Is uBlock Origin safe to use?

uBlock Origin has a risk level of CRITICAL with an overall risk score of 9.1/10. Our scan detected 95 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does uBlock Origin request?

uBlock Origin requests the following permissions: alarms, contextMenus, privacy, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, . It also requests host access to: , http://*/*, https://*/*, https://easylist.to/*, https://*.fanboy.co.nz/*, https://filterlists.com/*, https://forums.lanik.us/*, https://github.com/*, https://*.github.io/*, https://github.com/uBlockOrigin/*, https://ublockorigin.github.io/*, https://*.reddit.com/r/uBlockOrigin/*.

What is uBlock Origin's risk score?

uBlock Origin has an overall risk score of 9.1/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 1.0/10.

ExtSafe

uBlock OriginSecurity Analysis

Chromev1.69.0MV2February 16, 2026 at 12:36 PM

9.1CRITICAL

9.1 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 22 permissions including high-risk ones, 78 code findings, 3 dangerous combinations.

Dangerous Combinations(3)

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

1.0/10

Permissions(21 analyzed)

Code Findings(17 patterns, 78 total)

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(0 findings)

Resolved from __MSG_* i18n placeholders:

Description: Finally, an efficient blocker. Easy on CPU and memory.

No manifest-level concerns found.

External Domains(69)

$domain=...${fakehostname${hn${s${targetframehostname*adguard.combehind-the-scenebugs.chromium.orgbugzilla.mozilla.orgcdn.cliqz.comcode.google.comcodemirror.netcrowdin.comcs.chromium.orgdatatracker.ietf.orgdevelopers.google.comdocs.python.orgdom.spec.whatwg.orgen.wikipedia.orgflagpedia.netfontawesome.comforums.lanik.usgist.github.comgithub.comgoessner.netgorhill.github.iogroups.google.comhtml.spec.whatwg.orgissues.chromium.orgjakearchibald.comjsperf.comlz4.github.iomarijnhaverbeke.nlmathiasbynens.bemozilla.orgmths.bepages.cloudflare.compages.github.comphp.netpublicsuffix.orgraymondhill.netsearchfox.orgstackoverflow.comstatically.iosubscribe.adblockplus.orgtools.ietf.orgtwiki.orgublock0.invalidublockorigin.github.iounicode.orgw3c.github.ioweb.archive.orgwhotracks.mewww.apache.orgwww.chromium.orgwww.cpubenchmark.netwww.cse.yorku.cawww.davidkrmela.comwww.example.orgwww.gnu.orgwww.javascriptkit.comwww.jsdelivr.comwww.mathertel.dewww.mozilla.orgwww.opensource.orgwww.reddit.comwww.unicode.orgwww.upsieutoc.com