- Aug 19, 2019
- 1,157
So many options with uBO, I find myself often going with simple rules but looks like it's time I review my setup with it.
uBlock Origin/Nano Adblocker - User Tips, Questions and Issues Thread
- Thread starter oldschool
- Start date
- Mar 29, 2018
- 7,600
I keep coming back to Medium Mode. It's simple and elegant.
- Oct 1, 2019
- 1,120
To be honest, for security reasons it is a half baked solution as Gorhill himself admits in this post (link to Github uBlock-issue). There are many ways to execute remote scripts (XMLHTTPrequest, Fetch, Ajax, DOM, etc see link to wikipedia).
For protection you should use should hard mode (3rd-party blocking) or disable javascript (block first-party and in-line scripts). This requires even more fiddling than medium mode, so not a suitable solution for the average user.
I like the solution of Kees1958 by blocking 3rd-party and NOOP-ing some Top Level Domains. This also has a large hole in it, but requires way less fiddling.
Medium mode vs Kees1958 easy-hard mode (link to easy-hard mode post)
When you compare medium mode with Kees1958 easy hard mode, than medium is driving around in a car with your front doors locked (but back doors unlocked). ery time you want to get in or out you have to manually unlock your doors. With Easy-hard mode all your doors are locked when you drive in strange countries, but doors are open when you drive in the countries you normally visit.
Last edited:
- Feb 7, 2014
- 1,540
Sites can bypass 3p-script block with an XHR request. · Issue #2527 · gorhill/uBlock
Describe the issue Sites can bypass 3p-script block by eval()ing a XHR request. The only way to block this is to block all third party connections. (3p block) The connection shows up in the console...
github.com
fix gorhill/uBlock#2527
- Mar 29, 2018
- 7,600
True, but not everyone drives in strange countries. Some people dislike travel with its unpredictable nature, inconveniences, uncomfortable beds, bad food, etc. and find home is where the heart is!
I still find Medium Mode the simplest for me. It also remains true to my surfing axiom: Stay safe, not paranoid!
- Oct 1, 2019
- 1,120
So what? It only is a band-aid for that specific instance, it does not solve the problem. uBlock medium mode simply does not block xmlhttprequests nor fetch nor websocket nor DOM nor ....gorhill added a commit to uBlockOrigin/uAssets that referenced this issue Apr 11, 2017
Sites can bypass 3p-script block with an XHR request. · Issue #2527 · gorhill/uBlock
Describe the issue Sites can bypass 3p-script block by eval()ing a XHR request. The only way to block this is to block all third party connections. (3p block) The connection shows up in the console...
fix gorhill/uBlock#2527
- Oct 1, 2019
- 1,120
True, but not everyone drives in strange countries.
I still find Medium Mode the simplest for me. It also remains true to my surfing axiom: Stay safe, not paranoid!
Well with third-party XMLHTTPrequest, fetch, etc you don't need to drive into strange countries yourself, you will be teleported to it
But everyone to his own, enjoy medium mode
- Mar 29, 2018
- 7,600
In which case, one may use hard mode, which is no more difficult.
Edit: and this from Gorhill
6 of one, a 1/2 dozen of the other ...
Last edited:
- Oct 1, 2019
- 1,120
That is why Kees1958 adviced to whitelist some TLD's by nooping them, which makes hard mode easy to useIn which case, one may use hard mode, which is no more difficult.
Edit: and this from Gorhill
6 of one, a 1/2 dozen of the other ...
* * 3p block
* com * noop
* edu * noop
* eu * noop
* gov * noop
* io * noop
* net * noop
* org * noop
* nl * noop
NL for Netherlands. but when you are in Poland it could be * PL * NOOP or in Germany * DE * NOOP or in France * FR * NOOP or Finland * FI * NOOP, etc
I will rest my case to Kees1958
Last edited:
- Nov 10, 2017
- 3,250
Full article and the review
uBlock Origin—everything you need to know about the ad blocker - Firefox Add-ons Blog
Rare is the browser extension that can satisfy both passive and power users. But that’s an essential part of uBlock Origin’s brilliance—it is an ad blocker you could recommend to your most tech forward friend as easily as you could to someone who’s just emerged from the jungle lost for the past...
addons.mozilla.org
- Mar 29, 2018
- 7,600
I think I posted this elsewhere but WTH! It turns out I really like classic hard mode, and the more I use it the more I like it. If one has some experience with medium mode, hard mode is a breeze with little learning curve - the crux of which is identifying the big 3rd party players. Also, surprising how many sites aren't broken right out of the box. Feel the power of µBO!
- Mar 29, 2018
- 7,600
Added
to µBO thanks to former MT member SH @ Wilders.
Code:
Actually Legitimate URL Shortener ToolMr. Gorhill's tip: disable cosmetic filtering by default en enable when needed [link to source: Per site switches · gorhill/uBlock Wiki
Benefits are twofold according Mr. Gorhill himself : prevent anti adblock scripts being triggered and save some CPU cyles
Disable cosmetic filtering in settings by default
Enabling it on a per site basis is easy, just click on the EYE-icon
Benefits are twofold according Mr. Gorhill himself : prevent anti adblock scripts being triggered and save some CPU cyles
Disable cosmetic filtering in settings by default
Enabling it on a per site basis is easy, just click on the EYE-icon
Last edited by a moderator:
Tip: use uBlockOrigin TLD (Top Level Domain) increased flexibility
As with some other uBlock innovations, they are result of copying innovations from Adguard (e.g. removeparam option to strip tracking parameters from URL's). Since second quarter of 2020 uBO has implemented the * (all) to be used in TLDs. This simplfied rules for Google domains (e.g. ||blockrule$domain=google.com| google.ca|google.us|etc, could be replaced by ||blockrule$domain=google.*).
Mister Gorhill being a perfectionist, always reviews his code to to implement these improvements in other area's of his content blocker also. In this case the 'dynamic' uBO rules. A feature of uBO is the per website switch to enable or disable javascript on a website.
This javascript switch can even be used (like the popup, large media files and cosmetic filterering and fonts switches) without the need to enable advanced mode. Reversely fans of medium and hard mode blocking can use the below tip on top of their medium/hard mode advanced blocking. So this can be used by both medium and advanced UBO users.
___ My Rules example ___
no-scripting: * true
no-scripting: com false
no-scripting: edu false
no-scripting: net false
no-scripting: gov false
no-scripting: org false
no-scripting: au false
no-scripting: ca false
no-scripting: ie false
no-scripting: nz false
no-scripting: uk false
no-scripting: us false
___ Explanation ___
The first rule (no-scripting: * true) disables first-party and inline scripting system wide.
The 2nd to 6th rule allows scripting for the Top Level Domains COM, EDU, NET, GOV, ORG
The 7th to 12th rile allows scripting for the Country Codes AU (Australia), CA (Canada), IE (Ireland), NZ (New Zeeland), UK (United Kingdom) and the US (USA).
__ In Action __
All websites with a TLD matching the 'no-scripting false' rule above will be correctly displayed. So when your DNS does not block bad TLD's AND you prefer an easy way to reduce the internet attack surface this might be a nice uBO feature to use (when you are redirected to a malware XYZ website, scripting is disabled).
__ Visual feedback uBO __
When this script blocking is on, the number of items blocks are in a purple background in stead of grey (normal mode) or red (advanced mode). Simply by clicking on the </> icon you an enable scripts.
As with some other uBlock innovations, they are result of copying innovations from Adguard (e.g. removeparam option to strip tracking parameters from URL's). Since second quarter of 2020 uBO has implemented the * (all) to be used in TLDs. This simplfied rules for Google domains (e.g. ||blockrule$domain=google.com| google.ca|google.us|etc, could be replaced by ||blockrule$domain=google.*).
Mister Gorhill being a perfectionist, always reviews his code to to implement these improvements in other area's of his content blocker also. In this case the 'dynamic' uBO rules. A feature of uBO is the per website switch to enable or disable javascript on a website.
This javascript switch can even be used (like the popup, large media files and cosmetic filterering and fonts switches) without the need to enable advanced mode. Reversely fans of medium and hard mode blocking can use the below tip on top of their medium/hard mode advanced blocking. So this can be used by both medium and advanced UBO users.
___ My Rules example ___
no-scripting: * true
no-scripting: com false
no-scripting: edu false
no-scripting: net false
no-scripting: gov false
no-scripting: org false
no-scripting: au false
no-scripting: ca false
no-scripting: ie false
no-scripting: nz false
no-scripting: uk false
no-scripting: us false
___ Explanation ___
The first rule (no-scripting: * true) disables first-party and inline scripting system wide.
The 2nd to 6th rule allows scripting for the Top Level Domains COM, EDU, NET, GOV, ORG
The 7th to 12th rile allows scripting for the Country Codes AU (Australia), CA (Canada), IE (Ireland), NZ (New Zeeland), UK (United Kingdom) and the US (USA).
__ In Action __
All websites with a TLD matching the 'no-scripting false' rule above will be correctly displayed. So when your DNS does not block bad TLD's AND you prefer an easy way to reduce the internet attack surface this might be a nice uBO feature to use (when you are redirected to a malware XYZ website, scripting is disabled).
__ Visual feedback uBO __
When this script blocking is on, the number of items blocks are in a purple background in stead of grey (normal mode) or red (advanced mode). Simply by clicking on the </> icon you an enable scripts.
Last edited by a moderator:
- Mar 29, 2018
- 7,600
One consideration when choosing your browser or how to manage browser compartmentalization (if you use it):
uBlock Origin works best on Firefox · gorhill/uBlock WikiThis document explains why uBO works best in Firefox.
CNAME-uncloaking
Ability to uncloak 3rd-party servers disguised as 1st-party through the use of CNAME record. The effect of this is to make uBO on Firefox the most efficient at blocking 3rd-party trackers relative to other other browser/blocker pairs:
The dark green/red bars are uBO before/after it gained ability to uncloak CNAMEs on Firefox.
Source: "Characterizing CNAME Cloaking-Based Tracking on the Web" at Asia Pacific Network Information Centre, August 2020.
HTML filtering
HTML filtering is the ability to filter the response body of HTML documents before it is parsed by the browser. For example, this allows the removal of specific tags in HTML documents before they are parsed and executed by the browser, something not possible in a reliable manner in other browsers. This feature requires the webRequest.filterResponseData() API, currently only available in Firefox.
Browser launch
At browser launch, Firefox will wait for uBO to be up and ready before network requests are fired from already opened tab(s). This is not the case with Chromium-based browsers, i.e. tracker/advertisement payloads may find their way into already opened tabs before uBO is up and ready in Chromium-based browsers, while these are properly filtered in Firefox. Reliably blocking at browser launch is especially important for whoever uses default-deny mode for 3rd-party resources and/or JavaScript. There is an advanced setting available to tentatively mitigate this issue in Chromium-based browsers (disabled by default), see suspendTabsUntilReady (this setting should be left untouched in Firefox-based browsers).
Pre-fetching
Pre-fetching, which is disabled by default in uBO, is reliably prevented in Firefox, while this is not the case in Chromium-based browsers. Chromium-based browsers give precedence to websites over user settings when it comes to decide whether pre-fetching is disabled or not. See documentation for "Disable pre-fetching" .
WebAssembly
The Firefox version of uBO makes use of WebAssembly code for core filtering code paths. This is not the case with Chromium-based browsers because this would require an extra permission in the extension manifest which could cause friction when publishing the extension in the Chrome Web Store.
For more about this, see: No way to use WebAssembly on Chrome without 'unsafe-eval' · Issue #7 · WebAssembly/content-security-policy.
Storage compression
The Firefox version of uBO use LZ4 compression by default to store raw filter lists, compiled list data, and memory snapshots to disk storage. LZ4 compression requires the use of IndexedDB, which is problematic with Chromium-based browsers in incognito mode -- where instances of IndexedDB are always reset, causing uBO to always launch inefficiently and with out of date filter lists (see #399). An IndexedDB instance is required because it supports storing Blob-based data, a capability not available to browser.storage.local API.
Last edited:
Blocking first-party Cname spoofing can also be done by using NextDNS or using the Easylist privacy blocklist (which has incorporated Adguard's CNAME blocklist).
In regard to browser choice: security aware surfers better use Edge (than Chrome) and privacy aware users better use Firefox (than Chrome). Brave is good for both, but I simply don't trust their business model. Vivaldi/Brave need a minimum user base allowing Google ads to be replaced by Vivaldi/Brave advertising. They can't burn investor money forever. At some point they need to earn money out of advertising.
In regard to browser choice: security aware surfers better use Edge (than Chrome) and privacy aware users better use Firefox (than Chrome). Brave is good for both, but I simply don't trust their business model. Vivaldi/Brave need a minimum user base allowing Google ads to be replaced by Vivaldi/Brave advertising. They can't burn investor money forever. At some point they need to earn money out of advertising.
- Jul 5, 2019
- 605
In my eyes it's a matter of trust. When they say that they don't track or profile me, I believe them until proven otherwise.
Edit: some advertising isn't bad. But I think we're going OT.
Last edited:
Well, for the past few days, I noticed the comment section of any/all YouTube videos would be missing all text. I'd see avatars and some dots next to each one, but no comments. So I decided to get off my lazy behind and after some shenanigans, I saw the issue was uBO-related. So I began disabling each filter one by one and lo and behold! Still no comments!
So there's a little entry near the top called "my fitlers." Disabling that brought back the YouTube comments but I wouldn't know what rule it specifically affected. (my rules is created via Element Picker--an absolute necessity for me.)
So, does anyone happen to know what rule exactly causes YouTube comments to disappear? Prob. a needle-haystack thing. But if anyone is ever confronted with this issue, have a look at "my rules" in the uBO dashboard. Chances are it's something in there.
Edit: here are the "my rules" for Firefox. One of them appears to be the culprit, one of the Youtube/gstatic ones it seems.
So there's a little entry near the top called "my fitlers." Disabling that brought back the YouTube comments but I wouldn't know what rule it specifically affected. (my rules is created via Element Picker--an absolute necessity for me.)
So, does anyone happen to know what rule exactly causes YouTube comments to disappear? Prob. a needle-haystack thing. But if anyone is ever confronted with this issue, have a look at "my rules" in the uBO dashboard. Chances are it's something in there.
Edit: here are the "my rules" for Firefox. One of them appears to be the culprit, one of the Youtube/gstatic ones it seems.
Last edited:
I think it's most likely the
youtube.com###main, since gstatic is just Google's domain for their (CDN) static content loading by up- and downloading to/from the nearest Google server near your IP or location. That line should only block an image with that same name, and nothing else.
- Mar 29, 2018
- 7,600
Learn to use the logger and you can pinpoint the source of the issue. It takes some time but is well worth it.
Similar threads
