uBlock allows you to block websocket requests, e.g.
*$websocket
will block all websocket connections. You probably want to operate on a whitelist on a site-by-site basis. Blocking localhost or 127.0.0.1 isn't reliable because sites can use DNS rebinding attacks to bypass your filters.
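The DNS rebinding point above, as an added example that is not part of the original comment and is not uBlock Origin's matching code: a rule keyed on the names localhost / 127.0.0.1 is compared with a check on the address a name actually maps to. The hostnames, DNS answers and function names are constructed for illustration.

```python
import ipaddress

# Constructed DNS answers (sample data, not from the thread). The rebinding
# name answers with a public address first and a loopback address later.
CONSTRUCTED_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "site.example": ["203.0.113.10"],
    "rebind.example": ["203.0.113.10", "127.0.0.1"],
    "mapped.example": ["::ffff:127.0.0.1"],
}
BLOCKED_NAMES = {"localhost", "127.0.0.1", "[::1]"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def name_rule_blocks(host):
    """What a rule keyed on the literal names localhost / 127.0.0.1 sees."""
    return host.lower().rstrip(".") in BLOCKED_NAMES


def is_local_address(text):
    """True when the destination is loopback, private or link-local."""
    addr = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so the IPv4 ranges apply to mapped addresses.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LOCAL_NETS)


def address_rule_blocks(host, resolve):
    """Block when the literal address, or any address the name maps to, is local."""
    try:
        return is_local_address(host.strip("[]"))
    except ValueError:
        answers = resolve(host)  # not an IP literal: look at the DNS answers
    # Fail closed: a name with no answers is not assumed to be safe.
    return not answers or any(is_local_address(a) for a in answers)


def audit(hosts, resolve=lambda h: CONSTRUCTED_DNS.get(h, [])):
    """Return {host: (name_rule_blocks, address_rule_blocks)}."""
    return {h: (name_rule_blocks(h), address_rule_blocks(h, resolve)) for h in hosts}


if __name__ == "__main__":
    for host, verdict in audit(list(CONSTRUCTED_DNS) + ["127.0.0.1"]).items():
        print(f"{host:16} name rule: {verdict[0]!s:5} address rule: {verdict[1]}")
```

The name rule passes `rebind.example` and `mapped.example` because neither string is on the list, while the address check catches both.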
uBlock Origin says it supports ABP filter rules, which allow for whitelisting sites, which seems like it should allow something approximating:
~site.com$websocket
*,~site.com$websocket
However, this seems like it's invalid syntax, because switching your example to this opens all websocket use back up (tested via https://websocketstest.com/).
Thanks for the information and all that you do. I had found the linked section from UBO to https://help.eyeo.com/en/adblockplus/how-to-write-filters#el... and assumed that *$websocket was <all_domains><separator><rule>, similar to how other filters seem to work, but I haven't delved too deeply into the rule syntax. Appreciate the correction.
Was thinking the same, maybe creating a service account for the browsers (I believe they do need some level of elevation), but then using the firewall rules, disabling everything except HTTP/S ports. Websockets and others might be an issue, and might need to be updated on an ad hoc basis though, and that shouldn't be the responsibility of the users.
I do this by running my browser in its own network namespace, with NAT to the outside world. A couple more firewall rules explicitly add forwarding for specific localhost ports.
Specifically, websockets are blocked by the "XHR" component on the popup panel, which also blocks XmlRPC and the Fetch API. As a rule, you could block all XHR requests everywhere with:
* * xhr block
What I actually do is block everything but first-party requests, apart from CSS and images:
I actually allow XHR on third-party requests once I have enabled third-party requests, which makes it possible to "enable" a bunch of sites with two clicks (popup panel, then click on "all").