* * inline-script block
CSS, media can be blocked if it has extension:
*.css
*.webm
*.mp4
*.mp3
*.aac
I don't like gifs, so I used to block it through *.gif, which I'm not sure if umatrix can do.
In uMatrix that's one click in the appropriate column per domain's row, in the toolbar drop-down.
My uMatrix default is all cookies blocked; third-party media, scripts, XHR, frames, other blocked. Of course I often then have to allow some third-party script, and I can do so in one click without also allowing XHR or frames to/from that domain.
uBO doesn't allow that (in the toolbar UI, 'advanced'/'more' mode), because it's missing the columns from the 'matrix', so you either allow/block a domain wholesale.
Pi-hole should be the easiest for family members, they don’t need to do anything at all.
On most sites, it simply leaves a blank space in where ad supposed to be.
Pi-hole has a nice temporarily disable blocking feature on its dashboard to help in those cases. Simple click to whitelist is also available.
I use a fairly aggressive Pihole list that breaks stuff reasonably often, there may be less strict lists which are “safer” in this regard.
To solve this I setup a Shortcut on her iPhone so she can simply say "hey siri, stop pi-hole" and it will turn off the pi-hole for 5 minutes using a simple web request. The pi-hole turns itself back on after 5 minutes.
A bookmark works just as well but she prefers to use Siri as she never remembers where the bookmark is lol. It is mostly on her phone anyway that something doesn't quite work right so Siri was the best solution.
I also have Wire Guard setup and our phones configured to connect to it always for mobile data and unknown wifi so all our connections are routed via our home internet connection and via the pi-hole. As I have stupidly fast home internet (10Gbit EPON with free.fr) it works fantastically.
I use both but I don't think the network level blocking will work forever.
But to win against “surveillance” you need to make a smart, conscious decision about who you want to give your browsing history to.
For me, I’d rather my ISP sees my DNS, than all that data is sent to some American mega-corp keen to hoover up every last datapoint about me they can.
My ISP can for the most part look at HTTPS SNI field and see all the domains I access anyway. So switching to say, Google DoH, only means that now Google have that list as well as my ISP.
That's a really good description of both Comcast and Verizon. Not so much of Cloudflare though - they seem to actually care about people's privacy.
> My ISP can for the most part look at HTTPS SNI field and see all the domains I access anyway. So switching to say, Google DoH, only means that now Google have that list as well as my ISP.
Isn't this just an argument to hurry up and get eSNI/ECH rolled out everywhere?
Sure Cloudflare are better than those other big US ISPs.
But for those of us in the EU, where such practices are illegal, we may want to think twice about giving our data to Cloudflare (who are subject to requests from US govt for instance.)
And I already use trusted DNS providers (over TLS) so it's not really an issue. My provider can't see my DNS lookups. Also, in the EU providers are not allowed to use deep packet inspeciton so they only know your queries if you use their own DNS.
Hardcoding an IP is really difficult to do for adtech providers for 2 reasons:
1) They usually subcontract to cloud providers that don't guarantee IPs
2) It breaks SNI (Server Name Indication), also heavily used on cloud services
There's better ways to do secure DNS than DoH, like DoT (DNS over TLS)
I like secure DNS but I still want my own server to be the middleman. With DoH this isn't easily possible, especially on mobile due to the root CA issue. DoH is normally implemented using a major player like CloudFlare. Sure, they promise not to look at it. But the phrase "Don't be evil" still is pretty fresh in my mind.
But anyway, it's a moot point. Even if we could block DoH somehow (we can't due to certificate pinning and Android no longer allowing to add a global root CA since Android 7), app providers could just implement their own lookup system or something. Whether we like DoH or not it's here to stay.
Sure, but that's only because your computer can't distinguish your Pi-hole blocking DNS to block ads from an evil ISP blocking DNS to censor you. And if your device supports DoH, can't you just point it to one of the many publicly-available DoH servers, or set up a DoH server on your Pi-hole and then point at that?
> It breaks SNI (Server Name Indication), also heavily used on cloud services
They can just hardcode the IP in the hosts file, not in the client program. Then SNI will still work normally.
> There's better ways to do secure DNS than DoH, like DoT (DNS over TLS)
Then the people who want to do censorship and surveillance will all just block port 853. It's a feature that DoH is hard to distinguish from other HTTPS traffic.
> I like secure DNS but I still want my own server to be the middleman. With DoH this isn't easily possible, especially on mobile due to the root CA issue.
Can't you set up your own DoH server with its own domain name, get a Let's Encrypt certificate for it, then point your mobile device at that?
> DoH is normally implemented using a major player like CloudFlare. Sure, they promise not to look at it. But the phrase "Don't be evil" still is pretty fresh in my mind.
Isn't the alternative that your ISP is definitely looking at it?
Yes. But what’s the angle here? You trust “ISP(s) hosting your DoH server” but not “ISP providing phone connection?”
Might be a legitimate reason for that, but ultimately as with all these discussions it’s just a matter of who you’d rather give the data to.
And your ISP will still be able to see from SNI for the most part so… it boils down to “my ISP can see anyway (via SNI), should I also let someone else see (DoH provider)?”
Your own DoH server could just do the filtering you want and then hand off the work to another real DoH server like Cloudflare's.
> Might be a legitimate reason for that, but ultimately as with all these discussions it’s just a matter of who you’d rather give the data to.
True, but in most of the USA, your ISP is the least trustworthy choice for who to give your data to.
> And your ISP will still be able to see from SNI for the most part so… it boils down to “my ISP can see anyway (via SNI), should I also let someone else see (DoH provider)?”
So let's hurry up and deploy eSNI/ECH everywhere.
Not an issue here in the EU. Alternative DNS is not blocked. Providers sometimes block the pirate bay but they're never obliged to block alternative DNS and they're not allowed to anyway as they're not allowed to do Deep Packet Inspection.
> Isn't the alternative that your ISP is definitely looking at it?
No, this is not allowed in the EU. They can see it if you use their DNS. Otherwise not.
I understand the feature that hiding the DNS traffic among other HTTPS traffic brings, but this is mainly a feature in countries without strong privacy laws. For me I would prefer to separate the traffic so I can control it myself.
And really if I'm in a country with such invasive censoring I would prefer to use a VPN and avoid their prying eyes altogether. DNS is only part of the equation. IP endpoints still tell them a lot. Especially on IPv6 as there's no more need for SNI.
I'm just not sure if it's a good idea to obfuscate core protocols of the internet, just to avoid an issue in certain countries that is not very well solved by this anyway. At the same time I have to give up a lot of valuable statistics, troubleshooting data and validation about whether apps do as they claim.
However like I said I can't stop an app doing this, precisely for the reason it's obfuscated. I won't use it on my own network however.
> Can't you set up your own DoH server with its own domain name, get a Let's Encrypt certificate for it, then point your mobile device at that?
I don't want to bother with getting public domain names and validate their IP with Let's Encrypt just because I want to use them internally. The renewal process is really complex for something that doesn't have a public IP and I don't want to have my internal DNS available on the internet (it also contains local domain names only available on my LAN and P2P VPN)
In fact encrypting that traffic on the local segment doesn't really add any value for me. I just encrypt the outbound part (from the pihole) with DoT.
> They can just hardcode the IP in the hosts file, not in the client program. Then SNI will still work normally.
How would that work? I control my host file. Apps can not mess with it. Not on my computer and not on my phone.
> And really if I'm in a country with such invasive censoring I would prefer to use a VPN and avoid their prying eyes altogether.
Those countries block VPNs.
> Especially on IPv6 as there's no more need for SNI.
I can foresee CloudFlare offering a single-IPv6 shared endpoint for the sole purpose of making eSNI/ECH remain effective.
> At the same time I have to give up a lot of valuable statistics, troubleshooting data and validation about whether apps do as they claim.
Can't you get this information directly off of your endpoint device, whether or not the traffic is encrypted over the network?
> How would that work? I control my host file. Apps can not mess with it. Not on my computer and not on my phone.
I was thinking more about IoT appliances when I wrote that. For programs on your phone or computer, they can tell their TLS library to use whatever SNI you want, so even if they did hardcode the IP in the client program, SNI could still include the right hostname.
Once the system, or network admin would set the DNS servers up and everything on the system would use those. There is no reason why that paradigm couldn’t continue and move to DoH.
The other change is that applications are now bypassing the system-configured DNS and sending requests (and thus data about what you are looking at,) where the application wants. The “centralisation” issue also comes into this. But again, the change from a system-level to per-app setting could happen with regular old plaintext DNS.
DoH is part of the discussion in both cases, which clouds the debate.
By contrast, browser extensions work wherever you are -- at work, in a bus/train, in a hotel, etc.
Ublock origin can block much more content than a pi-hole…
So, use both.
Even if a third-party list you've added blocks something you don't want to block, you have an overriding whitelist.
What am I missing?
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...
We all owe a huge debt of gratitude that gorhill is a principled character and has stayed on to guide uBlock Origin all these years.
The developer is a saint, and it just occurred to me that I should donate to their project.
That's a reason why I strictly install very few addons.
VLC should get a special award for not sucking after gaining popularity.
[0] https://en.wikipedia.org/wiki/UBlock_Origin
Absolutely. Thank you gorhill!
I wish the exception for add-ons not working on the addons site would only apply to the actual add-on download portion of the site, and they don't host random non-addon-download content on the same domain.
https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14
If there is an "obvious" problem, chances are it has already been addressed and you are not the first person to see it.
I'm very confused. How the hell does Mozilla have enough lobbying power with Google to strong-arm them into providing an option for every user to undercut the very data collection Google provides GA for?
Open a new tab. Enter about:config
Search for this specific line: extensions.webextensions.restrictedDomains
Remove any entries you feel offend. I personally clear the whole list out, no website should bypass my addons.
Source: https://forums.informaction.com/viewtopic.php?p=97010&sid=7f...
The state of web browsers is absolute and pure insanity.
Because the maker of your Web browser is funded by advertising money.
This a really interesting point I never considered, but Mozilla isn’t being paid by a ton of different advertisers to not implement blocking - are they? How would we know?
Side note, I would absolutely pay for a browser that rolled everything in without setting it up myself.
Any browser beside Chrome or Firefox seems to only be installed by power users, who also know how to install an adblocker.
(And ABP isn't what it once was, anyway, that's for sure)
To answer your question - it's because the major source of revenue for browser makers is search engines. Google, Yahoo, Bing etc. pay browser maker money to bundle their search engine in the browser, and also share a small percentage of revenue with them. Search engines make money from advertising. So obviously they discourage browser makers from including ad blocking tech in browsers. (Look at the money involved - Google Said to Pay Apple $15 Billion to Remain Default Search Engine on Safari in 2021 - https://gadgets.ndtv.com/apps/news/google-apple-default-sear... ... and you can understand why it is so difficult to say no to it).
Also this accounts a burner so I guess I do fall for the trap but downvote away if you like.
And absolutely insane is a dig at this distopia where we’re allowing advertising companies to drive the technology which would arguably be more valuable than currency.
But sure, off to Reddit I go, just because you don’t like the way I talk.
I’m all for data privacy and freedom of speech, but i also think we need to place revocable trust in other parties to curate our data in a way that improves signal to noise ratios while not impeding on actual freedoms (lest we revoke our trust).
But also browsers should just disable auto play videos they’re damn offensive.
In the case of Brave[1] and Vivaldi[2], it is.
[1]: https://support.brave.com/hc/en-us/articles/360022973471-Wha...
[2]: https://vivaldi.com/features/ad-blocker/
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...
https://hostfiles.frogeye.fr/
sloccount gives 34516 LOC for the src/js directory. As the sibling points out, you can also verify the code yourself.
I use Firefox only for work, which has helped me immensely to stay focused and not “just quickly check hacker news for the tenth time in an hour” (as much as I like to ;)).
[1]: https://www.proginosko.com/leechblock/install/
It’ll make finding tips like this much harder.
It's really effective. I don't even know what to do with my phone any more.
I hear there's some way you can use an app on your phone to have a voice conversation with someone else, but apparently you need to know a magic number?
I'm told there was even a time when the number only addressed a location, so you would have to figure out who was talking on the other end through a complex linguistic handshake.
And it didn't even have identity authentication, past a basic voiceprint!
I used this filter, it makes twitter links look like normal text:
I've not taken to blocking whole sites yet. But sites with "recommendations" attached to every page are a real distraction. I block them on stackoverflow, otherwise I end up reading about the etymology of some obscure word or advice for a dungeon master in a weird D&D scenario =)
( https://blog.mozilla.org/addons/2021/01/20/extensions-in-fir... )
Shows what I know..
https://blog.mozilla.org/addons/2020/09/29/expanded-extensio...
Alternatively, you can use Fennec F-Droid, a fork of Firefox that supports a "Custom Add-on collection" by default: https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/
I'm not sure why Mozilla is refusing to allow these extensions on the Beta channel, since the WebExtensions support is definitely stable enough for Firefox Beta.
Heck, I can only partially understand the "click many times over crap" to enable experimental features, which should have been _enough_ to begin with (and certainly not a requirement in a beta build). How many hoops do I need?
After reading this, I was really /hoping/ Fennec would remove the requirement of having a Mozilla account, but no, you still need to create an account and an useless "collection".
TBH I use (and ever used) Firefox just due to the available extensions. The value proposition has decreased quite a bit with recent FF versions, and on Android uBlock is pretty much the only reason I stick to it.
I wish I had more alternatives, because clearly the browser duopoly isn't working.