When you visit a website, you're getting more than you asked for. Modern webpages include a huge amount of third party scripts, assets, and content. In fact - looking at the top 100,000 websites in 2021 shows us a median of 25 additional external scripts loaded.
Although a lot of these additional requests bring in necessary functionality, an equal portion is likely being used to connect to social media, advertising, or analytics platforms. Unfortunately, we were never asked for our consent, so today we're going to show you how to opt-out of these extra scripts using uMatrix & UBlockOrigin.
- Read this article and watch the video.
- EASY: Get uBlock origin installed, use it normally!
- MEDIUM: Get uMatrix installed after reading the article. Browse your favorite websites and see what breaks. Take a look at the requests and allow the requests that restore functionality. Save these rules for that website or globally.
- EXERCISE: Looking at the web requests for your favorite sites, what did you learn? Did anything surprise you? What might you ask of the developers of your favorite sites?
- Enjoy a faster & more private web browsing experience!
uMatrix and uBlockOrigin are browser extensions available on Chrome and Firefox based browsers. They prevent your web browser from making unwanted web requests.
Are you looking for a private browser? Check out our open-source survival toolkit article for some options.
uBlock Origin Downloads
UBlockOrigin uses predefined lists to block undesirable scripts, while uMatrix blocks all third party scripts by default.
Let's start with uBlockOrigin, download it from your browser extension store of choice and install it.
Now visit a website, and note the number next to UBlockOrigin. Click on it to see the number of requests blocked and domains blocked.
You can drill down into the grouped domain requests by hitting 'More'.
When using uBlock Origin, from time to time, things may not work. In this case, the simplest thing to do is to click the power icon to turn off the blocker and allow all scripts to run.
Note that there is far more you can do with uBlock Origin, you can also setup rules to block individual or groups of requests. Please refer to the documentation below:
More advanced users will want to use uMatrix, and you can install it from your store of choice. When you use uMatrix, most if not all sites will 'break'. It will be up to you to restore functionality by figuring out what requests are critical.
You can popup a matrix of the web requests that are being made by hitting the extension icon.
- You'll notice that there is an X & Y access for uMatrix. On the X axis we see the different content types of requests that are made. On the Y axis we have the sources of the additional requests the current webpage is making. We will see numbers in the matrix that correspond to the types of requests that each side is making.
- By default uMatrix allows first-party requests and disallows all third party requests. These are requests that are coming from a entirely separate domain than the one you are visiting.
- uMatrix comes with sensible defaults, such as explicitly blocking well known advertising hosts and allowing css/image requests (since these are usually low risk). However, you can tweak your defaults to anything you see fit.
Types Of Requests
- Cookies: Small text files that sites store on your browser to remember you. If you're logging in or have some information such as a shopping cart, it would be normal to see cookies for the 1st party website, however 3rd party cookie requests would indicate tracking through an analytics or advertising platform.
- CSS: These are used to style the page, it is common to see first and third party requests as developers will build upon other styling libraries. There are attacks that can be performed with CSS but are quite rare and protected by the Content Security Policies that exist in most browsers. By default uMatrix allows all CSS requests.
- Images: Its very unlikely for a website to self-host all of its images and may link to other websites with an image preview. By default uMatrix allows all Image requests.
- Media: Specific HTML media tags
- Frame: Embedded content from another website. You may see this on older websites, or on websites that are using an embedded captcha or media content. Allow when needed.
How To Use uMatrix
- Since uMatrix blocks third party requests by default, many sites will end up breaking. This is because the modern web has built itself up in layers, with sites using third party services like content delivery networks, captchas, and social media features.
- When a site breaks you will reconstruct it with the requests that are absolutely needed. This will require thinking about what functionality you need to fix and what requests might correspond to it. For instance if you are trying to login and find you cannot login and are also notified about a 'captcha', you might look at requests from Google's recaptcha.
- In order to 'reconstruct' the page, you will allow the requests you need. You can explicitly allow or deny any requests in uMatrix. Click the top half of the matrix cell to explicitly allow (green), click the bottom half to explicitly deny (dark red).
- Now allow the requests you desire and refresh the page to see the changes. You can also save your request rules for the current site by clicking the lock icon in the top row. (blue row)
- Once you refresh the page you may find you have fixed the issue. However if it is still broken, its likely there are more request you need to allow. In fact, there are some requests that are the starting point for a chain of other requests. Not only does the first request need to be allowed, but any subsequent requests kicked off by allowing the first need to do as well. A great example of this you will find is reCaptcha.
- Instead of having to do this site by site, you can use global mode to allow a certain subset requests for all sites. Click the '*' button in the top bar to set global rules.
- The uMatrix defaults are a great way to start. You will find many things are broken and will need to experiment, enabling one request at a time and refreshing to see which request is responsible for the functionality.
- Be wary with chained requests (one requests that enables other requests). This often happens with captchas or other embedded content. Keep a look out for messages from whatever web application you're using for hints as to what requests are causing the issue.
- E-Commerce Sites: Will often have a large number of image/css requests from their platform of choice. Look out for requests to Shopify, you may need to enable these to start browsing.
- Media Content: Many sites with images and videos will load these from a content delivery network or (CDN), if you find that media is missing than enable requests to cdns.
- General Functionality: Many web applications host their code on content delivery networks, if you find that nothing works on your favorite site, look for script requests to CDNs such as Amazon Web Service's Cloudfront.
- Captchas: Mainly on login screens, but kick off a series of requests to Google - look out for an embedded frame request.
- Payments: Payment processing always depends on a third party service, so look to enable requests to that processor (Stripe/PayPal), if you want to pay. These will include scripts & frames.
The uMatrix browser extension is not in active development, there are no guarantees of updates - however an update was released July 2020. Even though the extension is not in active development it still serves its users as a reliable tool.
Is there a downside to using uMatrix? Aside from making the web faster and blocking tracking/advertising, there are devil's advocates who say using content blockers such as uMatrix can also serve as a way to fingerprint your activity. Although this possibility exists, it is far easier and more reliable to track users using 3rd party scripts and cookies.
Can we count on this in the future? Unfortunately, Google is working towards a new set of changes to its Chrome web browser that aims to limit our ability to block outward requests. This update supposedly improves browser security, however Google could have the mal-intent to prevent users from opting out of the biggest advertising platform on earth - Google ads.
Not only do uBlock and uMatrix make your browsing experience faster & safer, but it will give you a better understanding of how the modern web works. This is especially true if you use uMatrix and have gone through to fix all the sites you regularly browse.
There are many realizations that occur with the most apparent being:
- Certain platforms (Amazon, Google, Social Media, Payments) are part of the overwhelming majority of websites and are aware of the users browsing those sites.
- Most sites have way too many third party requests that are completely unnecessary for the user. It can be observed these are almost always advertisers and trackers.
Blocking web tracking is an important piece of a lifestyle that rejects surveillance. Make sure you take these steps!
Take Back Our Tech Newsletter
Join the newsletter to receive the latest updates in your inbox.