uMatrix
Definitely for advanced users.
Keep Github issues for actual bugs. User support is /r/uMatrix.
Forked and refactored from HTTP Switchboard.
Install manually the latest release, or install from:
- Firefox AMO
  - To help find issues with ongoing development: uMatrix dev build on AMO
- Chrome store
  - To help find issues with ongoing development: uMatrix dev build in Chrome store
- Opera store
You may contribute with translation work:
- For in-app strings, on Crowdin: uMatrix on Crowdin.
- For description (to be used in AMO, Chrome store, etc.), submit a pull request. Reference description is here (feel free to improve as you wish, I am not a writer).
HTTP Switchboard's documentation is still relevant, except for uMatrix's differences with HTTP Switchboard.
You may contribute with documentation: uMatrix's wiki.
Warnings
Regarding broken sites
uMatrix does not guarantee that sites will work fine: it is for advanced users who can figure out how to un-break sites, because essentially uMatrix is a firewall which works in relaxed block-all/allow-exceptionally mode out of the box: it is not unexpected that sites will break.
So this means do not file issues to report broken sites when the sites are broken because uMatrix does its job as expected. I will close any such issue without further comment.
I expect there will be community driven efforts for users to help each other. If uMatrix had a home, I would probably set up a forum, but I do not plan for such a thing, I really just want to code, not manage web sites. If you need help to un-break a site when using uMatrix, you can try Wilders Security, where you are likely to receive help if needed, whether by me or other users.
uMatrix can be set to work in allow-all/block-exceptionally mode with a single click on the "all" cell in the global scope "*", if you prefer to work this way. This will of course break fewer sites, but you would then lose all the benefits which come with block-all/allow-exceptionally mode -- though you will still benefit from the 62,000+ blacklisted hostnames by default.
License
1.2.0
gorhill released this 9 days ago · 10 commits to master since this release
Changes
Appearance
More choices of text size for the matrix UI in the Settings pane (text size dictates the popup panel size).
Per-scope switches
New switch: "Forbid web workers"
Purpose should be obvious.
Note that nuisance coin miners typically use web workers, so forbidding web workers globally might be a good idea, though mind that there are legitimate uses for web workers. Keep in mind many of these miners are launched as 1st-party, so the new switch allows you to forbid them even when you allow 1st-party scripts.
Update: blocking web workers everywhere by default should lower quite significantly the probability of falling prey to exploits taking advantage of Meltdown/Spectre vulnerabilities through your browser (assuming your browser is vulnerable). Mind that often sites legitimately do need web workers to work properly -- so if you forbid web workers in the global scope, don't forget about this when you are puzzled as to why a web site is still broken despite you allowing the needed resources.
uMatrix is able to detect when a web worker is being instantiated. However, this does not work for Firefox 57-58, but works fine in Firefox 59 (Nightly). The reason is that SecurityPolicyViolationEvent has been implemented just recently in Nightly.
So this means if you are using uMatrix with Firefox 57-58, uMatrix will be unable to report to you whether web workers are used by a page, though you will be able to block these fine with the new per-scope switch. With Nightly, use (or attempted use) of web workers is properly reported in the logger and in the popup panel.
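The difference between blocking and detecting described above, as an added example (not uMatrix's own code): it assumes workers are restricted through a CSP `worker-src` directive, so each attempt surfaces as a `securitypolicyviolation` event. The function names and the sample events are constructed for illustration.

```javascript
// Added example, not uMatrix code. Assumption: workers are restricted by a
// CSP `worker-src` directive, so attempts raise SecurityPolicyViolationEvent.

// Return details if the event reports a worker attempt, otherwise null.
function workerViolation(ev) {
  // Older reports may carry the full directive text ("worker-src 'none'"),
  // so keep only the directive name.
  const raw = ev.effectiveDirective || ev.violatedDirective || '';
  const directive = raw.trim().split(/\s+/)[0].toLowerCase();
  if (directive !== 'worker-src') return null;
  return {
    blockedURI: ev.blockedURI || '',
    // 'report' means a report-only policy: the attempt was seen, not stopped.
    enforced: ev.disposition !== 'report',
  };
}

// Aggregate events per blocked URI: attempt count and whether any was blocked.
function summarize(events) {
  const seen = new Map();
  for (const ev of events) {
    const v = workerViolation(ev);
    if (v === null) continue;
    const entry = seen.get(v.blockedURI) || { attempts: 0, enforced: false };
    entry.attempts += 1;
    entry.enforced = entry.enforced || v.enforced;
    seen.set(v.blockedURI, entry);
  }
  return seen;
}

// Constructed sample events, shaped like SecurityPolicyViolationEvent objects.
const SAMPLE_EVENTS = [
  { effectiveDirective: 'worker-src', blockedURI: 'blob', disposition: 'enforce' },
  { violatedDirective: "worker-src 'none'", blockedURI: 'https://site.example/w.js', disposition: 'report' },
  { effectiveDirective: 'img-src', blockedURI: 'http://cdn.example/a.png', disposition: 'enforce' },
  { effectiveDirective: 'worker-src', blockedURI: 'blob', disposition: 'enforce' },
];

// In a browser that implements the event, feed live events to the same logic.
if (typeof document !== 'undefined') {
  const live = [];
  document.addEventListener('securitypolicyviolation', (ev) => {
    live.push(ev);
    console.log('worker attempts so far:', summarize(live));
  });
}
```

In a browser without `SecurityPolicyViolationEvent` the listener never fires, which matches the Firefox 57-58 behaviour above: the policy still blocks workers, but nothing is reported.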
Per-scope switches redesigned and renamed
"Strict HTTPS" has been renamed "Forbid mixed content": I see too many instances of people thinking this feature is a replacement for HTTPS Everywhere: it is not.
The new visual will now convey whether a switch is relevant for the current document. A dot in the toggle button means that the switch is relevant, i.e. uMatrix may affect the page if the switch is toggled on.
- Forbid mixed content: a dot means that mixed content has been detected on the page.
- Forbid web workers: a dot means that web workers have been detected on the page (as mentioned above, the detection does not work for Firefox 57-58).
- Spoof referer header: a dot means that 3rd-party referrer information has been seen in network traffic.
- Spoof <noscript> tags: a dot means <noscript> tags have been detected in the current page.
I added info links to each per-scope switch: the links are pages from Mozilla Developer Network, so this gives a chance for the page to load in the user locale.
Logger
Ability to open the logger in the sidebar. Sidebar API is only available in Firefox and Opera (I didn't try the feature in Opera yet).
Note that since the logger is unified, should you open additional logger views, these will be left unused, until the first view is closed. By design.