My recommendations for the ultimate configuration of uBlock Origin :)
NOTE: This project can be found on both Codeberg, which will act as the main & preferred way to contribute, and GitHub.
Privacy:
-
Disable pre-fetching (to prevent any connection for blocked network requests) -> ✅
-
Disable hyperlink auditing -> ✅
-
Block CSP reports -> ✅
-
Uncloak canonical names -> ✅
Default behavior:
- Disable JavaScript -> ✅ (This will cause breakage, but it heavily improves privacy & security, so I'd recommend enabling it if possible and if you're willing to re-enable JavaScript that need it)
Advanced:
- I am an advanced user -> ✅
Auto-update filter lists -> ✅
Suspend network activity until all filter lists are loaded -> ✅
Parse and enforce cosmetic filters -> ✅
Ignore generic cosmetic filters -> ❌
I would generally recommend configuring your filterlists as follows. This configuration matches what my Phoenix project uses, & is carefully considered for a balance between privacy, security, usability, & maintaining optimal performance.
We'll first go over lists built-in to uBlock Origin (as of October 23, 2024).
Note
I won't detail the Regions, languages category, as it heavily depends on you personally & your situation. My recommendation would be to only enable the lists you need here, if you need them at all.
Tip
😇 means the list is enabled by default.
✅ means the list is already included, but you should enable it.
-
Built-in
-
✅ uBlock filters 😇
-
-
Ads
-
Malware protection, security
-
Multipurpose
-
Cookie notices
-
✅ EasyList/uBO – Cookie Notices ✅
-
✅ AdGuard/uBO – Cookie Notices ✅
-
-
Social widgets
-
Annoyances
-
✅ EasyList - Annoyances ✅
-
✅ AdGuard - Annoyances 🚀
-
We can now go over what lists you should manually import to uBlock Origin.
I would generally recommend importing & enabling the following:
-
⭐️ ➗ Actually Legitimate URL Shortener Tool
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt
-
⭐️ 🔍 yokoffing's Block third party fonts
https://raw.githubusercontent.com/yokoffing/filterlists/main/block_third_party_fonts.txt
-
⭐️ ⛔ yokoffing's click2load filters
https://raw.githubusercontent.com/yokoffing/filterlists/main/block_third_party_fonts.txt
-
⭐️ Divested Fingerprinting Blocklist
https://divested.dev/blocklists/Fingerprinting.ubl
-
⭐️
⚠️ BadBlock - Unsafehttps://badblock.celenity.dev/abp/unsafe.txt
-
⭐️ 💊 Dandelion Sprout's Anti-Malware List
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Dandelion%20Sprout's%20Anti-Malware%20List.txt -
⭐️ 🔏 HaGeZi's Dynamic DNS Blocklist
https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/adblock/dyndns.txt
-
⭐️ 💻 HaGeZi's Badware Hoster Blocklist
https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/adblock/hoster.txt
-
⭐️ 🔐 HaGeZi's Threat Intelligence Feeds
https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/adblock/tif.txt
-
⭐️ FMHY Unsafe sites filterlist - Plus
https://raw.githubusercontent.com/fmhy/FMHYFilterlist/main/filterlist.txt
-
⭐️ 📙 HaGeZi Multi PRO++
https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/adblock/pro.plus.txt
Additionally, if you're fine with occasional breakage at the cost of enhanced privacy & security, you could also consider using:
-
⭐️ 1Hosts (Pro)
https://badmojr.gitlab.io/1hosts/Pro/adblock.txt
-
⭐️ My ⚡️ BadBlock Lite, 🔇 BadBlock, OR 🔥 BadBlock+
-
Do not use all 3 together, pick one that works best for you! 🔇 BadBlock is recommended for most users.
- ⚡️ BadBlock Lite
https://badblock.celenity.dev/abp/badblock_lite.txt
- 🔇 BadBlock
https://badblock.celenity.dev/abp/badblock.txt
- 🔥 BadBlock+
https://badblock.celenity.dev/abp/badblock_plus.txt
- ⚡️ BadBlock Lite
-
-
⭐️ Divested Combined Blocklist
https://divested.dev/hosts-domains-wildcards
-
⭐️ 📕 HaGeZi - Multi ULTIMATE
[!NOTE] Disable HaGeZi - Multi Pro++ from above if you decide to use this list.
https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/adblock/ultimate.txt
Furthermore, if you don't have a DNS content blocking solution in place (you should), or you just can't use the relevant list on your DNS blocker, you could also use the following:
-
⭐️ HaGeZi's Most Abused TLDs
https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/adblock/spam-tlds-ublock.txt
-
⭐️ HaGeZi/xRuffKez's Newly Registered Domains (14 days)
https://raw.githubusercontent.com/xRuffKez/NRD/main/nrd-14day_adblock.txt
-
⭐️ OISD - Big
https://big.oisd.nl
Once you're finished choosing your lists, don't forget to select Apply changes & Update now.
This is where it can really depend on you and your set-up. I'll provide my recommendations and filters here I myself use below:
First, I would highly recommend setting the following to protect against IDN Homograph attacks
You don't need to set this if you use BadBlock Unsafe above or if your DNS provider already provides IDN Homograph Attacks Protection (i.e. NextDNS):
xn--*
xn--*$doc,popup,frameI usually set the following to always enforce blocking Google's Doubleclick & Google Analytics: ((Why?)[https://github.com/gorhill/uBlock/wiki/Privacy-stuff])
||doubleclick.net^$important
||google-analytics.com^$importantAdditionally, I set the following to block social media tracking on websites:
||facebook.com^$important,third-party
||facebook.net^$important,third-party
||linkedin.com^$important,third-party
||instagram.com^$important,third-party
||tiktok.com^$important,third-party
||twitter.com^$third-party
||x.com^$third-partySee My rules section below for unbreaking X/Twitter...
I also set this to block tracking from Gravatar:
||gravatar.com^$important,third-partyI also set these rules to block 3rd party sign-in prompts from Google & Apple, as they're 1: annoying and 2: a tracking concern:
||accounts.google.com^$third-party
||appleid.apple.com^$third-party
||appleid.cdn-apple.com^$third-party
@@||accounts.google.com^$domain=youtube.com|chromium.org|gstatic.com|googleusercontent.com
@@||appleid.apple.com^$domain=appleid.cdn-apple.com
@@||appleid.cdn-apple.com^$domain=appleid.apple.comSince I block all 3rd-party requests (will be explained further in My rules section below), I set the following rules to still allow CAPTCHAs for sites: (Also see My rules)
||challenges.cloudflare.com^$third-party
@@||challenges.cloudflare.com/cdn-cgi/challenge-platform/$third-party,script,frame
||www.google.com^$third-party,subdocument
@@||www.google.com/recaptcha/$third-party,subdocument
||www.gstatic.com^$third-party,script
@@||www.gstatic.com/recaptcha/$third-party,scriptFinally, I usually set the following to block the annoying banner on Old Reddit promoting Reddit's new UI.
www.reddit.com###redesign-beta-optin-btn
old.reddit.com###redesign-beta-optin-btnOnce you are done here, make sure to select Apply changes.
First, I typically set the following to block all 3rd party requests:
I would not recommend this for most people, as you will basically have to unbreak pages yourself, but it provides the most private, secure, and fastest configuration possible.
* * 3p block
* * 3p-frame block
* * 3p-script blockIf you don't want as much breakage, you could potentially only set:
* * 3p-frame blockThis only blocks 3rd party frames, while keeping other resources untouched. I would recommend this if you have the tolerance to allow 3rd party frames for pages that need them.
I then set the following to allow CAPTCHAs for sites:
* challenges.cloudflare.com * noop
* www.google.com * noop
* www.gstatic.com * noopI also set the following to unbreak X/Twitter based off the filters we set above:
x.com twitter.com * noop
twitter.com x.com * noop⭐️ If you block 3rd party connections like me, then I would strongly recommend also using the LocalCDN extension with the following settings, as this will reduce breakage:
Hide donation button -> ✅
Block Google Fonts -> ❌ This is already covered by Yokoffing's Block third party fonts list that we added, leaving Google Fonts blocked here as well will just cause issues & breakage
Now, back to uBlock Origin, you should add the following rules in uBlock Origin for LocalCDN to be active:
* ajax.googleapis.com * noop
* ajax.aspnetcdn.com * noop
* ajax.microsoft.com * noop
* cdnjs.cloudflare.com * noop
* code.jquery.com * noop
* cdn.jsdelivr.net * noop
* fonts.googleapis.com * noop
* yastatic.net * noop
* yandex.st * noop
* apps.bdimg.com * noop
* libs.baidu.com * noop
* cdn.staticfile.org * noop
* cdn.bootcss.com * noop
* mat1.gtimg.com * noop
* lib.sinaapp.com * noop
* upcdn.b0.upaiyun.com * noop
* stackpath.bootstrapcdn.com * noop
* maxcdn.bootstrapcdn.com * noop
* netdna.bootstrapcdn.com * noop
* use.fontawesome.com * noop
* ajax.cloudflare.com * noop
* akamai-webcdn.kgstatic.net * noop
* gitcdn.github.io * noop
* vjs.zencdn.net * noop
* cdn.plyr.io * noop
* cdn.materialdesignicons.com * noop
* cdn.ravenjs.com * noop
* js.appboycdn.com * noop
* cdn.embed.ly * noop
* cdn.datatables.net * noop
* mathjax.rstudio.com * noop
* cdn.mathjax.org * noop
* code.createjs.com * noop
* sdn.geekzu.org * noop
* ajax.proxy.ustclug.org * noop
* unpkg.com * noop
* pagecdn.io * noop
* cdnjs.loli.net * noop
* ajax.loli.net * noop
* fonts.loli.net * noop
* lib.baomitu.com * noop
* cdn.bootcdn.net * noop
* fonts.gstatic.com * noop
* ajax.loli.net.cdn.cloudflare.net * noop
* akamai-webcdn.kgstatic.net.edgesuite.net * noop
* apps.bdimg.jomodns.com * noop
* cdn.bootcdn.net.maoyundns.com * noop
* cdn.bootcss.com.maoyundns.com * noop
* cdn.embed.ly.cdn.cloudflare.net * noop
* cdn.jsdelivr.net.cdn.cloudflare.net * noop
* cdnjs.loli.net.cdn.cloudflare.net * noop
* cds.s5x3j6q5.hwcdn.net * noop
* developer.n.shifen.com * noop
* dualstack.osff.map.fastly.net * noop
* fonts.loli.net.cdn.cloudflare.net * noop
* gateway.cname.ustclug.org * noop
* iduwdjf.qiniudns.com * noop
* lb.sae.sina.com.cn * noop
* lib.baomitu.com.qh-cdn.com * noop
* mat1.gtimg.com.tegsea.tc.qq.com * noop
* materialdesignicons.b-cdn.net * noop
* mscomajax.vo.msecnd.net * noop
* sdn.inbond.gslb.geekzu.org * noop
* use.fontawesome.com.cdn.cloudflare.net * noop
* vo.aicdn.com * noopOnce you're done configuring your rules here, select Save & Commit.
-
Use Firefox with my Phoenix, as Firefox respects your privacy and has the best support for uBlock Origin.
-
Enable Safe Browsing in your browser if possible and if it's not done in a privacy-invasive way. (You should use i.e. Google Safe Browsing on "Standard" Mode, Firefox's Safe Browsing, & Brave's Safe Browsing, you should avoid most other options i.e. Google Safe Browsing on "Enhanced" Mode, Microsoft SmartScreen, & Opera Sitecheck).
-
Use a private, secure, & reputable DNS provider of your choice. I would recommend setting up your own NextDNS configuration if you are able to (See my recommendations for NextDNS here), otherwise I would recommend Quad9. (Even if you have a private/secure DNS provider set on your OS/network level, make sure to also set it in your browser as well, so that you can take advantage of Encrypted Client Hello)
-
Use a (reputable) anti-virus if possible. On Windows, you can use the built-in Microsoft Defender Antivirus, on macOS, you can stick to the built-in XProtect, on Android, you can use Hypatia, and on Linux, you can use ClamAV. NOTE: You should install Hypatia through the DivestOS Official Repo instead of F-Droid's main repo, as it will allow you to receive quicker updates directly from the developer. It's also recommended to use F-Droid Basic as your F-Droid client of choice.