Skip to content

Dynamic filtering: default deny

Raymond Hill edited this page Jul 25, 2015 · 46 revisions

Back to Dynamic filtering


Default-deny is an awesome blocking mode for whoever agrees that in general most 3rd-party resources from web pages:

  • are not really all required
  • increase privacy exposure

Strictly speaking, default-deny means to block everything and let the user choose what should not be blocked. This strictest mode of default-deny is impractical though, as this means that most web pages would be broken, and more than likely most users would not make use if it.

With uBlock it is possible to use more relax (and thus practical) versions of default-deny: 3rd-party-deny (stricter), and 3rd-party active content-deny (for lack of better expression).

3rd-party-deny will result in more remote resources being blocked, as anything which is 3rd-party to the current site will be blocked by default. This means a higher likelihood that web pages won't render or behave properly:

Default-deny anything which is 3rd-party
Default-deny all 3rd-party: more likely to break, this will need fixing by the user.

A more friendly approach is to use 3rd-party active content-deny, which will block only 3rd-party active content, where active content refers to script and frame resources. In such case the likelihood of page breakage is much lower the 3rd-party-deny, and yet this is where most of the benefits are reaped:

Default deny only 3rd-party scripts/frames
Default-deny 3rd-party active content only: less breakage, yet most 3rd-party resources are blocked.

The 3rd-party status of a network request is determined as follow: if the domain of a network request does not match the domain of the web page from which it originates, the network request is deemed 3rd-party. The domain information is extracted as per the official Public Suffix List.

The benefits of using default-deny are plenty:

  • Faster page load
  • Reduction of bandwidth consumption
  • Reduction of privacy exposure
  • Increase browser security
  • Easier on your browser's memory and CPU footprint

The advantages do not come for free. Often, default-deny will require a bit of work the first time you visit a web site. Using The Guardian as our current example:

Default-deny

As seen in the picture above, a few 3rd-party domains related to theguardian.com had to be un-blocked for the page to display and behave properly. Notice that noop rules (dark gray) were used to un-block the domains.

A noop rule is different than an allow rule (green): an allow rule will cause all block filters from static filtering to be bypassed, while a noop rule will just disengage dynamic filtering and keep static filtering engaged.

Keep in mind that all rules are permanent as soon as they are set (or unset). As of v0.8.8.0, you need to click the padlock to save your rules: all rules are now temporary by default. This allows users to fiddle with rules without worries about polluting their good ruleset. When you want to keep rules for a specific site, click the padlock. The padlock appears if and only if there is at least one temporary rules in the pane.

You can disengage default-deny for the current site with one click: set the "3rd-party" local setting to noop if you prefer to work this way:

Default-deny
Default-deny cancelled locally. Notice that the blocking of 3rd-party frames is still in effect: cells with higher precedence won't have their rules overriden by cells with lower precedence.

This results in default-deny being disengaged for the current site (The Guardian in our example), while keeping engaged static filtering (EasyList, EasyPrivacy, etc.). In this particular example, as can be seen in the picture, 3rd-party frames will still be blocked (usually a good thing privacy- and security-wise).


This is an important aspect of uBlock's dynamic filtering compared to µMatrix, RequestPolicy, Policeman: in uBlock, rules are ternary, not binary.


working on it.. topic to cover:

no need to use malware domain lists since all 3rd-parties are blocked by default = leaner uBlock

ubiquitous servers blocked by default, i.e. no need to pre-emptively block facebook, google, twitter, linkdin, etc. to prevent tracking by these

provide many real-life examples of how easy it is to un-break websites

Clone this wiki locally