How to Configure uBlock Origin: Beyond the Defaults

The default uBlock Origin install blocks ads. That's it. Install, forget, enjoy a cleaner web. For most people, that's fine.

For privacy, it's not enough.

The defaults leave third-party analytics running, social tracking pixels loading, and URL-embedded tracking parameters intact. uBO is capable of blocking all of that — but none of it happens automatically. This guide covers the specific configuration changes that actually matter: which filter lists to add, how medium mode works, and how to use the dynamic filtering panel without breaking your browser.

One prerequisite before anything else: you need the right extension.

Note for Chrome (Chromium) Users

In mid-2024, Google completed the transition to Manifest V3 for consumer Chrome users. The enterprise deadline followed in June 2025. The practical result: full uBlock Origin (MV2) is gone from the Chrome Web Store. Raymond Hill's explanation of what this means is worth reading in full, but the short version is that Chrome's declarativeNetRequest API — the MV3 replacement for webRequest — can't support the kind of dynamic, rule-based blocking that makes uBO effective.

uBlock Origin Lite (uBOL) exists as a separate MV3 project. Hill maintains it, but he's explicit: it's a different product, not uBO ported to MV3. No dynamic filtering. Significantly weaker tracker blocking. No scriptlet injection, which means certain cosmetic and anti-circumvention features simply don't work.

Hill's recommendation: use Firefox. So does Privacy Guides. So does this post, implicitly.

Firefox, Brave, and Edge all support the full MV2 extension. If you're on Chrome and serious about privacy, the honest advice is to switch. The rest of this guide assumes you're running Firefox.

uBlock vs. uBlock Origin — They're Not the Same Extension

Search for "uBlock" in any extension store and you'll see both. They are entirely different products.

"uBlock" (ublock.org) was acquired by AdBlock in July 2018 and joined the "Acceptable Ads" program in 2019. That means certain advertisers pay to have their ads whitelisted. It is not a privacy tool.

uBlock Origin has zero revenue relationships with advertisers. Everything that matches a filter rule gets blocked, full stop. Always install "uBlock Origin" by Raymond Hill — the author name is the only reliable disambiguator. On Firefox: addons.mozilla.org/en-US/firefox/addon/ublock-origin/.

Filter Lists: Keep the Defaults, Add Four More

uBO ships with a solid default set: uBlock Filters (and its sub-suites), EasyList, EasyPrivacy, Peter Lowe's list, and the Online Malicious URL Blocklist. Don't disable any of these.

Privacy Guides recommends four additions that cover ground the defaults don't:

AdGuard URL Tracking Protection (under the Privacy category) — strips tracking parameters from URLs. The ?utm_source=newsletter&fbclid=... strings you see appended to links? Those are tracking tokens. This list removes them before the request goes out.

Actually Legitimate URL Shortener Tool — resolves short URLs and strips embedded trackers from the destination. Useful if you ever click bit.ly or similar links.

EasyList Cookie / uBlock Annoyances — cookie consent banners. These are worth blocking on privacy grounds, not just aesthetic ones: the banner interaction is itself a data collection surface, and many "reject all" flows are deliberately designed to fail or route through additional consent layers.

Block Outside Intrusion into LAN — prevents malicious web pages from probing your local network. Blocks requests from external sites to RFC 1918 addresses (192.168.x.x, 10.x.x.x, etc.). A narrow but real attack vector.

A note from Privacy Guides worth taking seriously: more lists mean more attack surface. A malformed or malicious filter rule can be exploited, and more rules mean more breakage. The four additions above are the evidence-based minimum. Resist the urge to load twenty lists.

Medium Mode: Where It Gets Interesting

This is the setting most uBO guides skip, and it's the one that actually changes your threat model.

First, go to uBO Settings and check "I am an advanced user." This unlocks the dynamic filtering panel — without it, medium mode doesn't exist as a UI concept.

Then open the "My Rules" tab and add these two lines:

* * 3p-script block
* * 3p-frame block

Save and apply.

What just happened: every third-party JavaScript file is now blocked globally. Every third-party iframe too. Third-party images and CSS still load, so most pages will look roughly normal — but the analytics scripts, ad delivery code, Meta pixels, and social tracking iframes won't run.

The uBO wiki page on medium mode describes it as functionally similar to NoScript for third-party scripts. That's accurate. It's aggressive.

Sites will break. This is not a bug. It's the trade-off you're accepting.

The workflow: when something breaks, open the dynamic filtering panel (the ">>" button in the uBO popup), find the offending domain, and set a local noop rule for 3p-script on that site. Click the padlock to make it permanent. The next time you visit, it works. Over a few weeks, you build a personal whitelist of domains where you've chosen to relax the rules — and everywhere else stays locked down by default.

The Dynamic Filtering Panel: Color Coding and the Noop/Allow Distinction

The panel opens via the ">>" button in the uBO popup (only visible in advanced user mode). Three columns: resource type or domain name, global rules, local (per-site) rules.

Color coding is straightforward:

• Red — blocked
• Green — allowed
• Yellow — mixed (some sub-resources blocked, some allowed)
• Grey — no dynamic rule active; static filter lists are deciding

The rule types are where people make mistakes.

Noop (grey with no indicator in the panel) passes dynamic filtering for that resource — but static filter rules still apply. It also preserves scriptlet injection. This is the correct choice when you're fixing breakage. It says "don't block this via dynamic rules," not "allow everything from this domain."

Allow (green) overrides everything. Static filters, dynamic filters, scriptlet injection — all bypassed. If you click Allow on a domain to fix a broken page, you may have just re-enabled the tracker you were trying to block. The dynamic filtering guide is clear about this distinction; most users discover it the hard way.

When troubleshooting: reach for Noop first, always. Allow is for situations where you have deliberately decided to trust a domain fully.

Rules are session-temporary by default. Click the padlock to persist the current set. Ctrl+click an individual rule to persist just that one.

CNAME Uncloaking (Firefox Only)

One Firefox-specific feature worth knowing about: CNAME uncloaking. Some tracking services hide behind first-party subdomains using DNS CNAME records — the request looks like it's going to metrics.yoursite.com but actually resolves to a tracker's infrastructure. uBO uses Firefox's browser.dns.resolve() API to detect and block these. This API doesn't exist in Chrome.

It's one more concrete reason the Firefox + uBO combination is more capable than anything available on Chromium. If you want a full picture of what Firefox can do for privacy beyond extension choices, the Firefox hardening guide covers the browser-level settings that complement uBO's work.

Where This Fits

uBO with medium mode active is the most effective content blocker configuration you can run without breaking into custom proxy setups or DNS-level blocking. It addresses a lot of what browser fingerprinting defenses alone can't — fingerprinting techniques often rely on scripts that medium mode simply doesn't let execute.

The extension slot in your browser is also an attack surface. If you've never thought through which extensions you actually trust and why, the zero-trust playbook for browser extensions is worth reading alongside this one. uBO is the rare case where the extension you're adding actively reduces exposure rather than expanding it — but the habit of auditing what else is running matters.

Medium mode will cost you some friction in the first few weeks. That's real. After that, it runs quietly, and the whitelist you've built reflects actual decisions you've made rather than whatever defaults shipped with the extension.