4.1 Extensions
Preferences alone are not enough. Extensions can be more powerful, such as offering whitelists/blacklists and more granular control. This may allow you to set a preference at a deny-all level, but get back functionality on sites where you need it. An extension can also solve issues where the browser itself has no current solution. This list covers privacy and security related extensions only. While we believe these are the very best of the best, this can be subjective depending on your needs. We are also not saying you have to use all these extensions.
In no particular order...
CSP: When multiple extensions use CSP injection to modify headers, only one wins, and predicting the winner is like rolling a die. Some CSP items to be aware of are highlighted below.
- uBlock Origin | Privacy | GitHub
  - CSP: Uncheck `Dashboard > Settings > Block remote fonts`. Font rules use CSP [unsure about font filters]. Use Request Control instead.
- Privacy Badger | Privacy | GitHub
  - Uses heuristics to learn and to build local blocking lists. Your mileage will depend on what other blocking extensions you use and their configurations, but it certainly can't hurt.
- uMatrix | Privacy | GitHub
  - CSP: uMatrix uses CSP for `$inline` and for web workers (maybe others)
- HTTPS Everywhere | Privacy | GitHub
  - CSP: Uncheck `Toolbar Icon > Encrypt All Sites Eligible (EASE)`
- CanvasBlocker | Privacy | GitHub
  - CSP: Uncheck `Misc > Block data URL pages`
- Decentraleyes | Privacy | GitLab | GitHub Archive
  - uBlock Origin users should add the following rules if required
- Temporary Containers | Privacy (stated on AMO) | GitHub
  - This can achieve almost everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot.
  - Required reading: [1] AMO description [2] Article [3] TC's Wiki
- CSS Exfil Protection | GitHub | Homepage + Test
- Smart Referer | Privacy | GitLab | GitHub Archive
- Header Editor | GitHub
  - Allows you to run Rules to modify headers such as blocking ETags
  - ETag Stoppa | GitHub: Use this if you don't want a full-on header extension
- Neat URL | Privacy | GitHub
- Skip Redirect | GitHub
- ClearURLs | Privacy (stated on AMO) | GitLab | GitHub Archive
- Violentmonkey | Privacy | GitHub
  - Allows you to run User Scripts which can do neat things. There are Web Extension API limitations, such as handling strict CSP and @run-at document-start. So TEST your scripts!
  - window.opener be gone | see #401
- Request Control | GitHub | Manual | Testing links
- Redirector | Privacy | GitHub

These extensions will not mask or alter any data sent or received, but may be useful depending on your needs:

- uBO-Scope | GitHub
- True Sight | Privacy | GitHub
  - Why would you want to detect CDNs? Read this.
- mozlz4-edit | GitHub
  - inspect and/or edit `*.lz4`, `*.mozlz4`, `*.jsonlz4`, `*.baklz4` and `*.json` files within FF
- CRX Viewer | GitHub
- Compare-UserJS
  - Not an extension, but an excellent tool to compare user.js files and output the diffs in detailed breakdown - by our very own incomparable claustromaniac
- Enterprise Policy Generator | GitHub
  - For ESR60+ and Enterprise Policies
- Cookie extensions
  - APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy
  - Use FPI (First Party Isolation) and/or Temporary Containers
- NoScript
  - CSP: "NoScript uses some trickery to ensure its CSP headers are injected" (gorhill)
- Ghostery, Disconnect
  - They add nothing uBlock Origin doesn't already cover
- Chameleon, Privacy Possum or any other extension that raises entropy
  - We support lowering entropy. This is best left to privacy.resistFingerprinting