:exclamation: DO NOT START DISCUSSIONS IN HERE, start a new issue instead. ONLY use this thread to report extensions - _thank you_
Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki Extensions page. Stick to privacy and security related items, and do not mention legacy extensions
...
uBlock Origin webext released (dev channel) on AMO
https://github.com/gorhill/uBlock/releases/tag/1.13.9rc2
uMatrix webext released (dev channel) on AMO
https://github.com/gorhill/uMatrix/releases/tag/1.0.1b6
For anyone using Self-Destructing Cookies or Cookie AutoDelete...
the Cookies Exterminator still works as intended to delete cookies and storages as a temporary solution until the storage drama is resolved.
See https://github.com/nylira/prism-break/issues/1796#issuecomment-323604265
Decentraleyes has a webext beta out for nightly users only.
https://addons.mozilla.org/firefox/addon/decentraleyes/versions/beta?page=1#version-2.0.0beta1
Maybe make 2 lists for ESR and 57+? That of course, leaves the versions in between out in the cold, but not for too long. The guys in between can probably mix and match.
Also, violentmonkey on AMO is lagging behind what we have on the chrome store. That's not a dealbreaker, but if the situation continues I'd recommend Greasemonkey/Tampermonkey instead. I myself am a violentmonkey supporter, but I can't support being treated like a second class citizen.
Re VM, GM, TM. Please leave politics out of it. Still quite some time for GM to port yet. I want GM (reasons), and do not ever want to suggest TM (reasons). Was only looking at VM as an alternative.
My intention wasn't being political here. Forgive me, I meant to say that if VM seems to not update on AMO as often as it does on Chrome, then it's not a good idea to have it because it might imply a lack of interest from the author towards FF. I have no opinion on VM vs TM vs GM apart from knowing that VM is the only opensource webext among them. :)
I hope I'm in the best thread to expose my experience concerning uB0 Webextension running on Waterfox 55.0.2 with a profile on a RAMDisk.
In fact it's less a uB0 problematic than a Webextension using IndexedDB to store data in the user's storage folder.
I'm running Waterfox 52.2.0 with my profile on a RAMDisk.
I was surprised that backing up my uB0 settings, uninstalling uB0 1.13.8 legacy add-on, installing then uB0 Webextension 1.14.0 and restoring my settings ... would indeed install uB0 but just wouldn't handle the data in dedicated uB0 subfolder in Storage folder : the only data stored were those of My filters and My rules.
I then installed a new Waterfox profile on hard-disk, installed uB0 WE and all was OK, including data in Storage folder.
I spent hours trying to understand what was wrong. It wasn't a user.js setting because further testings on the new hard disk profile worked OK with the same user.js file copied before installing uB0 WE. I tried removing one after another several of my 67 add-ons ... nothing would do it.
So here is the culprit: when the profile is on a RAMDisk the IndexedDB process doesn't handle data management in the Storage folder correctly.
I installed once again a new profile on hard disk, copy-pasted my RAMDisk profile, backed-up my uBO settings, removed uBO legacy add-on, installed uBO WE and all was fine.
1- If this is the wrong thread please move it to the correct place;
2- I'm sharing this experience not because Pants' user.js is concerned but because Firefox is the main concern here.
3- If you have any info about this Firefox IndexedDB / RAMDisk issue thanks for sharing. I've searched the Web and found nothing up to now.
4- My RAMDisk is Dataram RAMDisk 4.4.0 RC36 with a 200MB RAMDisk partitioned with NTFS.
Thanks.
You can check this as maybe Dataram lacks the option to "Save contents to image".
@Atavic I use a 200MB image with Save Image at shutdown and Load Image at startup, that's not the problem. I've always had my Firefox profiles on the RAMDisk, now the Waterfox profile. All runs perfectly well. Sites which use the Storage folder do it correctly, it's only the IndexedDB process concerned managing a Webextensions data in the Storage folder which fails to do it right when the profile is on a (my, anyway) RAMDisk.
@Thorin-Oakenpants have a second look at the avatar, it's a vertical symmetry of that of Zymase's ... as my pseudo is his anagram! But the soul is the same. Zymase had closed his account and because that account was mine I opened a new one as a shade copy...
NEW topic? But I remembered you didn't like people starting new topics when a dedicated one was more pertinent... anyway, Pants, please feel free to move my comment to a new topic then. Thanks
EDIT: I did think about asking Gorhill but seems to me this problematic is closer to general FF issues (hence here) than to uB0 specifics.
https://addons.mozilla.org/en-US/firefox/collections/siric/webextensions-privacy-security
FoxyProxy just made the switch to WE.
Basic version: https://addons.mozilla.org/firefox/addon/foxyproxy-basic
Standard version: https://addons.mozilla.org/firefox/addon/foxyproxy-standard/
Login based SOCKS proxies don't seem to work (Probably a browser limitation atm).
Also I'm not sure if DNS lookups are performed through the proxy, this might leak browsing info. I will try to contact the addon developer about this.
I've wondered about this, ie FoxyProxy or similar - the way this works is that you can have certain domains run through different proxies, right? so what happens with the resources from 3rd party domains on those domains, do they get routed through the same proxy as the original domain or does every single request query FoxyProxy for the proxy to use?
Third party requests do not get routed through the proxy (if they don't match the rules). That's why I block third party requests in uMatrix on the sites I use the proxy on.
FoxyProxy used to have paid version which did detect third party requests and pushed them through the proxy but due to WE limitations support for that version has been dropped (for now, it might change in the future).
If you want third party requests going through the proxy, you need the third parties to be predictable (which is why I block the third party requests because it is all way too dynamic and you never know when a third party domain changes). You could also proxy all your traffic through 1 proxy but I'm not a fan of that. FoxyProxy + uMatrix to block third parties is the way to go for me.
Thank you. A proxy-per-container solution would be nice
Not separated by Containers (Yet):
- History
- Bookmarks
Maybe a webext that uses the VirusTotal Public API could be listed as optional?
You may want to check out CookiErazor. It's brand new.
https://addons.mozilla.org/firefox/addon/cookierazor/
https://github.com/Miraculix200/CookiErazor
^^will keep an eye on it, but at this point it does not clear local storage. guess we need to wait for mozilla to make those APIs working.
@crssi Do you know if containers keeps local storage separate for each container? What's a good website to test local storage containment?
@Gitoffthelawn
Yes, from what I can see it's separated and looks like each container has its own store.
I wonder if there are APIs to create and destroy containers... you can guess where I am aiming to.
There is a page I use to test (don't mind the language).
Main page: http://telekom.si
The sub page that fills the storage's: http://www.telekom.si/zasebni-uporabniki/mobiteli-in-naprave/mobiteli#v-prodaji=da
So... you can go to main... and you will see nothing in storage's, then go to the sub page, which fills the storage.
Close tab and open new one with a main page... you will see storage's with data still in.
You can even change some data to something you will remember. ;)
@Thorin-Oakenpants which repo?
@crssi Thanks! Any pages that test local storage directly without having to check manually in devtools?
@crssi Thanks, especially for:
http://www.theburningmonk.com/demos/web storage/storage_demo.html
@rekixex - see https://github.com/ghacksuserjs/ghacks-user.js/issues/249
It is already in the wiki. See here: https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-B:-Extensions
Is there any sense from "Multi-Account Containers" extension if I use uBlock and uMatrix? They are already blocking the spying on the user. What is the use of it.
Decentraleyes is now a webextension
Fully rewritten with new features
^^ https://decentraleyes.org/test/ - pro tip: in NoScript you need to allow file:// ... I had that as default deny .. wonder if the old decentraleyes needed that? !! Oh well, now it's working
Just released: WebAPI Manager
https://addons.mozilla.org/firefox/addon/webapi-manager/
https://github.com/snyderp/web-api-manager
Allows very granular control over which APIs each site can use.
How fares against ABE in NoScript?
^^ huh?
It is similar to NoScript's ABE, which handles various INCLUSION types. See: https://github.com/ghacksuserjs/ghacks-user.js/issues/257#issuecomment-336295427
A few types are in common with the webapi-manager items: https://github.com/ghacksuserjs/ghacks-user.js/issues/258#issuecomment-337923230
This is already covered. I'm trying to work out WTF is fixing it for me. When I moved to ViolentMonkey I ditched all my scripts bar one (GoogleMonkeyR, which contains an option to strip tracking on links - I also ditched a script called Google Privacy which I had for years). I've disabled that and the tracking is still removed. I also disabled Neat URL and Skip Redirect and Request Control and I still get the following

I did a search for test and that's my mouse hovering over the item to show the link in the bottom left. I'm stumped a little as to why this is cleaned up for me
@Thorin-Oakenpants I think NoScript cleans Google search results too.
I disabled every single extension, cleared everything, even closed and restarted - and I still get no tracking on google search links. Note: I am firing these pages from a custom google search engine which was just the default https google.com search landing page added via AddToSearch years ago - but this should not make a difference. I also have no FollowOn system addon.
Edit: In a brand new FF56 profile, I get no google tracking on url links
@Thorin-Oakenpants What's the "no FollowOn system addon"? Link?
Could that be it? Or are you saying you don't have it installed?
^^
> I also have no FollowOn system addon
System Addons: see section 0500. Correct, I have only one system addon xpi and that is screenshots (which I don't even use but left in for testing)
Self Destructing Cookies 0.1 WebExt by Dirty Little Helpers
hmmm... dot com domain that requires JS to view content; permissions include file downloads; no credit/mention of the original SDC; doesn't (yet?) do LocalStorage
Cookie AutoDelete doesn't support LocalStorage yet according to the extensions wiki. My question is: Is this an issue even for someone who uses cookie behavior as 2 (deny all)?
^^ Depends on whose cookies you allow. E.g. I allow around 7 cookies - 5 of which are for sites that I log into. These 5 sites are useless without logging in. I lose nothing really by keeping their cookies/local-persistent data, as I am already uniquely ID'd by them. The other 2 sites are for convenience - DDG and ArsTechnica so that the dark theme auto applies. Everything else if I allow a cookie is for session only, so all data is destroyed on close.
AFAIK clearing cookies on close (such as session only cookies) also removes the local storage, BUT if you use CAD to destroy the cookie but leave the local storage, then sucks to be you.
I don't change anything cookie related from the default user.js available here, which has cookie behavior on deny all = 2 and on top of that I use the extension cookie controller.
I was looking to change it for CAD but I'm confused about the LocalStorage thing. I assume that even using deny all & clearing cookies on close it will still keep the local data.
You don't need to change it for CAD - CAD will still process any cookies you allow thru as exceptions. You do not need to allow ALL (1st party) cookies.
The user.js uses FPI (first party isolation) - cookie extensions cannot (yet, maybe by 59? 61? who knows) control cookies set with FPI, so it's pointless at this stage using one IMO. Note: extensions also cannot control PB mode cookies - so PB mode is pointless (almost) at this stage as well, IMO (use PB mode for one off windows).
Note: with FPI, everything is limited to 1st party, so even containers are pretty much obsolete. The only downside is that first party re-recognizing you. For sites you log in, not a big deal. For other sites you have options - eg I allow and keep DuckDuckGo and ArsTechnica - everything else is session only. (AFAIK clearing the cookie clears the quota - someone correct me on this if I am wrong). You can also use a one off PB window for sites - when all PB mode windows are closed, all data is removed - so you could use this to bypass your normal window's cookie behaviour (eg I could visit github in pb mode so I do not auto login). You can also use containers, as OA's concatenate (see #240) - i.e `https://example.com^userContextId=1&firstPartyDomain=example.com` - meaning a new separate instance of cookie+local+IDB etc
Because I allow sooooooooooooo little cookie exceptions, I have never had any IDB entries, but local storage I should really check out (since I do allow around 10 more for session only). The file I believe is storage.sqlite. We should test it with a site that sets local storage and see what happens when the cookie is session only, or when we manually clear cookies
tl;dr cookie extensions are useless right now: they cannot control local storage until FF58 and extension code updates (and removing the cookie may stop FF clearing the local storage) and with FPI and PB mode they do not work, period.
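The origin-attribute (OA) suffix quoted in the comment above, worked through as an added example that is not part of the thread or of Firefox's code: it parses origins such as `https://example.com^userContextId=1&firstPartyDomain=example.com` and counts the separate cookie/localStorage/IDB instances they represent. The sample entries are constructed, and the `+++` directory-name form handled by the hypothetical helper `fromStorageDirName` is an assumption about how profile storage folders are named.

```javascript
// Added example: split Firefox origins into origin + origin attributes (OA)
// and group them into the separate storage instances the OA suffix creates.

// Parse "https://example.com^userContextId=1&firstPartyDomain=example.com".
function parseOrigin(s) {
  const caret = s.indexOf('^');
  const origin = caret === -1 ? s : s.slice(0, caret);
  const attrs = {};
  if (caret !== -1) {
    for (const pair of s.slice(caret + 1).split('&')) {
      if (pair === '') continue;
      const eq = pair.indexOf('=');
      if (eq === -1) { attrs[pair] = ''; continue; }
      attrs[pair.slice(0, eq)] = decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return { origin, attrs };
}

// Canonical key: attribute order must not matter when comparing instances.
function instanceKey(parsed) {
  const suffix = Object.keys(parsed.attrs).sort()
    .map((k) => `${k}=${encodeURIComponent(parsed.attrs[k])}`).join('&');
  return suffix ? `${parsed.origin}^${suffix}` : parsed.origin;
}

// Assumption: storage directory names write "://" as "+++".
function fromStorageDirName(name) {
  return name.replace('+++', '://');
}

// Map each origin to the set of distinct OA instances seen for it.
function instancesByOrigin(entries) {
  const out = new Map();
  for (const entry of entries) {
    const parsed = parseOrigin(entry);
    if (!out.has(parsed.origin)) out.set(parsed.origin, new Set());
    out.get(parsed.origin).add(instanceKey(parsed));
  }
  return out;
}

// Under FPI, an entry whose firstPartyDomain is not its own site was stored
// while embedded as a third party on that first-party site.
function isThirdPartyUnderFPI(parsed) {
  const fpd = parsed.attrs.firstPartyDomain;
  if (!fpd) return false;
  const host = new URL(parsed.origin).hostname;
  return !(host === fpd || host.endsWith('.' + fpd));
}

// Constructed sample entries (not taken from a real profile).
const SAMPLE = [
  'https://example.com',
  'https://example.com^firstPartyDomain=example.com',
  'https://example.com^userContextId=1&firstPartyDomain=example.com',
  'https://example.com^firstPartyDomain=example.com&userContextId=1',
  'https+++cdn.example.net^firstPartyDomain=example.com',
];

for (const [origin, keys] of instancesByOrigin(SAMPLE.map(fromStorageDirName))) {
  console.log(origin, '->', keys.size, 'separate instance(s)');
  for (const key of keys) {
    const flag = isThirdPartyUnderFPI(parseOrigin(key)) ? ' [3rd party under FPI]' : '';
    console.log('   ', key + flag);
  }
}
```
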
^ Edit: In a brand new FF56 profile, I get no google tracking on url links
bump! what gives? anyone else getting the same behaviour. Note: this is from the search bar using a sanitized search engine
@Thorin-Oakenpants thanks for the detailed information. I will keep an eye on this matter on the further releases then. :)
@Thorin-Oakenpants Why are you using PB mode instead of containers?
HTTPS Everywhere is now a webext
nice alternative to HTTPS Everywhere if anyone is interested
We went thru this smart https before (with Tom!). It is NOT smart in any way. The whitelisting approach breaks the model, the cache breaks the model (All websites that do not support HTTPS, are saved to memory), it also means persistent local data, and it hammering every single http site for https versions is ridiculous IMO. It also cannot handle complex rulesets - such as all those carefully crafted by EFF.
Testing uBO-Scope:
https://github.com/gorhill/uBO-Scope
"A tool to measure over time your own exposure to third parties on the web"
greasemonkey 4.0 webext.
Is there a webext that can quickly enable/disable dom.storage on Firefox 57+ ?
Web Extensions can't control about:config prefs - but If you deny a site a cookie, it cannot use localStorage or IDB (or cookies). Workers can also use storage and there's no easy answer for that. Workers, and service workers seem to independently be able to store data - and some sites need workers (eg I believe google docs/gmail?, outlook.com, maps) - but the user.js disables all that sh*t off the bat.
@Thorin-Oakenpants Do you know where workers / service workers store data? RAM? In the profile on disk?
So if I block in uMatrix cookies completely not one site will not be able to use dom.storage and dom.indexedDB? Do I understand correctly? What about dom.event.clipboardevents?
^^ No. uMatrix blocks outgoing cookies. I am not sure about other cookie extensions - just deleting the cookie may not be enough (I do not know how the extensions do this, on some timer or something?), it is far better to actually deny the site permission using FF's internals - eg block all cookies and use site exceptions
> Do you know where workers / service workers store data? RAM? In the profile on disk?
I have, in testing, seen service workers create IDB entries (youtube). I assume they use the storage quota and places the same as everything else
I used Cookie Controller before for exceptions. It does not work on FF57 :(
> Do you know where workers / service workers store data? RAM? In the profile on disk?
@Gitoffthelawn May not be of much use but here's a link going straight to 'serviceworker' storage section. Seems to only mention storage location vs. content but there's a lot info throughout the page, may have missed it.
https://github.com/mozilla/firefox-data-store-docs#file-based-stores
Also, there's this page (no serviceworker info) which is a less detailed, "quick notes" kind of listing of storage locations and content.
https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
Even if they don't answer your questions specifically they're just good reference links to have around.
NoScript webext is out with a completely re-designed UI
That's a first, some legacy figures are still missing, but it seems more granular via custom rules
NoScript: I think it's going to be a long long time before I use that. I'm about to ditch it (I'll keep a copy of my rules). I'm going to have to change my uM (and maybe uBo) settings a little now. uM currently allows 1st party scripts - I guess I'll change that to default deny?
```
* * * block
* * cookie block
* * css allow
* * frame block
* * image allow
* * other block
* * script block
* 1st-party * allow
```
slightly confused now ... 1st party property overrides scripts property (see pic)? .. do I need any other changes? (PS: I might disable XHR as well by default). Earthlng - you use uM + uBo without NS, right - always have?
Soz, went OT a tad. NoScript - should I remove it from Legacy to Web Extensions and sticky a dirty big "this is shit and not ready for use" warning sign?
> Soz, went OT a tad. NoScript - should I remove it from Legacy to Web Extensions and sticky a dirty big "this is shit and not ready for use" warning sign?
OK, I see earthlng moved it anyway. I have since moved it back, changed its title & link to the last legacy version and added a sub bullet point. NO WAY am I recommending NS for 57+, at least not yet
> Earthlng - you use uM + uBo without NS, right - always have?
no I use all 3 of them.
> slightly confused now ... 1st party property overrides scripts property
Your text rules look good. I think the problem is your inherit rule for github.com scripts, that's why it looks that way in your pic.
XHR relies on JS to be enabled, without JS no XHR, so the way you have configured it makes it easy to allow full JS functionality as soon as you allow JS. But I wouldn't use inherit, instead just make the 1st party script field dark green on domains where you want to allow JS. Or if you don't want full 1st party script allowance you can also only allow certain (sub)domains, fe. either github.com (effectively the same as 1st party) or only assets-cdn.github.com + live.github.com.
I'll have a tinker. I get the diff between inherit and a single cell. I'm trying to keep my rules down to the smallest amount since I am currently living without NS (still on 56 right now, but man, that NS WE is a PoS). Previously NS was default deny so very little ever got thru to uM - and now I cannot remember what settings I had exactly, but FWIW, I'm now making that sucker tighter than a nun's asshole - XHR is now default block. What also threw me was the change in scope selection in uM. Still working out which exact settings will cause the least work but still be effective
crssi: PoS stands for Piece of Sh*t
doh! need some beersies. My point was inherit (horizontal) overrides script (vertical) - was just checking
Something to consider about as to where you want to set your dark green fields: for example, as you can see in your pic, the scripts for github.com are hosted on assets-cdn.github.com. If a hacker manages to get access to the server that hosts github.com but can't get access to the server that hosts assets-cdn.github.com, then he'll have to drop his JS malware on the github.com server.
Because I set permissions on only the domains where it needs them, the malware won't run.

FYI the images from *.githubusercontent.com are light green because of this rule:
github.com githubusercontent.com image allow
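The difference between the `* 1st-party * allow` row and per-hostname cells discussed in the comments above, as an added example that is not part of the thread and not uMatrix's code. It is a simplified precedence model: the evaluation order, the last-two-labels `baseDomain` helper and the `CELL_RULES` set (constructed from the per-hostname advice) are assumptions.

```javascript
// Simplified precedence model (assumption, not uMatrix's implementation):
// the most specific destination cell wins, and within a cell the narrowest
// source scope wins. Rule format: "source destination type action".
function parseRules(text) {
  return text.trim().split('\n').map((line) => {
    const [src, dst, type, action] = line.trim().split(/\s+/);
    return { src, dst, type, action };
  });
}

// Assumption: registrable domain = last two labels (no public suffix list).
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Find a rule for one cell, trying the narrowest source scope first.
function lookup(rules, scopes, dst, type) {
  for (const src of scopes) {
    const hit = rules.find((r) => r.src === src && r.dst === dst && r.type === type);
    if (hit) return hit.action;
  }
  return null;
}

function evaluate(rules, pageHost, reqHost, type) {
  const scopes = [...new Set([pageHost, baseDomain(pageHost), '*'])];
  const cells = [[reqHost, type], [reqHost, '*']];
  // Parent destination hostnames: a rule on githubusercontent.com also
  // covers its subdomains.
  for (let d = reqHost; d !== baseDomain(reqHost);) {
    d = d.slice(d.indexOf('.') + 1);
    cells.push([d, type], [d, '*']);
  }
  // The 1st-party row is only consulted for same-site requests, and it is
  // checked before the global type column, so it overrides "* * script block".
  if (baseDomain(pageHost) === baseDomain(reqHost)) {
    cells.push(['1st-party', type], ['1st-party', '*']);
  }
  cells.push(['*', type], ['*', '*']);
  for (const [dst, t] of cells) {
    const action = lookup(rules, scopes, dst, t);
    if (action) return action;
  }
  return 'block';
}

// Rules as posted in the thread.
const THREAD_RULES = parseRules(`
* * * block
* * cookie block
* * css allow
* * frame block
* * image allow
* * other block
* * script block
* 1st-party * allow
`);

// Constructed variant: no 1st-party row, only the cells that are needed.
const CELL_RULES = parseRules(`
* * * block
* * css allow
github.com assets-cdn.github.com script allow
github.com githubusercontent.com image allow
`);

for (const host of ['github.com', 'assets-cdn.github.com']) {
  console.log(`script from ${host} on github.com:`,
    'row rules ->', evaluate(THREAD_RULES, 'github.com', host, 'script') + ',',
    'cell rules ->', evaluate(CELL_RULES, 'github.com', host, 'script'));
}
```
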
^^ yeah, I totally get the more precise (and more work setting up but let's face it, it's a one off job) use of cell control versus rows/columns. Maybe I should do that since my default is going to be block almost everything anyway
And yeah, time I learned to just add rules directly from the dashboard. Not convinced on default blocking images - sounds like a lot of work to make the web useable
One important thing to note is that after you made some changes you should always refresh the page with the uMatrix refresh button because if you used FF's refresh button it sometimes (at least in the past) wouldn't always stick - uMatrix would show the new permissions correctly but the site would not see the changes because I think FF refreshed the page with a cached content-security-policy header.
I also use uBO + uM + NS for a long time
Strategy:
uMatrix: default deny-all (except css, images)
uBO: static filtering, advanced user unchecked
NoScript: allow scripts globally but keep protection for XSS, ClearClick, ABE ...
The last version of NS seems of little help but I'll keep it to see what happens
> NoScript: allow scripts globally but keep protection for XSS, ClearClick, ABE ...
ewwwwwwwwww ... allow global .. booo!! xD however, it really is redundant. Yup .. missing the XSS, ClearClick, ABE
> uMatrix: default deny-all (except css, images)
same, i.e css & images are dark green - media on the other hand is pale red (neutral?) on the global scope - and I might try images as dark green as well as per earthlng's comments - it's just that sooo many (large) sites use a different server for images - eg amazon, itunes, discogs, etc - I am not too worried about smaller sites such as blogs etc. Might even make media red, since I never play vids or audio anyway
> The last version of NS seems of little help but I'll keep it to see what happens
Nah - disable it. I read about it being a resource hog right now. Update it when needed and check it out in 2 months time or something
earthlng - check out this unsigned web extension -> https://bugzilla.mozilla.org/show_bug.cgi?id=444222#c87 .. maybe you can get it signed and we can test it.
For myself all three scripts in our wiki are broken still in 56 even though I only have 1 legacy extension. I'm beginning to think Violentmonkey can't run them with run at document start TBH
Edit: Actually, they do work now that I have no legacy addons (except scrapbook which does nothing to manipulate incoming/outgoing content). I just forgot to make them run at document start.
Still, the "conceal windows.name" does the same job, so the extension is not needed - got confused with the "conceal history.length" which is not really a solution
FYI: uMatrix is incompatible with NoScript 10
I think incompatible is true but only to the extent that uMatrix can't see the requests that are already blocked in NoScript. They can still function together.
But it can also interfere with other extensions. For the record, the only XSS warning I ever got from NS in the last 5 or 6 years were false positives, and I could count them on one hand.
XSS, ClearClick, ABE - this is all I need (confused about the XSS part) and no idea exactly what ClearClick and ABE is. Are these in NS 10, or are they waiting for FF58/59 and APIs etc
It seems that you can use NoScript and uMatrix together if the former is in Global Allow mode: XSS filter, ABE, ClearClick and inclusion type checking are still activated.
When two extensions modify the same elements, they can throw DOM errors (as uBo + Ghostery) or they can become unusable. If one of the two conflicting extensions can be deactivated from modifying the common element, you can keep using both (as Privacy Badger + uMatrix).
AFAIK ClearClick and ABE aren't even in NS10 yet - see https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/ .. v1.10.1 "Next to come: ClearClick and ABE (in the next few weeks)", and that was 7 days ago and the two releases yet don't say anything about these (unless I'm blind)
btw Cookie AutoDelete now supports the removal of localstorage is obtained that dom.storage.enabled = true ??
^^ That's only available for FF58+ - see 1388428. There is also access to clearing IDB. I am not sure what clearing methods are available. localStorage by host for sure. Not sure on by time-time-range. Good to see mrdokenny has this feature implemented so it's robust by the time 58 lands, but we still have the long ongoing saga with FPI & PB mode Origin Attributes on cookies - I really hope that is solved by 59.
closing this, starting a new clean extensions sticky