4.1 Extensions · ghacksuserjs/ghacks-user.js Wiki · GitHub

This list covers privacy and security related extensions only. While we believe these are the very best of the best, this can be subjective depending on your needs. We are also not saying you have to use all these extensions.

Relevant Links

• #655 Submissions | #350 Prefs & Extensions | #664 CSP issues

CSP

• FULLY fixed in ESR78.1+ and FF78+

• CSP: When multiple extensions use CSP injection to modify headers, only one wins and predicting the winner is like rolling a dice. Some CSP items (this is not an exhaustive list) to be aware of are highlighted below.

---

Extensions (in no particular order...)

• uBlock Origin ✔ Privacy | GitHub
  • CSP: Uncheck Dashboard > Settings > Block remote fonts. Font rules use CSP, use Request Control instead. Other CSP issues include filter lists that use $csp= (and there are lot of them)
• uMatrix ✔ Privacy | GitHub
  • CSP: uMatrix uses CSP for $inline and for web workers (maybe others)
• HTTPS Everywhere ✔ Privacy | GitHub
  • CSP: Uncheck Toolbar Icon > Encrypt All Sites Eligible (EASE)
• CanvasBlocker ✔ Privacy | GitHub
  • CSP: Uncheck Misc > Block data URL pages
• Decentraleyes ✔ Privacy | GitLab | GitHub Archive
  • uBlock Origin users should add the following noop rules if required
• Temporary Containers ✔ Privacy (stated on AMO) | GitHub
  • This can achieve almost everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot.
  • Required reading: [1] AMO description [2] Article [3] TC's Wiki
• CSS Exfil Protection | GitHub | Homepage + Test
• Smart Referer ✔ Privacy | GitLab | GitHub Archive
• Header Editor | GitHub
  • Allows you to run Rules to modify headers such as blocking ETags
  • ETag Stoppa | GitHub Use this if you don't want a full-on header extension
• Neat URL ✔ Privacy | GitHub
• Skip Redirect | GitHub
• ClearURLs ✔ Privacy (stated on AMO) | GitLab | GitHub Archive
• Request Control | GitHub | Manual | Testing links
• Redirector ✔ Privacy | GitHub

---

Extensions [Tools]

These extensions will not mask or alter any data sent or received, but may be useful depending on your needs

• uBO-Scope | GitHub
• True Sight ✔ Privacy | GitHub
  • Why would you want to detect CDNs? Read this.
• mozlz4-edit | Github
  • inspect and/or edit *.lz4, *.mozlz4, *.jsonlz4, *.baklz4 and *.json files within FF
• CRX Viewer | GitHub
• Compare-UserJS
  • Not an extension, but an excellent tool to compare user.js files and output the diffs in detailed breakdown - by our very own incomparable claustromaniac
• Enterprise Policy Generator | GitHub
  • For ESR60+ and Enterprise Policies

---

Don't Bother...

• Cookie extensions
  • ❗️ Functionality for extensions may be missing for clearing IndexedDB, Service Workers cache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy
    • see 1340511 for progress on this
      • FF77+ 1551301 IDB 1632990 Service Workers cache
      • FF78+ 1636784 cache
  • Use FPI (First Party Isolation) and/or Temporary Containers
• NoScript
  • ❗️ CSP: "NoScript uses some trickery to ensure its CSP headers are injected" gorhill
• Privacy Badger
  • Is easily detected and additional blocking via hueristics is redundant or negligible when using uBlock Origin (depending on your configuration)
• Ghostery, Disconnect
  • They add nothing uBlock Origin doesn't already cover

---

⚠️ Anti-Fingerprinting Extensions... F&%K NO!

• DON'T BOTHER to USE extension features to CHANGE any RFP protections
  • Exception: where you can whitelist a site for functionality and you know the risks

This is not about the merits of randomizing vs lowering entropy: this is about using the best options available. We support RFP (privacy.resistFingerprinting) as far superior (in the metrics it so far covers)

• It is trivial to detect RFP and when you change a RFP metric, you lose your "herd immunity"
  • i.e.: you just added more entropy, very likely unique, compared to the already tiny group of RFP users
  • Ask yourself why Tor Project recommends you do not change Tor Browser settings and you do not install extensions
• RFP is robust and vetted by experts (Mozilla, Tor Project, researchers)
• RFP is an enforced set where all users should be [1] the same: i.e. uniform, in the same "buckets", or exhibiting the same behavior
  • [1] Don't fiddle with prefs unless you know what they do
• Extensions aren't robust: either lacking APIs, or are poorly designed, or miss all methods, or it's snake oil (impossible)
  • e.g.: spoof OS? You can't (RFP can do what it likes as it's an enforced set of users)
  • e.g.: spoof user agent, timezone, locale, or language? navigator properties leak via workers and can leak via other methods such as window.open and iframes
  • e.g.: spoof screen? css leaks and matchmedia can leak
  • e.g.: spoof language/locale? Practically impossible, and if (that's a massive "if") it were perfect, then it's no different to setting that as your preferred website language in options
• Extensions can often be detected
  • e.g. script injection and function names
  • e.g. if not uniquely, then by their behavior and characteristic patterns
  • note: RFP doesn't care if it can be detected, because all users are the "same"

If you don't use RFP, then you're on your own. And don't rely on entropy figures from test sites. The datasets are not real world, very small, and tainted by both the type of visitors, and by their constant tweaking and re-visits which further poison the results and artificially inflate rare results: e.g. on Panopticlick [May 2020]

• e.g.: why are 1 in 6.25 (16%) results returning a white canvas (which is statistically only an RFP solution), and 1 in 6.16 (16%) returning a Firefox 68 Windows user agent, and yet Firefox (and Tor Browser) only comprise approx 5% worldwide, in total - actual ESR68 users on Windows, and actual RFP users would both be a tiny fraction of that
• e.g.: why are 1 in 1.85 (54%) results returning no plugins, when chrome (at 67% market share) and others by default reveal plugin data
• remember: very, very, very few users use anti-fingerprinting measures

It takes large real world studies to get the number of results per metric, and it takes a controlled one (one result per browser) to get the distribution in order to get reliable entropy figures. Don't believe the BS.