Blocks over 3 billion ads and trackers, letting you browse the web more efficiently and securely, with minimal impact on CPU and memory usage. Suitable for anyone looking to enhance their online privacy and reduce distractions. Benefits most those who value a clutter-free browsing experience.
Overview
IMPORTANT: uBlock Origin is completely unrelated to the site "ublock.org".
uBlock Origin is not an "ad blocker", it's a wide-spectrum content blocker with CPU and memory efficiency as a primary feature.
***
Out of the box, these lists of filters are loaded and enforced:
- uBlock Origin filter lists
- EasyList (ads)
- EasyPrivacy (tracking)
- Peter Lowe’s Ad server list (ads and tracking)
- Online Malicious URL Blocklist
More lists are available for you to select if you wish:
- Annoyances (cookie warnings, overlays, etc.)
- hosts-based lists
- And many others
Additionally, you can point-and-click to block JavaScript locally or globally, create your own global or local rules to override entries from filter lists, and many more advanced features.
***
Free.
Open source with public license (GPLv3)
For users by users.
If ever you really do want to contribute something, think about the people working hard to maintain the filter lists you are using, which were made available to use by all for free.
***
Documentation:
https://github.com/gorhill/uBlock#ublock-origin
Project change log:
https://github.com/gorhill/uBlock/releases
Contributors @ Github:
https://github.com/gorhill/uBlock/graphs/contributors
Contributors @ Crowdin:
https://crowdin.net/project/ublock
Tags
Privacy Practices
✓
Not being sold to third parties, outside of the approved use cases
✓
Not being used or transferred for purposes that are unrelated to the item's core functionality
✓
Not being used or transferred to determine creditworthiness or for lending purposes
v1.69.0
Info
Scanned Mar 4, 2026
Permissions
alarms
contextMenus
privacy
storage
tabs
unlimitedStorage
webNavigation
webRequest
webRequestBlocking
<all_urls>
Code Patterns Detected
eval() used — can execute arbitrary code
Dynamic JS import
String.fromCharCode (obfuscation)
charCodeAt (obfuscation)
Makes XHR requests
Uses Fetch API
Creates script elements dynamically
Reads browser storage
Writes to browser storage
Removes from browser storage
Captures keystrokes
Runs on ALL websites
Broad host permissions
Creates context menu items
Creates iframe elements
Uses postMessage for cross-origin comms
Sets up event listeners
External Connections
github.com
www.gnu.org
developer.mozilla.org
www.reddit.com
codemirror.net
bugzilla.mozilla.org
www.cse.yorku.ca
www.w3.org
en.wikipedia.org
bugs.chromium.org
stackoverflow.com
searchfox.org
+8 more
Package Contents
651 files · 13.8MB
▾📁_locales3.6MB
▾📁ar52KB
▾📁az49KB
▾📁be55KB
▾📁bg56KB
▾📁bn63KB
▾📁br_FR48KB
▾📁bs48KB
▾📁ca49KB
▾📁cs48KB
▾📁cv47KB
▾📁cy47KB
▾📁da47KB
▾📁de48KB
▾📁el59KB
▾📁en46KB
▾📁en_GB46KB
▾📁eo47KB
▾📁es48KB
▾📁et47KB
▾📁eu48KB
▾📁fa55KB
▾📁fi48KB
▾📁fil49KB
▾📁fr49KB
▾📁fy47KB
▾📁gl48KB
▾📁gu46KB
▾📁he50KB
▾📁hi61KB
▾📁hr48KB
▾📁hu49KB
▾📁hy56KB
▾📁id47KB
▾📁it48KB
▾📁ja51KB
▾📁ka63KB
▾📁kk50KB
▾📁kn52KB
▾📁ko48KB
▾📁lt48KB
▾📁lv49KB
▾📁mk55KB
▾📁ml65KB
▾📁mr50KB
▾📁ms47KB
▾📁nb47KB
▾📁nl48KB
▾📁no47KB
▾📁oc47KB
▾📁pa56KB
▾📁pl48KB
▾📁pt_BR48KB
▾📁pt_PT48KB
▾📁ro48KB
▾📁ru56KB
▾📁si61KB
▾📁sk48KB
▾📁sl48KB
▾📁so48KB
▾📁sq47KB
▾📁sr55KB
▾📁sv48KB
▾📁sw47KB
▾📁ta64KB
▾📁te62KB
▾📁th60KB
▾📁tr48KB
▾📁uk56KB
▾📁ur48KB
▾📁vi50KB
▾📁zh_CN46KB
▾📁zh_TW46KB
▾📁_metadata83KB
{}verified_contents.json83KB
▾📁assets6.1MB
▾📁thirdparties4.1MB
▾📁easylist3.4MB
📄easylist.txt2MB
📄easyprivacy.txt1.4MB
▾📁pgl.yoyo.org93KB
▾📁as93KB
📄README.md1KB
📄serverlist91KB
▾📁publicsuffix.org322KB
▾📁list322KB
📄effective_tld_names.dat322KB
▾📁urlhaus-filter277KB
📄LICENSE.md6KB
📄urlhaus-filter-online.txt270KB
▾📁ublock2MB
📄badlists.txt5KB
📄badware.min.txt140KB
📄filters.min.txt1.5MB
📄privacy.min.txt112KB
📄quick-fixes.min.txt45KB
📄unbreak.min.txt166KB
{}assets.json37KB
▾📁css402KB
▾📁fonts276KB
▾📁Inter225KB
🔤Inter-Regular.woff2109KB
🔤Inter-SemiBold.woff2112KB
📄LICENSE.txt4KB
▾📁Metropolis51KB
🔤Metropolis-Regular.woff224KB
🔤Metropolis-SemiBold.woff226KB
📄README.md617B
📄UNLICENSE1KB
▾📁themes17KB
🎨1p-filters.css624B
🎨3p-filters.css6KB
🎨about.css38B
🎨advanced-settings.css491B
🎨asset-viewer.css2KB
🎨click2load.css1KB
🎨cloud-ui.css2KB
🎨code-viewer.css1KB
🎨codemirror.css9KB
🎨common.css9KB
🎨dashboard-common.css1KB
🎨dashboard.css3KB
🎨devtools.css363B
🎨document-blocked.css4KB
🎨dom-inspector.css863B
🎨dyna-rules.css2KB
🎨epicker-ui.css7KB
🎨fa-icons.css4KB
🎨logger-ui-inspector.css3KB
🎨logger-ui.css27KB
🎨popup-fenix.css21KB
🎨settings.css2KB
🎨support.css2KB
🎨whitelist.css365B
▾📁img198KB
▾📁flags-of-the-world124KB
📄README278B
🖼ad.png672B
🖼ae.png115B
🖼af.png934B
🖼ag.png603B
🖼ai.png770B
🖼al.png508B
🖼am.png106B
🖼ao.png430B
🖼aq.png407B
🖼ar.png345B
🖼as.png1KB
🖼at.png94B
🖼au.png565B
🖼aw.png249B
🖼ax.png178B
🖼az.png238B
🖼ba.png385B
🖼bb.png291B
🖼bd.png282B
🖼be.png115B
🖼bf.png236B
🖼bg.png105B
🖼bh.png326B
🖼bi.png651B
🖼bj.png122B
🖼bl.png2KB
🖼bm.png1KB
🖼bn.png1KB
🖼bo.png107B
🖼bq.png619B
🖼br.png714B
🖼bs.png304B
🖼bt.png1KB
🖼bv.png122B
🖼bw.png108B
🖼by.png454B
🖼bz.png1KB
🖼ca.png430B
🖼cc.png618B
🖼cd.png489B
🖼cf.png214B
🖼cg.png196B
🖼ch.png124B
🖼ci.png103B
🖼ck.png803B
🖼cl.png207B
🖼cm.png201B
🖼cn.png265B
🖼co.png103B
🖼cr.png419B
🖼cu.png439B
🖼cv.png385B
🖼cw.png234B
🖼cx.png750B
🖼cy.png445B
🖼cz.png277B
🖼de.png105B
🖼dj.png503B
🖼dk.png139B
🖼dm.png573B
🖼do.png392B
🖼dz.png358B
🖼ec.png1KB
🖼ee.png107B
🖼eg.png286B
🖼eh.png404B
🖼er.png649B
🖼es.png755B
🖼et.png616B
🖼fi.png140B
🖼fj.png1KB
🖼fk.png1KB
🖼fm.png254B
🖼fo.png124B
🖼fr.png104B
🖼ga.png102B
🖼gb-eng.png134B
🖼gb-nir.png745B
🖼gb-sct.png428B
🖼gb-wls.png2KB
🖼gb.png489B
🖼gd.png615B
🖼ge.png311B
🖼gf.png418B
🖼gg.png170B
🖼gh.png228B
🖼gi.png874B
🖼gl.png341B
🖼gm.png131B
🖼gn.png104B
🖼gp.png993B
🖼gq.png547B
🖼gr.png180B
🖼gs.png2KB
🖼gt.png485B
🖼gu.png691B
🖼gw.png226B
🖼gy.png509B
🖼hk.png398B
🖼hm.png571B
🖼hn.png206B
🖼hr.png707B
🖼ht.png466B
🖼hu.png106B
🖼id.png92B
🖼ie.png105B
🖼il.png273B
🖼im.png819B
🖼in.png225B
🖼io.png2KB
🖼iq.png256B
🖼ir.png533B
🖼is.png174B
🖼it.png104B
🖼je.png965B
🖼jm.png351B
🖼jo.png299B
🖼jp.png245B
🖼ke.png523B
🖼kg.png518B
🖼kh.png598B
🖼ki.png1KB
🖼km.png525B
🖼kn.png657B
🖼kp.png360B
🖼kr.png683B
🖼kw.png227B
🖼ky.png1KB
🖼kz.png626B
🖼la.png223B
🖼lb.png361B
🖼lc.png620B
🖼li.png403B
🖼lk.png911B
🖼lr.png277B
🖼ls.png297B
🖼lt.png105B
🖼lu.png105B
🖼lv.png107B
🖼ly.png218B
🖼ma.png219B
🖼mc.png93B
🖼md.png761B
🖼me.png720B
🖼mf.png104B
🖼mg.png105B
🖼mh.png864B
🖼mk.png578B
🖼ml.png103B
🖼mm.png389B
🖼mn.png329B
🖼mo.png440B
🖼mp.png2KB
🖼mq.png656B
🖼mr.png374B
🖼ms.png981B
🖼mt.png209B
🖼mu.png109B
🖼mv.png201B
🖼mw.png315B
🖼mx.png822B
🖼my.png450B
🖼mz.png751B
🖼na.png584B
🖼nc.png664B
🖼ne.png190B
🖼nf.png522B
🖼ng.png97B
🖼ni.png336B
🖼nl.png105B
🖼no.png122B
🖼np.png1KB
🖼nr.png205B
🖼nu.png510B
🖼nz.png608B
🖼om.png291B
🖼pa.png318B
🖼pe.png97B
🖼pf.png816B
🖼pg.png589B
🖼ph.png616B
🖼pk.png355B
🖼pl.png94B
🖼pm.png3KB
🖼pn.png2KB
🖼pr.png456B
🖼ps.png297B
🖼pt.png1KB
🖼pw.png300B
🖼py.png320B
🖼qa.png213B
🖼re.png620B
🖼ro.png103B
🖼rs.png1KB
🖼ru.png105B
🖼rw.png255B
🖼sa.png433B
🖼sb.png574B
🖼sc.png470B
🖼sd.png295B
🖼se.png140B
🖼sg.png306B
🖼sh.png925B
🖼si.png303B
🖼sj.png122B
🖼sk.png454B
🖼sl.png105B
🖼sm.png1KB
🖼sn.png233B
🖼so.png271B
🖼sr.png247B
🖼ss.png475B
🖼st.png351B
🖼sv.png488B
🖼sx.png945B
🖼sy.png237B
🖼sz.png917B
🖼tc.png824B
🖼td.png104B
🖼tf.png377B
🖼tg.png292B
🖼th.png108B
🖼tj.png330B
🖼tk.png606B
🖼tl.png441B
🖼tm.png1KB
🖼tn.png306B
🖼to.png108B
🖼tr.png317B
🖼tt.png667B
🖼tv.png726B
🖼tw.png259B
🖼tz.png382B
🖼ua.png92B
🖼ug.png388B
🖼um.png539B
🖼us.png539B
🖼uy.png574B
🖼uz.png310B
🖼va.png750B
🖼vc.png317B
🖼ve.png268B
🖼vg.png1KB
🖼vi.png2KB
🖼vn.png282B
🖼vu.png662B
🖼wf.png260B
🖼ws.png255B
🖼xk.png453B
🖼ye.png105B
🖼yt.png1KB
🖼za.png387B
🖼zm.png297B
🖼zw.png617B
▾📁fontawesome40KB
📄LICENSE.txt1KB
🖼fontawesome-defs.svg39KB
🖼cloud.png5KB
🖼help16.png215B
🖼icon_128.png3KB
🖼icon_16-loading.png570B
🖼icon_16-off.png552B
🖼icon_16.png420B
🖼icon_32-loading.png1KB
🖼icon_32-off.png1KB
🖼icon_32.png1KB
🖼icon_64-loading.png4KB
🖼icon_64-off.png5KB
🖼icon_64.png3KB
🖼material-design.svg513B
🖼photon.svg4KB
🖼ublock-defs.svg2KB
🖼ublock.svg3KB
▾📁js2.2MB
▾📁codemirror77KB
📜search-thread.js6KB
📜search.js19KB
📜ubo-dynamic-filtering.js8KB
📜ubo-static-filtering.js46KB
▾📁resources261KB
📜attribute.js9KB
📜base.js1KB
📜cookie.js13KB
📜create-html.js5KB
📜href-sanitizer.js6KB
📜json-edit.js34KB
📜json-prune.js10KB
📜localstorage.js8KB
📜noeval.js2KB
📜object-prune.js9KB
📜parse-replace.js2KB
📜prevent-addeventlistener.js6KB
📜prevent-dialog.js2KB
📜prevent-fetch.js6KB
📜prevent-innerHTML.js3KB
📜prevent-settimeout.js8KB
📜proxy-apply.js4KB
📜replace-argument.js5KB
📜run-at.js3KB
📜safe-self.js8KB
📜scriptlets.js86KBlarge
📜set-constant.js10KB
📜shared.js1KB
📜spoof-css.js6KB
📜stack-trace.js5KB
📜utils.js8KB
▾📁scriptlets124KB
📜cosmetic-logger.js11KB
📜cosmetic-off.js1KB
📜cosmetic-on.js1KB
📜cosmetic-report.js4KB
📜dom-inspector.js26KB
📜dom-survey-elements.js2KB
📜dom-survey-scripts.js5KB
📜epicker.js44KB
📜load-3p-css.js2KB
📜load-large-media-all.js2KB
📜load-large-media-interactive.js10KB
📜noscript-spoof.js4KB
📜scriptlet-loglevel-1.js1KB
📜scriptlet-loglevel-2.js1KB
📜should-inject-contentscript.js1KB
📜subscriber.js4KB
📜updater.js4KB
▾📁wasm42KB
📄README.md726B
⚙biditrie.wasm999B
📄biditrie.wat21KB
⚙hntrie.wasm1KB
📄hntrie.wat19KB
📜1p-filters.js12KB
📜3p-filters.js33KB
📜about.js1KB
📜advanced-settings.js6KB
📜arglist-parser.js5KB
📜asset-viewer.js4KB
📜assets.js50KBlarge
📜background.js13KB
📜base64-custom.js5KB
📜benchmarks.js15KB
📜biditrie.js34KB
📜broadcast.js3KB
📜cachestorage.js24KB
📜click2load.js2KB
📜cloud-ui.js7KB
📜code-viewer.js9KB
📜commands.js6KB
📜console.js2KB
📜contentscript-extra.js22KB
📜contentscript.js45KB
📜contextmenu.js9KB
📜cosmetic-filtering.js32KB
📜dashboard-common.js7KB
📜dashboard.js5KB
📜devtools.js12KB
📜diff-updater.js10KB
📜document-blocked.js9KB
📜dom-inspector.js2KB
📜dom.js7KB
📜dyna-rules.js24KB
📜dynamic-net-filtering.js14KB
📜epicker-ui.js29KB
📜fa-icons.js47KB
📜filtering-context.js14KB
📜filtering-engines.js2KB
📜hnswitches.js9KB
📜hntrie.js28KB
📜html-filtering.js13KB
📜httpheader-filtering.js6KB
📜i18n.js13KB
📜is-webrtc-supported.js2KB
📜jsonpath.js19KB
📜logger-ui-inspector.js22KB
📜logger-ui.js101KBlarge
📜logger.js3KB
📜lz4.js6KB
📜messaging.js64KBlarge
📜mrucache.js2KB
📜pagestore.js39KB
📜popup-fenix.js51KBlarge
📜redirect-engine.js17KB
📜redirect-resources.js6KB
📜regex-analyzer.js8KB
📜reverselookup-worker.js12KB
📜reverselookup.js6KB
📜s14e-serializer.js38KB
📜scriptlet-filtering-core.js11KB
📜scriptlet-filtering.js13KB
📜settings.js10KB
📜start.js19KB
📜static-dnr-filtering.js18KB
📜static-ext-filtering-db.js9KB
📜static-ext-filtering.js6KB
📜static-filtering-io.js4KB
📜static-filtering-parser.js164KBlarge
📜static-net-filtering.js189KBlarge
📜storage.js61KBlarge
📜support.js11KB
📜tab.js42KB
📜tasks.js1KB
📜text-encode.js11KB
📜text-utils.js3KB
📜theme.js5KB
📜traffic.js45KB
📜ublock.js21KB
📜uri-utils.js6KB
📜url-net-filtering.js10KB
📜urlskip.js6KB
📜utils.js4KB
📜vapi-background-ext.js9KB
📜vapi-background.js62KBlarge
📜vapi-client.js8KB
📜vapi-common.js9KB
📜vapi.js2KB
📜webext.js8KB
📜whitelist.js8KB
▾📁lib1MB
▾📁codemirror613KB
▾📁addon116KB
▾📁comment9KB
▾📁display5KB
▾📁edit14KB
📜closebrackets.js7KB
📜matchbrackets.js7KB
▾📁fold10KB
📜foldcode.js5KB
🎨foldgutter.css435B
📜foldgutter.js5KB
▾📁hint19KB
🎨show-hint.css623B
📜show-hint.js19KB
▾📁merge40KB
🎨merge.css3KB
📜merge.js37KB
▾📁scroll5KB
▾📁search12KB
🎨matchesonscrollbar.css188B
📜searchcursor.js12KB
▾📁selection2KB
▾📁lib397KB
🎨codemirror.css9KB
📜codemirror.js389KBlarge
▾📁mode95KB
▾📁css39KB
▾📁htmlmixed6KB
▾📁javascript37KB
▾📁xml13KB
▾📁theme2KB
📄LICENSE1KB
📄README.md2KB
▾📁csstree165KB
📄LICENSE1KB
📜css-tree.js164KBlarge
▾📁diff11KB
📄README.md1KB
📜swatinem_diff.js10KB
▾📁hsluv4KB
📄LICENSE1KB
📄README121B
📜hsluv-0.1.0.min.js3KB
▾📁js-beautify103KB
📄LICENSE1KB
📄README143B
📜beautifier.min.js102KBlarge
▾📁lz445KB
📄README.md2KB
📜lz4-block-codec-any.js5KB
📜lz4-block-codec-js.js9KB
📜lz4-block-codec-wasm.js7KB
⚙lz4-block-codec.wasm1KB
📄lz4-block-codec.wat21KB
▾📁publicsuffixlist31KB
▾📁wasm10KB
📄README.md929B
⚙publicsuffixlist.wasm408B
📄publicsuffixlist.wat9KB
📜publicsuffixlist.js21KB
▾📁regexanalyzer71KB
📄CHANGES.md342B
📄README.md411B
📜regex.js70KBlarge
📜punycode.js13KB
▾📁web_accessible_resources77KB
🖼1x1.gif43B
🖼2x2.png68B
🖼32x32.png83B
🖼3x2.png68B
📄README.txt507B
📜adthrive_abd.js139B
📜amazon_ads.js2KB
📜amazon_apstag.js2KB
📜ampproject_v0.js1KB
📜chartbeat.js1KB
🌐click2load.html960B
🌐dom-inspector.html536B
📜doubleclick_instream_ad_status.js29B
📄empty0B
🌐epicker-ui.html3KB
📜fingerprint2.js2KB
📜fingerprint3.js1KB
📜google-analytics_analytics.js4KB
📜google-analytics_cx_api.js1KB
📜google-analytics_ga.js5KB
📜google-analytics_inpage_linkid.js1004B
📜google-ima.js15KB
📜googlesyndication_adsbygoogle.js4KB
📜googletagmanager_gtm.js1KB
📜googletagservices_gpt.js5KB
📜hd-main.js2KB
📜nitropay_ads.js1KB
📜nobab.js3KB
📜nobab2.js1KB
📜noeval-silent.js1KB
📜noeval.js1KB
📜nofab.js3KB
📄noop-0.1s.mp3813B
📄noop-0.5s.mp32KB
📄noop-1s.mp44KB
📄noop-vast2.xml28B
📄noop-vast3.xml28B
📄noop-vast4.xml28B
📄noop-vmap1.xml86B
🎨noop.css6B
🌐noop.html82B
📜noop.js38B
{}noop.json2B
📄noop.txt1B
📜outbrain-widget.js2KB
📜popads-dummy.js1KB
📜popads.js2KB
📜prebid-ads.js990B
📜scorecardresearch_beacon.js1KB
📜sensors-analytics.js1KB
🌐1p-filters.html4KB
🌐3p-filters.html7KB
📄LICENSE.txt34KB
🌐about.html5KB
🌐advanced-settings.html2KB
🌐asset-viewer.html2KB
🌐background.html269B
🌐blank.html245B
🌐cloud-ui.html1KB
🌐code-viewer.html2KB
🌐dashboard.html3KB
🌐devtools.html3KB
🌐document-blocked.html3KB
🌐dyna-rules.html4KB
🌐is-webrtc-supported.html169B
🌐logger-ui.html16KB
{}managed_storage.json2KB
{}manifest.json3KB
🌐no-dashboard.html901B
🌐popup-fenix.html9KB
🌐settings.html10KB
🌐support.html6KB
🌐whitelist.html3KB
What This Extension Does
uBlock Origin is a content blocker that efficiently blocks ads, tracking, and online malicious URLs. It's designed for users who want to protect their privacy while browsing the web. With over 15 million users, it's one of the most popular Chrome extensions.
Permissions Explained
- alarmsexpected: Allows uBlock Origin to schedule notifications and reminders.
Technical: Accesses Chrome's alarm API, enabling scheduled events and notifications. Potential attack surface: unauthorized access to user's calendar or scheduling data. - contextMenusexpected: Enables uBlock Origin to create custom context menu items for users.
Technical: Accesses Chrome's context menus API, allowing extension to inject custom menu items. Potential attack surface: unauthorized access to user's browsing history or bookmarks. - privacyexpected: Allows uBlock Origin to access and modify user's browsing data, including cookies and local storage.
Technical: Accesses Chrome's privacy API, enabling extension to read and write user's browsing data. Potential attack surface: unauthorized access or modification of sensitive user data. ⚠ 1 - storageexpected: Enables uBlock Origin to store and retrieve data locally on the user's device.
Technical: Accesses Chrome's storage API, allowing extension to read and write local storage. Potential attack surface: unauthorized access or modification of sensitive user data. - tabsexpected: Allows uBlock Origin to interact with open tabs and windows.
Technical: Accesses Chrome's tabs API, enabling extension to read and modify tab state. Potential attack surface: unauthorized access or modification of user's browsing history. - <all_urls>check this: Enables uBlock Origin to access all websites, including those with HTTPS encryption.
Technical: Accesses Chrome's <all_urls> permission, allowing extension to read and modify any website's content. Potential attack surface: unauthorized access or modification of sensitive user data. ⚠ 1 - webNavigationexpected: Allows uBlock Origin to intercept and modify web requests.
Technical: Accesses Chrome's webNavigation API, enabling extension to read and modify web requests. Potential attack surface: unauthorized access or modification of user's browsing data. - webRequestexpected: Enables uBlock Origin to intercept and modify web requests.
Technical: Accesses Chrome's webRequest API, allowing extension to read and modify web requests. Potential attack surface: unauthorized access or modification of user's browsing data. - webRequestBlockingexpected: Allows uBlock Origin to block web requests.
Technical: Accesses Chrome's webRequestBlocking API, enabling extension to block web requests. Potential attack surface: unauthorized blocking of legitimate websites or services. - unlimitedStoragecheck this: Enables uBlock Origin to store an unlimited amount of data locally on the user's device.
Technical: Accesses Chrome's unlimited storage permission, allowing extension to store large amounts of data. Potential attack surface: unauthorized access or modification of sensitive user data. ⚠ 1
Your Data
uBlock Origin accesses and stores user browsing data, including cookies and local storage. It also sends data to various domains, including GitHub and Crowdin.
Technical Details
domains
- github.com
- www.gnu.org
- developer.mozilla.org
- www.reddit.com
- codemirror.net
- bugzilla.mozilla.org
- www.cse.yorku.ca
- www.w3.org
- en.wikipedia.org
- bugs.chromium.org
- stackoverflow.com
- searchfox.org
data_types
- cookies
- tokens
- keystrokes
- page content
Code Findings
uBlock Origin uses eval(), which can execute arbitrary code. This may pose a risk if the extension is compromised or contains malicious code.
Technical: The eval() function is used in various JavaScript files, including uBlockOrigin.js and uBlockOrigin.contentScript.js. Potential attack surface: unauthorized execution of malicious code.
💡 Eval() can be used for legitimate purposes, such as dynamic code evaluation or debugging.
uBlock Origin dynamically imports JavaScript files, which may pose a risk if the extension is compromised or contains malicious code.
Technical: The extension uses dynamic import statements to load JavaScript files. Potential attack surface: unauthorized access to sensitive user data.
💡 Dynamic importing can be used for legitimate purposes, such as loading dependencies or modules.
uBlock Origin uses String.fromCharCode() and charCodeAt(), which may indicate obfuscation or code protection.
Technical: The extension uses these functions in various JavaScript files, including uBlockOrigin.js and uBlockOrigin.contentScript.js. Potential attack surface: unauthorized access to sensitive user data.
💡 These functions can be used for legitimate purposes, such as encoding or decoding strings.
uBlock Origin makes XMLHttpRequests to various domains, which may pose a risk if the extension is compromised or contains malicious code.
Technical: The extension uses the Fetch API and XMLHttpRequest objects to make requests to various domains. Potential attack surface: unauthorized access to sensitive user data.
💡 XHR requests can be used for legitimate purposes, such as loading resources or making API calls.
uBlock Origin creates script elements dynamically, which may pose a risk if the extension is compromised or contains malicious code.
Technical: The extension uses document.createElement() to create script elements. Potential attack surface: unauthorized execution of malicious code.
💡 Dynamic creation of script elements can be used for legitimate purposes, such as loading dependencies or modules.
uBlock Origin captures keystrokes, which may pose a significant risk to user privacy and security.
Technical: The extension uses keyboard event listeners to capture keystrokes. Potential attack surface: unauthorized access to sensitive user data.
💡 Keystroke capturing can be used for legitimate purposes, such as password management or form filling.
uBlock Origin has broad host permissions, which may pose a significant risk to user privacy and security.
Technical: The extension has the <all_urls> permission, allowing it to access all websites. Potential attack surface: unauthorized access or modification of sensitive user data.
💡 Broad host permissions can be used for legitimate purposes, such as content blocking or ad filtering.
Bottom Line
uBlock Origin is a popular and widely-used content blocker that efficiently blocks ads, tracking, and online malicious URLs. However, it has some concerning findings, including the use of eval(), dynamic JS import, and broad host permissions. Users should exercise caution when installing this extension and regularly review its behavior to ensure it aligns with their expectations.
