New Update 3P-Matrix-lite version 2.12 is available in Chrome Webstore with improved functionality

LinuxFan58

Level 17
Thread author
Nov 30, 2025
827
3,067
1,567
uMatrix-style third-party traffic control via Declarative Net Request

3P-Matrix-lite gives you control over third-party traffic in your browser using a simple five-level slider. It is inspired by the classic uMatrix extension but built entirely on Chrome's native Declarative Net Request (DNR) API, which means all filtering happens inside the browser engine itself — no background script reading your traffic, no interception, no data leaving your device.

The idea is straightforward: most privacy and security problems on the web come from third-party scripts and frames that load silently in the background when you visit a page. Trackers, fingerprinting scripts, ad networks, and malicious injections all arrive this way. 3P-Matrix-lite lets you decide how much of that you allow, and makes it easy to dial it back when something breaks.

Open source: GitHub - Kees1958/3P-Matrix-lite: uMatrix-style third-party traffic control via Declarative Net Request
Chrome store: 3P-Matrix-lite - Chrome Web Store


How it works

When you install the extension, it starts in Easy mode — allow all, which applies no restrictions and lets you observe the default browsing experience. From there you move the slider right to increase protection.

Level 1 — Easy mode - allow all. At first start this extension uses Easy Mode (allow all) as startup mode. You can change the startup mode by clicking on the one (1) in the green rounded square/rectangle in the upper right corner.

Level 2 — Easy mode with enhanced security blocks the most obviously dangerous categories: connections to raw IP addresses (a common sign of malicious infrastructure), connections on non-standard ports (allow 80, 8080, 443 and 8443), and third-party frames. Whitelisted domains always pass through regardless of level. Option to blacklist much abused TLD's.

Level 3 — Easy medium mode adds script blocking on top of level 2. Only domains whose top-level domain is on your TLD whitelist are allowed to load 3P-scripts and frames. On a fresh install your TLD whitelist is pre-populated with common TLDs (com, org, io, net etc.) and with the country TLDs of your browser's language settings — so a Dutch browser gets .nl added automatically.

Level 4 — Medium mode — trust CDN's keeps the same blocking rules as level 5 but makes an exception for any URL that contains "cdn" in the hostname or path. This is a practical compromise for sites that load their own assets from a CDN host rather than their own domain. Without this exception, many sites break even though their CDN is perfectly legitimate. Your domain whitelist applies at this level.

Level 5 — Medium mode is the strictest setting. All third-party scripts and frames are blocked. Only domains you have explicitly added to your domain whitelist are allowed through. Use this when you want maximum control and are prepared to whitelist what you need.


New features
Level 1: has a feature to import domains (just copy-paste the domain names from a text editor, one domain per line) and lock the websites at level 1 (allow all)

Level 2 and 3: now also have the option to add domains to the whitelist (level 4 and 5 already had this)
1784281133811.png


Killer features (what makes 3P-Matrix-lite really easy to use).

1. Use of a slider with presets for easy on the fly adjustment with visual feedback of the icon changing color
(1=green, 2=blue, 3=amber, 4=orange, 5=red)

2. Startup mode
When you switched to a high level in your previous browsing session, in the next (new browsing) session the startup mode will be automatically applied to prevent website breakage (set it al level 1 to be absolutely certain, move it to 2 or 3 when you are familiar with 3P-Matrix-lite and locked all your important websites to allow all).

3. Lock website
Dodgy websites can be locked at level 4 (most adult websites) with fallback to level 3 (easy medium mode). Next time you open this website the 3P-mitigations will be applied

4. Level 3 auto add country codes
Level 3 has most used generic TLD's on the whitelist and it automaticallt adds the country code of the languages enabled in your browser. It has a slider to extend it to the continent (e.g. when you speak German also whitelist AT=Austria and CH=Zwitserland) or world (e.g when you speak Portuguese also put BR=Brasil on the TLD whitelist).

5. Uses internal whitelists to prevent website breakage.


Suggested use
1. Import all important websites to lock them at level 1 (or surf to them one by one and lock website).

2. Surf to dodgy websites and lock them to level 4 (when it breaks fall back to level 3) or
(only for hardcore NoScript and former uMatrix users) move it to level 5 and hand pick the domains you want to whitelist using SHOW BLOCKS button.

3. Use it for two weeks with startup level 1 and switching to level 3 during a browsing session (fallback to level 2 when it breaks) and lock more websites at level 1 or
adjust the TLD blacklist/Domain whitelist (level 2) or adjust TLD whitelist/Domain Whitelist (level 3).

4. When comfortable with 3P-Matrix-lite functions and usage, move startup slider to level 3
This reduces 50% of 3P-attack surface while 99,99% of the websites from EU+5Eyes should work normally. Additionally locking important websites to level 1 (for 100% compatibility) and dodgy websites to level 4 (for maximum security) provides real world protection without breaking surfing/viewing only functionality.
 
Last edited:
uMatrix-style third-party traffic control via Declarative Net Request

3P-Matrix-lite gives you control over third-party traffic in your browser using a simple five-level slider. It is inspired by the classic uMatrix extension but built entirely on Chrome's native Declarative Net Request (DNR) API, which means all filtering happens inside the browser engine itself — no background script reading your traffic, no interception, no data leaving your device.

The idea is straightforward: most privacy and security problems on the web come from third-party scripts and frames that load silently in the background when you visit a page. Trackers, fingerprinting scripts, ad networks, and malicious injections all arrive this way. 3P-Matrix-lite lets you decide how much of that you allow, and makes it easy to dial it back when something breaks.

Open source: GitHub - Kees1958/3P-Matrix-lite: uMatrix-style third-party traffic control via Declarative Net Request
Chrome store: 3P-Matrix-lite - Chrome Web Store


How it works

When you install the extension, it starts in Easy mode — allow all, which applies no restrictions and lets you observe the default browsing experience. From there you move the slider right to increase protection.

Level 1 — Easy mode - allow all. At first start this extension uses Easy Mode (allow all) as startup mode. You can change the startup mode by clicking on the one (1) in the green rounded square/rectangle in the upper right corner.

Level 2 — Easy mode with enhanced security blocks the most obviously dangerous categories: connections to raw IP addresses (a common sign of malicious infrastructure), connections on non-standard ports (allow 80, 8080, 443 and 8443), and third-party frames. Whitelisted domains always pass through regardless of level. Option to blacklist much abused TLD's.

Level 3 — Easy medium mode adds script blocking on top of level 2. Only domains whose top-level domain is on your TLD whitelist are allowed to load 3P-scripts and frames. On a fresh install your TLD whitelist is pre-populated with common TLDs (com, org, io, net etc.) and with the country TLDs of your browser's language settings — so a Dutch browser gets .nl added automatically.

Level 4 — Medium mode — trust CDN's keeps the same blocking rules as level 5 but makes an exception for any URL that contains "cdn" in the hostname or path. This is a practical compromise for sites that load their own assets from a CDN host rather than their own domain. Without this exception, many sites break even though their CDN is perfectly legitimate. Your domain whitelist applies at this level.

Level 5 — Medium mode is the strictest setting. All third-party scripts and frames are blocked. Only domains you have explicitly added to your domain whitelist are allowed through. Use this when you want maximum control and are prepared to whitelist what you need.


New features
Level 1: has a feature to import domains (just copy-paste the domain names from a text editor, one domain per line) and lock the websites at level 1 (allow all)

Level 2 and 3: now also have the option to add domains to the whitelist (level 4 and 5 already had this)
View attachment 298878

Killer features (what makes 3P-Matrix-lite really easy to use).

1. Use of a slider with presets for easy on the fly adjustment with visual feedback of the icon changing color
(1=green, 2=blue, 3=amber, 4=orange, 5=red)

2. Startup mode
When you switched to a high level in your previous browsing session, in the next (new browsing) session the startup mode will be automatically applied to prevent website breakage (set it al level 1 to be absolutely certain, move it to 2 or 3 when you are familiar with 3P-Matrix-lite and locked all your important websites to allow all).

3. Lock website
Dodgy websites can be locked at level 4 (most adult websites) with fallback to level 3 (easy medium mode). Next time you open this website the 3P-mitigations will be applied

4. Level 3 auto add country codes
Level 3 has most used generic TLD's on the whitelist and it automaticallt adds the country code of the languages enabled in your browser. It has a slider to extend it to the continent (e.g. when you speak German also whitelist AT=Austria and CH=Zwitserland) or world (e.g when you speak Portuguese also put BR=Brasil on the TLD whitelist).

5. Uses internal whitelists to prevent website breakage.


Suggested use
1. Import all important websites to lock them at level 1 (or surf to them one by one and lock website).

2. Surf to dodgy websites and lock them to level 4 (when it breaks fall back to level 3) or
(only for hardcore NoScript and former uMatrix users) move it to level 5 and hand pick the domains you want to whitelist using SHOW BLOCKS button.

3. Use it for two weeks with startup level 1 and switching to level 3 during a browsing session (fallback to level 2 when it breaks) and lock more websites at level 1 or
adjust the TLD blacklist/Domain whitelist (level 2) or adjust TLD whitelist/Domain Whitelist (level 3).

4. When comfortable with 3P-Matrix-lite functions and usage, move startup slider to level 3
This reduces 50% of 3P-attack surface while 99,99% of the websites from EU+5Eyes should work normally. Additionally locking important websites to level 1 (for 100% compatibility) and dodgy websites to level 4 (for maximum security) provides real world protection without breaking surfing/viewing only functionality.
Assessment and important limitations

This is an interesting uMatrix-inspired approach, and using Chrome’s Declarative Net Request API can reduce the extension’s ability to observe or process browsing traffic compared with an interception-heavy design. However, the security claims should be interpreted carefully.

  • Blocking raw IP connections or non-standard ports is useful as a heuristic, but neither is inherently malicious. Legitimate applications, local services, enterprise portals, and some websites may use them.
  • A third-party frame is not automatically dangerous, while blocking frames does not prevent all tracking or malicious behavior.
  • TLD-based decisions are coarse. A domain’s TLD provides little information about the trustworthiness of the individual site or resource.
  • The “cdn” exception is convenient but should not be treated as a trust boundary. An attacker can use “cdn” in a hostname or URL path, and legitimate CDNs do not necessarily contain that string.
  • Third-party script blocking can significantly reduce tracking and attack surface, but it cannot protect against compromised first-party scripts, malicious browser extensions, unsafe downloads, server-side attacks, or phishing.
  • Whitelisting a domain grants it additional capability, so important whitelists should be kept as narrow as practical. Prefer the exact required domain rather than a broad parent-domain rule where the extension permits that distinction.
  • DNR rules are enforced by the browser, but the effective protection still depends on the extension’s rule design, permissions, update process, browser behavior, and any built-in exceptions. Those details should be verified from the source code and manifest rather than inferred from the general description.

The suggested gradual rollout is sensible. Starting permissively, locking trusted sites to a compatibility level, and testing stricter levels on less important sites is safer than enabling the strictest mode globally without preparation.

For evaluation, users should review the extension’s requested permissions, inspect its rule-generation and whitelist logic on GitHub, check release activity, and submit the extension or relevant files to reputable scanners such as VirusTotal when appropriate. Community testing should also distinguish privacy benefits from malware-prevention claims.

Overall, 3P-Matrix-lite may be useful as a third-party request-control and privacy-hardening tool, but it should not be presented as a complete security solution or as proof that blocked or allowed resources are malicious or safe.