4.1 Extensions

🟩 FOREWORD

We recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you stand out, and weaken site isolation.

This list covers privacy and security related extensions only. While we believe these are the very best of the best, this can be subjective depending on your needs. We are also not saying you have to use all these extensions.

🟪 RECOMMENDED

uBlock Origin ^{✔ Privacy} | GitHub
- ⭐ Setup your blocking mode
- ⭐ Import Actually Legitimate URL Shortener Tool | GitHub
- ⭐ Enable AdGuard URL Tracking Protection
Smart Referer ^{✔ Privacy} | GitLab | GitHub ^Archive
- Only needed if 1601 is too strict for you, and you override it to default 0 (so Smart Referer works)
- We recommend Strict mode and adding exceptions
Skip Redirect | GitHub
CanvasBlocker ^{✔ Privacy} | GitHub
- ⭐ non-RFP users only
  - Good protection against naive scripts, detectable with advanced scripts
  - Randomize canvas and audio, maybe webgl if you use that: the rest is not needed

🟪 MAYBE

Header Editor | GitHub
- Allows you to run rules to modify the request header and response header, cancel a request and redirect a request. Be careful not to alter your passive fingerprint
Request Control | GitHub | Manual | Testing links
Redirector ^{✔ Privacy} | GitHub

🟪 TOOLS

These extensions will not mask or alter any data sent or received, but may be useful depending on your needs

Behave | GitHub
- Monitors and warns if a web page; performs DNS Rebinding attacks to Private IPs, accesses Private IPs, does Port Scans
mozlz4-edit | Github
- Inspect and/or edit *.lz4, *.mozlz4, *.jsonlz4, *.baklz4 and *.json files within FF
CRX Viewer | GitHub
Enterprise Policy Generator | GitHub
- For ESR60+ and Enterprise Policies
Compare-UserJS
- Not an extension, but an tool to compare user.js files and output the diffs in detailed breakdown - by our very own claustromaniac 🐈

🟪 DON'T BOTHER

uMatrix
- ⚠️ No longer maintained, the last commit was April 2020 except for a one-off patch to fix a vulnerability
- Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking.
NoScript
- Redundant with uBlock Origin
Ghostery, Disconnect, Privacy Badger, etc
- Redundant with Total Cookie Protection (dFPI) or FPI
- Note: Privacy Badger no longer uses heuristics by default, and enabling it makes you easily detected
Neat URL, ClearURLs
- Redundant with uBlock Origin's removeparam and added lists. Any potential extra coverage provided by additional extensions is going to be minimal
HTTPS Everywhere
- Redundant with HTTPS-Only Mode and scheduled for deprecation
CSS Exfil Protection
- Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about
LocalCDN, Decentraleyes
- Third parties are already isolated if you use Total Cookie Protection (dFPI) or FPI
- Replacing scripts on CDNs with local versions is not a comprehensive solution and is a form of enumerating badness. While it may work with some scripts that are included it doesn’t help with most other third party connections
- CDN extensions don't really improve privacy as far as sharing your IP address is concerned and their usage is fingerprintable as this Tor Project developer points out. They are the wrong tool for the job and are not a substitute for a good VPN or Tor Browser. Its worth noting the resources for Decentraleyes are hugely out of date and would not likely be used anyway
Temporary Containers, Cookie extensions
- Redundant with Total Cookie Protection (dFPI) or FPI
- ❗️Sanitizing in-session is a false sense of privacy. They do nothing for IP tracking. Even Tor Browser does not sanitize in-session e.g. when you request a new circuit. A new ID requires both full sanitizing and a new IP. The same applies to Firefox
- ❗️Cookie extensions lack APIs to work with Total Cookie Protection which will be the default
Anti-Fingerprinting Extensions
- Redundant with RFP which is the best solution
  - ⭐ For non-RFP users, we recommend CanvasBlocker (see above) as your next best option
- Most extensions cannot protect what they claim:
  - It's impossible (engine, OS, version)
  - It's not a lie (the sites expect and use a valid value)
  - It's dumb (randomizing is not very usable, and/or successfully spoofing is the same as setting that)
  - It's equivalency
  - It has too many methods (fonts: at least a dozen methods and counting)
  - ... and more
- Web Extensions lack APIs to properly protect metrics (without breaking basic functionality)
- Web Extensions are detectable, and often uniquely fingerprintable, when they touch the DOM (and sometimes when they don't)

Provide feedback

Saved searches