-
Notifications
You must be signed in to change notification settings - Fork 471
How to work in hardcore "block almost everything" mode
Instead of starting with a permissive model, start with a very restrictive model and whitelist as necessary.
Go to the uMatrix panel and select the global scope. Deselect everything except 1st-party CSS.
Open a new page. It might look horribly broken, but don't panic! Look at the uMatrix panel for third party CSS resources (anything with a number in it in the CSS column is probably useful). Select the CSS box for those (sub)domains. Reload. Hopefully, the site looks decent now!
The next step is images. Again, toggle specific (sub)domains until the site looks reasonable.
If this is a site you visit fairly often, you should probably save the rules so that you don't have to go through this too often. Otherwise, I wouldn't bother - the fewer the rules, the less the potential for unexpected things to happen.
Let's take facebook.com as an example. We'll walk through how to figure out what the site needs and how.
First, we visit Facebook. I will be using a vanilla Firefox profile with only uMatrix installed.
-
Facebook is utterly broken. We click on the uMatrix panel and note that
static.xx.fbcdn.net
has a7
in the CSS box. We toggle that and reload. -
It already looks a lot better! Now we fix the images. We see that the
facebook.com
,www.facebook.com
,scontent-ort2-2.xx.fbcdn.net
, andstatic.xx.fbcdn.net
entries have multiple images, so we toggle the image box forfacebook.com
and the last two (www.facebook.com
is automatically whitelisted as you can see in the screenshot). We reload. -
We now see that Facebook complains that Javascript is disabled in the browser, so we go ahead and toggle the script box for
facebook.com
and reload. -
We now try logging in. When we click "Login", we get an error that cookies are not enabled, so we go ahead and toggle the cookie box for
facebook.com
and try logging in again. -
This is enough to get us logged in! However, Facebook itself doesn't work! The screen is blank. The only resource that shows as blocked (currently) is the script box of
static.xx.fbcdn.net
, so let's toggle that and try again. -
That worked! We're able to see stuff in the Newsfeed now. However, clicking on Notifications doesn't seem to work. When we click on it, we see the XHR box in
www.facebook.com
tick up, so let's try toggling that. -
Cool! Now we can see notifications (and click on them). However, images aren't loading (the ones in the newsfeed will load, but try clicking on one of them). We see that the image box of
scontent.xx.fbcdn.net
is blocking something, so we'll try toggling that. -
This seems to just bring up a new domain (
external-ort2-2.xx.fbcdn.net
)! Let's toggle its image box as well. -
That worked! We can now view images both inline and in theatre mode. Now try scrolling down. Uh oh. Facebook refuses to load new things! If you look at the console, you'll see that it's trying to pull new content from
1-edge-chat.facebook.com
. Anticipating what is going on, we can go ahead and whitelist XHR for 1st-party. Let's try reloading now. -
Huh, it still doesn't work. Perhaps whitelisting the frames in
staticxx.facebook.com
andwww.facebook.com
would help? -
Cool! It works! Now let's try to find an embedded video to see if it will play (Hint: it won't). We get a loading circle which almost immediately stops. We see a
video-ort2-2.xx.fbcdn.com
, so let's whitelist its XHR (it needs to fetch the video after all!). -
And it works! You can now view posts, images, and videos while only whitelisting the specific things Facebook needs for those purposes.
uMatrix: Point and click matrix to filter net requests according to source, destination and type.