Inhji.de

uBlock Origin 

Author

Jonathan

uBlock Origin is the only ad blocker that offers sufficient control to block most ads, tracking and malware.

By default, it runs in blacklist mode: it blocks domains that appear on lists of known bad domains and allows everything else. This leaves a lot of room for trackers, because a new domain is not blocked until it appears on a block-list.

Another approach is to block EVERYTHING by default and operate a whitelist of known good domains. This is what this post talks about.

Block ALL Third-Party Scripts

The base for all of this is the assumption that by blocking third-party scripts, we block 99% of the bad domains. This of course assumes that first-party scripts are trustworthy, which is not always the case. This trade-off ensures that most simpler websites work just fine.

* * 3p-script block

Allow some well-known CDNs

Next, we maintain a list of well-known domains that are mostly harmless. A large chunk of them are CDNs. This list will vary depending on which sites you use regularly. For example, I pay for a lot of my stuff with PayPal, so I explicitly allow some third-party domains which are necessary to use PayPal.

* 3dsecure-atruvia.de * noop
* ajax.googleapis.com * noop
* akadns.net * noop
* akamai.net * noop
* akamaiedge.net * noop
* ajax.aspnetcdn.com * noop
* b-cdn.net * noop
* braintree-api.com * noop
* braintreegateway.com * noop
* cdn.cloudflare.net * noop
* cloudapp.net * noop
* cdnjs.cloudflare.com * noop
* challenges.cloudflare.com * noop
* cloudfront.net * noop
* cookielaw.org * block
* cdn.db.io * noop
* deltacdn.net * noop
* discourse-cdn.com * noop
* fastly.net * noop
* fb-t-msedge.net * noop
* youtube-ui.l.google.com * noop
* googlevideo.com * noop
* gstatic.com * noop
* hcaptcha.com * noop
* here.com * noop
* jquery.com * noop
* cdn.jsdelivr.net * noop
* l-msedge.net * noop
* maps.googleapis.com * noop
* msedge.net * noop
* cdn.oaistatic.com * noop
* cdn.office.net * noop
* pay1.de * noop
* paypalobjects.com * noop
* polyfill.io * noop
* cdn.shopify.com * noop
* softr-files.com * noop
* squarespace.com * noop
* sstatic.net * noop
* static.microsoft * noop
* t-msedge.net * noop
* unpkg.com * noop
* vimeocdn.com * noop
* visualstudio.com * noop
* website-files.com * noop
* youtube-nocookie.com * noop
* youtube.com * noop
* ytimg.com * noop

Allow everything else on a per-site basis

Everything else will be allowed on a per-site basis. This is the most annoying part: for every new site you visit, you have to go through the process of selectively allowing trustworthy-looking domains, reloading the page, checking whether everything works and, if not, repeating. You can get used to it.

Screenshot uBlock Origin Settings for Azure DevOps

This is what my Block settings for Azure DevOps look like. For auth, I whitelisted some domains for every page, others are specific to Azure DevOps.
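
How the three layers above (global script block, global CDN exceptions, per-site exceptions) combine into one decision per request, as an added example that is not code from this post or from uBlock Origin. It is a simplified model covering only the rule shapes used here. Assumptions: the `.example` hostnames and the per-site rule are constructed, and "same site" is approximated by the last two hostname labels, where uBlock Origin uses the Public Suffix List.

```javascript
// Rule syntax as on the page: "<source> <destination> <type> <action>".
const RULES = `
* * 3p-script block
* cdnjs.cloudflare.com * noop
* cookielaw.org * block
shop.example static.example.net * noop
`; // the last rule and all .example hostnames are constructed for this demo

function parseRules(text) {
  return text.split('\n').map(l => l.trim()).filter(Boolean).map(l => {
    const [src, dest, type, action] = l.split(/\s+/);
    return { src, dest, type, action };
  });
}

// "a.b.c" -> ["a.b.c", "b.c", "c", "*"]: narrowest hostname first.
function ancestors(host) {
  const parts = host.split('.');
  return parts.map((_, i) => parts.slice(i).join('.')).concat('*');
}

// Assumption: site = last two labels (uBlock Origin uses the Public Suffix List).
const site = host => host.split('.').slice(-2).join('.');

// For one destination/type cell, a per-site rule beats the global "*" rule.
function lookup(rules, pageHost, dest, type) {
  for (const src of ancestors(pageHost)) {
    const hit = rules.find(r => r.src === src && r.dest === dest && r.type === type);
    if (hit) return hit;
  }
  return null;
}

function decide(rules, pageHost, reqHost, reqType) {
  // 1. Hostname-specific destination rules are checked first.
  for (const dest of ancestors(reqHost).slice(0, -1)) {
    const hit = lookup(rules, pageHost, dest, '*');
    if (hit) return hit.action;
  }
  // 2. Then the broad rules with destination "*", narrowest type first.
  const thirdParty = site(pageHost) !== site(reqHost);
  const types = thirdParty ? (reqType === 'script' ? ['3p-script', '3p', '*'] : ['3p', '*']) : ['*'];
  for (const type of types) {
    const hit = lookup(rules, pageHost, '*', type);
    if (hit) return hit.action;
  }
  return 'none'; // no dynamic rule matched; static filter lists decide
}
console.log(decide(parseRules(RULES), 'news.example', 'cdn.cookielaw.org', 'script')); // block
```

A `noop` result only cancels the dynamic block, so the static filter lists still apply to that request. A rule whose source is `*` takes effect on every site you visit, while the `shop.example` rule applies only on that site and its subdomains.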


Conclusion

This strategy is by no means painless or set-and-forget. It takes time to set up, and to maintain whenever you visit a new site. If you are someone who mostly visits the same sites, or you have no problem putting in a bit of effort every day to avoid being tracked, this might be for you.

