Hot Take 3P-Matrix-lite : uMatrix revived for Chromium browsers using DNR

LinuxFan58

Thread author
Nov 30, 2025
The reason I call it 3P-Matrix-lite is that it offers "only" 3P-script and 3P-frame filtering (no hard mode). On top of this it also blocks third-party HTTP, IP-address-only and non-standard port connections. It is designed for ease of use and performance. Run a Speedometer 3.1 benchmark of 3P-Matrix-lite against API-Void Script Stop while closing the browser in between sessions to clear the cache. I suggested this user interface to NovirusThanks but they did not implement it in API Void Script Block, so I made it myself :-).

It is a very easy-to-use version using built-in whitelists to prevent website breakage and has some cool features like locking protection levels for specific websites, a startup mode level and 5 protection modes inspired by uBo dynamic filtering (using the same terminology as uBo's GitHub uBlock Wiki). It has a very user-friendly interface using a slider (with an explanation of the Active Policy applicable for that level). The icon has the color of the mode you are currently using (applicable for non-locked websites).



On top of the well-known uBo dynamic filtering modes (1=easy, 2=easy with enhanced security, 5=medium mode), it also facilitates @Jan Willy's easy medium mode (level 3), and it helps the user by auto-adding country codes to the whitelist (also using a slider).


On top of those levels it has an extra level 4 (allow 3P-scripts from domains with CDN in the name). I picked up this idea from an Mv2 extension (Policy Control) which offered uMatrix-like control using Control Security Policy settings, and this mode was advertised for watching dodgy (adult) websites. I also used his per-domain lock idea (so when you navigate to a dodgy website it automatically sets the protection to the locked level).



The logger shows what is allowed and blocked (which counts back from 5 minutes and closes itself for performance reasons)


Open source: GitHub - Kees1958/3P-Matrix-lite: uMatrix-style third-party traffic control via Declarative Net Request

I will post an update when it is available in the webstore (but that can easily take 3 weeks). Until it becomes available in the Chrome Webstore, you have to download the zip from GitHub, unpack it and load it as an unpacked extension (in developer mode). I uploaded it to VT and it shows clean.



Suggested hassle free use:
  • keep the startup level at 1 (allow all)
  • Surf to the websites you want to contain and lock them on level 4 (set and forget hassle free safe surfing)
    or level 5 when you want to hand pick what is allowed using the logger (I only added this option for hardcore uBo dynamic filtering fans)
  • for casual browsing switch level to 2 (neatly behaving websites should work in EU and 5 Eyes countries)
    or level 3 (additionally reduce 3P-javascript attack surface by 50% while 95% of websites in EU and 5 Eyes should work).
Happy surfing :)
 
Yes :-)

I first tried to implement a TLD firewall using uBol and AG (with all filters disabled), but uBol has no decent log and AG's user interface is not designed for it (you can't lock websites and change level on the fly). But you are right, Brave's built-in Adblock removes ads and trackers before extensions get a chance to "see" them. For checking what Brave blocks and what not, I find Privacy Badger best suited (enable learning and enable show websites which PB has not decided yet).
 
For me the log is a little bit confusing. In mode 3 a site is blocked because of the not allowed TLD 'no'. The log doesn't show it is blocked (shows no action).

First, thanks Jan for testing.

Secondly, it looks like it is the old log of version 1.2. Let me check whether I uploaded the correct version; the V1.3 log has an action to clarify that (allow or block).

So you are right that it is confusing (in version 1.2). I will upload the latest version (1.3) to GitHub. I apologize for the mistake 😟 (it now has V1_3 as zip).
 
It's not clear to me to what extent mitigations of JS and other risks can be built into extensions for Chromium-based browsers. But I bring some settings to your attention I found in the Gecko-based Android browser WebLibre from German (?) developer Fabian Freund.
 

Thanks for the suggestion.

I am only using DNR rules, not touching the JavaScript (just-in-time) precompiler. Also Chrome's sandbox is a lot stronger than Firefox's (ask AI: the FF sandbox is 3 to 5 years behind Chrome) and Chrome's mitigations are much stronger (e.g. it uses PDFium, a compiled binary which is both much safer and faster than PDF.js JavaScript). Asking for FF JavaScript mitigations in Chrome is like asking people living in Switzerland why they don't have inundation flood reservoirs like the Dutch. I am not using this analogy to bash you (that is why I explicitly thank you), but it is annoying how some Firefox security features are promoted which for Chrome are a non-issue.

That is why the TLD-whitelist you promoted using AG when Chrome implemented Mv3 is such a great idea. Yes, it has some risk of website breakage, but it is very low (even using static rules), and you reduce the 3P-JavaScript attack surface by 50%. 5% breakage risk versus 50% risk reduction is a good deal IMO.

Making the protection level changeable on the fly, in combination with offering a safe startup (protection) mode (e.g. 1 allow all) and the lock websites setting (level 4 for shady websites), makes level 3 such a great option to use when you are doing random surfing. Because the icon reminds you which mode you are using, the breakage risk of your easy-medium mode is lower (I think) using 3P-Matrix-lite in real-world usage.

I only added level 5 for hardcore uBo medium mode fans, but my advice to uBo Mv2 medium mode lovers: use the combo API Void Browser Protection and API Void Script Stop. For level 5 (deciding and tweaking yourself) that is the better combo, and take the small Speedometer performance penalty for granted.

The small performance drop is caused by the API-Void Script Stop popup, which shows in (nearly) real time what is blocked.


With 3P-Matrix-lite you need to open the logger (performance is the reason for the countdown from 5 minutes to auto-exit the logger).


For levels 2, 3 and 4 of 3P-Matrix-lite people normally won't need to use the logger when they use 3P as advised.
That is why this is my suggested use scenario for 3P-Matrix-lite:
1. Keep startup level at 1 (allow all)
2. Surf to shady websites and lock them (first level 4 and use level 3 as fallback), so you are safe on next visits to these websites.
3. Switch to level 3 on demand (or 2 when you don't trust it) for random surfing.

Same for API-Void Browser Protection download block: use it when you want to figure it out yourself, or let Download Sentinel do a VT Download URL reputation assessment with some additional heuristics. Both are directed at hassle-free ease of use.
 
it is annoying how some Firefox security features are promoted which for Chrome are a non-issue.
Yes, I understand. But enough people don't like (or hate) anything that has to do with Google. So in that way tweaked Gecko alternatives fill a gap. But I think now we're going OT.
 
@LinuxFan58

I use APIVoid Script Stop in “allow by default” mode with a blacklist of 9 TLDs.
So SS is enabled only for these 9 TLDs.

Is it possible to use your extension in exactly the same way?
And if it's not possible now, will it be possible in the future?

The reason is that SS causes a performance drop that exceeds even that caused by uBo, according to the Speedometer 3.1 test.
A very noticeable drop in performance on a slow PC like mine.:(
 
Well, I could add a TLD blacklist option to Level 2 and add a slider with an auto-add and the same interface mechanism as the TLD whitelist of level 3.
- NONE = no TLDs blacklisted (this would be the default)
- USER = user specific (does this fit your request? blocking all iframes except imported whitelisted, and scripts from selected TLDs)
- GENERIC = most abused generic TLDs (like xyz, zip and mov)
- WORLD = most abused generic TLDs plus countries known for spam and fraud
World would need an extra check whether it does not clash with the country codes associated with the language enabled in the browser.
 
The method I use in SS involves adding custom TLDs; I’ve added 9, of course.
You wrote that you want to set up a whitelist.
With SS, the whitelist takes precedence over the blacklist, so I don’t have any TLDs on the blacklist.

I’m interested in Level 3.

Even though I also use the 1p-frame block in SS, I’m not asking you to add this additional complication.

Thank you for whatever you can do.;)(y)

P.S.

SS reduces my Speedometer 3.1 test results by 13.1% compared to Brave + uBo + Download Sentinel.
 
Level 3 blocks all 3p-scripts except the ones on the TLD-whitelist, so there is no need for a blacklist.

I suggested adding a TLD-blacklist in level 2 (which is off in default settings) and has a slider.
Level 2 allows all 3p-scripts except the ones coming from a blacklisted TLD (the important JS-libraries whitelist would overrule the TLD 3p-script blacklist).
None = no blocklist
User = user specifies a blacklist using the same mechanism as users can specify a TLD-whitelist in level 3
Generic = blocks a list of (user changeable) generic TLDs which are on the much abused TLD list
World = blocks generic TLDs plus country codes known for spam and fraud. The extension performs an extra check whether the language of the browser is not one of the country codes with a bad reputation; if so, the extension shows a warning and does not add country codes (known for fraud and spam) to the TLD blacklist

I thought you asked for a TLD-blacklist.
 
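The level 2 and level 3 behaviour described in the last post, expressed as Declarative Net Request rules with an offline check of which rule wins. This is an added example, not code from 3P-Matrix-lite: the rule ids, priorities, list contents, the regex used for TLD matching and the `decide` helper that stands in for the browser's matcher are all assumptions.

```javascript
// Added example, not 3P-Matrix-lite source. Ids, priorities and lists are assumptions.
// RE2-compatible regex: any http(s) host whose last label is one of the given TLDs.
const tldRegex = (tlds) => `^https?://[^/]*\\.(${tlds.join("|")})(:\\d+)?/`;

// Level 2: allow 3P scripts unless the TLD is blacklisted; the library whitelist wins.
// Level 3: block 3P scripts unless the TLD is whitelisted.
function buildRules(level, { tldWhitelist = [], tldBlacklist = [], libraries = [] }) {
  const base = { domainType: "thirdParty", resourceTypes: ["script"] };
  const rules = [];
  if (level === 3) {
    rules.push({ id: 1, priority: 1, action: { type: "block" }, condition: { ...base } });
    if (tldWhitelist.length)
      rules.push({ id: 2, priority: 2, action: { type: "allow" },
                   condition: { ...base, regexFilter: tldRegex(tldWhitelist) } });
  } else if (level === 2) {
    if (tldBlacklist.length)
      rules.push({ id: 1, priority: 1, action: { type: "block" },
                   condition: { ...base, regexFilter: tldRegex(tldBlacklist) } });
    if (libraries.length)
      rules.push({ id: 2, priority: 2, action: { type: "allow" },
                   condition: { ...base, requestDomains: libraries } });
  }
  // In an extension: chrome.declarativeNetRequest.updateDynamicRules({ addRules: rules })
  return rules;
}

// Offline stand-in for the browser's matcher: highest priority wins, and at equal
// priority "allow" beats "block". The third-party test compares the last two host
// labels (a simplification; browsers use the Public Suffix List).
const site = (host) => host.split(".").slice(-2).join(".");
function decide(rules, { url, initiator, type }) {
  const u = new URL(url);
  const host = u.hostname;
  const thirdParty = site(host) !== site(new URL(initiator).hostname);
  const hits = rules.filter(({ condition: c }) =>
    (c.domainType !== "thirdParty" || thirdParty) &&
    c.resourceTypes.includes(type) &&
    (!c.regexFilter || new RegExp(c.regexFilter, "i").test(u.href)) &&
    (!c.requestDomains || c.requestDomains.some((d) => host === d || host.endsWith("." + d))));
  hits.sort((a, b) => b.priority - a.priority ||
    (b.action.type === "allow") - (a.action.type === "allow"));
  return hits.length ? hits[0].action.type : "allow"; // no matching rule: request proceeds
}
```

Because the allow rules carry a higher priority than the block rules, a whitelisted TLD (level 3) or a whitelisted library domain (level 2) always overrides the block, which is the precedence the post describes.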