
I can second this. Recently migrated from NoScript to uMatrix. I was finally confident enough to put NoScript to "globally allow all" mode this week and use uMatrix alone for controlling scripting permissions. (After reading this, I disabled NoScript altogether.)

uMatrix allows more fine-grained control than NoScript. It's basically based on three contexts (scopes): host, domain and global, but my experience is I only ever use the global and domain scopes. I would recommend starting by globally white-listing the popular CDNs (so scripts on all sites delivered e.g. through Google's CDN are always executed and <script> snippets to integrate Google widgets work).

Then, for a majority of trusted sites it's enough to just white-list the local domain (allow executing scripts from example.com when you are visiting example.com sites). Scripts included on foobar.org from example.com still remain blocked – this is the crucial difference between global and local scopes that NoScript doesn't lend to.

I would recommend always allowing XHR and iframes in the site-local scope. IIRC this is not in the default config but since XHR anyway requires scripting you can then easily control both XHR / scripting by just white-listing the site for scripting. So this is my uMatrix base configuration currently and a good starting point for migrating from NoScript:

  * * * block
  * * css allow
  * * image allow
  * 1st-party cookie allow
  * 1st-party frame allow
  * 1st-party xhr allow

I.e. CSS / images allowed from all sources (except those blocked explicitly). Cookies, frames and XHR allowed from the same site you are currently visiting. Only scripting must be allowed per-site, just like with NoScript.
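The scope behaviour described in the comment above, as an added example that is not part of the original comment and is not uMatrix's own code: a simplified rule lookup over the comment's base configuration. The precedence order (destination, then type, then scope), the two-label domain matching, the two extra script rules and the hostname `cdn.example.net` are assumptions made for illustration.

```javascript
// Simplified model of a uMatrix-style lookup over "scope destination type action"
// rules. Assumption: the matching rule with the most specific destination,
// then type, then scope wins; real uMatrix precedence has more cases.
const BASE_RULES = [
  '* * * block',
  '* * css allow',
  '* * image allow',
  '* 1st-party cookie allow',
  '* 1st-party frame allow',
  '* 1st-party xhr allow',
];

const within = (host, domain) => host === domain || host.endsWith('.' + domain);
// Naive registrable domain (last two labels); real matching needs the Public Suffix List.
const baseDomain = (host) => host.split('.').slice(-2).join('.');

// Score of one rule for one request, or -1 when the rule does not apply.
function score(rule, pageHost, destHost, type) {
  const [scope, dest, ruleType] = rule.split(/\s+/);
  let s = 0;
  if (scope !== '*') { if (!within(pageHost, scope)) return -1; s += 1; }
  if (ruleType !== '*') { if (ruleType !== type) return -1; s += 2; }
  if (dest === '1st-party') {
    if (baseDomain(pageHost) !== baseDomain(destHost)) return -1;
    s += 4;
  } else if (dest !== '*') {
    if (!within(destHost, dest)) return -1;
    s += 8;
  }
  return s;
}

// Action of the best-scoring rule; blocks when nothing matches.
function decide(rules, pageHost, destHost, type) {
  let best = { s: -1, action: 'block' };
  for (const rule of rules) {
    const s = score(rule, pageHost, destHost, type);
    if (s > best.s) best = { s, action: rule.split(/\s+/)[3] };
  }
  return best.action;
}

// Constructed additions: one domain-scoped and one globally scoped script rule.
const RULES = BASE_RULES.concat([
  'example.com example.com script allow',
  '* cdn.example.net script allow', // hypothetical CDN hostname
]);

console.log(decide(RULES, 'example.com', 'example.com', 'script')); // allow
console.log(decide(RULES, 'foobar.org', 'example.com', 'script'));  // block
```
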


