uBlock Origin Lite now available on Firefox (addons.mozilla.org)
675 points by tech234a on Aug 21, 2023 | 328 comments


This is the uBlock Origin edition based on the much-maligned WebExtensions Manifest V3, which implements blocking declaratively instead of allowing/requiring live request interception.

Firefox—my daily driver—still supports the "main" uBlock Origin (and I'm a somewhat heavy user of features unavailable in Lite like custom filters), but I had been waiting for Lite to be available and immediately went ahead and replaced uBlock Origin with uBlock Origin Lite.

The security win can't be understated: with its permission-less design (enabled by MV3) I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions. Sure, attackers could still get into Mozilla, Apple (as I run macOS), or cause a backdoored update to be pushed via Homebrew (how I install unsandboxed applications when no web app is available, which thanks to the likes of WebUSB is getting less common), but unsandboxed browser extensions were clearly the lowest hanging fruit, so this update (and MV3) significantly raised my security posture (and transitively that of projects I have access to, and that of their users).


>I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions.

It's my understanding that because uBlock Origin is a "recommended extension", it must undergo a formal code review each time a new update is published. A malicious update would not face zero obstacles.

https://support.mozilla.org/en-US/kb/recommended-extensions-...


The switch from full access to white-listing for full blocking is just awesome imo.

You can just decide for each case the tradeoff between advanced blocking and security.


That tradeoff is already possible with the normal uBlock Origin; it just has a different (preferable IMO) default.

The only apparent upside to this version is if you don't trust Raymond Hill to refrain from spying on your browsing sessions via his add-on. By every other metric this seems like a downgrade.


If you use a non-declarative adblocker, you're not just trusting the developer, but also all the third-party filter lists you've subscribed to. These filters have powerful capabilities and can even exfiltrate website data [1], and they are updated in real time, so if a bad actor pushed a malicious update (e.g. by gaining access to any EasyList contributor account), you would most likely be affected.

However, it's true some websites (like YouTube) are especially problematic and a declarative adblocker is not enough. What you can do is combine both approaches: use a declarative adblocker (uBlock Origin Lite) as a baseline, and selectively enable non-declarative adblockers (uBlock Origin) for specific websites (see [2] for a detailed overview).

I like this layered approach because it gets you the best of both worlds: the security and performance of a declarative adblocker, and the functionality of a non-declarative adblocker when you need it, without compromising your entire browsing session.

[1] https://portswigger.net/research/ublock-i-exfiltrate-exploit...

[2] https://seirdy.one/posts/2022/06/04/layered-content-blocking...


Why do you think so?

Say I open HN on my morning coffee and open 5 links in new tabs. They don't have to be to sites I've opened before. I will be tracked until I go to each tab and add it to uBlock Origin.

How is that an improvement?


It truly does seem like a misinformed take on security, believing that being actively tracked is better than the possibility of being tracked if uBlock Origin were ever to be compromised.


Those evil hackers always compromise open source code first, never the ads that no one is reviewing!


I'm unsure of how it exactly differs and whether there are features missing. I will admit that if I were to install uBOL today, I would be worried that it would be less capable and my browsing experience less-safe.


There are many features missing, it is more prone to anti-adblock/ad reinsertion (problems with `redirect-rule` and no ability to update quickly), and ads/trackers/popups can slip through if they cannot be caught by regex filters.


also:

- one thing that is much less powerful is cosmetic filters, which means ads may be replaced with gray squares if uBOL can't remove them entirely

- fewer filters overall, because the limits on how many filters are possible are pretty strict

- extension updates will be both larger and much more frequent because filter lists can no longer be updated separately from the extension


Why is there a filter limit at all? Why did Firefox add that? Can config change it?


> Why did Firefox add that?

They didn't, Google did. It is part of MV3 specs, afaik.


But Firefox still didn't have to implement the limit.


Then don't use the downgraded version of the ad blocker? What is the point of having two versions of MV3 when you can use a superior adblocker on Firefox anyway?


Google doesn't make Firefox. I flatly don't understand why Mozilla has that limit.


Filters aren't free


They are quite often better than free, blocking unwanted content that would consume more memory and CPU time than the filter itself.


Filters take a minuscule amount of resources. E.g. Even if you had to loop over a list with thousands of entries this would be unlikely to matter, and can in fact even be optimized quite significantly with various algorithms. However, because a database is most likely used, this is not even an issue, and the resource use will in fact be truly minimal.

I can not give you an exact number, but it is massively bigger than the number of trackers / elements that any usable web page can realistically implement. Probably you can do several thousands database calls in less than a second due to indexing; and that can be further optimized by doing it in batches, bringing it up to tens of thousands, if not in the hundreds on modern PCs. It is literally not an issue.


Is the limit still around 30,000 or is it higher? That could be 600,000 filter checks on a page load with 20 requests.

I'm sure it's fast but if people want unlimited number of rules that number could start exploding.


Hmm, it looks like the uBO "Enter element picker mode" feature is not available. I've found that pretty useful occasionally in the past on websites where uBO doesn't catch an ad.


Actually every extension on AMO must go through manual inspection to push as auto update. You may push a new version to the market without manual inspection. But it won't auto update to users' computers until then.

So human review really isn't the real difference on Firefox's side. Because it is required since day one.


> When a developer submits an extension to addons.mozilla.org, it’s scanned for a set of common issues. It may also be subject to human review.

-- https://support.mozilla.org/en-US/kb/tips-assessing-safety-e...

*May* is important here. That is also what I remembered changing years ago.


Do you have a source for this? I always thought they long ago stopped manual inspections for most extensions.


I literally wrote one. And it had been taken down due to the reviewer being unable to reproduce the archive I uploaded (it turns out to be a \r\n \n line ending issue. Thanks Windows and git).


I maintain one as well, and had it approved despite the source having a bug, so that doesn’t sound like much of a source.


I don't think they ever care about whether your extension has a bug or not. They probably only review whether your extension has weird minified code or dependencies.


It was a bug that prevented building it. If they just look at the source code without building it, they’ll have no idea if it’s the same code at all, and it would be useless.


That's weird. Probably it depends on reviewer? Or probably the reviewer figured out how to compile your source some way? In my experience, the reproducible requirement is always forced.


See my other comment [0], manual reviews have been optional for a long time. There was quite the outcry when they stopped reviewing everything.

[0]: https://news.ycombinator.com/item?id=37218820


Ok, when adding a new extension to the store. But “recommended extensions” get manually reviewed whenever they update.


I'm pretty sure that once you factor in the security reduction from ad blocking being less effective, switching from uBO to uBOL is actually a net worsening of security posture.


If you're getting targeted with major browser zero-days, ads are the least of your concern.


Then you should be running more powerful tools like noscript and the full version of this, not a pared down version. Or a significantly more locked down version of Firefox on qubesOS.

Manifestv3 will have negligible improvements on potential security risks and will significantly decrease overall security.


Why do you assume you need to be targeted to be a victim of being pwned by ads?


Because exploits that can break out via ads are not usually worth burning on randos?


Targeted ads let you make sure they don’t get deployed on randos.


In what way does ad blocking improve your security? It significantly improves your user experience and slightly improves privacy, but it doesn't have anything to do with security, unless you click on random "download" links, which I assume people on HN don't do


You assume that modern day browsers are even remotely secure. They still suffer from significant security bugs every now and then. Reducing the amount of third party JavaScript you run is a security improvement.


Exfiltration of data is a security issue and ads tend to grab any info they can, even if it is just loading their resources. Not a security issue many large tech companies like to focus on for obvious reasons.


You’d be shocked at how many people (smart people included) are fooled by stupid ads and misleading website alerts and notifications. I used to do customer support for a large tech company, and people get sucked into giving up passwords or PII All. The. Time. by convincing ads. Some of these actors even deliberately style the ads to look like system alerts!

Yah, probably not a lot of HN users falling for it, but I was constantly surprised by the demographic. I’d regularly see smart, accomplished people get bamboozled by ads. It’s wild.


Ads can be a malware delivery vehicle.


Fewer requests = fewer potential attack vectors, especially when most of the blocked requests are executable JS code.


You could just disable automatic updates on extensions. uBlock origin is a featured extension, so it's already audited.

MV3 is safer, but so is running no adblocker at all. There is a tradeoff. I get much more ads on Safari+AdGuard (iPhone) which uses MV3 or some similar declarative approach, than on Firefox+uBlock-Origin where I get basically none.

I still prefer to trust one extension like uBlock Origin, just like I trust other software packages on my system, and to really fend off all the web tracking nonsense.


It seems like this issue could also be sidestepped by simply not silently pulling updates, especially in the case of something like browser extensions where the extension is sandboxed (so the potential negative impact of not immediately getting out a "critical security update" is bounded) but the developer is not fully trusted. Have we normalised micromanagement of the user by software vendors so far that this is no longer a default that anyone would consider?


> not silently pulling updates

a regular user would not have the capability to audit an update. A power user, with entirely too much time on their hands, could of course, but one should not be designing systems based on such niche scenarios.


The scenario is: don't enable automatic updates. How long will a compromise exist before someone notices? Often, not very long at all. It's entirely common to avoid an issue because you haven't bothered to update. It's also part of why corpos have their own repository mirrors too since dev supply chain attacks have gotten more common and no one's going to audit their dozens/hundreds of NPM dependencies every update.


You don't need to audit the update, simply don't update until there's some actual benefit to it.


The counter move is announcing some "security fixes" (of course without any further detail) in each and every update. Now you do not know if you are increasing security by applying the update or if you are decreasing it...


"Security fixes" just means the developer wanted to list what actually changed (which would be "added more telemetry, fixed analytics client ID persistence, made sidebar blue match logo" or something) but the PM insists on using the same generic message each time. Safe to ignore those updates!


I don't get out of bed for anything without a CVE so I can confirm I actually have a threat from the vulnerability, often times they're things where you'd need to use an obscure feature or local privilege escalations on single user systems, etc.


If they never publish any details of security issues (and certainly no CVE score), can you safely assume that you would never receive a genuinely important security fix? How would it feel later on, when your system was compromised and support is pointing to the update with the security fixes?

Yes, maybe that is some weird kind of fear of missing out (on security), but I have a hard time ignoring security fixes, even without details.


But one should be designing systems, unlike today where there is bad design of forced autoupdates. For example, there could be a system of distributed code reviews where an update is offered to the users only after some review.


A regular user would also not care about "web sessions", "permissions", "silent updates", and all the other techno-mumbo-jumbo they will file away in their folder of Do Not Care.

Essentially, there's an issue of hypocrisy in the threat model and type of user proposed.


For me this security scenario isn't relevant at all. It reminds me of the dysfunctional situation on mobile OS. Sure, theoretically a plugin could get compromised and an update would be malicious. That is true for any software I run on my machine.

But it also comes with costs. The browser is less customizable and further locked down. That reduces possibilities without netting advantages for me. Overall this is security FUD in my opinion. And the negatives can be observed in mobile OS.


Right, I would rather have a slightly less "secure" computer that I control than a super secure walled garden client.


> I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions

Yeah, but is this really a risk for anyone who isn't the sort to have installed Bonzi Buddy back in the day?

That attack surface, compared to that of brew, npm, pip, gem, etc., is minuscule. And browser plugins don't yank in obscure dependencies at install time.

I only run uBlock, and I suspect I'm in the majority here, and my choice of browser is predicated on the availability of a non-crippled ad blocker, because malicious ads are the primary threat.


> I only run uBlock,

(as noted by fsckboy): uBlock was the original name for the add-on that subsequently was ethically compromised/"sold out to" advertisers

uBlock Origin is the 2nd version written by the original author (gorhill) and is not compromised.


The issue with v3 is when it's the only solution. Which is not the case here :

> However, uBOL allows you to explicitly grant extended permissions on specific sites of your choice so that it can better filter on those sites using cosmetic filtering and scriptlet injections.

Which I would expect to allow it to work as well as uBO.


> Which I would expect to allow it to work as well as uBO.

Note that there are still some adblocker workarounds that will foil MV3, such as CNAMEs. uBO will always be more effective than MV3, unless some substantial improvements are made to MV3.


Note that CNAMEs is literally caused by GDPR, and the pathway every single ad or tracking company seems to go sooner or later.

For people not understanding how it works: you can set a CNAME entry on your tracker.domain.tld to bypass all browsers' third-party tracking preventions, and make it look like it's a normal subdomain of your website.

You need to make a CNAME tracker database manually by resolving the reverse entries for known IPs. Usually there are hundreds or thousands of CNAME entries pointing to the same IP address.

The AdGuard team also made a database for this, in case anyone needs it for UBOL [1]

Most, if not all of those trackers use assets that they serve from there (like a tracking pixel gif socket), so I highly doubt that uBOL will catch those; because the cat and mouse game is now in the ad tracker's favor and it is impossible to keep up now. And that was the intended purpose. We now have to play our hand with marked cards.

[1] https://github.com/AdguardTeam/cname-trackers
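An added example, not part of the thread and not code from uBO or AdGuard: why a hostname-only rule misses the CNAME setup described above, and what following the alias chain recovers. The hostnames, tracker list and DNS records are constructed, and same-site is approximated by a suffix comparison instead of the Public Suffix List.

```javascript
// Constructed tracker list (registrable domains), standing in for a real blocklist.
const TRACKERS = new Set(["tracker.example", "pixel-vendor.example"]);

// Constructed stand-in for DNS: hostname -> CNAME target. A real check would
// query a resolver; this map keeps the example offline.
const CONSTRUCTED_CNAMES = new Map([
  ["metrics.shop.example", "shop-example.edge.tracker.example"],
  ["shop-example.edge.tracker.example", "lb-7.pixel-vendor.example"],
  ["static.shop.example", "shop.cdn-host.example"],
  ["loop-a.shop.example", "loop-b.shop.example"],
  ["loop-b.shop.example", "loop-a.shop.example"],
]);

// Return the listed domain that `hostname` equals or is a subdomain of, else null.
function matchListedDomain(hostname, domains) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (domains.has(candidate)) return candidate;
  }
  return null;
}

// Follow CNAME records from `hostname`, stopping on a loop or after maxHops.
function followCnames(hostname, cnames, maxHops = 8) {
  const chain = [hostname.toLowerCase()];
  const seen = new Set(chain);
  while (chain.length <= maxHops) {
    const next = cnames.get(chain[chain.length - 1]);
    if (!next || seen.has(next)) break;
    chain.push(next);
    seen.add(next);
  }
  return chain;
}

// Classify one request made by a page on `pageHost`.
//   "listed-by-name"   : the requested hostname itself is on the list
//   "cname-cloaked"    : looks same-site by name, but an alias is on the list
//   "listed-via-cname" : cross-site name whose alias is on the list
//   "clean"            : nothing in the chain is listed
function classifyRequest(pageHost, requestHost,
                         cnames = CONSTRUCTED_CNAMES, trackers = TRACKERS) {
  const byName = matchListedDomain(requestHost, trackers);
  if (byName) {
    return { verdict: "listed-by-name", matched: byName, chain: [requestHost] };
  }
  const chain = followCnames(requestHost, cnames);
  for (const alias of chain.slice(1)) {
    const hit = matchListedDomain(alias, trackers);
    if (hit) {
      const sameSite =
        requestHost === pageHost || requestHost.endsWith("." + pageHost);
      return {
        verdict: sameSite ? "cname-cloaked" : "listed-via-cname",
        matched: hit,
        chain,
      };
    }
  }
  return { verdict: "clean", matched: null, chain };
}
```

A rule that only sees `metrics.shop.example` has nothing to match on; the verdict changes only once the alias chain is available to the matcher.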


> Note that CNAMEs is literally caused by GDPR

nonsense

GDPR is not technology specific; whether you use aliases or not makes no difference (neither does whether you use cookies or other e.g. heuristic methods for fingerprinting btw.)


> Note that CNAMEs is literally caused by GDPR

No. The migration to CNAMEs has to do with the phasing out of third party cookies. The GDPR literally does not care about how the technology works.


> Note that CNAMEs is literally caused by GDPR

How so?


> How so?

Because it shifts the contractual obligations and the "legitimate interest" of data to a seemingly first party, which all companies seem to think they can get away with.

Well, until the tracked subjects do a reverse DNS lookup anyways.


Adding a CNAME does not make tracking first-party. You can simply report them to the relevant DPO.


no it doesn't, CNAME is just an alias, nothing more, and even if it would make it first party it still wouldn't make it legal, like at all

you are allowed to track some information first party for certain purposes without user agreement (e.g. fingerprinting for DDOS protection) but you are ONLY allowed to use it for that purpose and have to use _as little data as possible, store it as short as possible_ etc. You also still have to inform the user about it, give them a way to delete it (though because you also have to keep that data as little and as short as possible you often delete it faster than the time you have to process such deletion requests so that tends to be a non issue)

this section of GDPR pretty much never applies to anything ad related ever, because even if you collected some fingerprints for DDOS protection you MUST NOT use them for ads, nor are you allowed to pass them to anyone else especially not if that entity does use them for something else.

pretty much nothing in the law text of GDPR ever implied you might get away with aliasing tracker domains, actually very clearly the opposite

generally GDPR is not technology specific, so pretty much any case of "this technical trick to work around GDPR limitations" is pretty much not legal as long as the trick is not to not collect data


Don't need to mansplain DNS RFCs and GDPR to me, explain it to the companies that use CNAME trackers, and maybe their marketing departments.

I am just stating the trend of ad tracker technologies, and how useless the Datenschutzbehoerde is in practice, from the perspective of someone that builds a browser network that tries to uncover these types of constellations.


then maybe formulate your comment better

because from what you posted above it clearly seemed you don't understand GDPR

people who don't know anything about the topic might come to believe that using CNAME is an actually legally working workaround instead of just a way to hinder ad-blockers


These "it's the fault of GDPR" posts feel like the comic book caricatures where angry citizens rant that Batman is the cause for all the crimes in Gotham City.


No, it won't work as well as uBO. Many features from uBO are missing in uBOL even in full mode, it is more prone to anti-adblock/ad reinsertion (problems with `redirect-rule` and no ability to update quickly), and ads/trackers/popups can slip through if they cannot be caught by regex filters.


> The security win can't be understated: with its permission-less design (enabled by MV3) I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions.

Can you or someone else elaborate on the way it would be more secure? I don't quite follow or see the benefit.


Look at the security on mobile OS. It is perfectly secure for Apple and Google. But seriously, the benefit is theoretical and only with the assumption that you believe Apple and Google to treat your data better than a third party. Brave assumption in my opinion.


I don't like the goal of giving less power to extensions. Extensions have traditionally generated independent innovation, when they're allowed to. They're an escape hatch.


And the security problems of malicious ads slipping through at higher rates aren’t an issue?


>I am down to zero third-party developers that can get compromised and silently push an update that compromises all my web sessions.

Why would you even have autoupdates in the first place if that is your threat model?


>as I run macOS

How is the FDE story on macOS? Isn't it closed source - how can you tolerate that as a cryptographer? (Not saying Linux is perfect, cryptsetup doesn't have a secure AEAD mode)


An AEAD mode on a physical disk doesn't make a lot of sense. You are mapping disk blocks to disk blocks (in the case of cryptsetup, literally via devicemapper) and so you have two choices: a) alter the sector size to something weird so you can fit in tags per sector, likely breaking a lot of code that can't cope with this or b) just use XTS and accept that you can't have AEAD.

It isn't like the average hard disk permits padding oracles and chosen plaintext/ciphertext attacks to be mounted easily, except of course if you are storing disk images in the cloud, but then you're using the wrong tool anyhow - do crypto at the file level where you aren't constrained by sector sizes.


> you're using the wrong tool anyhow - do crypto at the file level where you aren't constrained by sector sizes.

Really, I'd say that 99% of the uses of block device encryption would be better served by using a filesystem that supports encryption natively. The remaining 1% is for block devices that handle the encryption in the hardware.


Apple’s crypto implementation is.


And what's the use if you don't know they're not compiling against a backdoored version under the hood?


That's a different question.


No, you're just moving the goalpost (and you're pretty bad at it too)


Perhaps I’m bad at it because I wasn’t doing it at all?

You asked how someone can trust a crypto implementation that isn’t open source. I replied to it directly: it actually is open source. Personally I see the source being available largely irrelevant but I replied to exactly what you asked for.

Your second question is an entirely different topic, which is how you can trust that something isn’t backdoored. Notably, this has nothing to do with whether source is available. How I would typically do that is by inspecting the compiled artifacts themselves, which is the same whether the code is available or not. Of course, this requires that the OS or the AP or the crypto engine isn’t backdoored, for which there exist more involved verification processes. Whether this is possible to do in general is a difficult research area. It is, however, completely divorced from your view on how this works because auditing the properties you’re looking for does not rely on source code at least in a traditional sense.


Hang on, MV3 still lets extensions read web traffic, right? It just can't block it.


Firefox's implementation of MV3 allows both async permission-less blocking (declarativeNetRequest API) and permissioned synchronous blocking (webRequest API). uBO Lite uses the former to provide an ad-blocker without read/write permissions.

You can still write an unsandboxed extension with MV3 (and in Firefox it will still be able to intercept requests, while in Chrome it will not be on the network hot path) but the point is that you can also write a permission-less ad-blocker now, which is what I want.


declarativeNetRequest (https://developer.chrome.com/docs/extensions/reference/decla...) involves loading a ruleset into the browser, which then does the blocking itself inside the network process.
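An added example, not part of the thread and not browser or uBOL code: a simplified model of the declarative approach described above, where the extension contributes only rule data and the matcher returns a decision without handing the URL to extension code. It also speaks to the rule-count question raised earlier in the thread by indexing rules by hostname, so a lookup touches only rules for the request's own domain suffixes. The rules use declarativeNetRequest field names with constructed domains; only the `||host^` filter form, `block`/`allow` actions and `resourceTypes` are modelled, and the index is an illustration, not a description of any browser's internals.

```javascript
// Constructed ruleset in declarativeNetRequest rule shape. This is all the
// extension supplies: data, no code that runs per request.
const CONSTRUCTED_RULES = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example^", resourceTypes: ["script", "image"] } },
  { id: 2, priority: 2, action: { type: "allow" },
    condition: { urlFilter: "||static.ads.example^", resourceTypes: ["image"] } },
  { id: 3, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||tracker.example^" } },
];

// Pad the ruleset with n unrelated block rules to model a large filter list.
function withFillerRules(n) {
  const filler = [];
  for (let i = 0; i < n; i++) {
    filler.push({ id: 1000 + i, priority: 1, action: { type: "block" },
      condition: { urlFilter: `||filler-${i}.example^` } });
  }
  return CONSTRUCTED_RULES.concat(filler);
}

// Group rules by the hostname in their "||host^" filter (simplification:
// other urlFilter forms are rejected rather than silently ignored).
function buildIndex(rules) {
  const index = new Map();
  for (const rule of rules) {
    const m = /^\|\|([a-z0-9.-]+)\^$/.exec(rule.condition.urlFilter);
    if (!m) throw new Error(`unsupported urlFilter in rule ${rule.id}`);
    if (!index.has(m[1])) index.set(m[1], []);
    index.get(m[1]).push(rule);
  }
  return index;
}

// With no resourceTypes listed, a rule applies to every type except main_frame.
function typeMatches(rule, resourceType) {
  const types = rule.condition.resourceTypes;
  return types ? types.includes(resourceType) : resourceType !== "main_frame";
}

// Decide one request. Precedence: higher priority wins; on a tie, allow
// beats block. `examined` counts the rules actually looked at.
function evaluate(index, url, resourceType) {
  const labels = new URL(url).hostname.split(".");
  let winner = null;
  let examined = 0;
  for (let i = 0; i < labels.length - 1; i++) {
    for (const rule of index.get(labels.slice(i).join(".")) || []) {
      examined++;
      if (!typeMatches(rule, resourceType)) continue;
      const beats = !winner || rule.priority > winner.priority ||
        (rule.priority === winner.priority && rule.action.type === "allow");
      if (beats) winner = rule;
    }
  }
  return {
    decision: winner ? winner.action.type : "none",
    ruleId: winner ? winner.id : null,
    examined,
  };
}
```

With 30,000 filler rules loaded, a request to `cdn.ads.example` still examines a single rule, because only the suffixes of its own hostname are looked up.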


You need the webRequest API (that uBO Full is using) from manifest v2 to be able to read the traffic. Without it, you can just block/allow based on rules.

Chrome is deprecating it with v3, Firefox supposedly no.


Unless I'm misunderstanding the docs, the webRequest permission isn't going anywhere, just the webRequestBlocking one. So it doesn't sound like there has been any security win here.


Yeah, I think you're correct. The security win is that you can block without needing the permissions for webRequest which are "can read and modify everything you do"


If you sideload an extension, you can achieve your 0 third-party silent autoupdate goal without compromising on any functionality (though this misfeature should be a per extension toggle at the browser level)


In Firefox, you can disable automatic updates per-extension. So you don't need to sideload to achieve this.


Even better, thanks for the correction


You could also just turn off extension autoupdate.


I considered that a few times, but eventually complex things like modern ad-blockers rot, so I would be forced to update every once in a while, and let's be honest: I am neither qualified nor prepared to audit the diff.

I guess deferring updates would give me lead time to let others get targeted / detect an issue before it's likely I would get the update. Still, installing the permission-less version is so much simpler and reassuring.


I rely on the latter. I am much more concerned about supply chain attacks of mass exploitation than I am about 0day in my Signal client or my browser extensions.

If there is something big enough to warrant quick update, my HN addiction will make sure I find out about it before it is a 1day.

There really isn't a great configuration for browser security rn, is there? The gold standard I think is Qubes, which afaict is not practical.


That only makes a difference if you’re auditing each extension update. Switching to extensions with per-site permissions reduces the attack surface drastically and you don’t have to worry about auditing or disabling updates.


Turning off extension autoupdate sounds like a bad choice, not all updates are malware injected, many of them may contain security updates anyway


So can you tell Firefox to only allow MV3 (or MV3+sandboxed, I guess) extensions then? Or have you manually audited your list of extensions?

I was sort of aware but your post clearly reminds me that Firefox extensions are probably my single biggest point of general vulnerability on my phone and computer, given how much is done in browser.

Appreciate your original thoughts either way.


If you don’t trust the OG ublock what makes you think you can trust the Lite ublock?


the fact that it cannot do a lot of untrustworthy things under the new v3 policy, like remote execute code, that is literally the point.


The point is to neuter extensions to the point where they can't effectively block ads.


Can uBOL be autoupdated to a v2 extension? That would negate this point.


It would only partially negate the point. Any new permissions would trigger a prompt for the user to accept the additional permissions before installing the update. Also there is some aspect of human review for updates to extensions on the Mozilla Addons site.


At that point it would request the global "read and modify all sites" permission, which makes it kinda obvious.


Lack of custom filters is an immediate no-go.


Is there any benefit to ublock origin full fat Vs lite? I've been using it for years on Firefox and android but it sounds like I should switch?


What do you think about using Brave on Apple with its built-in ad-blocking?


Brave just shows a different set of ads.


That's only if you opt-in to the Brave ads.


You use Mac. You are already being attacked by Apple. Both on the permissions to run the computing you want, and your data being harvested by them.

Good on you nonetheless to check one less, but the one still open is much larger, so the fight goes on.


> attackers could still get into Mozilla, Apple (as I run macOS), or cause a backdoored update to be pushed via Homebrew [..] but unsandboxed browser extensions were clearly the lowest hanging fruit

This is a total non-sequitur. The source of all malicious browser extensions is Google, Apple and Mozilla, and none of them have demonstrated any willingness whatsoever to fix the problem, even when a mere grep across their distributed extension base can trivially identify all the various openly advertised trojan SDKs that cause millions of users to be tracked or have their internet connection reused for various shady proxy websites.


You have a different definition of "malicious" than the general public. In fact most of us on HN do. That shouldn't be dictating what browser vendors think of as malicious extensions. Consider an extension that tracks your browsing in exchange for giving you promo codes to get 5% off on some purchase. Plenty of users have considered this kind of trade off and decided that the 5% discount is worth the privacy impact. Most HNers would consider it malicious. But if browser vendors start to block these extensions we would sooner hear news reports of tech companies being overly paternalistic.

You are not speaking for all users and you know it.


No informed user would consent to a Trojan however.


Just like nobody informed is using a smartphone or cloud anything


I'm not clear on what you mean.


The person I replied to said no informed user would go with a Trojan. I disagreed, citing the popularity of modern phones and cloud storage.


One thing I've noticed is that for years uBlock used to say 7% of all data requests was blocked; in this past year it's climbed to 8%. So almost 10% of data transferred is useless to me as it consists of ads, trackers and annoyances.

I wonder in my lifetime how much bandwidth and energy I've saved if a blocker has blocked around 10% of all data requests.

I'll stick with the full version on Firefox.


It's far more than that. uBO is only counting the initial requests. Each of these would load up an entire ad ecosystem that sends follow-on requests and downloads resources. If you look at the total number of requests prevented it would doubtless be far higher.


My one says 26% was blocked. It's shocking.


26% here too. Mind boggling


I'm surprised to hear it's so little.


It sounds like 7-8% of requests. If that's video ads it can be 50% of the actual data transferred?


But then, if you mostly watch videos (or take a video call in your browser), the ads — both video and non-video — can fall to 1% of the actual data transferred.

As each person's internet usage is different, the percentage of requests blocked seems to me a better measurement than the percentage of the actual data transferred.


It is, I was just nitpicking on mixing # of requests and data volume.


not entirely sure if that was a question because it is formed like a statement, but, yes.


Seems low. My pihole (and I’m not trying to compare products just mentioning what I use) routinely blocks about 25% and we don’t tend to go to any shady sites.


true, the amount of data, energy, attention and time saved by adblockers cannot be understated


One interesting thing I noticed while trying to port little-rat to FF, using the same declarativeNetRequest API as uBOL last week:

In Chrom*, extensions can intercept calls from other extensions, while in Firefox, they can't. If anyone happens to have any insight, please let me know.

EDIT: removed links as I'm being downvoted, not trying to promote, just would love to make it work in FF.


How is this different than the uBlock Origin addon for Firefox that I have been running for the last 5 years?


It uses browser provided APIs for filtering, instead of running script injection on every page. This improves security, and performance at the cost of some capability. The reduction in capability comes from the inability to do all kinds of cosmetic filtering, but it lets you enable this on a per site basis.

Check the details on the extension page for more information.


> The reduction in capability comes from the inability to do all kinds of cosmetic filtering

Oh, that's too bad. The cosmetic filtering is incredible. I wonder how much I would be impacted by switching to Lite. Guess I'll try one day.


It's definitely jankier without cosmetic filters. You end up with content holes and weird layouts when trackers or ads don't load -- much like browsing on bad wifi. You still avoid (most) ads.

The new method will almost certainly allow site/ad network operators to work around the block filters more easily than they could uBlock Origin.


Are there stats on performance differences?

Anecdotally, I find that blocking ads and associated garbage massively improves page loading, and FF performs fine even with hundreds of tabs open


Would be nice to see benchmarks, I agree. Will take a stab at it, if I remember #ideas.


"Cosmetic filtering" sounds unimportant, but it's what most people expect from ad blockers. It's a bizarre term.


Yeah I personally prefer "element hiding" as the (once) good old ABP calls them.


> improves security, and performance

> reduction in performance

huh?


Typo, reduction in capability. Corrected above.


thank you for the information


The biggest loss is the ability to add custom Block Element rules, and currently filter lists must be selected from a pre-set list.


Actually, as a volunteer for the project, I personally consider the lack of regex filters, `redirect-rule` and fast updates more severe than the lack of the "hiding elements" ability.


I'm going to use it and not the original uBlock Origin for a week and see how it goes. Only sure way to tell.


Three questions, is this less resource intensive and does it still block YouTube ads?

Also, since it uses manifest v3, how slim are the chances it’ll be ported to Safari?


Can you run both versions? Here's my config for uBlock Origin:

    ||accounts.google.com/gsi/*$xhr,script,3p

    ##.ytp-endscreen-content
    youtube.com##.ytp-scroll-min.ytp-pause-overlay
    youtube.com##.ytp-ce-covering-shadow-top
    youtube.com##.ytp-pause-overlay
    youtube.com##.ytp-ce-covering-overlay
    youtube.com##.ytp-ce-element

    ! 2021-06-10 https://www.statista.com
    statista.com##.vertical-align-content.default.otCenterRounded

    instagram.com##.RnEpo
    instagram.com##body:style(overflow: auto !important)

    ! 2023-07-08 https://www.roadandtrack.com
    www.roadandtrack.com##journey-modal-meter

YouTube ads are blocked, as are those pervasive sign-in requests from Google.


This new addon can't do any cosmetic filtering. It doesn't run any code on the page, only declares filters for network requests.
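The split described in the comments above (network filters that a declarative rule can express versus cosmetic filters that need code on the page), applied to the filter list posted in this thread. This is an added example, not code from any commenter or from uBlock Origin; the parser is a simplified assumption covering only the options shown, and `ads.example` is a constructed placeholder. It goes one step further and marks which rules a hostname-only DNS blocker could also enforce.

```javascript
// Filter lines copied from the comment above, plus one constructed
// hostname-only filter (ads.example is a placeholder domain).
const FILTERS = [
  "||accounts.google.com/gsi/*$xhr,script,3p",
  "##.ytp-endscreen-content",
  "youtube.com##.ytp-pause-overlay",
  "! 2021-06-10 https://www.statista.com",
  "statista.com##.vertical-align-content.default.otCenterRounded",
  "instagram.com##body:style(overflow: auto !important)",
  "||ads.example^",
];

// uBO option aliases mapped to declarativeNetRequest resourceTypes values.
const RESOURCE_TYPES = {
  xhr: "xmlhttprequest", xmlhttprequest: "xmlhttprequest",
  script: "script", image: "image", font: "font", media: "media",
  css: "stylesheet", stylesheet: "stylesheet",
  frame: "sub_frame", subdocument: "sub_frame",
};

// Parse "pattern$opt1,opt2" into a declarativeNetRequest condition.
// Options this sketch does not understand are reported, never guessed.
function parseNetwork(text) {
  const cut = text.lastIndexOf("$");
  const pattern = cut === -1 ? text : text.slice(0, cut);
  const options = cut === -1 ? [] : text.slice(cut + 1).split(",");
  const condition = { urlFilter: pattern };
  const unsupported = [];
  if (pattern.startsWith("@@")) unsupported.push("@@"); // exception filters: out of scope
  for (const opt of options) {
    if (opt === "3p" || opt === "third-party") {
      condition.domainType = "thirdParty";
    } else if (opt === "1p" || opt === "first-party") {
      condition.domainType = "firstParty";
    } else if (Object.prototype.hasOwnProperty.call(RESOURCE_TYPES, opt)) {
      if (!condition.resourceTypes) condition.resourceTypes = [];
      condition.resourceTypes.push(RESOURCE_TYPES[opt]);
    } else {
      unsupported.push(opt);
    }
  }
  return { pattern, condition, unsupported };
}

// Decide what kind of filter a line is.
function classify(line) {
  const text = line.trim();
  if (text === "" || text.startsWith("!")) return { kind: "comment" };
  const cosmetic = /^([^#]*)##(.+)$/.exec(text);
  if (cosmetic) {
    const hosts = cosmetic[1] ? cosmetic[1].split(",") : [];
    return { kind: "cosmetic", hosts, selector: cosmetic[2] };
  }
  return { kind: "network", ...parseNetwork(text) };
}

// A DNS blocker only ever sees a hostname: no path, no resource type,
// no first/third-party context. Return the host if that is enough.
function dnsHostname(net) {
  const m = /^\|\|([a-z0-9.-]+)\^?$/i.exec(net.pattern);
  const c = net.condition;
  if (!m || c.resourceTypes || c.domainType) return null;
  return m[1];
}

function analyze(lines) {
  const report = { dnrRules: [], cosmetic: [], dnsHosts: [], skipped: [] };
  let id = 1;
  for (const line of lines) {
    const f = classify(line);
    if (f.kind === "comment") continue;
    if (f.kind === "cosmetic") { report.cosmetic.push(line); continue; }
    if (f.unsupported.length > 0) { report.skipped.push(line); continue; }
    report.dnrRules.push({
      id: id++, priority: 1, action: { type: "block" }, condition: f.condition,
    });
    const host = dnsHostname(f);
    if (host) report.dnsHosts.push(host);
  }
  return report;
}

console.log(JSON.stringify(analyze(FILTERS), null, 2));
```

The `accounts.google.com/gsi/*` filter becomes a declarative rule but has no DNS equivalent: blocking the whole hostname would also block first-party sign-in, which the `3p` and path conditions are there to spare.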


I guess a year later Google might release some ad CDN on their domain that embeds third party ads and then you are out of luck. Same as Microsoft already did that with news. They try to embed themselves as gatekeepers here too.


Manifest v3 extensions have access to DOM via the content script (same as Manifest v2). Why would they not do cosmetic filtering? Is that something uBlock Origin developers announced?


Presumably because, as the addon name suggests, it is a 'lite' blocker. Declarative network blocking is much more efficient than script injections, so that is used exclusively.

If you want cosmetic filtering, the original uBO is always available.


Safari still has a limited implementation of Manifest v3, so that might affect the timeline. E.g. declarativeNetRequest API, which all adblockers use heavily, is missing very important functionality like redirects.

If this extension doesn't use the missing features then porting is as simple as running a single command to generate an Xcode project and then building the extension executable.


Beginners question, would you happen to know what the Xcode command is?


This Apple Developer documentation page describes the command in detail: https://developer.apple.com/documentation/safariservices/saf...


Whoa, I didn't even know they had a converter. Thanks!


Safari already has a long list of content blockers which block ads by supplying a list of urls to the browser. I use Ka Block! for iOS and it works well enough.


I tried it and after a short time I came across websites that locked me out and told me to disable my adblocker. Even at the highest block level it doesn't change anything. With the normal uBlock Origin version, most sites just work and don't even show the anti adblock notice. An ad blocker that is not able to bypass the annoying anti adblock measures is useless garbage.


I was a Firefox user since Phoenix/Firebird and only recently switched to Brave for performance (although I think I'm going back, given the recent performance gains).

I have also been using uBlock Origin heavily since the start.

I'm not sure I fully understand the purpose of this. If this is a Manifest V3 thing, I thought Mozilla wasn't adopting it ... so why would uBlock need to adopt it on Firefox?

I'm clearly missing something.


I believe the plan is to support it without forcing it, unlike Chrome which plans to force it.


Firefox is also moving to Manifest V3, but a more "relaxed" version that still allows a lot of what is being removed in Chrome.

What seems to have happened here, is that uBO decided that, since they now have a declarative version for Chrome, they may as well release it for FF also (but with a few improvements, apparently).


I think it's a smart move on FF's part (a more relaxed V3). If Chrome goes too heavy-handed with anti-adblockers in V3, people might leave Chrome. Yes, they might leave Chrome for a different Chromium browser, but if they get too heavy-handed there, Firefox and its forks are the last large alternative left.


Unpopular take.

Wouldn't it be more ethical to not visit ad supported websites in the first place? Instead of removing the source of their income while still consuming their content?

Someone should make an extension "SiteBlock Origin": Every time it detects the presence of an ad, the whole website gets blocked, not just the ad. That would be ethically consistent.


No.

The ethical principles written clearly by World Wide Web Consortium are for users, NOT for websites:

> 2.12 People should be able to render web content as they want

> People must be able to change web pages according to their needs. For example, people should be able to install style sheets, assistive browser extensions, and blockers of unwanted content or scripts or auto-played videos. We will build features and write specifications that respect peoples' agency, and will create user agents to represent those preferences on the web user's behalf.

https://www.w3.org/TR/ethical-web-principles/#render

---

> Every time it detects the presence of an ad, the whole website gets blocked, not just the ad. That would be ethically consistent.

By the time the extension knows if there are ads or not, the trackers/fingerprinting connections are already loaded to users' machines.

Written in literature, it sounds awesome. In practice with real programming, it's awful.


they're talking about ethics, and you're talking about authority aka what the w3c recommends


And if rendering contents as client users want is unethical, that authority section won't ever need to exist.


This is not always unethical. We are only talking about ad blocking here.


Despite being called an ethical web principle, that really doesn't make it ethical.


Don't know why there's no reply button under your other reply. (Ah ok, I see it now, looks like HN needs to wait a bit before that button appears).

For me, it's ethical. Loading trackers/malicious connections/contents on my own machine is unethical. That's it. I don't run those on your server, why do you run them on my devices?

What I said is simple: there are ethical principles standing by users' sides, and nothing for websites.

If you think it's unethical, you do you. I won't participate in arguing about your personal preferences.


You can continue to reply through your profile.

Loading malicious content certainly is unethical. I'm not disputing that, I run an ad-blocker and I advocate to everyone that they should.

However, that isn't what we're talking about, we're talking about blocking ads as a concept. It is pretty indisputably unethical as it breaks the social contract of the service delivery.

The fact that it is easy to do, has no punishment, and is incredibly low stakes doesn't make it ethical.


Ads aren’t neutral, informative pieces of information. Most are there to manipulate you, often subconsciously. Eg, all the product placement in tv and movies is subliminal advertising, or the car ads meant to make you think something is high status without ever using a logical argument. Look at what ads have done to our culture over the last 30 years, and the environmental and financial consequences connected to it.


> blocking ads as a concept

Problem is, ads now are trackers. Of course, there are few ads that are not. I also won't mind if the ads are static images (that are not generated from/linked to 3rd-party/trackers) and unable to click on. Thing is, those are just rare, and in practice blockers can't block them by default, because they are not distinguishable from other content. So in general, those are not blocked, and blocking "ads" (the ads that are trackers) is still ethical to me.

And just FYI, blockers have the rule that they don't block self-promotions (self-advertisements) by default.


> It is pretty indisputably unethical as it breaks the social contract of the service delivery.

I would dispute that there is such a social contract, any more than there is a social contract that if you download a patch to fix DRM, you are implicitly agreeing to install the virus it comes with.

Ad-funded businesses are engaging in market dumping, subsidizing their offerings by poisoning the minds of billions of people, and creating anxiety, insecurity, and dissatisfaction in the process. If someone gives you something for free covered in lead dust, and you accept it but clean the dust off first before touching it, I don't see the ethical quandary. Particularly when you know their widget cost them a fraction of a penny, and they were being paid to give you the poison.

Like Bill Hicks said, these people are Satan's little helpers. Engaging with Satan and undermining him may be unwise, but it's not unethical.

As others have pointed out, these people also have a level of stalking going on that I don't think the average person (or even a relatively informed person) can grasp, and so there's no possibility for a social contract to exist there.


Since you like analogies...

There is a supermarket that at the checkout has a bowl of candy that operates on the honour system.

If you push a button next to the bowl of candy an ad will play and you can take a piece of candy. The candy itself costs a fraction of a cent to the business and the business doesn't care to put anyone in place to monitor compliance with button pushing.

This system is known by everyone and operating in this way for decades so there is no deception towards the person at the supermarket.

Is it ethical to take a piece of candy without pushing the button?


In the supermarket analogy, it's more like saying you forgot your shoppers card and having the checkout person scan one for you, or using 867-5309 as your phone number. And no, it's still not unethical. The unethical actor here is Kroger buying every major grocery chain, and adding 20% to your bill if you don't agree to be tracked. Normal humans in the loop, employees included, will happily support you undermining their system.


That's not what I asked, is it unethical to take the candy?


No, it isn't. In practice no human will care whether you push the button. The social understanding is that it's fine to just take the free candy. In fact, the employees probably don't want to hear the ad again, so it is an ethical imperative to not push the button and subject them to that.


There is probably some human who sold the ad space to somebody, and who is monitoring how many button presses there are. And they will probably put pressure on the supermarket to make sure customers are reminded that they have to push the button if they want candy. Sure, the employees are probably sick of the ad, but the people who don't have to hear the ad don't care about them :)


I'd take the candy without watching the ad, for the same reason I refuse to use loyalty cards. Both the ads and loyalty cards are worth more to the supermarket than they are to me. They're basically ripping me off while pretending to give me something gratis.

(Actually, in reality I'd ignore the candy since I don't need more sugar.)


I think eipi10_hn's point is that from the very beginning of designing/imagining the web, those involved wanted to make it a user-controlled experience. So the disconnect here is between two views: a) there is an obligation to support sites by watching ads or b) content providers should know defining principles of this medium dictate that users can block/change/etc so they support content with blockable ads at their own risk. Under b) users blocking ads is ethical whereas sites trying to circumvent ad-blocking are acting unethically. Both stances have merits it seems to me.


In this glorious 21st century where privacy is dead and big govt and tech have the right to monitor and monetize you as they please, Bill Hicks' take on marketing is the only correct one.

I wouldn't have this opinion if user-hostile web advertising and tracking hadn't driven me to it.


What is "it" here?


That blocking ads is ethical.


I ran without an adblocker for a long time with a similar sort of reasoning. What got me to finally install an adblocker is an increase in malvertising. Going to legitimate sites with third party ads resulted in drive by downloads, fake update warnings, fake AV warnings, attempts to get you to install shady extensions, etc. I disable the adblocker for websites that use better ad sourcing methods.

Ex. https://support.mozilla.org/en-US/kb/i-found-fake-firefox-up...


I think this is a key to the argument for ad-block. If it was literally just banner ads without tracking, sure, go right ahead. Modern web advertising is so much more than that (aggressive tracking, data collection without consent, or worse).

I miss getting those banner ads for decreasing my mortgage rates as a 14 year old who doesn't even pay rent yet


Unfortunately “better ad sourcing methods” require a lot of human capital to support (direct-sold ads, constant monitoring of inventory, being able to afford higher bid floors, etc.) or ultimately access to better advertisers by having a large amount of traffic.

All of these are features of larger publishers, unfortunately, which means that smaller publishers suffer more malvertising. So you’re basically just supporting large publishers. Which is definitely better than supporting none, so I still commend you :)


Yeah. Why would we ever want people to have jobs when the executive branch can just pocket those wages for themselves instead.


> Wouldn't it be more ethical to not visit ad supported websites in the first place? Instead of removing the source of their income while still consuming their content?

That's fundamentally not how the web works. If you want me to pay for content, you need to get me to agree to pay for content. Just requesting a page, which I have no way beforehand of knowing contains ads, is not me agreeing to pay for the content. If you didn't want me to view the content without paying for it, why did you send me the content?

This is morally equivalent to the fake monk scam[1] in NYC where a fake Buddhist monk gives you a prayer bracelet and then demands that you pay them for it. You don't get to give people things and then demand that they pay for it when that was never agreed upon. Even if the payment is with their attention.

This is all setting aside the ethical blight that advertising, by its very nature, poses in the first place. Advertising is just lying--either literally, or by omission through presenting a one-sided view of products. There is never a case where advertising is ethical.

Note that the NYT has mostly stopped serving up content to people who haven't agreed to pay for it, and they're doing quite well financially lately.

[1] https://tricycle.org/article/monk-scam/


I don't think it is that unpopular of a take. Generally speaking, Ads and subscriptions pay for the website.

The issue I personally have is:

1) When the Ads themselves contain malware.

2) Eat up all your bandwidth/mobile data.

2.1) Have auto-playing videos / popups.

1) is somewhat rare. But it is something that has happened multiple times with major websites and services.

If I remember correctly, the Washington Post and Yahoo have previously had this issue. Google's Advertisement platform has repeatedly allowed malware to spread via their advertisement system. (Both on Mobile devices, and desktop devices, but usually more focused on mobile devices.)

2) is something I have to deal with everyday on the phone. When on a train filled to the brim, a lot of times the connection speed drops precipitously. In short, I don't have bandwidth to spend on an Ad, especially a video Ad. So I block them all, and usually try not to browse any image or video heavy sites.

2.1) is really just a quality of life thing.


The contract of the web is:

- I ask for a resource

- you give it to me

- any linked resources (stylesheets, scripts, images etc) are up to me to request

Therefore there is no "ethical" conundrum in blocking ads. The ad industry brought this on themselves by trying to push malware, spam and actively trying to make the web worse.


Agreed. Advert blocking wasn’t a necessity until adverts became intrusive, tracking and targeting became pervasive, and every site flooded with cookie banners.

I remember when AdWords was just a humble bar of contextual text links, absolutely manageable. Not so much the case now.


It’s an arms race. The utopian hyper-civilized ethics are replaced when your adversaries are doing everything possible to turn you into a product. Tracking, fingerprinting, creating shadow profiles for you, etc etc, etc without any meaningful consent.

If the adversaries followed idealized ethics, they would respect the DNT header, for one.

That said, actively avoiding those actors who are unethical is commendable. It’s just very difficult to do in practice, since basic communication with eg neighbors, parents, friends are mainly through these channels.


This is an interesting argument. I own my computer and network, should I not be allowed to control what content is or is not allowed in my network? I guess the corollary that would follow from MY argument is that they should be permitted to block me from accessing their site if they see I'm not permitting ads


Exactly, users are the ones who should allow and block what content is served to their devices, NOT the websites.

> 2.12 People should be able to render web content as they want

> People must be able to change web pages according to their needs. For example, people should be able to install style sheets, assistive browser extensions, and blockers of unwanted content or scripts or auto-played videos. We will build features and write specifications that respect peoples' agency, and will create user agents to represent those preferences on the web user's behalf.

https://www.w3.org/TR/ethical-web-principles/#render

Don't fall for how ad companies/corporations are trying to shape users' thoughts.


>I guess the corollary that would follow from MY argument is that they should be permitted to block me from accessing their site if they see I'm not permitting ads

That's pretty much what Medium and many general news sites are doing. I haven't paid for one yet, but I can respect the move if it means they don't need to rely on clickbait to build a customer base.


Judging by all the titles on medium, click bait is still an important part of revenue, it's just not driving ads consumption but subscriptions


People don’t block ads because they want to deprive websites of income. They block ads because they have been driven to it, by the ads themselves.

This could be avoided if websites served ads responsibly: no JS, no animations, no video, no audio, no tracking, no scam merchants, no tricks, no manipulation, no unskippable ads, no dishonesty.

Almost no websites do this, so I have no ethical qualms giving the ads the banhammer.

Once websites start respecting their users, then we can have this conversation about ethics, but not a second before.


Why are some sites blocked from the net due to having just a link to a «bad» website, while many other sites and ad networks receive zero punishment for their active attempts to scam victims or harm victims' computers?


Examples?


Google «Copyright liability for hyperlinking».


Ah, I thought it's related to uBO.


Fair point and I do pay for ad free browsing in a few sites. But consider

1. Sites that don't have any other model. E.g. my favorite game news website is Gematsu, but holy heck are the ads crazy intrusive. On mobile we are talking full screen video ads that have a tiny X to remove... for maybe 1 minute. I've expressed interest multiple times to donate or otherwise do something to directly fund the site but nothing has come up. And even if I did move on to make a point, this model isn't something that has spread to many, if any, modern gaming news sites (and I've long since left Reddit, a topic in and of itself). Do I just give up on gaming news and let clickbait YouTubers inform me instead of written articles?

2. Exploratory purposes. I'm not going to know which and what websites do or do not have ad support, and most of my browsing when searching is very casual. I wouldn't feel too compelled to either turn off my ad block or pay a sub for some place I googled up once 3 months ago for a quick answer. I don't quite have an answer for this one.

3. uBlock isn't simply blocking ads: trackers, certain cookies, overly large media elements, JavaScript, remote fonts, even individual pieces of HTML elements you specify in a CSS manner. It's so much more powerful and privacy-oriented than a simple ad blocker. If it closed off any site with any of these issues there simply wouldn't be an internet to browse.

It's a compromise at the end of the day, and I can only look out for myself at some point. I'm not necessarily trying to teach websites a lesson per se.


> If it closed off any site with any of these issues there simply wouldn't be an internet to browse.

That's actually not true. It's just that it's much harder to find that internet, because search engines are controlled by advertisers.


Well sure, it's not going to literally block every single website (to my surprise, HN in fact seems to lack all of the above factors. Or at least uBlock cannot trace them. Kudos). But so much of the internet is closed down that I essentially cannot rely on anything that isn't a small personal blog (that is NOT hosted by any of the major web deployment platforms, e.g. WordPress).

I'd need to roll my own email provider (and deal with that fallout since I'm now "spam". Ironic), cannot apply to 99% of job portals (employer nor job boards), cannot use most of my productivity apps on the web, and I still can't access most major news, subscription or not. If I was still in school there's a non-zero chance I can access my class portals.

I can replace most of these, but not all.


I agree, blocking all sites that have ads, dark patterns, etc. isn't really pragmatic given the current state of the internet.

All I'm saying is that there are sites that don't do these things. That's an important reminder because I'd like people to support those sites when possible (but again, I agree that's not always possible).


Running uBlock is like not looking at an ad. Would you support TV that requires you to focus on an ad while it's running?


I don't think it's quite the same because ads don't care if you are "focusing on the ad". Well, they kinda do, but not by any useful metric (idling on a computer =/= engaging with the ad).

It's more equivalent to changing the channel during a commercial, which seems to be what the GP is implying as an action.


Which works great until most channels conveniently have commercials running at the same times


I'd use that. As it is, I often back out from sites that ask me to disable my adblocker, and often do the same when the cookie-choice pop-up is present; it's a helpful check on how I'm spending my time. I'm absolutely spoiled for choice there, and as with a meal of mostly minimally-processed plants, I feel best after reading a book. Which is not to say I never eat/read the snack/article that is quickly but momentarily diverting.


As my hair grays I have reached the determination that for-profit advertising itself is systematically unethical. Maybe it was ethical many, many decades ago; here today any moral values it once had are long gone.

To that end any mechanism that reduces the presence and effect of advertising is a moral imperative.


> for-profit advertising itself is systematically unethical

Very interesting. Can you please expand a bit more on why do you think this is the case?


Not oc, but I share some of this sentiment. Modern advertising is heavily based on behavioral science, psychological and especially emotional manipulation. This is on top of extreme methods to hijack your attention at all cost. It might sound like hyperbole but if you read marketing case studies you realize this isn't only the norm, it's something they take pride in, especially when it appears to work (which it does).

In my view, blocking this isn't just morally just, it's absolutely necessary. I deliberately choose not to partake in this and not be a target for manipulation to the best of my ability.

Maybe there was a time when advertising was more about creating awareness instead of feeling and making you want the product, but advertising changed dramatically over the 20th century. There's quite a lot of reading material out there if you're interested.


Also not oc, but…

Without advertising, “content marketing”, and paid placements/reviews people would buy things when they desire or need them.

They’d ask friends, compare specs, and read/watch reviews before determining what to buy.

That is: without ads, people would gravitate towards buying what fits their needs best. They would make generally rational choices given the information available.

Advertising’s job is to subvert those rational choices and make people buy something, whether it’s the best option or not. In fact, even when they don’t actually want or need anything at all.

It causes people exposed to it to spend money unnecessarily, and on the wrong products and downright bad products. Some are more susceptible than others, but in the end it’s an illegitimate tax levied every time you buy something. Even if you didn’t respond to advertising when making a purchase, advertising is so ubiquitous and necessary in most markets that the price you paid probably contributed to the advertising the manufacturer had to deploy to keep up with the arms race.

There’s nothing ethical or necessary about any of this.

Ideally there would be legislation that would force business models to change, but while there is not, ad blocking is absolutely an imperative.


"That is: without ads, people would gravitate towards buying what fits their needs best. They would make generally rational choices given the information available."

Not to sound snarky, but have you met humans? If sociology and economics have shown anything, it's that humans do NOT make rational consumption choices.


I agree with the sentiment but I’d wager the choices they make are more rational without ads than with, which is all the argument needs.


The web is, in theory, an open venue, and somebody publishing on the web is not unlike somebody performing in the street. It is not your duty, as the consumer, to ensure the producer’s income—particularly not at the expense of your privacy. The producer has something to say, and you the consumer are willing to hear it: that may just as well be the extent of your relationship. How, or even whether, the producer monetizes this state of affairs is not the consumer’s responsibility, though some consumers (who can) may choose to patronize the producer.


If the site offers an ad-free paid subscription model, that's reasonable. I mean, it'd be much better just to redirect to the sign-up page. However, if the site is so user hostile that they think bombarding users with invasive ads is the only way to monetise, well that's on them.


Even better: if it offers a way to pay a few cents to read _this one article_. I don't want to subscribe to hundreds of websites for reading a single article every so often.


I don't care about the ethics here because the ad companies, the parasites they are, don't give a shit about ethics. They track every single possible thing there is to track about a person and sell that information to anyone with a couple of bucks to spend.

Funnily enough, of all websites out there one of the best is still 4chan when it comes to ads. They have 2 banners, one at the top of the page, one at the very bottom of the page. These are static banners, at most a gif, with no tracking pixels or fingerprinting capabilities or any other similar form of horrid, unethical behavior. No embedded ads masquerading as regular content, nothing that blocks interaction on the page, just simple banners that target the site's particular niche like anime or cheap junk from Japan.

But as long as websites aren't using this model of ads and are instead opting for something disgusting like https://fingerprint.com then you won't see an iota of sympathy or care for "ethical" behavior from me.


Not visiting cost them nothing. No serve, no cost.

Viewing the ad made them money.

Visiting and not viewing the ad lost them money. They paid for the server but made no money.

Only one of these three options is painful enough for them to get the point. It’s harsh I know, writers need to eat, but they need to understand I won’t “pay” them with my eyeballs unless the site is usable in return at a bare minimum.


IMO showing advertising itself is unethical and there’s no right to force anyone to see an advertisement, no matter how much some companies would like there to be.

Any content you make available publicly is fair game to be remixed, reformatted, summarised, and yes, ad-blocked.

It’s not the user’s job to make someone’s business model work.


In the end I just don't care about being ethical to these companies. It’s like screwing over my drug dealer.


Advertising is unethical. If you publicly provide data I have no ethical contract to be forced to use that data in a certain way. If you want to force ads then use a different delivery mechanism and at that point I will gladly entirely avoid it


> Wouldn't it be more ethical to not visit ad supported websites in the first place?

There is a negative feedback loop where most third party content is only published on the most popular sites, so it becomes impossible to entirely avoid these sites even if the companies behind them are cancer.

> That would be ethically consistent.

Don't drag ethics into a mud fight with billion dollar companies. I lived through ads that faked download buttons, faked virus alerts, provided links to fake "official" download sites with malware or directly tried to infect your computer. The only ethical thing you can do with the ad industry is rob those rotten sociopaths blind.


no, the web wasn't intended to be such a commercial hellscape. if you want to make money ethically you should come up with your own way to reach people.


That's already what I am somehow doing. I always think twice before opening a link.

Reddit, Mastodon, Lemmy, etc. already sanitize websites I read, and often I just read the comments, not the article.

Often people quote important parts of the article in the comments.

Ad blockers are like an antibiotic: I use them, but I also try not to expose myself to germs.


I'll be ethical about ads when the ads are ethical about me :)


Oh no. He caught us.

Oh well...


This seems to do network-level filtering based on the provided filter lists.

If I have a Pi-Hole / Adguard Home running in my network and use it as a DNS, that would mean this extension is useless for me (given I use the same and more filter lists)?


Cool to have this available in FF too. Other than less permissions I can also compare the behaviour directly with chrome now.


Is there any upside to mv3 in terms of ublock/adblocker usage detection?

I understand the significant security implications (whether or not you agree with mv3), but found myself wondering if the permissionless model might make it harder to detect a user adjusting the page at a different point in the request/response/draw cycle.


TIL it can be installed into Thunderbird [1], awesome. Is this thanks to the MV3?

[1] https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...


why don't we block ads at the operating system level instead of at the browser level? If we are talking about having more security and performance, wouldn't it make more sense? Not sure I understand how ublock origin works; does anyone have a summary on this?


The operating system level does not have as much information as the browser so it would be much less effective. You could do domain-level blocking (mostly) but miss lots of granularity on URLs, types of requests, contexts of request (what's the URL of the parent frame?), etc.

Also it would be impossible to perform cosmetics injections (scriptlets, alterations of the DOM, etc.)

It might already provide a good base-line but definitely not enough for all cases (e.g. YouTube ads, etc.)


Most of the network streams are encrypted at the os level.


But this would make Windows 10+ unable to boot =[


Why operating system level and not network level? See Pi-Hole (or NextDNS, Adguard DNS)


because the operating system can't see what's going on inside the connection or even know about the semantics of individual elements, the user-agent does that.

the value of dns/ip level blocking is diminishing as resource density per host increases due to ipv4 shortage and should be completely impractical with ipv6 due to address space size.


> why don't we block ads at the operating system level instead of at the browser level?

sure, we do that, too: https://github.com/StevenBlack/hosts


I use out-of-the-box defaults for uBO -- would I notice any difference with uBO Lite?


Someone should make a hardware equivalent, something like a Rpi that sits between your wifi router and modem, that just blocks any advertising JS.

Yes, pi-hole exists, but I get the feeling that's considered "too nerdy". I mean something that's about the size of a rubik's cube, ethernet in/out, power, and works out of the box with zero configuration needed.


That would require decrypting connections to HTTPS websites and would require deploying a root certificate to all client devices on the network, which is probably more complicated than installing a browser extension.


At minimum you'd need to install another SSL certificate in your browser to allow it to intercept HTTPS.


I just configured my Router to use AdGuard's DNS over TLS. No additional device needed that you need to maintain, yet all sorts of advertising domains are blocked.

Still, that alone is not as effective as an extension that sits in the browser, that understands and can see the contents of the HTTP requests and responses.


NextDNS is what I use after running into various networking issues with RPi.


My favorite use of uBlock Origin is opting-in to allow javascript per site. I miss this functionality on mobile.


Firefox for Android can install uBlock Origin and do this.


I don't see it in Firefox for Android :(


I believe Firefox curates the installable extensions on android/mobile.


They are going to finally crack open the full add-on library soon. Sometime after September if I remember correctly.


Yep!

> In the coming months Mozilla will launch support for an open ecosystem of extensions on Firefox for Android on addons.mozilla.org (AMO). We’ll announce a definite launch date in early September, but it’s safe to expect a roll-out before the year’s end.

https://blog.mozilla.org/addons/2023/08/10/prepare-your-fire...


You can already install any addon by creating a collection but it's a pain in the ass...


Don't use Firefox on Android. Use Firefox Nightly instead.


>Use Firefox Nightly instead.

Don't. Use Fennec instead https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/


Would this be ported to Safari?


The safari rules are even less capable than that, last time I checked.



Interesting.

I tried to make a Safari extension and it is a really ridiculous experience. You need to write basically two “wrapper” native Swift/ObjC apps, in addition to the javascript extension. I thought they were making fun of me.

And in addition to THAT nonsense, the extension is far less powerful than in other browsers (random things not implemented).


If you're worried about blocking ads, Safari is not the browser to use. Just use something better.


I use Safari every day and don’t see any ads.


Do you visit websites with it?


Safari users keep repeating this, but it's simply not true: go open http://twitter.com and see for yourself.


The people responding to me don’t really seem interested in reality, so I’m not interested in engaging with them.

For anyone who is: Safari has Adblock extensions that work as well as any other browser, and they work on mobile Safari too.

Install AdGuard.


Kind of a brilliant compromise, actually. By default it's a declarative content-blocker, but if you run into a specific site that shows ads you can enable the full-fat uBlock Origin featureset there.


No, it's not full-fat uBO. It's more prone to anti-adblock/ads-reinsertion (problems with `redirect-rule` and unable to do fast updates) and ads/trackers/popups can slip through if they cannot be caught by regex filters.


Now it's time to revive uBO for Safari, same model imho.


I'm looking forward to using it on safari


FWIW, Firefox and uBlock on my Android phone will always keep me on that ecosystem. My desire to go into the Apple ecosystem (because of supposed privacy protections) faded as soon as I learned I can't really have a good ad blocking solution there.


> FWIW, Firefox and uBlock on my Android phone will always

uBlock was the original name for the add-on that subsequently was ethically compromised/"sold out to" advertisers

uBlock Origin is the 2nd version written by the original author (gorhill) and is not compromised.

Just wasn't sure which you are talking about


I appreciate what you're trying to do here, but when I search for "uBlock" on Firefox's Add-ons, only uBlock Origin comes up in the first 6 pages. It looks like it's still available (and even "Featured") in the Chrome ecosystem, but in the context of Firefox it's no longer ambiguous which one they're referring to.

https://addons.mozilla.org/en-US/firefox/search/?page=1&q=ub...


It's good to know people are unlikely to get the wrong one.

It's still called uBlock Origin, and in general I don't think keeping track contextually of when you can get away with a name collision is a great way to do things, and this is an area of privacy concern so I think many of the people interested in the space would like to remain educated about it.


I'm using Orion on iOS which has native ad blocking and supports a good number of Chrome and Firefox extensions. Even without uBO I have a virtually ad-free experience.

https://browser.kagi.com/faq.html#safari


I’m super impressed with orion as well. I use an iPad and Orion provides a decent support (still a WIP though) for Firefox/chrome desktop extensions to run in iOS. After Reddit axed third party support, I almost stopped browsing Reddit until I found out I can run RES with old.reddit inside Orion. This has been an absolute game changer for me.


Every browser on iOS pretending not to be Safari is also huge no.


Orion on iOS is not a Safari reskin. It uses WebKit, but the similarities end there.


Again: every browser on iOS is a Safari reskin because it cannot be otherwise. Safari and WebKit are essentially the same thing (download WebKit on Mac to find out)

Only “remote browsers” like Opera Mini can currently use something other than the system’s webview.


If it uses webkit, then it 100% is a Safari reskin.


How is adding ad-blocking a reskin?


More specifically it uses WKWebView. You can’t compile WebKit yourself to include in an app, which means less flexibility than non-iOS WebKit apps and Chromium forks. Their complaint is valid (“reskinned safari” is just a casual way of saying this)


I’m not saying that it’s as good technically, but I use AdGuard for Safari together with NextDNS and it seems to do the trick. Probably just using NextDNS would go a long way.


I use these:

https://www.reddit.com/r/Adblock/comments/koowte/encrypted_d...

I like how I don’t need a separate app (just install the profile) but I do wonder if I need to implicitly trust the website that has the profiles for download.

So far so good though.

I use the mullvad ones. Sometimes it breaks public wifi signins, so I switch to a less restrictive one in those situations (usually CIRA, which is the Canadian domain registrar)

The really nice thing about DNS profiles is that they’re system wide, so it works against in-app ads too.


Is AdGuard a proprietary product? I recall looking into it and being a bit turned off once I learned it's not FOSS.


Most repos here show GPLv3 as the license: https://github.com/AdguardTeam


I'd be delighted to be mistaken, because Safari on iPhone sucks with all the ads.


the iOS one is closed. Linux and browser exts are open.


Could you possibly be referring to the AdguardForiOS code with the GPLv3 license?

https://github.com/AdguardTeam/AdguardForiOS/blob/master/COP...


Huh, I didn't know. But it seems like the repo lags behind what's on the appstore by two minor versions.

Honestly, no idea.


What Adblock features are missing on iOS?


iOS (and macOS Safari) only has the stupid "declarative blocking" functionality which is trivial for ads to bypass. In addition, it often breaks websites because it can't inject runtime code (like uBlock filters can) to substitute malicious JS payloads with neutered versions that still expose the same API so the rest of the JS doesn't error out.


That’s false. iOS has had full-fledged extensions for years now. Nothing stops uBO from existing on Safari other than stubbornness.

Most serious iOS content blockers ship both a native list (or multiple) and an active counterpart, usually focusing on YouTube ads.

However I am aware that adblocking is still poor on Safari, maybe nobody just can match uBO


You are mistaken. Safari removed the APIs necessary for an uBlock port (there used to be one), see https://github.com/el1t/uBlock-Safari/issues/158.

Injecting code via Web Extensions is too late for reliable blocking - by then, either the malicious JS you are trying to defuse has already run (if it wasn't blocked declaratively), or if not then the rest of the page's JS depending on it has already exploded and "fixing" it after the fact (by substituting a neutered shim via Web Extensions) doesn't fix the rest of the page.


In theory you are right, in practice it works just as well.


That depends a lot on the site. It works well on some, but on others it's just not enough.

Safari/iOS blocking is closer to uBlock Origin than to DNS blocking, but is not as powerful as uBO and some sites "exploit" those limitations.


No, it really does not. My iPad with safari and safari filters next to my android with firefox + ublock is nowhere near as comprehensive. Even news websites sneak ads into safari.


Got any example urls handy? I’m using AdGuard and I just don’t recall getting ads anywhere I visit. I’m interested to see if any slip through.

The only exception I can recall right now was youtube but SponsorBlock does great there in Safari.


Browser extensions, which can block HTML elements based on arbitrary selectors rather than just origin domain.


Safari does actually support CSS selectors in its content blocking API. However, see my other comment on this very subthread, it's nowhere near enough and is trivial for ads to bypass.


there are many good ad blocking solutions on desktop and mobile safari.


They are equivalent to "Manifest V3" blockers (like this one). It's nowhere near as good as original uBlock Origin.


No, there are full ad blocker solutions on iOS: https://browser.kagi.com/faq.html


Mh yeah I am on iOS and at home I have pihole and on the road I have mullvad with ad/tracking/etc. blocking, and can't complain, I never see ads. I think right now all use the same adblock lists more or less, so staying in an ecosystem for that seems, I mean everyone makes their choices, but there are harder things to overcome


brave supports the ublock filters


So you’re trading in (supposed) privacy protection for a couple less ad impressions or broken site visits?

I mean, to each their own principles but…


Why is gorhill entertaining Manifest V3 when it's explicitly meant to kill ad-blocking?

We need an opinionated browser that isn't bought-and-paid-for opposition like Mozilla is to Google, and standards committees who aren't beholden to corporate profits. The Web is supposed to be for everyone, not just Google.


IMO releasing an MV3 version that people can actually try and see how much it is being crippled might make them realize how shitty it's going to be if Google wipes out every other web browser not based on Blink.


Now the best hope you get is Ladybird


"uBOL is entirely declarative, meaning there is no need for a permanent uBOL process for the filtering to occur, and CSS/JS injection-based content filtering is performed reliably by the browser itself rather than by the extension."


So this is basically the manifest v3 version for Chrome, ported to Firefox?


> MV3-based content blocker

Yes.


I assume Firefox doesn't have Chrome's arbitrary limit on the number of filtering rules, right?


I do know that Firefox has no plans to deprecate webRequests API (that the non-lite version depends on), while also supporting declarativeNetRequest (that the lite version depends on) for compatibility.

What I don't know is:

1) whether their implementation of declarativeNetRequest has that arbitrary limitation

2) whether uBO Lite ships the same (limited) filters in the Firefox release.

I'm guessing 2) is true for simplicity, but that's purely a guess.


While I was trying to find out what Firefox's limits are I came across this interesting issue on the W3C's webextensions repo: https://github.com/w3c/webextensions/issues/319

4 days ago the Chromium developers proposed upping the limit for certain types of declarativeNetRequest rules based on data AdGuard provided on real world rule lists. https://docs.google.com/document/d/1srkkCJkl4X2KOOUwnpDd-kvm...


With the ability to whitelist domain to have full blocking.


Does this mean that uBOL is less capable and can't block certain ads? Is this expected to be eventually remedied?


I don't believe the full version is planned to be replaced by this one. I think this is basically since they did the work to get this version that would work in Chrome after they reduce the permissions available to adblockers, they just launched it for firefox too in case anyone is really bothered by ublock's permissions.


The remedy is to switch to Firefox and continue using the extensions that aren't being broken on purpose by a company abusing their monopoly position.

But there will be a bunch of posts in this thread about people bemoaning Firefox because they have to have thousands of tabs open all at once everyday and Firefox renders them a second or two slower. There will also be people who will complain that the dev tools aren't exactly like what they learned in college/their boot camp so they can't spend dozens of minutes learning the Firefox tools so they can make their CRUD SPA load megabytes of JSON outside of Chrome


I don't particularly blame Mozilla/Firefox for this but it is obvious to me the writing is on the wall for the "non-lite" version of the extension, due to Chrome stealing all the manpower towards the lite version. The fact that the author is now publishing the "lite" extension also for Firefox itself looks as confirmation to me. The author's description even seems to praise Manifest v3 in the same way Google PR did.

Who wouldn't? It's one less version to maintain, and you're not going to stop maintaining the one most people use.


> The author's description even seems to praise Manifest v3 in the same way Google PR did.

No, it simply declares the goal of that add-on: to fully comply with declarative ways of MV3 AND its limitations, and no uBO extended features that need workarounds to be implemented.

He's stricter with Lite than with the full version:

- https://github.com/uBlockOrigin/uBOL-home/issues/17

- https://github.com/uBlockOrigin/uBOL-home/issues/6#issuecomm...


I'm not so pessimistic that no maintainer would be interested in maintaining the full fat uBo. I've got to imagine there's still quite a few people using the project.

To some extent I have to ask - who cares that Chrome is more broadly used? That never stopped Firefox and its extensions from becoming popular in the first place. All it took for Firefox to rise was the competition being crap, and well the competition is becoming crap. Chromium's monopoly doesn't stop a few contrarian developers from continuing to keep their websites Firefox compatible.


Google pushes Chrome across all its web properties. Between Chrome itself and its soft forks I see little reason for hope. Especially since Mozilla gets so much hate from power users such as those here.


All snark aside, Firefox is probably the last browser you should use if you care about extensions (or other functionality) not being broken on purpose or arbitrarily removed with no notice, recourse, or opportunity for feedback.

Firefox has done this to me multiple times. As someone who uses a web browser as a tool for both business and pleasure, and as someone who does not appreciate flag days forced on me for no good reason, I am perfectly happy and have encountered far fewer surprises with a chromium fork.


Thing is, Firefox doesn't break extensions with malice. I'll take a hundred "oops, our update broke some extensions", or, more fairly, "we broke a lot of extensions to provide orders-of-magnitude better performance", over a single instance of "Fuck your AdBlocker, it's cutting into our profit margins".

That latter category of breakage, which Firefox has never done, and has no motive to, is the reason I will never use the shameless antitrust-case-in-waiting Chrome, or any of its pseudo-independent offspring.


Sufficiently advanced indifference is indistinguishable from malice.


Do you have an example of an addon this has happened to you for? I've had the opposite experience (stuff breaking on Chrome and well, never had an issue with it on Firefox).


The fully-capable version is regular uBlock Origin.


The purpose of Manifest V3 is to be less capable. uBOL, implementing this, is less capable by design.

This won't be remedied because it is the point of Manifest V3. Google is an ad company. The next step is the Web Integrity API, where the website can block you if you have even uBOL.


The remediation is the ability to whitelist/grant full access to specific domain to allow for advanced blocking.


I have a question about this. The page says that uBOL has "limited capabilities out of the box" due to it "not [requiring] broad 'read and modify data' permission". But you can give it broad permission ("Complete mode"). Does that mean that if someone uses uBOL in Complete mode (a) it will have the same capabilities as uBO, and (b) it will use less resources than uBOL (no permanent process)?


(a) No, uBOL will still have many missing capabilities compared to uBO even in full mode, more prone to anti-adblock/ads-reinsertion (problems with `redirect-rule` and unable to do fast updates) and ads/trackers/popups can slip through if they cannot be caught by regex filters.


"hence its limited capabilities out of the box compared to uBlock Origin"


uBlock origin is probably the best project to be created in the last decade. The amount of websites that are unusable with ads is crazy.



