sticky: extensions

[Thorin-Oakenpants]

:exclamation: DO NOT START DISCUSSIONS IN HERE, start a new issue instead. ONLY use this thread to report extensions - thank you

Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki Extensions page. Stick to privacy and security related items, and do not mention legacy extensions

:small_orange_diamond: Added Web Extensions

• ... go look on the Wiki page - not listing things twice

:small_orange_diamond: Pending Web Extensions

• Negotiator | GitHub
  • doesn't work (yet) full of bugs and errors - ask earthlng - worth revisiting
• Google search link fix | GitHub
  • google/yandex. Personally, I use a user script called "google privacy" which has been working for years - I should find a link for it, see if it's maintained, stick in the wiki for user scripts? -Thorin
• Searchonymous2 | GitHub
• Modify Header Value
• Referer Control
• eCleaner (Forget Button) | GitHub
  • NOTE: bulk clean per storage type: eg indexedDB, dom storage etc
  • NOTE: Is using wrong Storage API for settings??? Requires cookies in order to access local dom.
• mHeaderControl | GitHub
• Shape Shifter | GitHub
• EditThisCookie
• History AutoDelete
• Canvas Defender
• FoxyProxy
  • Basic
  • Standard
• WebAPI Manager | GitHub

:small_orange_diamond: Rejected ^{If you strongly disagree, then by all means, bring it up}

• ... nada yet

...

[Gambit78]

Is there a webext that can quickly enable/disable dom.storage on Firefox 57+ ?

[Thorin-Oakenpants]

Web Extensions can't control about:config prefs - but If you deny a site a cookie, it cannot use localStorage or IDB (or cookies). Workers can also use storage and there's no easy answer for that. Workers, and service workers seem to independently be able to store data - and some sites need workers (eg I believe google docs/gmail?, outlook.com, maps) - but the user.js disables all that sh*t off the bat.

[Gitoffthelawn]

@Thorin-Oakenpants Do you know where workers / service workers store data? RAM? In the profile on disk?

[Gambit78]

So if I block in uMatrix cookies completely not one site will not be able to use dom.storage and dom.indexedDB? Do I understand correctly? What about dom.event.clipboardevents?

[Thorin-Oakenpants]

^^ No. uMatrix blocks outgoing cookies. I am not sure about other cookie extensions - just deleting the cookie may not be enough (I do not know how the extensions do this, on some timer or something?), it is far better to actually deny the site permission using FF's internals - eg block all cookies and use site exceptions

[Thorin-Oakenpants]

Do you know where workers / service workers store data? RAM? In the profile on disk?

I have, in testing, seen service workers create IDB entries (youtube). I assume they use the storage quota and places the same as everything else

[Gambit78]

i`m use before Cookie Controller for exceptions. Not work on FF57 :(

[grauenwolfe]

Do you know where workers / service workers store data? RAM? In the profile on disk?

@Gitoffthelawn May not be of much use but here's a link going straight to 'serviceworker' storage section. Seems to only mention storage location vs. content but there's a lot info throughout the page, may have missed it.

https://github.com/mozilla/firefox-data-store-docs#file-based-stores

Also, there's this page (no serviceworker info) which is a less detailed, "quick notes" kind of listing of storage locations and content.

https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data

Even if they don't answer your questions specifiaclly they're just good reference links to have around.

[2glops]

NoScript webext is out with a completely re-designed UI That's a first, some legacy figures are still missing, but it seems more granular via custom rules

[Thorin-Oakenpants]

NoScript: I think it's going to be a long long time before I use that. I'm about to ditch it (I'll keep a copy of my rules). I'm going to have to change my uM (and maybe uBo) settings a little now. uM currently allows 1st party scripts - I guess I'll change that to default deny?

* * * block
* * cookie block
* * css allow
* * frame block
* * image allow
* * other block
* * script block
* 1st-party * allow

slightly confused now ... 1st party property overrides scripts property (see pic)? .. do I need any other changes? (PS: I might disabled XHR as well by default). Earthlng - you use uM + uBo without NS, right - always have?

and

---

Soz, went OT a tad. NoScript - should I remove it from Legacy to Web Extensions and sticky a dirty big "this is shit and not ready for use" warning sign?

[Thorin-Oakenpants]

Soz, went OT a tad. NoScript - should I remove it from Legacy to Web Extensions and sticky a dirty big "this is shit and not ready for use" warning sign?

OK, I see earthlng moved it anyway. I have since moved it back, changed its title & link to the last legacy version and added a sub bullet point. NO WAY am i recommending NS for 57+, at least not yet

[earthlng]

Earthlng - you use uM + uBo without NS, right - always have?

no I use all 3 of them.

slightly confused now ... 1st party property overrides scripts property

Your text rules look good. I think the problem is your inherit rule for github.com scripts, that's why it looks that way in your pic. XHR relies on JS to be enabled, without JS no XHR, so the way you have configured it makes it easy to allow full JS functionality as soon as you allow JS. But I wouldn't use inherit, instead just make the 1st party script field dark green on domains where you want to allow JS. Or if you don't want full 1st party script allowance you can also only allow certain (sub)domains, fe. either github.com (effectively the same as 1st party) or only assets-cdn.github.com + live.github.com.

[Thorin-Oakenpants]

I'll have a tinker. I get the diff between inherit and a single cell. I'm trying to keep my rules down to the smallest amount since I am currently living without NS (still on 56 right now, but man, that NS WE is a PoS). Previously NS was default deny so very little ever got thru to uM - and now I cannot remember what settings I had exactly, but FWIW, I'm now making that sucker tighter than a nun's asshole - XHR is now default block. What also threw me was the change in scope selection in uM. Still working out which exact settings will cause the least work but still be effective

crssi: PoS stands for Piece of Sh*t

[Thorin-Oakenpants]

doh! need some beersies. My point was inherit (horizontal) overrides script (vertical) - was just checking

[earthlng]

Something to consider about as to where you want to set your dark green fields: for example, as you can see in your pic, the scripts for github.com are hosted on assets-cdn.github.com. If a hacker manages to get access to the server that hosts github.com but can't get access to the server that hosts assets-cdn.github.com, then he'll have to drop his JS malware on the github.com server. Because I set permissions on only the domains where it needs them, the malware won't run.

FYI the images from *.githubusercontent.com are light green because of this rule: github.com githubusercontent.com image allow

[Thorin-Oakenpants]

^^ yeah, I totally get the more precise (and more work setting up but lets face it it's a one off job) use of cell control versus rows/columns. Maybe I should do that since my default is going to be block almost everything anyway

And yeah, time I learned to just add rules directly from the dashboard. Not convinced on default blocking images - sounds like a lot of work to make the web useable

[earthlng]

One important thing to note is that after you made some changes you should always refresh the page with the uMatrix refresh button because if you used FF's refresh button it sometimes (at least in the past) wouldn't always stick - uMatrix would show the new permissions correctly but the site would not see the changes because I think FF refreshed the page with a cached content-security-policy header.

[2glops]

I also use uBO + uM + NS for a long time

Strategy: uMatrix: default deny-all (except css, images) uBO: static filtering, advanced user unchecked NoScript: allow scripts globally but keep protection for XSS, ClearClick, ABE ...

The last version of NS seems of little help but I'll keep it to se what happens

[Thorin-Oakenpants]

NoScript: allow scripts globally but keep protection for XSS, ClearClick, ABE ...

ewwwwwwwwww ... allow global .. booo!! xD however, it really is redundant. Yup .. missing the XSS, ClearClick, ABE

uMatrix: default deny-all (except css, images)

same, i.e css & images are dark green - media on the other hand is pale red (neutral?) on the global scope - and I might try images as dark green as well as per earthlng's comments - it's just that sooo many (large) sites use a different server for images - eg amazon, itunes, discogs, etc - I am not too worried about smaller sites such as blogs etc. Might even make media red, since I never play vids or audio anyway

The last version of NS seems of little help but I'll keep it to se what happens

Nah - disable it. I read about it being a resource hog right now. Update it when needed and check it out in 2 months time or something

[Thorin-Oakenpants]

earthlng - check out this unsigned web extension -> https://bugzilla.mozilla.org/show_bug.cgi?id=444222#c87 .. maybe you can get it signed and we can test it.

For myself all three scripts in our wiki are broken still in 56 even though I only have 1 legacy extension. I'm beginning to think Violentmonkey can't run them with run at document start TBH

Edit: Actually, they do work now that I have no legacy addons (except scrapbook which does nothing to manipulate incoming/outgoing content). I just forgot to make then run at document start.

Still, the "conceal windows.name" does the same job, so the extension is not needed - got confused with the "conceal history.length" which is not really a solution

[Thorin-Oakenpants]

FYI: uMatrix is incompatible with NoScript 10

• reddit
• gorhill on twitter

[publicarray]

I think incompatible is true but only to the extent that uMatrix can't see the requests that are already blocked in NoScript. They can still function together.

[Thorin-Oakenpants]

But it can also interfere with other extensions. For the record, the only XSS warning I ever got from NS in the last 5 or 6 years were false positives, and I could count them on one hand.

XSS, ClearClick, ABE - this is all I need (confused about the XSS part) and no idea exactly what ClearClick and ABE is. Are these is NS 10, or are they waiting for FF58/59 and APIs etc

[Atavic]

It seems that you can use NoScript and uMatrix together if the former is in Global Allow mode: XSS filter, ABE, ClearClick and inclusion type checking are still activated.

When two extensions modify the same elements, they can throw DOM errors (as uBo + Ghostery) or they can become unusable. If one of the two conflicting extensions can be deactivated from modifying the common element, you can keep using both (as Privacy Badger + uMatrix).

Related: https://github.com/pyllyukko/user.js/issues/348

[Thorin-Oakenpants]

AFAIK ClearClick and ABE aren't even in NS10 yet - see https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/ .. v1.10.1 "Next to come: ClearClick and ABE (in the next few weeks)", and that was 7 days ago and the two releases yet don't say anything about these (unless I'm blind)

[canusuck]

btw Cookie AutoDelete now supports the removal of localstorage is obtained that dom.storage.enabled = true ??

[Thorin-Oakenpants]

^^ That's only available for FF58+ - see 1388428. There is also access to clearing IDB. I am not sure what clearing methods are available. localStorage by host for sure. Not sure on by time-time-range. Good to see mrdokenny has this feature implemented so its robust by the time 58 lands, but we still have the long ongoing saga with FPI & PB mode Origin Attributes on cookies - I really hope that is solved by 59.

[Thorin-Oakenpants]

closing this, starting a new clean extensions sticky