Web Content Blocker Tier List

Jul. 14, 2022 [technology] [privacy-security]

Using the web without a content blocker is a bit like sniffing chloroform rags around Epstein island. They’re both great ways for well-connected psychopaths to have their way with you. But, really, I am completely serious when I say that I wouldn’t even use the web in current year if content blocking tools didn’t exist. Which is why I advise anybody, technical or otherwise, to at least install some such addon for their browsers.

You’re trying to tell me I can stop bullets?

Few are great, most not so much. I rate them here based on their effectiveness in their default-deny capacity to strip pages down to plain HTML, their granularity and how well they convey information about web requests/page elements.

Tier Addon Notes
S uMatrix Unrivaled web firewalling.
A uBlock Origin (Advanced User Mode), xiMatrix Excellent and contains advanced features, but makes unfortunate design concessions. Would handily enter S tier if minor shortcomings addressed.
B NoScript Security Suite Highly granular and informative but unable to completely block style sheets and neglects to block cookies per-site. Has a suboptimal interface that dark patterns users toward whitelisting domains.
C HTML Content Blocker, JShelter, uBlock Origin (Basic User Mode) Reasonably capable of de-fanging sites but rather limited in scope.
D Trace, Adblocker Ultimate, Adguard AdBlocker Low capability. Heavily blocklist oriented rather than by class of request. Default deny infeasible.
F Adblock Plus, Privacy Badger, Ghostery, Firefox Enhanced Tracking Protection (Strict) Garbage tier. Major shortcomings.

Detailed Rationale

Despite being in maintenance mode, uMatrix maintains exceptional effectiveness against a wide class of web requests. It is basically a full browser firewall which can discriminate requests globally or per-domain/subdomain and each request class can be blocked individually from one another. Unfortunately, if uMatrix ever falls out of viability, we would lose an almost irreplaceable tool.

uBlock Origin (Advanced User Mode):
Almost as capable as uMatrix in whole-site default deny, but fails miserably when tasked with any finer granularity such as blocking javascript from one third party domain exclusively. Its inadequate toggle grid poorly conveys information about web requests. uBlock Origin is supposedly capable of higher precision by manually writing noop rules in textual custom rulesets but this is a completely impractical and unrealistic way to try and compete with uMatrix’s brilliant switchboard grid. There are unique capabilities it has such as cname uncloaking and the element zapper. Basic User Mode would place uBlock around C tier.

Inspired by uMatrix and seems to aim to take up the torch. It can block by request type, domain and subdomain (in the grid directly) while global scope very wisely starts out as default deny. It can also handle remote fonts, a feature even uMatrix does not have. However, xiMatrix is missing controls for blocking cookies and fails to distinguish between image and video content. It is very early in development and does not even have a reload page option yet. It otherwise holds great potential.

NoScript Security Suite:
Like uMatrix, also capable of discriminating globally and per-domain/subdomain. It is also capable of blocking elements not individually covered by uMatrix such as webgl. Unfortunately, it doesn’t seem to be able to strip all requests from a domain as it maintains rather permissive css rules. NoScript also defaults to very permissive site templates (probably for normies) which need to be removed or overridden before global default deny can be enabled. Custom rules default to “ANY SITE” scope. I also want to mention a sordid past with development occasionally betraying users, which they have hopefullly now put behind them.

HTML Content Blocker:
I was pleasantly surprised at the simplicity of HTML Content Blocker relative to how effective can be. It is hampered by being only global in scope and only capable of dealing with just five request types; js, css, img, obj, media. Fast and simple but that’s all there really is to say about it.

Has global scope settings with only per-site whitelisting. JShelter does a pretty good job of breaking down requests into network, script and static attributes blocking. Unfortunately, like NoScript, is incapable of bringing a site to raw HTML. It is very categorically mediocre.

Trace is a bit of a glorified browser settings tweaker with a blocklist stuffed in. It does succeed in blocking script and other requests but doesn’t fully inform the user as to what or provide any control over it outside of generic whitelisting. Some additional marks against it are the site being cuckflared (and, by extension, the blocklist updates) and the code being marked “All Rights Reserved”, despite being posted on a git repository. Don’t expect much development activity.

Adblocker Ultimate:
Very blocklist oriented but at least has an element picker. Default allow with no possibility to default deny. Low tier.

Adguard AdBlocker:
One redeeming quality of Adguard is its dedicated logger window which shows requests by category and can be filtered by all, tab, etc. It may be possible, albiet clunky, to write custom rules based off logger information. Otherwise it’s like Adblocker Ultimate.

Adblock Plus:
Adblock Plus is still up to their old antics with whitelisting “acceptable” partner ads, which has now been made opt-out. Can be configured in the global settings to block social icons, cookies and push notifications. Barely helpful for anyone who knows how to configure their browser.

Privacy Badger:
Can block by domain, but idiotically forces users to wait until the third party domain has been recognized on other sites or for the user to manually block after the damage has already been done. “The domain does not appear to be tracking you: \www.googletagservices.com” lol. Even though it is possible to block things manually (and clumsily), I think this addon is just meant to be a set-and-forget helper for grandmas.

Advertises a “block by default” option but still fails massively by letting various resources through. You can restrict things on a per-site basis and Ghostery does a moderate job at informing what has been blocked vs allowed in the detail view. Supports blocklists. Has a setting “A/B tests” which is opt-out data collection. I would never expect anyone to rely on Ghostery.

Firefox Enhanced Tracking Protection (Stict settings, built-in):
Per-site toggle and enabled by default. Although it is list based with no interactive way of discriminating by web request type. You can only look at the block statistics history. It’s probably supposed to be overly simple but ETP is pretty pathetic on its own as a content blocker.

*Testing criteria was for self described general web blockers so addons such as LibreJS have been excluded.