1.3.10

Closed as fixed:

Firefox

• No web page found issue

Core

• Custom recipes don't show up when visiting corresponding host

1.3.8

Closed as fixed:

• Ruleset pane size miscalculated
• Placeholder in logger "Network error" message is not replaced
• Shared Workers

1.3.6

Changes:

CodeMirror's MergeView has been integrated into the "My rules" pane, this should make it easier to manage your ruleset.

Improved the visuals and behavior of Recipes icon (the puzzle icon) in popup panel.

Closed as fixed:

• CSP error notification -> Conflicting with uBlock Origin?

1.3.4

New

[Status: experimental] A new button ("puzzle" piece icon) is available in the popup panel: uMatrix will offer you the ability to import community-contributed ruleset recipes which are relevant to the current page (see #30). Hopefully there will be many contributions to populate ruleset recipes ready to be used to unbreak sites. I wasn't planning to release this feature at this point, but there were other good changes languishing in beta which I wanted to publish. Some early documentation here.

A tooltip has been added to the global scope selector (*) in the popup panel.

A new setting has been added in the Settings pane: "Disable tooltips".

Changes

The setting "Show the number of distinct requests on the icon" has been changed to "Show the number of blocked resources on the icon": the number of blocked resources is much more useful than the number of distinct resources. This will make it clear now that uMatrix is still blocking stuff even after you think you had configured it to no longer block stuff (example: #938).

The icon badge is back to being enabled by default with new installations of uMatrix.

Closed as fixed:

• Ability to enforce _escaped_fragment_=
• Report more accurately that resources are being blocked following page load
• [Performance] Implement ability to snapshot memory to improve load times
• When first installing uMatrix, the setting "Auto-update hosts files" is disabled by default

1.3.2

Closed as fixed:

• uMatrix does not report inline styles

1.3.0

Notes:

Regarding the issue "uMatrix is causing iframe data to be mangled in the latest version of chrome":

I don't know what causes this -- uMatrix merely just add or modify a response header, as allowed by the extensions API. Until the root cause of the issue is resolved, you can mitigate it by changing the advanced setting disableCSPReportInjection to true in the new "More" dashboard pane.

Fixed:

• noscript tags improperly rendered in XML-based HTML documents (report).

Closed as fixed:

• No way to configure advanced settings in uMatrix/webext
• Pages can detect uMatrix's presence with pure CSS

1.2.0

Changes

Appearance

More choices of text size for the matrix UI in the Settings pane (text size dictates the popup panel size).

Per-scope switches

New switch: "Forbid web workers"

Purpose should be obvious.

Note that nuisance coin miners typically use web workers, so forbidding web workers globally might be a good idea, though mind that there are legitimate use for web workers. Keep in mind many of these miners are launched as 1st-party, so the new switch allows you to forbid them even when you allow 1st-party scripts.

Update: blocking web workers everywhere by default should lower quite significantly the probability of falling prey to exploits taking advantage of Meltdown/Spectre vulnerabilities through your browser (assuming your browser is vulnerable). Mind that often sites legitimately do need web workers to work properly -- so if you forbid web workers in the global scope, don't forget about this when you are puzzled as to why a web site is still broken despite you allowing the needed resources.

uMatrix is able to detect when a web worker is being instantiated. However, this does not work for Firefox 57-58, but works fine in Firefox 59 (Nightly). The reason is that SecurityViolationPolicyEvent has been implemented just recently in Nightly.

So this means if you are using uMatrix with Firefox 57-58, uMatrix will be unable to report to you whether web workers are used by a page, though you will be able to block these fine with the new per-scope switch. With Nightly, use (or attempt to use) web workers is properly reported in the logger and in the popup panel.

Per-scope switches redesigned and renamed

"Strict HTTPS" has been renamed "Forbid mixed content": I see too many instances of people thinking this feature is a replacement for HTTPS Everywhere: it is not.

The new visual will now convey whether a switch is relevant for the current document. A dot in the toggle button means that the switch is relevant, i.e. uMatrix may affect the page if the switch is toggled on.

• Forbid mixed content: a dot means that mixed content has been detected on the page.
• Forbid web workers: a dot means that web workers have been detected on the page (as mentioned above, the detection does not work for Firefox 57-58).
• Spoof referer header: a dot means that 3rd-party referrer information has been seen in network traffic.
• Spoof <noscript> tags: a dot means <noscript> tags have been detected in the current page.

I added info links to each per-scope switch: the links are pages from Mozilla Developer Network, so this gives a chance for the page to load in the user locale.

Logger

Ability to open the logger in the sidebar. Sidebar API is only available in Firefox and Opera (I didn't try the feature in Opera yet):

Note that since the logger is unified, should you open additional logger views, these will be left unused, until the first view is closed. By design.

Closed as fixed:

• Possible to improve image placeholders? Sometimes they are just too tiny (1px)

1.1.20

Changes

Settings

A new option in the Settings pane, as requested in #335:

• Collapse placeholder of blacklisted elements

Checked by default.

The purpose of this new setting should be obvious: it makes it possible to collapse discriminately elements according to whether they were blocked as a result of a hostname being blacklisted or as a result of a more generic block rule.

For example, 3rd-party iframes are blocked by default. But you may not want embedded Youtube videos to be collapsed, while on the other hand you may want embedded ads from some blacklisted origins to be visually collapsed. The new settings allows to distinguish between blocked and blacklisted.

Logger

The logger will now inform when uMatrix removes/modifies HTTP headers:

As seen above, the uppercase COOKIE entry means that an outgoing Cookie header was removed, and the uppercase REFERER entrie means that an outgoing Referer header was modified from https://news.ycombinator.com/ to https://danluu.com/. These are reported only for network request of type doc, so as to not spam logger output since referrer spoofing and cookie header removal can occur for every single network request.

Accepted pull requests:

• Fix noscript spoof setting not being saved on change

Closed as fixed:

Core

• Blocked images download but only briefly display when loaded directly
• Remove Referer instead of spoofing it for non-GET requests
• SVGs not interact properly if scripts are blocked (though it says 0 scripts in the page)
• Script not detected on cgit commit page
• Collapse placeholders for blacklisted hostnames

1.1.18

Changes

Since version 1.1.14, the minimum version for Chromium/Chrome is version 45.

Closed as fixed:

Core

• Completed fix to "<noscript> is ignored when uMatrix blocks JavaScript"
  • Automatic redirect when there is a meta http-equiv="refresh" ...> tag present.

1.1.16

Closed as fixed:

Firefox

• uMatrix dropdown renders as empty and inactive
  • This was affecting people who completely forbid cookies on all sites.