Myself and others are completely serious in our resolve that we wouldn’t even use the modern web if powerful content blocking tools weren’t available. Which is why I advise anybody, technical or otherwise, to at least install some such addon for their browsers.
Few are great, most not so much. I rate them here based on their effectiveness in their default-deny capacity to strip pages down to plain HTML, their granularity and how well they convey information about web requests/page elements.
|S||uMatrix||Unrivaled web page firewalling.|
|A||xiMatrix, Policy Control||Excellent and contains advanced features, but makes unfortunate design concessions. Would handily enter S tier if minor shortcomings addressed.|
|B||uBlock Origin (Advanced User Mode), NoScript Security Suite||Quite granular and informative but unable to completely block certain classes of requests. Has a suboptimal interface that dark patterns users toward whitelisting domains.|
|D||uBlock Origin (Basic User Mode), Adblocker Ultimate, Adguard AdBlocker||Low capability. Heavily blocklist oriented rather than by class of request. Default deny infeasible.|
|F||Adblock Plus, Privacy Badger, Ghostery, Firefox Enhanced Tracking Protection (Strict)||Garbage tier. Major shortcomings.|
Despite being in maintenance mode, uMatrix maintains exceptional effectiveness against a wide class of web requests. It is basically a full browser firewall which can discriminate requests globally or per-domain/subdomain and each request class can be blocked individually from one another. Unfortunately, if uMatrix ever falls out of viability, we would lose an almost irreplaceable line of defense.
Policy Control is one gem that left me impressed. It can block many request types including WebSockets, Ping and Fonts. There is an included logger to monitor requests and can whitelist per script within the same domain beating out uMatrix, even. Just make sure to check “enabled” for rules to apply globally. This isn’t made quite clear as that field normally says “disabled” and flips when you toggle it. Unfortunately, it automatically opens add0n.com (cuckflared + googleslavemanager) after installation. One of the only other marks against it being that there’s currently no way to distinguish between third party domains and no interception is offered for cookies. Somehow only known about and used by only 791 people at the time of this writing.
uBlock Origin (Advanced User Mode):
(Basic User Mode):
Demoted to D tier. Aside from doing some clever tricks under the hood (that make it a great second-line of defense behind real blockers), uBlock Origin in basic user mode is only made noteworthy by it’s element picker, fonts blocking and infamously extensive blocklists. Otherwise, it’s not actually all that much better than Adguard Adblocker or Adblocker Ultimate.
Inspired by uMatrix and seems to aim to take up the torch. It can block by request type, domain and subdomain (in the grid directly) while global scope very wisely starts out as default deny. It can also handle remote fonts, a feature even uMatrix does not have. Rules are written neatly to an XML file, making for easy textual rule making as well. However, xiMatrix is missing controls for blocking cookies and fails to distinguish between image and video content. It is early in development and does not even have a reload page option yet. Otherwise xiMatrix holds great potential.
NoScript Security Suite:
Like uMatrix, also capable of discriminating globally and per-domain/subdomain. It is also capable of blocking elements not individually covered by uMatrix such as webgl. Unfortunately, it doesn’t seem to be able to strip all requests from a domain as it maintains rather permissive css rules. NoScript also defaults to very permissive site templates (probably for normies) which need to be removed or overridden before global default deny can be enabled. Custom rules default to “ANY SITE” scope. I also want to mention a long time has passed since the author was found whitelisting ads. I think he has turned around and become a force for good among addon development, contributing the NSCL and also being one of the developers behind the respectable JShelter.
HTML Content Blocker:
I was pleasantly surprised at the simplicity of HTML Content Blocker relative to how effective can be. It is hampered by being only global in scope and only capable of dealing with just five request types; js, css, img, obj, media. The default is to allow all categories so toggle each category off before loading any pages (to set global deny). HTML Content Blocker is fast and dead simple.
Very blocklist oriented but at least has an element picker. Default allow with no possibility to default deny. Low tier.
One redeeming quality of Adguard is its dedicated logger window which shows requests by category and can be filtered by all, tab, etc. It may be possible, albiet clunky, to write custom rules based off logger information. Filters are automatically downloaded on first run. Otherwise it’s like Adblocker Ultimate.
Adblock Plus is still up to their old antics with whitelisting “acceptable” partner ads, which has now been made opt-out. Can be configured in the global settings to block social icons, cookies and push notifications. Barely helpful for anyone who knows how to configure their browser.
Can block by domain, but idiotically forces users to wait until the third party domain has been recognized on other sites or for the user to manually block after the damage has already been done. “The domain does not appear to be tracking you: \www.googletagservices.com” lol. Even though it is possible to block things manually (and clumsily), I think this addon is just meant to be a set-and-forget helper for grandmas.
Advertises a “block by default” option but still fails massively by letting various resources through. You can restrict things on a per-site basis and Ghostery does a moderate job at informing what has been blocked vs allowed in the detail view. But new domains cannot be manually blocked until after they have been encountered in the wild. Has a setting “A/B tests” which is opt-out data collection. Oh man, it gets worse. Ghostery now also requires users to agree to terms and conditions before enabling blocking functionality. I would never expect anyone to rely on Ghostery.
Firefox Enhanced Tracking Protection (Stict settings, built-in):
Per-site toggle and enabled by default. Although it is list based with no interactive way of discriminating by web request type. You can only look at the block statistics history. It’s probably supposed to be overly simple but ETP is pretty pathetic on its own as a content blocker.
*Evaluated within a fresh Firefox-ESR base with suggested Arkenfox hardening applied and anonymized DNS routing (at host).
No, many extensions specialize in list-based tracking. We consider list-based tracking out-of-scope of the JShelter mission. You should keep using a tracker blocker like uBlock Origin in parallel with JShelter. We believe that web extensions like NoScript Security Suite and uMatrix origin are good but do not protect the user from accidentally allowing malicious code.
So it is therefore preferable to run JShelter behind an existing whitelist firewall like uMatrix, while allowing JShelter to act as a second-line of defense sanitizer for those scripts that you do allow.
REMOVED FROM LIST because, like JShelter, it is an anti-fingerprinting tool. It could be considered a rather glorified browser settings tweaker with blocklists stuffed in. Trace modifies requests and spoofs information. Some additional marks against it are the site being cuckflared (and, by extension, the blocklist updates) and the code being marked “All Rights Reserved”, despite being posted on a git repository. Just use JShelter instead.