Quick Guide to NoScript (Chrome & Firefox)

On September 18, 2020, the original developer of the popular browser extension uMatrix announced he won't be spending any more time on the project. It was a content and script blocker with fine control over all domains connected to the current website. This is why it seems to be a good time to suggest to both former uMatrix users and anyone new to script blocking that they try the established extension NoScript.

Download it for Firefox or Chrome from the webstore. A popular alternative to NoScript is ScriptSafe, which works similarly.

First of all, be aware that using a script blocker will require some work. You will have to unbreak many websites when first visiting them, but on the other hand script blocking is maybe THE best method for online security and privacy. There is a reason why NoScript is installed by default in high-security environments like the Tor web browser. JavaScript, especially from external websites, can be dangerous and is often used for tracking and surveillance by advertising networks. Adblockers usually rely on a fixed blacklist for blocking content, but if a possibly malicious domain isn't on there, it doesn't get blocked. Script blockers, by contrast, give you the control to only allow content you want.

Let's get an overview of the interface when clicking the NoScript icon: The first thing you will see is a list of all domains connected to the current website. In the top left are buttons for closing the window, reloading the current website and opening the options page of NoScript.

The extension works by selectively allowing or blocking domains either completely or partly. In the beginning, domains will have the default setting applied. This means "frame" (embedded websites inside the current website), "fetch" (an HTML5 interface for embedding content) and "other" (anything NoScript cannot categorize) will be blocked from this domain. You can change the default behavior in the settings.

Now you can change the domains you trust: either trust temporarily, until you restart the browser, with the second button, or permanently with the third button. Trusting means allowing all content from that domain. You can also choose to explicitly untrust a domain with the crossed-out icon, which of course disables all content from that domain. The last icon allows you to make finer adjustments per domain:

I already explained "frame", "fetch" and "other". "Script" matches all JavaScript elements, "object" matches plugin objects like Flash or Java, "media" matches HTML5 audio and video elements embedded in the site, "font" matches remote fonts, "webgl" is an interface for hardware-accelerated 3D graphics inside the browser and "ping" is a feature in Firefox to track clicks on hyperlinks.

The lock icon to the right controls whether to match encrypted connections only, and if you are unsure about a site, you can click it to display several services for rating the trustworthiness of a specific website.

The top right has buttons for disabling restrictions globally for all websites, disabling restrictions for only the current tab (which is useful for quickly unbreaking websites), setting all domains on the current website to "temporarily trusted" and revoking those temporary permissions again.

The settings page of NoScript displays the per-site permissions of all websites you have changed. There are several popular websites listed by default. Besides the appearance settings, the advanced options are self-explanatory, except for the cross-site scripting setting, which tries to prevent attacks where malicious JavaScript code is injected into a vulnerable whitelisted site, therefore bypassing the whitelist.

NoScript also allows for importing and exporting of settings and permissions. If you have a long list of permissions already, use this feature to back them up. If you have any problems, try to get them solved in the comments or go to the extensive FAQ section on noscript.net.
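The permission scheme described above (default, trusted, temporarily trusted, untrusted and custom domains, the lock icon's encrypted-only matching, and revoking temporary trust) can be sketched as a small decision function. This is an added example, not NoScript's own code: the `Policy` class, its method names, the subdomain matching rule, the contents of the default preset and all `.example` domains are assumptions constructed for illustration.

```javascript
const CAPS = ["script", "object", "media", "frame", "font", "webgl", "fetch", "ping", "other"];
class Policy {
  constructor(defaultCaps) {
    this.defaultCaps = new Set(defaultCaps); // constructed default preset
    this.sites = new Map(); // domain -> { caps, temp, httpsOnly }
  }
  // Trusted: every content type allowed. httpsOnly models the lock icon.
  trust(domain, { temp = false, httpsOnly = true } = {}) {
    this.sites.set(domain, { caps: new Set(CAPS), temp, httpsOnly });
  }
  // Untrusted: nothing allowed, on any scheme.
  untrust(domain) {
    this.sites.set(domain, { caps: new Set(), temp: false, httpsOnly: false });
  }
  // Custom: only the listed content types are allowed.
  custom(domain, caps, { httpsOnly = true } = {}) {
    this.sites.set(domain, { caps: new Set(caps), temp: false, httpsOnly });
  }
  // Drop all temporary trust (the "revoke" button, or a browser restart).
  revokeTemp() {
    for (const [domain, rule] of this.sites) if (rule.temp) this.sites.delete(domain);
  }
  // Most specific matching domain wins (assumption of this model).
  lookup(host) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const rule = this.sites.get(labels.slice(i).join("."));
      if (rule) return rule;
    }
    return null;
  }
  allows(url, type) {
    const u = new URL(url);
    const rule = this.lookup(u.hostname);
    // No rule, or an HTTPS-only rule hit over plain HTTP: fall back to the default.
    if (!rule || (rule.httpsOnly && u.protocol !== "https:")) return this.defaultCaps.has(type);
    return rule.caps.has(type);
  }
}

// Constructed sample policy; all domains are placeholders.
function samplePolicy() {
  const p = new Policy(["media", "font"]);
  p.trust("shop.example");
  p.trust("cdn.example", { temp: true });
  p.untrust("tracker.example");
  p.custom("video.example", ["media", "fetch"]);
  return p;
}
```

Unlike a blacklist, a domain that appears on no list only gets what the default preset grants, and an untrusted domain gets less than the default.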

Let's end with a practical example: If the website has loaded and you notice elements missing, try to figure out which domain could be responsible. I will first try to set the top-level domain to "temporarily trusted". If the website is still not displayed correctly, try other domains that could be the cause. Once the website is displayed correctly, change the respective trust to "permanent". I hope this was helpful to you and I'll see you next time.

Roy

I have a lot of interest in collecting information and spreading it to everyone, and that is the actual reason why I'm here on this platform.
