Xombrero: A Minimalist Browser with Focus on Security

Xombrero, as it describes itself in its website, is a “minimalist Web browser with sophisticated security features designed-in,” and that just about sums it up. Unlike many minimalist browsers, such as Qutebrowser and Luakit, it actually has a familiar interface that allows users who are used to Firefox and the like to jump right in. For those who are looking for a lightweight keyboard-based browser, Xombrero is one interesting alternative you can check out.

According to its developer, Xombrero is built with the idea that the user should be in charge of making decisions about security. It tackles both cookies and scripting issues by providing both persistent and per-session controls for scripts and cookies, making it easy to thwart tracking and scripting attacks. In short, it doesn’t allow cookie and javascript by default, and you have to whitelist the trusted sites to allow per-session cookies and javascripts from those sites.

If secure and familiar isn’t enough, it’s also fast. This could be due to the fact that no javascripts are allowed by default, and that improves sites loading speeds.

Installation is simple enough. Many distributions have Xombrero ready to download straight from repository or package manager, including Ubuntu:

sudo apt-get install xombrero

Those who are proficient enough can grab the source code and compile it themselves, including options for OS X and FreeBSD.

Another great feature, like many other minimalist Web browsers, is the ability to browse the Net solely with the keyboard with Vim-like commands. No mouse required!

However, Xombrero does use different default shortcuts compared to favorite Firefox and Chrome add-ons such as Pentadactyl and Vimperator. For example, instead of a capital “H” to go back a page, the default shortcut is “Backspace.” This, of course, can be changed with custom shortcuts.

As amazing as minimalism can be, this does come with the usual text-only configuration which may turn some users off. Fortunately, they have an amazing man page which can be accessed in a browser by typing in :help.



Xombrero doesn’t allow cookies or javascript unless explicitly allowed. Thankfully this is simple to deal with. After navigating to a trusted website, type: :cookie save to allow cookies from that site or :js save to allow scripting.


Searching is done the same way as it is in Vim.  Press the “/” key, type in a search term and press Enter. All of the words that match the search term should be highlighted. Simply press “n” to search forward and “N” (note the capital) to search back. This will help immensely when searching the help page.

It also has a nifty contrast swap feature which can be used as a night mode by pressing “s.”


Saving browser session

To save a browsing session on exit, simply type “:wq” and Xombrero will save and close the current session. There are configuration options to make this happen automatically when closing the browser. This may sound like a broken record, but check the help file. There are a ton of amazing things that can be done with sessions.

Now for the fun part. To create a configuration file, open up a text editor and save as “xombrero.conf” in the home directory.

Many of the settings found in :help can be written here and set equal to either “1” (enable) or “0” (disable). To automatically save the current session on exit and enable whitelists, this is all that is needed in the config file:

session_autosave = 1
browser_mode = whitelist

Save the file, restart the browser, and from now on all the tabs will be remembered when Xombrero is closed. Even in the event of a power failure. Okay, maybe it’s not that fun, but here’s something that is – Scripts!

In some distributions, such as Void Linux, Xombrero may not be able to view YouTube out of the box. Thanks to the folks who work over at the Gentoo Wiki, we have a solution.

First create a file; let’s save it in the home directory and call it “youtube_watch.sh” with these contents:

mpv -vo x11 -fs `youtube-dl --skip-download -g $1`

Note: mplayer may also be used (just replace “mpv” with “mplayer”), but most users will find “mpv” easier thanks to the default GUI controls.

Open a terminal to change the permissions on the script we just created.

chmod 744 ~/youtube_watch.sh

Next let’s open that “xombrero.conf” back up and add these lines:

cmd_alias = yt,run_script ~/youtube_watch.sh
keybinding = yt,y

The first line of the code ties the alias “yt” to the script, so you can simply type :yt to activate the script. The second line allows us to simply press “y” to call it.

Let’s make sure mpv and youtube-dl are installed.  These should be available in most package repositories, but for Ubuntu:

sudo apt-get install mpv youtube-dl

Navigate to a YouTube video page, press “y” and the video should stream directly to mpv. Fantastic! Even playlists work. It also wouldn’t be that far-fetched to modify the script to download videos instead of simply streaming them for later offline viewing.  Keep in mind that this is just messing with “youtube-dl;” just imagine the scripting possibilities.

Keep in mind that Xombrero does target advanced users, but for someone who wants a fast, minimalist and secure Web browser that’s easy to get the hang of, Xombrero is a great alternative to the mainstream options.

With its plethora of customization options and vim-like command concept, this is a great opportunity for anyone who wants to enter the world of keyboard-driven Web browsing without being chucked into the deep end.

While there are many minimalist browsers to choose from, Xombrero is the only one that has sane enough defaults for anyone to jump right in.

Ever use Xombrero before? Checking it out right now? Let us know what you think about it in the comments below!

Leave a Reply

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.