Recent changes to this guide are listed at the end of the document.
Introduction
First and foremost, use only uBlock Origin (uBO) by Raymond 'gorhill' Hill (here's the uBlock Origin page on the Firefox Add-ons website). While there may be some legitimate forks, there are also many ripoffs out there, including one named 'uBlock', and i would highly recommend avoiding them.
uBlock Origin is not simply an ad blocker, rather it is a powerful content filter, similar to a firewall, that is capable of both dynamic and static filtering. In addition to blocking annoying content such as ads, it can also dynamically block JavaScript, frames, images, 3rd party fonts and more, all of which help to prevent tracking and malware.
Working with uBO requires an understanding of static and dynamic filtering. Static filters are filter rules which are provided by the authors of the various filter lists. Essentially you have no control over static filters; you either enable a filter list, or you don't. Static filters attempt to block content like ads, malware, tracking technologies, annoyances and more. The static filter lists are enabled from the 'Filter lists' tab of the uBO dashboard. Dynamic filters are controlled from the pop-up interface when you click the uBO toolbar icon. Here you can create temporary or permanent filter rules to dynamically control the loading of images, JavaScript and frames on a global or per-domain basis. Dynamic filtering only becomes available after enabling the 'I am and advanced user' option in the uBO settings and it is crucial to read the uBO wiki before doing so.
Following are my personal preferences for setting up uBlock Origin. There are no "best" settings since every use case is different, however i like to think they are generally sensible settings to start with. The configurations in the 2nd and 3rd columns of the table are intended to be used with the The Firefox Privacy Guide For Dummies! and the Firefox Configuration Guide for Privacy Freaks and Performance Buffs, respectively. In the former case the advanced mode option is disabled because i thought it might be too overwhelming for followers of the 'dummy' guide.
Regardless of which guide you are following, it is essential that you read the uBlock wiki with the exception of the Advanced-user-features section if uBO's advanced mode will not be enabled. If you are not following either guide i would suggest enabling the advanced mode option in order to leverage its dynamic filtering capability, as well as reading the Advanced-user-features section of the wiki.
Once uBO is installed, click its toolbar icon to reveal its popup user interface, then click the little sliders icon to reveal the "secret" Dashboard (i say "secret" because apparently some users don't know it exists). Following are the settings i recommend:
'Settings' tab
Settings not shown here are optional.
| Setting name |
'Dummy' guide settings |
Advanced guide settings |
| Hide placeholders of blocked elements 1 | disabled | optional |
| Show the number of blocked requests on the icon | enabled | optional |
| Disable tooltips | disabled | optional |
| I am an advanced user 2 | disabled | enabled |
| Privacy: | ||
| Disable pre-fetching | enabled | enabled |
| Disable hyperlink auditing | enabled | enabled |
| Block CSP reports | enabled | enabled |
| Uncloak canonical names | enabled | enabled |
| Default behavior: | ||
| Disable cosmetic filtering | enabled | enabled |
| Block media elements larger than [50] KB | disabled | optional |
| Block remote fonts 3 | disabled | disabled |
| Disable JavaScript 4 | enabled | optional |
Footnotes
1 - If you are new to uBO and content filtering, you should probably not enable this option. Leaving this option disabled will sometimes provide a visual indication when something is blocked in the form of a placeholder where the object was, thus letting you know that something was blocked.
2 - This option may be enabled only after reading the Advanced user features section of the uBO wiki.
3 - Instead of blocking remote fonts globally and then allowing them per-site, you can automatically allow all 1st party fonts while blocking only 3rd party fonts. See the 'My filters tab' section below for more information. Novice users, or those that simply don't want to fool with filters for unblocking a 3rd party font needed for a given domain, may find it easier to set this to 'enabled' and then allow all remote fonts (1st and 3rd party) as needed from the uBO Dashboard.
4 - Enabling this option disables JavaScript globally by default and causes uBO to honor <noscript> HTML tags. A potential problem with this is that some page elements that might have been displayed had the <noscript> tags been ignored, may not display when this option is enabled. On the flip side, some websites may display a JavaScript disabled warning message which can be beneficial for novices. Also see Display website content hidden by JavaScript. For anyone concerned with their on-line privacy, JavaScript must be disabled globally, then allowed only for the websites where the functionality it provides is necessary. If you are following the advanced guide then you can either enable the 'Disable JavaScript' master switch in uBlock's settings, or block inline, 1st party and 3rd party scripts from the uBlock toolbar popup.
'Filter Lists' tab
| Filter lists: | |
| Auto-update filter lists | enabled |
| Suspend network activity until all filter lists are loaded | enabled |
| Parse and enforce cosmetic filters | disabled |
| Ignore generic cosmetic filters | enabled |
| Network filters: | |
| My filters | enabled |
| Built-in: | |
| uBlock filters | enabled |
| uBlock filters – Badware risks | enabled 1 |
| uBlock filters – Privacy | enabled |
| uBlock filters – Resource abuse | enabled |
| uBlock filters – Unbreak | enabled |
| Ads: | |
| AdGuard Base | disabled |
| AdGuard Mobile Ads | disabled 2 |
| EasyList | enabled |
| Privacy: | |
| AdGuard Tracking Protection | disabled |
| AdGuard URL Tracking Protection | enabled |
| Block Outsider Intrusion into LAN | enabled |
| EasyPrivacy | enabled |
| Malware domains: | |
| Online Malicious URL Blocklist | enabled |
| Phishing URL Blocklist | enabled |
| PUP Domains Blocklist | enabled |
| Annoyances: | |
| AdGuard Annoyances | enabled |
| AdGuard Social Media | disabled |
| Anti-Facebook List | disabled |
| EasyList Cookie | disabled 3 |
| Fanboy’s Annoyance | disabled |
| Fanboy’s Social | disabled |
| uBlock filters – Annoyances | enabled |
| Multipurpose: | |
| Dan Pollock’s hosts file | disabled |
| MVPS HOSTS | disabled |
| Peter Lowe’s Ad and tracking server list | enabled |
| Custom: | |
| ClearURLs for uBo (unofficial) 4 | https://raw.githubusercontent.com/DandelionSprout/adfilt/master/ClearURLs%20for%20uBo/clear_urls_uboified.txt |
Footnotes
1 - Optional for Linux users, highly suggested for non-technical Windows users
2 - Enable if using Firefox on a mobile device
3 - Enabling this list will hide a lot of those idiotic cookie notices however this list is already included in the Fanboy’s Annoyance list if you wish to enable it. In the future Firefox will apparently offer an option to block a lot of these retarded cookie notices so hopefully no list will be necessary.
4 - Removes tracking parameters from URLs. This list replaces the basic functionality of the Clear URLs add-on. For a description see this.
Don't worry about the 'Regions, languages' section unless you browse sites in languages other than English in which case you'll want to enable those languages.
There are millions of additional filter lists available for uBO, however i strongly advise you to be very careful about what ones you add, if any. In my experience the default filter lists offered by uBO are quite sufficient for general web browsing and adding more will use more memory, slow things down and potentially cause more conflicts and breakages.
'My filters' tab
You might wish to disable the 'Block remote fonts' option on the 'Settings' tab add the following to the 'My filters' settings instead. Depending on which line you uncomment (remove the ! ) you can allow all 1st party fonts while blocking all 3rd party fonts, or block all 3rd party fonts except for a single domain, or block all 3rd party fonts except for multiple domains. As written, the code below will allow all 1st party fonts while blocking all 3rd party fonts. All lines beginning with ! are comments and are not read by uBO. Only uncomment one line.
! >>> UNCOMMENT ONLY ONE LINE AND EDIT IT AS NECESSARY <<< ! uncomment the line below to allow 1st party fonts + block 3rd party fonts (default): *$font,third-party ! uncomment the line below to allow 1st party fonts + allow 3rd party fonts for a single domain (example.com): !*$font,third-party,domain=~example.com ! uncomment the line below to allow 1st party fonts + allow 3rd party fonts for multiple domains: !*$font,third-party,domain=~example.com|~example2.net
'My rules' tab settings
If you are following the Firefox Configuration Guide for Privacy Freaks and Performance Buffs or otherwise using uBO on its own, and you have enabled the 'I am an advanced user' setting, you can optionally replace the default behind-the-scene rules on the 'My rules' tab with the the following, however understand that these filters can break some websites for which you may need to add exceptions by using uBlock's logger feature:
no-large-media: behind-the-scene true behind-the-scene * 1p-script block behind-the-scene * 3p block behind-the-scene * 3p-frame block behind-the-scene * 3p-script block behind-the-scene * image block behind-the-scene * inline-script block
If you are using the LocalCDN add-on you will need to add some rules to the 'My Rules' tab in the uBO Dashboard. The rules can be found in the preferences section of the LocalCDN add-on from where you will copy the rules specific to uBlock and paste them on a new, blank line in the 'Temporary rules' section of the 'My Rules' tab. Make sure to save and commit the changes. When adding the rules, be sure to remove any conflicting rules for the same domains if there are any (there won't be if you're starting fresh).
Dynamic filtering
If you are running uBO with its 'I am an advanced user' option enabled in order to activate dynamic filtering, i recommend setting the following rules in the 'Global rules' column of the popup interface:
If you decide to block '3rd-party' (all 3rd party content) globally, uBO will not be able to update its filter lists until you create a 'noop' rule for the Filter Lists settings page which you can do from the dashboard pop-up interface while viewing the Filter Lists page.
Recent changes
19-May-2023
- corrected footnote error in 'Filter Lists tab' section - thanks to 'Chris' (in the comments)
Comments
Note that both reader and my comments, while they may have been accurate at the time, might not be inaccurate today. This is a highly dynamic environment so please verify the accuracy of a comment should you wish to utilize it. Failing that, ask me and i'll give it a crack.
May I ask if the version of this guide that still featured uMatrix is available to read somewhere?
sorry, it is not – uM isn’t really being worked on anymore
Yes I know, that’s not why I’m asking, I’m not even asking if you’re maintaining a separate version of this guide. I found it on the Wayback Machine.
Hi.
Why do you suggest disabling cosmetic filtering?
“Parse and enforce cosmetic filters – disabled.
Ignore generic cosmetic filters – enabled.”
that’s just a suggestion – from what i understand cosmetic filtering adds substantial overhead to uBO and personally i don’t see any real benefit from it – in my case i block elements using CSS
“in my case i block elements using CSS”
Is it described somewhere in your instructions how to do this?
Firefox Tweaks and Fixes and Styles and Things
Thanks
Thank you for the awesome guide. I am making the change to enabling the “I am an advanced user” option to leverage uBlock’s dynamic filtering.
I have set the “Global rules” for “inline scripts”, “1st-party scripts”, “3rd-party scripts”, “3rd-party frames”, but it is unclear to me if JS should still be disabled globally in “Settings” or if these 4 global rules in the dynamic filter does the same thing. In the case of dynamic filtering however, instead of flipping the Java Script switch on a per site basis for example you edit the dynamic rules instead. I hope I am making sense.
I suspect disabling JS globallly is not required anymore with those 4 dynamic rules set, i just want to do a sanity check.
> …it is unclear to me if JS should still be disabled globally in “Settings”…
no, the global rules you set will do the job
> I suspect disabling JS globallly is not required anymore with those 4 dynamic rules set
correct
> In the case of dynamic filtering however, instead of flipping the Java Script switch on a per site basis for example you edit the dynamic rules instead.
if you haven’t read the uBlock wiki, please do so
i’m a little confused by your question – you need not “edit” anything, you click the appropriate rule scope on the main pop-up
you’re at 12bytes.org, so if you want to allow scripts to run here, in the right column (local) you would click the gray box – if you wanted to allow other sites to run scripts from here, which there’s no reason to do, then you click the gray box in the left column (global)
> you need not “edit” anything, you click the appropriate rule scope on the main pop-up
That is what i meant by editing the dynamic rules yes.
Thank you for clarifying!
> I have set the “Global rules” for “inline scripts”, “1st-party scripts”, “3rd-party scripts”, “3rd-party frames”,
by that i assume you mean the corresponding boxes in the left (global) column are all red which is correct for a default-deny scenario
in my experience, the general blocking of third-party fonts works very poorly and causes icons to no longer be displayed on various pages.
How about just adding this list instead?
# Third party fonts
https://fanboy.co.nz/fanboy-antifonts.txt
are you allowing 1st party fonts via the filter?
how does the fanboy list differ from blocking 3rd party? i would think that any less breakage with that list would be due to missing rules but i’m not familiar with filter syntax so i’m not really sure what he’s doing there
blocking 3rd and allowing 1st still breaks some sites (where web developers are too stupid to self-host their fonts), but not a lot for me personally – i tend to just mouse-over the broken characters to discover what they link to if i need to
Yes, allowing first party, only blocking third party, and as you wrote, it does indeed break some sites.
Maybe you’re right and it might be only the missing rules.
it’s an annoyance for sure and it’s the “modern” web dev that’s to blame, at least in part – one thing you can do is complain to the site owner, but i think the mass adoption of ad blockers is also putting a lot of pressure on devs to hopefully clean up their act but it may be too late for that
i think the web is going to split at some point between the corporate garbage and an “underground” web – of course this has already taken place with Tor, IPFS, etc., but it isn’t widely adopted… yet
i want to start to get on that bandwagon by converting this site to a static site (pure html and css) and, when it’s time, stick it on IPFS or some other P2P distributed infrastructure
you should look into this, those aren’t that ‘annoying’ :) https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/extensions-t127841.0.html;msg914092#msg914092
wow, you’ve done some serious filtering there!
it’s not me…I’m not that good:) but I like how it works.
Hallo! What’s the deal with cosmetic filtering? I see that you suggest disabling it, but why? Its description seems quite useful to me.
hallo back! if cosmetic filtering is useful to you, by all means, go ahead and enable it, but i prefer to inject CSS where needed to hide crap i don’t want to see
from the Dashboard: Filter lists page:
Hallo! In the “Settings” tab, footnote 3, you say “Disable hyperlink auditing” may remain disabled (in other words: hyperlink auditing will be allowed) as long as dom.security.https_only_mode is enabled in the Firefox settings. That means, someone who uses arkenfox’ user.js will be tended to uncheck “Disable hyperlink auditing”. The question is: How is the dom.security.https_only_mode setting linked to hyperlink auditing? If I read the description in uBlock Origin’s wiki, I fail to establish why enabling dom.security.https_only_mode would render “Disable hyperlink auditing” redundant.
> How is the dom.security.https_only_mode setting linked to hyperlink auditing?
it isn’t – over time i added 1 or 2 additional footnotes and added or removed information in the settings table as changes were made to uBO and somewhere in there the footnote numbers in the table fell out of sync with the footnotes
thanks for pointing this out – it’s been corrected
I’ve noticed that you have the setting ‘Disable Hyperlink auditing’ set to ‘disabled’. Why? Afaik it is enabled by default. If you uncheck it, it will allow ping-tracking afaik.
“Checking this will prevent hyperlink auditing.” https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#disable-hyperlink-auditing
hyperlink auditing is disabled by default in Firefox (browser.send_pings), however i did change the recommendation to ‘enabled’ in uBO since it doesn’t hurt
ClearURLs for uBo (unofficial) pointing to the wrong footnote – 5 instead of 4.
3 – Enabling this list will hide a lot of those idiotic cookie notices however this list is already included in the Fanboy’s Annoyance.
However, Fanboy’s Annoyance isn’t set to enabled, which it should?
thanks Chris – footnote error corrected – as for cookies, i left that list disabled intentionally due to Firefox’s ability to segregate storage, however maybe i should re-evaluate that – also Firefox is supposed to offer an option in the near future to block these retarded cookie notices
the last part was actually about the fact that you mention the “Fanboy’s Annoyance” under Footnotes No. 3, but this is not enabled at all, according to your list? I think it was in the past.
Good on mozilla if they block those retarded notices in the future without any extentions.
yeah, i understand how #3 footnote could be a little confusing so i changed the wording – and yes, i probably did have the list enabled before at one point
these are only suggested settings to use as a starting point though – people can of course do what they want with the these options
again, thanks for letting me know about this