There's one big prob with ExExceptions - the description is wrong, very misleading:
"You can specify which websites are allowed to load various objects."
Not true.
Perhaps the original author didn't know it better, but actually I don't know a better wording either, which doesn't sound just as confusing
But from this line every user will wrongly believe that the specified domains were about those in the URLBAR, defining "top-down" what this domain is allowed to load or not. But in reality it's Mozilla's fault, in their infinite wisdom they have it all backwards - their exception system works bottom-up: not the target-domain in the urlbar is the specified one, but the source-domain of every single page element! If a domain is blacklisted (blocked), it means that elements FROM this domain are blocked on all websites. If a domain is whitelisted (allow), it means elements FROM this domain are allowed on all websites too, not just on their own.
Exceptions are not meant "for" a target domain, but "from" which source domain page elements come.
That's not ExExceptions fault, this addon is merely an easier GUI to fill Mozilla's permissions.sqlite file, the blocking itself is done by the native engine.
That sounds all very confusing, but everyone can do this
simple little test:
Block images for "kmeleonbrowser.org", then reload this forum page...
Oops - of course I mean "from" kmeleonbrowser.org!!
Now look at the green bar: the KM-logo and the flags are hosted on "kmeleonbrowser" - those are blocked. But the 2 sourceforge icons are still showing - those images are loaded "from" sourceforge.net!
Or allow youtube.com only site frames (subdocument=3): that does not mean that "on" youtube 3rd party iFrames were blocked. They are not. Instead it means, that no other websites are allowed to embed iframes "from" youtube.
That said, at least Mozilla's
DEFAULT permissions work as one expects naturally.
For those the domain of the current page matters. A little self-test:
permissions.default.image = 3 (same domain)
Reload the forum and look at the green bar - now the 2 images loaded from sourceforge are blocked!
But there's yet another unexpected complication:
iFrames!
permissions.default.subdocument = 1,2,3
As far as I know frames are little websites inside other websites. Regarding permissions, that probably means they are fully independant? If a user isn't aware that half the page he views is in reality another website, that can produce confusing blocking behaviour too...
My personal css userstyle is set to mark all iframes with a dotted light blue line, very handy, even more so because I have all 3rd party iframes blocked by default (reduces all that FB&Co tracking everywhere!) If anyone wants that marking too:
iframe { border: dotted 2px cyan ! important; }