Cookie consent banners are the worst thing about the modern web. Crumb makes them go away.
It's a Firefox port of the Hush philosophy — same source-of-truth, same declarative approach, same trust model. Tiny, open, and built for people who trust extensions less the more they do.
The original was acquired by Avast, now owned by Gen Digital — the same conglomerate behind Avast, AVG, and Norton, with a documented history of harvesting user data and selling it. It hasn't shipped a meaningful update in two years and recent reviews say it no longer blocks reliably.
Crumb is built today against a fresh upstream snapshot, has no parent company, no telemetry, no remote configuration, and the entire build pipeline is on GitHub under MIT. If you don't trust the binary, read the source, refresh the filter list yourself, and rebuild from it.
| Crumb | Hush | |
|---|---|---|
| No auto-clicking, no scripted UI interaction | ✅ | ✅ |
| Zero telemetry, zero remote calls | ✅ | ✅ |
| Open source, MIT | ✅ | ✅ |
| Bundled Fanboy's Cookie Monster + curated overlay | ✅ | ✅ |
| Minimal, event-driven runtime | ✅ | ✅ |
| Platform | Firefox | Safari |
Or load it manually from source — see Build below.
Three filter outputs are generated from source lists at build time:
extension/data/dnr-rules.json— adeclarativeNetRequeststatic ruleset that blocks consent-management scripts at the network layer.extension/data/generic.css— element-hide rules with no domain scope, injected on every page viacontent_scripts.extension/data/cosmetic.js— a{ hostname: "selectors" }lookup table consumed by the content script.
The runtime is intentionally small and event-driven:
- Content script (
inject.js) — walks parent domains of the current host, inserts a single<style>atdocument_start, and once it confirms a banner was hidden, restoresbody { overflow }so the page can scroll past common scroll-lock tricks. - Background script (
background.js) — a per-tab message router for the toolbar badge. No timers, no polling, no remote calls. - Popup (
popup.html) — a read-only status panel showing version, current site, whether a per-host or generic rule fired, the number of elements hidden, and two links. No toggles, no options, no settings to misconfigure.
Source-of-truth lives in data/ and follows the same layout as Hush:
| File | Purpose |
|---|---|
data/vendor/fanboy-cookiemonster.txt |
Pinned snapshot of Fanboy's Cookie Monster |
data/generic.txt |
Element-hide rules with no domain scope |
data/site-specific.txt |
Per-domain element-hide and network rules |
data/third-party.txt |
Cross-site network blocks |
data/ignored.txt |
Subtractive — lines here are stripped from sources before parsing |
npm install
npm run fetch # refresh the Fanboy snapshot from upstream
npm run build # writes extension/data/{dnr-rules.json,generic.css,cosmetic.js}
npm run dev # web-ext run — launches Firefox with the extension loaded
npm run test # parser unit tests
npm run lint # web-ext lint
npm run package # minified build + zipped artifact in web-ext-artifacts/Open an issue with the URL and, if you can, a CSS selector for the banner element (right-click → Inspect). Most fixes are a one-line addition to data/site-specific.txt.
- Filter list strategy and curated overlay structure are adapted from Hush by Joel Arvidsson (MIT).
- Fanboy's Cookie Monster by Ryan Brown (CC BY 3.0).
MIT — see LICENSE.