[HN Gopher] uBlock Origin Lite now available on Firefox
___________________________________________________________________
uBlock Origin Lite now available on Firefox
Author : tech234a
Score : 185 points
Date : 2023-08-21 21:23 UTC (1 hours ago)
(HTM) web link (addons.mozilla.org)
(TXT) w3m dump (addons.mozilla.org)
| kwstas wrote:
| Cool to have this available in FF too. Other than less
| permissions I can also compare the behaviour directly with chrome
| now.
| thisisthenewme wrote:
| FWIW, Firefox and uBlock on my Android phone will always keep me
| on that ecosystem. My desire to go into the Apple ecosystem
| (because of supposed privacy protections) faded as soon as I
| learned I can't really have a good ad blocking solution there.
| lnxg33k1 wrote:
| Mh yeah I am on iOS and at home I have pihole and on the road I
| have mullvad with ad/tracking/etc. blocking, and can't
| complain, I never see ads, I think right now all use the same
| adblock lists more or less so staying in a ecosystem for that
| seems, I mean everyone do their choices, but there are harder
| things to overcome
| [deleted]
| kmlx wrote:
| there are many good ad blocking solutions on desktop and mobile
| safari.
| Nextgrid wrote:
| They are equivalent to "Manifest V3" blockers (like this
| one). It's nowhere as good as _original_ uBlock Origin.
| dharmab wrote:
| No, there are full ad blocker solutions on iOS:
| https://browser.kagi.com/faq.html
| hnarn wrote:
| I'm not saying that it's as good technically, but I use AdGuard
| for Safari together with NextDNS and it seems to do the trick.
| Probably just using NextDNS would go a long way.
| metadat wrote:
| Is AdGuard a proprietary product? I recall looking into it
| and being a bit turned off once I learned it's not FOSS.
| Nextgrid wrote:
| Most repos here show GPLv3 as the license:
| https://github.com/AdguardTeam
| metadat wrote:
| I'd be delighted to be mistaken, because Safari on iPhone
| sucks with all the ads.
| SSLy wrote:
| the iOS one is closed. Linux and browser exts are open.
| Scoundreller wrote:
| I use these:
|
| https://www.reddit.com/r/Adblock/comments/koowte/encrypted_d.
| ..
|
| I like how I don't need a separate app (just install the
| profile) but I do wonder if I need to implicitly trust the
| website that has the profiles for download.
|
| So far so good though.
|
| I use the mullvad ones. Sometimes it breaks public wifi
| signins, so I switch to a less restrictive one in those
| situations (usually CIRA, which is the Canadian domain
| registrar)
|
| The really nice thing about DNS profiles is that they're
| system wide, so it works against in-app ads too.
| isykt wrote:
| What Adblock features are missing on iOS?
| Zak wrote:
| Browser extensions, which can block HTML elements based on
| arbitrary selectors rather than just origin domain.
| Nextgrid wrote:
| Safari does actually support CSS selectors in its content
| blocking API. However, see my other comment on this very
| subthread, it's nowhere near enough and is trivial for ads
| to bypass.
| Nextgrid wrote:
| iOS (and macOS Safari) only has the stupid "declarative
| blocking" functionality which is trivial for ads to bypass.
| In addition, it often breaks websites because it can't inject
| runtime code (like uBlock filters can) to substitute
| malicious JS payloads with neutered versions that still
| expose the same API so the rest of the JS doesn't error out.
| veave wrote:
| In theory you are right, in practice it works just as well.
| luuurker wrote:
| That depends a lot on the site. It works well on some,
| but on others it's just not enough.
|
| Safari/iOS blocking is closer to uBlock Origin than to
| DNS blocking, but is not as powerful as uBO and some
| sites "exploit" those limitations.
| vorpalhex wrote:
| No, it really does not. My iPad with safari and safari
| filters next to my android with firefox + ublock is
| nowhere near as comprehensive. Even news websites sneak
| ads into safari.
| CraigJPerry wrote:
| Got any example urls handy? I'm using AdGuard and i just
| don't recall getting ads anywhere i visit. I'm interested
| to see if any slip through.
|
| The only exception i can recall right now was youtube but
| SponsorBlock does great there in Safari.
| bandergirl wrote:
| That's false. iOS has had full-fledged extensions for years
| now. Nothing stops uBO from existing on Safari other than
| stubbornness.
|
| Most serious iOS content blockers ship both a native list
| (or multiple) and an active counterpart, usually focusing
| on YouTube ads.
|
| However I am aware that adblocking is still poor on Safari,
| maybe nobody just can match uBO
| blibble wrote:
| brave supports the ublock filters
| leokennis wrote:
| So you're trading in (supposed) privacy protection for a couple
| less ad impressions or broken site visits?
|
| I mean, to each their own principles but...
| fsckboy wrote:
| > _FWIW, Firefox and uBlock on my Android phone will always_
|
| _uBlock_ was the original name for the add-on that
| subsequently was ethically compromised /"sold out to"
| advertisers
|
| _uBlock Origin_ is the 2nd version written by the original
| author (gorhill) and is not compromised.
|
| Just wasn't sure which you are talking about
| lolinder wrote:
| I appreciate what you're trying to do here, but when I search
| for "uBlock" on Firefox's Add-ons, only uBlock Origin comes
| up in the first 6 pages. It looks like it's still available
| (and even "Featured") in the Chrome ecosystem, but in the
| context of Firefox it's no longer ambiguous which one they're
| referring to.
|
| https://addons.mozilla.org/en-
| US/firefox/search/?page=1&q=ub...
| dharmab wrote:
| I'm using Orion on iOS which has native ad blocking and
| supports a good number of Chrome and Firefox extensions. Even
| without uBO I have a virtually ad-free experience.
|
| https://browser.kagi.com/faq.html#safari
| nixass wrote:
| Every browser on iOS pretending not to be Safari is also huge
| no.
| dharmab wrote:
| Orion on iOS is not a Safari reskin. It uses WebKit, but
| the similarities end there.
| wahnfrieden wrote:
| More specifically it uses WKWebView. You can't compile
| WebKit yourself to include in an app, which means less
| flexibility than non-iOS WebKit apps and Chromium forks.
| Their complaint is valid ("reskinned safari" is just a
| casual way of saying this)
| NotYourLawyer wrote:
| If it uses webkit, then it 100% is a Safari reskin.
| bandergirl wrote:
| Again: every browser on iOS is a Safari reskin because it
| cannot be otherwise. Safari and WebKit are essentially
| the same thing (download WebKit on Mac to find out)
|
| Only "remote browsers" like Opera Mini can currently use
| something other than the system's webview.
| meruem wrote:
| I'm super impressed with orion as well. I use an iPad and
| Orion provides a decent support (still a WIP though) for
| Firefox/chrome desktop extensions to run in iOS. After Reddit
| axed third party support, I almost stopped browsing Reddit
| until I found out I can run RES with old.reddit inside Orion.
| This has been an absolute game changer for me.
| rc_kas wrote:
| How is this different that the uBlock Origin addon for Firefox
| that I have been running for the last 5 years?
| captn3m0 wrote:
| It uses browser provided APIs for filtering, instead of running
| script injection on every page. This improves security, and
| performance at the cost of some capability. The reduction in
| capability comes from the inability to do all kinds of cosmetic
| filtering, but it lets you enable this on a per site basis.
|
| Check the details on the extension page for more information.
| 38 wrote:
| > improves security, and performance
|
| > reduction in performance
|
| huh?
| captn3m0 wrote:
| Typo, reduction in capability. Corrected above.
| afterburner wrote:
| > The reduction in capability comes from the inability to do
| all kinds of cosmetic filtering
|
| Oh, that's too bad. The cosmetic filtering is incredible. I
| wonder how much I would be impacted by switching to Lite.
| Guess I'll try one day.
| mtzaldo wrote:
| I dont see it in firefox for android :(
| greazy wrote:
| I believe Firefox curates the installable extensions on
| android/mobile.
| eco wrote:
| They are going to finally crack open the full add-on library
| soon. Sometime after September if I remember correctly.
| FiloSottile wrote:
| This is the uBlock Origin edition based on the much-maligned
| WebExtensions Manifest V3, which implements blocking
| declaratively instead of allowing/requiring live request
| interception.
|
| Firefox--my daily driver--still supports the "main" uBlock Origin
| (and I'm a somewhat heavy user of features unavailable in Lite
| like custom filters), but I had been waiting for Lite to be
| available and immediately went ahead and replaced uBlock Origin
| with uBlock Origin Lite.
|
| The security win can't be understated: with its permission-less
| design (enabled by MV3) I am down to _zero_ third-party
| developers that can get compromised and silently push an update
| that compromises all my web sessions. Sure, attackers could still
| get into Mozilla, Apple (as I run macOS), or cause a backdoored
| update to be pushed via Homebrew (how I install unsandboxed
| applications when no web app is available, which thanks to the
| likes of WebUSB is getting less common), but unsandboxed browser
| extensions were clearly the lowest hanging fruit, so this update
| (and MV3) significantly raised my security posture (and
| transitively that of projects I have access to, and that of their
| users).
| Timshel wrote:
| The issue with v3 is when it's the only solution. Which is not
| the case here :
|
| > However, uBOL allows you to _explicitly_ grant extended
| permissions on specific sites of your choice so that it can
| better filter on those sites using cosmetic filtering and
| scriptlet injections.
|
| Which I would expect allow it to work as well as uBO.
| stefan_ wrote:
| > attackers could still get into Mozilla, Apple (as I run
| macOS), or cause a backdoored update to be pushed via Homebrew
| [..] but unsandboxed browser extensions were clearly the lowest
| hanging fruit
|
| This is a total non-sequitur. The source of all malicious
| browser extensions is Google, Apple and Mozilla, and none of
| them have demonstrated any willingness whatsoever to fix the
| problem, even when a mere grep across their distributed
| extension base can trivially identify all the various openly
| advertised trojan SDKs that cause millions of users to be
| tracked or have their internet connection reused for various
| shady proxy websites.
| e2le wrote:
| >I am down to zero third-party developers that can get
| compromised and silently push an update that compromises all my
| web sessions.
|
| It's my understanding that because uBlock Origin is a
| "recommended extension", it must undergo a formal code review
| each time a new update is published. A malicious update would
| not face zero obstacles.
|
| https://support.mozilla.org/en-US/kb/recommended-extensions-...
| Timshel wrote:
| The switch from full acces to white-listing for full blocking
| is just awesome imo.
|
| You can just decide for each case the tradeoff between
| advanced blocking and security.
| [deleted]
| dealuromanet wrote:
| What do you think about using Brave on Apple with its built-in
| ad-blocking?
| sneak wrote:
| You could also just turn off extension autoupdate.
| huydotnet wrote:
| Turn off extension autoupdate sounds like a bad choice, not
| all updates are mallware injected, many of them may contains
| security updates anyway
| captn3m0 wrote:
| That only makes a difference if you're auditing each
| extension update. Switching to extensions with per-site
| permissions reduces the attack surface drastically and you
| don't have to worry about auditing or disabling updates.
| FiloSottile wrote:
| I considered that a few times, but eventually complex things
| like modern ad-blockers rot, so I would be forced to update
| every once in a while, and let's be honest: I am neither
| qualified nor prepared to audit the diff.
|
| I guess deferring updates would give me lead time to let
| others get targeted / detect an issue before it's likely I
| would get the update. Still, installing the permission-less
| version is so much simpler and reassuring.
| predictabl3 wrote:
| So can you tell Firefox to only allow MV3 (or MV3+sandboxed, I
| guess) extensions then? Or have you manually audited your list
| of extensions?
|
| I was sort of aware but your post clearly reminds me that
| Firefox extensions are probably my single biggest point of
| general vulnerability on my phone and computer, given how much
| is done in browser.
|
| Appreciate your original thoughts either way.
| sebzim4500 wrote:
| Hqng on, MV3 still lets extensions read web traffic, right? It
| just can't block it.
| minedwiz wrote:
| declarativeNetRequest (https://developer.chrome.com/docs/exte
| nsions/reference/decla...) involves loading a ruleset into
| the browser, which then does the blocking itself inside the
| network process.
| FiloSottile wrote:
| Firefox's implementation of MV3 allows both async permission-
| less blocking (declarativeNetRequest API) and permissioned
| synchronous blocking (webRequest API). uBO Lite uses the
| former to provide an ad-blocker without read/write
| permissions.
|
| You can still write a unsandboxed extension with MV3 (and in
| Firefox it will still be able to intercept requests, while in
| Chrome it will not be on the network hot path) but the point
| is that you can _also_ write a permission-less ad-blocker
| now, which is what I want.
| npace12 wrote:
| You need the webRequest API (that uBO Full is using) from
| manifest v2 to be able to read the traffic. Without it, you
| can just block/allow based on rules.
|
| Chrome is deprecating it with v3, Firefox supposedly no.
| npace12 wrote:
| One interesting thing I noticed while trying to port little-rat
| to FF, using the same declarativeNetRequest API as uBOL last
| week:
|
| In Chrom*, extensions can intercept calls from other extensions,
| while in Firefox, they can't. If anyone happens to have any
| insight, please let me know.
|
| EDIT: removed links as I'm being downvoted, not trying to
| promote, just would love to make it work in FF.
| [deleted]
| dingdingdang wrote:
| "uBOL is entirely declarative, meaning there is no need for a
| permanent uBOL process for the filtering to occur, and CSS/JS
| injection-based content filtering is performed reliably by the
| browser itself rather than by the extension."
| [deleted]
| pottertheotter wrote:
| I have a question about this. The page says that uBOL has
| "limited capabilities out of the box" due to it "not
| [requiring] broad 'read and modify data' permission". But you
| can give it broad permission ("Complete mode"). Does that mean
| that if someone uses uBOL in Complete mode (a) it will have the
| same capabilities as uBO", and (b) it will use less resources
| than uBOL (no permanent process)?
| tyingq wrote:
| _" hence its limited capabilities out of the box compared to
| uBlock Origin"_
| nextaccountic wrote:
| Does this mean that uBOL is less capable and can't block
| certain ads? Is this expected to be eventually remedied?
| dblohm7 wrote:
| The fully-capable version is regular uBlock Origin.
| Larrikin wrote:
| The remedy is to switch to Firefox and continue using the
| extensions that aren't being broken on purpose by a company
| abusing their monopoly position.
|
| But there will be a bunch of posts in this thread about
| people bemoaning Firefox because they have to have thousands
| of tabs open all at once everyday and Firefox renders them a
| second or two slower. There will also be people who will
| complain that the dev tools aren't exactly like what they
| learned in college/their boot camp so they can't spend dozens
| of minutes learning the Firefox tools so they can make their
| CRUD SPA can load megabytes of JSON outside of Chrome
| AshamedCaptain wrote:
| I don't particularly blame Mozilla/Firefox for this but it
| is obvious to me the writing is on the wall for the "non-
| lite" version of the extension, due to Chrome stealing all
| the manpower towards the lite version. The fact that the
| author is now publishing the "lite" extension also for
| Firefox itself looks as confirmation to me. The author's
| description even seems to praise Manifest v3 in the same
| way Google PR did.
|
| Who wouldn't? It's one less version to maintain, and you're
| not going to stop maintaining the one most people use.
| faeriechangling wrote:
| I'm not so pessimistic that no maintainer would be
| interested in maintaining the full fat uBo. I've got to
| imagine there's still quite a few people using the
| project.
|
| To some extent I have to ask - who cares that Chrome is
| more broadly used? That never stopped Firefox and its
| extensions from becoming popular in the first place. All
| it took for Firefox to rise was the competition being
| crap, and well the competition is becoming crap.
| Chromium's monopoly doesn't stop a few contrarian
| developers from continuing to keep their websites Firefox
| compatible.
| Karunamon wrote:
| All snark aside, Firefox is probably the last browser you
| should use if you care about extensions (or other
| functionality) not being broken on purpose or arbitrarily
| removed with no notice, recourse, or opportunity for
| feedback.
|
| Firefox has done this to me multiple times. As someone who
| uses a web browser as a tool for both business and
| pleasure, and as someone who does not appreciate flag days
| forced on me for no good reason, I am perfectly happy and
| have been encountered far fewer surprises with a chromium
| fork.
| Timshel wrote:
| The remediation is the ability to whitelist/grant full access
| to specific domain to allow for advanced blocking.
| Macha wrote:
| I don't believe the full version is planned to be replaced by
| this one. I think this is basically since they did the work
| to get this version that would work in Chrome after they
| reduce the permissions available to adblockers, they just
| launched it for firefox too in case anyone is really bothered
| by ublock's permissions.
| Macha wrote:
| So this is basically the manifest v3 version for Chrome, ported
| to Firefox?
| Timshel wrote:
| With the ability to whitelist domain to have full blocking.
| input_sh wrote:
| > MV3-based content blocker
|
| Yes.
| devit wrote:
| I assume Firefox doesn't have Chrome's arbitrary limit on
| the number of filtering rules, right?
| input_sh wrote:
| I do know that Firefox has no plans to deprecate
| webRequests API (that the non-lite version depends on),
| while also supporting declarativeNetRequest (that the
| lite version depends on) for compatibility.
|
| What I don't know is:
|
| 1) whether their implementation of declarativeNetRequest
| has that arbitrary limitation
|
| 2) whether uBO Lite ships the same (limited) filters in
| the Firefox release.
|
| I'm _guessing_ 2) is true for simplicity, but that 's
| purely a guess.
| eco wrote:
| While I was trying to find out what Firefox's limits are
| I came across this interesting issue on the W3C's
| webextensions repo:
| https://github.com/w3c/webextensions/issues/319
|
| 4 days ago the Chromium developers proposed upping the
| limit for certain types of declarativeNetRequest rules
| based on data AdGuard provided on real world rule lists.
| https://docs.google.com/document/d/1srkkCJkl4X2KOOUwnpDd-
| kvm...
| jxy wrote:
| Would this be ported to Safari?
| yankput wrote:
| The safari rules are even less capable that that, last time I
| checked.
| syntaxing wrote:
| Three questions, is this less resource intensive and does it
| still block YouTube ads?
|
| Also, since it uses manifest v3, how slim are the chances it'll
| be ported to safari?
| hendersoon wrote:
| Kind of a brilliant compromise, actually. By default it's a
| declarative content-blocker, but if you run into a specific site
| that shows ads you can enable the full-fat uBlock Origin
| featureset there.
___________________________________________________________________
(page generated 2023-08-21 23:00 UTC)