Some early notes on using uMatrix to replace NoScript in Firefox 56

January 24, 2018

Although people have been suggesting uMatrix (Github) to me for a while, it took Aristotle Pagaltzis' plug for it as his preferred JavaScript blocker in comments on yesterday's entry to push me into giving it a serious look. First, I took it for a spin in the Firefox on my laptop and then, somewhat impulsively, I decided to try switching from NoScript (and my cookie blocking extension) to it on my home machine. Having spent a couple of hours with it, I'm sold so far and will be switching my office Firefox over to it tomorrow.

I have three main reasons for this rapid enthusiasm. First, uMatrix gives me more fine-grained control over where and when JavaScript is enabled, because I can say 'JavaScript for X is only enabled when I'm on site Y'. Second, uMatrix's cookie blocking and cookie handling works, which means that I finally have a reliably working cookie-handling addon; my old one has been unsupported and only partially functional for years. However, the single largest reason I'm so enthused is that my Firefox appears to use significantly less memory with uMatrix. Firefox is definitely using significantly less memory on startup (once it loads all of my current set of windows) and I think it hasn't been leaking memory as fast.

(Some of this may be because of configuration differences in what JavaScript I'm allowing to run, but if so that's because uMatrix lets me do fine-grained things like only run YouTube's JS on YT itself, not on random sites that want to embed YT videos.)

Since I'm using uMatrix to replace NoScript and a cookie blocking extension, I have it set to default-deny JavaScript and cookies, with permanent exemptions for only a few specific sites. Figuring out how to set this up and to configure exemptions took a bit of reading of help material and experimentation, but once I got in tune with how uMatrix's UI works, working with it is relatively problem free. Setting up permissions on the BBC website was a bit tricky because I got myself into a redirect loop with an incomplete set of JavaScript allowances, but I was able to get things set in the end. A useful trick to learn was that I could make changes persistent in the uMatrix preferences dialog (in 'My rules', you can pick 'commit'); this is handy when enabling a rule immediately redirects you off a site.

(Since I'm also using uBlock Origin, I turned off all of uMatrix's site blocklists as just being duplication.)

uMatrix's Javascript blocking is more powerful than NoScript's because in uMatrix you normally scope permissions by the site you're visiting whereas NoScript only gives you global ones. In NoScript, if you enable JavaScript for Youtube, it's enabled on every site; in uMatrix I can say 'enable Youtube's JavaScript only when I'm visiting YouTube' (and this is the default way you'll set it up). This has made me much more willing to permanently enable various bits of third party JS on specific websites.

(This wide use of scoped permissions does make it harder to get a relatively global overview of what your permissions are. Of course part of this is that you're probably going to have more rules than you would have had in NoScript; I know that I do.)

When I switched over to uMatrix, I ran into my old Twitter no-JS endless redirect problem. In NoScript, this was fixed by a magic option to ignore META redirections in <noscript> elements. uMatrix does not have such a magic option, so I wound up turning off its 'spoof <noscript> tags' setting. This turns out to have useful side effects (for example, it turns out that Stack Overflow's obnoxious red 'we're better with JS' banner is in a <noscript> element). However, some things don't work with this off, such as external links on Tumblr sites. Fortunately uMatrix lets you enable this on a per-site basis.

(I believe that uMatrix also lets you disable <noscript> spoofing on a per-site basis, so in theory I could leave it enabled everywhere and just disable it on Twitter. But since the side effects of disabling it globally seem to be mostly positive, I'm sticking with my default-off for now.)

So far using uMatrix's UI has been reasonably non-annoying. There are some fiddly bits and I'm probably not using it in the best way possible, but I can get things done and it's not too painful. I don't expect to need to use it very often, especially once I've gotten things all tuned up; if a site wants JavaScript, mostly I feed it to another browser.

(So far the most annoying bit of the transition is that my Google search settings got damaged, again. If you do things just right, Google will give you cookies so that you get a nice, functional search experience even without JS and will stick to; however, the settings are quite fragile, fall off easily, and there's no obvious way to fully set yourself back to them.)

Comments on this page:

Since you evangelized me into trying this, and there isn't a particularly more prominent guide for people using uMatrix as a replacement for NoScript:

When I enable scripts for a site, I have to do a force reload. That is, shift-click on the reload button. Otherwise, I got a script tag still denied, with a CSP message in the browser console. This persisted even after disabling uMatrix :). It's as if uMatrix is somehow editting the page headers before they're recorded in the browser cache.

I suspect this specifically affects first-party inline scripts, so it doesn't affect users who leave the default allow rule for first-pary scripts.

The documentation (wiki) sneakily mentions this in passing. In a page called 'About "the page is still broken after I created all necessary rules"'.

(* Emphasis * is mine:)

"It may happen that a page is still broken * after force-reloading * once you have created all the needed allow rules for it."

Firefox 58.0.2

By cks at 2018-02-23 16:16:15:

That's interesting and I'll have to remember it for future use. I seem to mostly get away with a plain reload after adding permissions in uMatrix, but I'm (still) mostly using Firefox 56 (and with some non-webextensions addons) so things may be different in it. And I definitely have had times when I had to shift-reload to get things to fully take.

(In a test in the Fedora 27 version of Firefox 58, I could whitelist enough JS on to get it to correctly display an article with code snippets from github with just a plain reload. So it's probably both website and situation dependent.)

By Eliot at 2019-05-07 11:13:58:

Just a quick word on the granular JS enabling in uMatrix compared to noscript.

Legacy noscript did actually have this feature in the ABE scripting, however, whilst your scripts are still in the noscript flags in firefox, the functionality is not yet a part of noscript for Quantum. I'd imagine that the uMatrix granularity blocking is simpler than the old noscript one, too.

Still, it did always have that functionality. I'm sure when Georgio has time NS quantum will catch up, but it seems like they're trying to ensure that it will be scalable for the future, too, or something. Hence why I'm going to start using UMatrix AND noscript ;-)

Here's the FAQ section for legacy noscript (still available for seamonkey browser):

Check here for ABE scripting progress on NOSCRIPT Quantum:

Written on 24 January 2018.
« The addons that I would likely use with Firefox Quantum (57+)
What the Linux rcu_nocbs kernel argument does (and my Ryzen issues again) »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Jan 24 02:24:17 2018
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.