Updated: January 1, 2018
For those of you wondering, uMatrix is a point-and-click matrix-based privacy tool, offered in the form of a Web extension for both Firefox and Chrome, and it can be used to control what domains can do while you browse. In essence, it is somewhat similar to Noscript, although the primary focus is not specifically on blocking scripts.
After having written a tutorial on how to use the new WebExtension Noscript 10, I wanted to do the same with uMatrix. The main reasons are: 1) I am currently checking whether this add-on merits further use, also possibly as a backup and alternative to any issues that may arise with Noscript following the migration to the new WebExtensions framework, and 2) the usage model is not straightforward. So let's see what uMatrix can do. And how.
Setup & overview
Grab the extension and install it - tested with Firefox henceforth, although the same principle applies to Chrome. Once it's there, you will see a gray rectangle icon in your browser bar. Click it, then hit the tiny cogwheel in the top left corner, or go through the extensions menu to access the preferences.
Once you have the program installed, and before you start browsing, please open the extensions settings menu. We need to go through the features, and also make a few changes. There are four tabs to go through.
Under Settings, you can change font size, as well as make several other cosmetic changes. Nothing too important at this point. The second tab, labeled Privacy, is far more interesting.
By default, uMatrix will clear browser cache every 60 minutes - this option is checked by default, and it is up to you to decide whether you want it or need it. I think it's an unnecessary overkill. Then, you can also purge local content stored by websites that you wish to block, spoof the HTTP referrer and user agent string, and also forbid so-called insecure content on HTTPS connections, like images loaded from an HTTP location.
Overall, I believe these options can be somewhat tricky to use, because they inherently change the browser behavior, and this may affect how servers see your browser and what kind of content they serve. You can play and test, but this really is for those with a heightened sense of security.
The My rules tab is far more interesting. On the left, you have permanent rules, on the right, temporary ones. You can export/commit both ways. If you want to edit the temporary set, click Edit, use the right pane as any text editor, add or delete lines as you see fit, and then save and commit your rules to the permanent set if you're happy with the changes.
You will need to use the uMatrix syntax, and this one can take a bit of getting used to. Most importantly perhaps, if you want to use this extension for script blocking, you should delete the default set of rules that allow 1st-level domains by default.
In my screenshot above, these are already gone. The set will look something like this:
You want to delete the last two lines in the temp set, shown below, save, then commit - this will make uMatrix deny scripts for all by default:
* 1st-party * allow
* 1st-party frame allow
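What removing those two lines changes can be seen in a small rule evaluator. This is an added example, not code from this tutorial or from uMatrix itself; the precedence model, the two-label site check, the sample ruleset beyond the two lines quoted above, and all function names are assumptions.

```javascript
// Simplified model of uMatrix-style rule evaluation (added example, not the extension's code).
// Constructed sample ruleset; only the last two lines are quoted from the tutorial.
const DEFAULT_RULES = `
* * * block
* * css allow
* * frame block
* * image allow
* 1st-party * allow
* 1st-party frame allow`;

// Parse "<source> <destination> <type> <action>" lines into a Map keyed by the first three fields.
function parseRules(text) {
  const rules = new Map();
  for (const line of text.split('\n')) {
    const [src, dest, type, action, extra] = line.trim().split(/\s+/);
    // Skip blanks, switch lines (three fields) and anything malformed.
    if (extra !== undefined || !['allow', 'block'].includes(action)) continue;
    rules.set(`${src} ${dest} ${type}`, action);
  }
  return rules;
}

// Assumption: a site is the last two host labels (no public suffix list).
const site = (host) => host.split('.').slice(-2).join('.');
// Assumed precedence: narrower destination and type win; a type-wide block beats a broader allow.
function evaluate(rules, pageHost, reqHost, type) {
  // A page-specific source scope is consulted before the global "*" scope.
  const cell = (dest, t) => rules.get(`${pageHost} ${dest} ${t}`) ?? rules.get(`* ${dest} ${t}`);
  let r = cell(reqHost, type);
  if (r) return r;
  let broad = cell(reqHost, '*');
  if (broad === 'block') return 'block';
  if (site(pageHost) === site(reqHost)) {
    r = cell('1st-party', type);
    if (r) return r;
    broad = broad ?? cell('1st-party', '*');
    if (broad === 'block') return 'block';
  }
  r = cell('*', type);
  if (r === 'block') return 'block';
  if (broad === 'allow' || r === 'allow') return 'allow';
  return cell('*', '*') ?? 'block';
}

// The tutorial's edit: delete the two "* 1st-party ..." lines from the ruleset.
const dropFirstParty = (text) =>
  text.split('\n').filter((l) => !/^\*\s+1st-party\s/.test(l.trim())).join('\n');
const hardened = parseRules(dropFirstParty(DEFAULT_RULES));
console.log(['script', 'css', 'frame'].map((t) => evaluate(hardened, 'example.com', 'example.com', t)));
```

In this model the second quoted line matters because the constructed set blocks frames for every destination, so 1st-party frames need their own type-specific allow; once both lines are gone, a site's own scripts and frames stay blocked until you allow them per site.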
The last tab allows you to use Hosts files to stop your browser from connecting to blacklisted hosts. This comes with its own overhead and penalty, so you can choose however you want to use this. I don't think this is necessary or beneficial.
How to use uMatrix
The interface is a little bit overwhelming.
Let's look at it top down, left to right. The little cogwheel button opens the settings menu (dashboard). Not very visible, but it does the job. You can also access the settings through the Add-ons window.
The blue cell is called scope selector, and it allows you to choose among loaded domains and then make (more permanent) adjustments as you see fit. In a way, it helps make things easier to manage. By default, it will show the domain you've just browsed to, and you can switch among different subdomains, if there are any.
The power button toggles matrix filtering on and off - technically, it allows you to block or allow all elements for the domain shown in the selected scope to the left. The three vertical dots button allows you to activate extra privacy options, like user agent and referrer spoofing, and strict HTTPS. Most of the time, you will not need this.
The third button from the left (the padlock symbol) allows you to commit temporary changes. Those will be changes in any of the fields for the selected domain in the blue cell, but we haven't made any yet. The eraser icon lets you revert all temporary permissions to the default state.
The reload button allows you to, well, reload the page after adjusting permissions. You can also hold the Shift button to bypass browser cache, and in some cases, you will actually need to do that.
The big back icon is a global revert button, and it will revert all temporary changes for all domains listed in the matrix. If you bungle up, or feel you got lost trying to get a page to load, you can click there. Of course, you can also always restart the browser, but that's a pain really.
The last icon opens a log console, where you can watch errors and warnings, if you care about the really technical side of things.
The top row of the table lists different categories of elements that you can allow or block, and also acts as a global toggle. If you click on one of these cells, the specific action will be applied to that particular element type, like script or media, down the entire column. Much like Noscript, you can control media, script, frames, other instructions, and also cookies, images and CSS. Very similar in essence, although Noscript specifically lists out WebGL and fonts. Anyway.
The second row of the table allows you to apply permissions to the 1st party domain entries only rather than the entire column. This is useful if you want to apply scripts to the site you're visiting but not necessarily all the third party junk, ad domains, cloud domains, and whatever.
A state showing CSS and images allowed for all, and scripts for 1st-party only.
Then, row after row, you will have domain names listed, starting with the site you're visiting, and everything else loaded. Each cell will also list the number of elements that match the particular category, like say 3 images, 1 CSS file, and 1 script, for instance.
Red, gold and green
uMatrix uses color coding to help you distinguish between toggle states of each cell. There's also an accessibility option for the color blind. Pale red and pale green indicate permanent block and allow settings, respectively. Temporary permissions match in color, but the intensity is greater - bright red and bright green.
You can click on the cell anywhere you want and then switch between desired states, or if you are keen of hand and precise of mouse, you can click the top vertical half of the cell to allow and the bottom half to block the particular element. This will save you time randomly clicking until you get to the desired state slash color.
Cell division, ha ha.
Now, I started playing with uMatrix, visiting various websites to see how well it works. As expected, with 1st-party domains blocked, it is very similar to Noscript. You can then fine-tune permissions. In some cases, you will need to go through several iterations of temporary allow actions until all the domains have loaded. You may also need to shift reload the domain. All in all, despite the nerdy nature and a busy interface, it works as expected.
Sometimes, you will need to bypass the browser cache, and load third-party scripts to get the necessary functionality.
uMatrix is an interesting utility. It is more complex than Noscript, slightly more cumbersome to use, but it does offer additional functionality that people keen on privacy and extra-tight security may appreciate. The one big drawback is that the matrix model takes a while to figure out.
Hopefully, this guide was useful. I tried to cover all the basics, including the rich options menu, 1st-party rules editing to disable scripts, the overview of the matrix panel, the color code, the hierarchy-based behavior. If you have any questions, suggestions or corrections, shoot them over. Well, that would be all. Happy browsing.