NoScript, μMatrix, μBlock, GreasyMonkey and HTTPSEverywhere interaction #60

Open
KOLANICH opened this issue Mar 2, 2018 · 4 comments
Labels
Intermediate Projects that require a medium level of understanding. Doesn't require much prior knowledge. Medium work This project takes little time to complete. (ETA week or two)

Comments


KOLANICH commented Mar 2, 2018

Project description

There are 2 privacy-enhancing extensions for Firefox:

  • NoScript (development is done in private, no source in VCS publicly available, though requested, but there is release history, we can download all the releases and unpack them into a repo and make each release a commit. Maone has updated his repo)
  • μMatrix

and one ad-blocking:

  • μBlock Origin, sharing some code with μMatrix (I don't know why gorhill had decided to split it from μMatrix).

There is also a GreasyMonkey extension allowing you to customize websites with client-side JS code.

μMatrix and NoScript have partly overlapping and partly unique features:

  • (en|dis)abling the following html5/js features:
    • μMatrix and NoScript:
      • xhr/fetch
      • frame
      • script
      • media
    • μMatrix:
      • cookie
      • css
      • image
    • NoScript:
      • object
      • font
      • webgl

So if you wanna control everything you will have to use both addons. And you have to synchronise the prefs.

  • NoScript allows writing bits of JavaScript to fix broken websites. μMatrix (or μBlock, I don't remember) once had a similar feature (a file with js code was put into the official repo). These bits of JS are stored with much perversions. But GreasyMonkey can and likely be better used for this.

  • NoScript has anti-xss and anti-csrf heuristics.

  • XUL versions of NoScript have the features to detect and prevent clickjacking, to disable redirections wrapped into noscript tags, and ABE - a kind of firewall to prevent attacks like csrf to local RPCs (though webext version doesn't have it, it is possible to implement a large part of it), DNS rebinding (an option to treat own wan IP as local).

  • both addons allow black- and whitelists, though noscript has no mechanisms to work with subscriptions.

Webextension API allows interaction between different addons

So I propose to
1 modularize the extensions, encapsulate the following into separate extensions:

  • subscriptions manager (GUI to configure subscriptions, each subscription and subscription item has own type, each type has list of extensions interacting with this type. Exposes api to create, enable, disable and update subscriptions and modify their metadata). BTW, HTTPSEverywhere addon also needs subscriptions mechanism. Can be created by forking NoScript and stripping everything except subscription management + adding the API.
  • userscripts executor (GreasyMonkey, uses subscriptions manager to update the scripts and subscriptions to scripts, allows extensions to register own API to pass into a userscript and to register a callback function for a subscription which is called for every script matching the criteria to be run and returns true if the script should really be run).
  • privacy-preserving addon (GUI to configure blockers, uses lists manager to store user-configured rules, uses subscription managers to create a subscription to surrogates for GreasyMonkey, registers a callback function checking if additional closures like "all js on this site are blocked" match (noscript surrogates allowed to be run only on pages with js disabled to not interfere with normal js) )
  • lists manager (uses subscriptions manager to update the lists of blocking rules, parses them, interacts with specific content-blockers)
  • blockers for every type of content and generic rule-based blocker

2 Replace surrogates with a subscription to GreasyMonkey scripts.

@KOLANICH KOLANICH changed the title NoScript, μMatrix, μBlock and GreasyMonkey interaction NoScript, μMatrix, μBlock, GreasyMonkey and HTTPSEverywhere interaction Apr 5, 2018
@FredrikAugust FredrikAugust added Medium work This project takes little time to complete. (ETA week or two) Intermediate Projects that require a medium level of understanding. Doesn't require much prior knowledge. labels Jun 20, 2018
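
An added sketch (not part of the original issue, and not code from any of the extensions named) of the message handler a shared subscription manager would need, with each subscription type carrying the list of extensions allowed to use it, as the proposal describes. The class, message fields, extension ids and the HTTPS-only rule are assumptions of this example.

```javascript
// Added sketch, not code from NoScript/uMatrix/uBlock; every name is hypothetical.
// typeAcl: Map(type -> Set(extension ids allowed to use that type))
class SubscriptionManager {
  constructor(typeAcl) {
    this.typeAcl = typeAcl;
    this.subs = new Map(); // id -> { id, type, url, enabled, owner }
  }
  allowed(senderId, type) {
    const ids = this.typeAcl.get(type);
    return ids !== undefined && ids.has(senderId);
  }
  // (msg, sender) has the shape runtime.onMessageExternal passes to a listener.
  handle(msg, sender) {
    const senderId = sender && sender.id;
    if (typeof senderId !== "string") return { ok: false, error: "no-sender" };
    if (!msg || typeof msg !== "object") return { ok: false, error: "bad-message" };
    switch (msg.op) {
      case "create": return this.create(senderId, msg.type, msg.url);
      case "enable":
      case "disable": return this.setEnabled(senderId, msg.id, msg.op === "enable");
      case "list": // a caller only sees the types it is registered for
        return { ok: true, subs: [...this.subs.values()]
          .filter((s) => this.allowed(senderId, s.type)) };
      default: return { ok: false, error: "unknown-op" };
    }
  }
  create(senderId, type, url) {
    if (!this.allowed(senderId, type)) return { ok: false, error: "forbidden" };
    let parsed;
    try { parsed = new URL(url); } catch (e) { return { ok: false, error: "bad-url" }; }
    // Assumption of this sketch: lists and scripts are fetched over HTTPS only.
    if (parsed.protocol !== "https:") return { ok: false, error: "insecure-url" };
    const id = `${type}:${parsed.href}`;
    if (this.subs.has(id)) return { ok: false, error: "exists" };
    this.subs.set(id, { id, type, url: parsed.href, enabled: true, owner: senderId });
    return { ok: true, id };
  }
  setEnabled(senderId, id, enabled) {
    const sub = this.subs.get(id);
    if (!sub || !this.allowed(senderId, sub.type)) return { ok: false, error: "forbidden" };
    sub.enabled = enabled;
    return { ok: true, id, enabled };
  }
}
// Constructed ACL; the extension ids are placeholders.
const manager = new SubscriptionManager(new Map([
  ["blocklist", new Set(["blocker@example.invalid"])],
  ["userscript", new Set(["userscripts@example.invalid"])],
]));
// In the extension: browser.runtime.onMessageExternal.addListener(
//   (m, s) => Promise.resolve(manager.handle(m, s)));
```

Because any installed extension can send an external message, the sender id check is what keeps one addon from toggling or reading another addon's subscriptions.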
@garywill

May I suggest two more privacy-enhancing addons?

smart-referer controls http header referer, which may leak to web server which page you come from.

WebAPI Manager prevents the web from using some specified APIs, thus preventing WebGL/canvas fingerprinting, WebRTC LAN IP leaks, hardware info and so on. It is highly customizable.

@KOLANICH
Author

You may, but ... there is already an issue for recommending extensions arkenfox/user.js#294

@jawz101

jawz101 commented Nov 21, 2018

I'm pretty sure uBlock supports all of these. Per this file:
https://github.com/gorhill/uBlock/blob/master/src/js/static-net-filtering.js#L80

*$data,first-party
*$data,third-party
#*$font,first-party
*$font,third-party
*$generichide,first-party
*$generichide,third-party
#*$image,first-party
#*$image,third-party
*$inline-font,first-party
*$inline-font,third-party
#*$inline-script,first-party
*$inline-script,third-party
*$main_frame,first-party
*$main_frame,third-party
*$media,first-party
*$media,third-party
*$no_type,first-party
*$no_type,third-party
*$object,first-party
*$object_subrequest
*$object_subrequest,first-party
*$object_subrequest,third-party
*$object,third-party
*$other,first-party
*$other,third-party
*$popunder,first-party
*$popunder,third-party
#*$popup,first-party
*$popup,third-party
*$redirect,first-party
*$redirect,third-party
#*$script,first-party
*$script,third-party
#*$stylesheet,first-party
#*$stylesheet,third-party
#*$sub_frame,first-party
*$sub_frame,third-party
*$unsupported,first-party
*$unsupported,third-party
*$webrtc,first-party
*$webrtc,third-party
*$websocket,first-party
*$websocket,third-party
#*$xmlhttprequest,first-party
*$xmlhttprequest,third-party

I've messed with adding some variations to My Filters and seeing how they play out. Over time I've whittled it down to a few and add some exceptions after watching the logs to fix breakages:

https://github.com/jawz101/MobileAdTrackers/blob/master/uBlockOriginMyFilters

@KOLANICH
Author

> I'm pretty sure uBlock supports all of these.

This issue is not about it. uBlock has subscriptions, uMatrix also has them. The idea is to make a subscription manager and use it from all these addons and update addons and subscription manager separately. Consider a browser as an OS for websites and addons and a subscription manager addon as a specific kind of package manager.


4 participants