[Ext] RequestPolicy 0.5: control over cross-site requests

Announce and Discuss the Latest Theme and Extension Releases.
Locked
User avatar
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am
Contact:

[Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

RequestPolicy - An extension that gives you control over which cross-site requests are allowed.

Improve the privacy of your browsing by not letting other sites know your browsing habits. Secure yourself from Cross-Site Request Forgery (CSRF), Clickjacking, and other attacks.

RequestPolicy works with Firefox 3+, SeaMonkey 2.0, Flock 2.0, Songbird 1+, and Fennec 1.0a2.

Get it from AMO

Learn more about RequestPolicy

Let me know your feature requests, suggestions, complaints, enthusiasm, and bug reports! Thanks!


See the old thread for version 0.4

New in 0.5.0:
  • Added preference for setting domain strictness (registered domain, full domain, or protocol + domain + port)
Justin Samuel @jstnsml
RequestPolicy: be in control of cross-site requests. Increase the privacy of your browsing and secure yourself from CSRF and other attacks. @RequestPolicy
Some Person
Posts: 20
Joined: June 7th, 2008, 11:46 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Some Person »

Justin, this sounds like a very fine addition. Is there any chance that it can be made compatible with Fx 2.0.0.20, for those of us who find 3.x distasteful?

Regards,
Some Person
User avatar
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am
Contact:

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Some Person wrote:Justin, this sounds like a very fine addition. Is there any chance that it can be made compatible with Fx 2.0.0.20, for those of us who find 3.x distasteful?

Thanks. There are a few things I know are Fx 3 specific. For example, the use of modules and some event listeners that probably would need to be changed. Those aren't very hard things to change, but it would take a little time.

For the moment, my interest is in adding some of the missing features and then I'll come back to considering Fx 2. My guess, though, is that by the time RequestPolicy is feature complete, the Fx 2 users will be a pretty small number, especially the percentage that use addons.

Plus, people with security in mind probably shouldn't be using Fx 2 because as of a few weeks ago there will be no more security updates for it. I see you are running the (supposedly) final version, but at some point in the next few months there may start to be security issues that aren't fixed and, even if you prefer Fx 2, you'll have to make a decision regarding security and what browser to use.
Justin Samuel @jstnsml
RequestPolicy: be in control of cross-site requests. Increase the privacy of your browsing and secure yourself from CSRF and other attacks. @RequestPolicy
Some Person
Posts: 20
Joined: June 7th, 2008, 11:46 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Some Person »

Justin, thanks for your reply. Threads elsewhere on this site indicate that there is some significant resistance to 3.x, and that those objections will not be accommodated completely. Without dragging that whole issue here, I'm guessing that there will still be a not-insignificant number of 2.x users for some time to come. (It's still better than the very latest IE, right? :wink:) I've already made my decision to stick with Fx2, using NoScript in full lockdown and additional security measures such as Sandboxie. Presumably Mozilla will be keeping statistics on how many copies of F2 are still running, so when you get up to full speed with RP, you might want to see if those numbers justify your offering a F2 version.

In any event, I'm always grateful to those who volunteer their time to help keep us safe, like Giorgio Maone and yourself. So whatever you decide, thanks for your time and efforts. Good Karma to you! -- S.P.
day_of_the_dodo
Posts: 1
Joined: February 8th, 2009, 6:31 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by day_of_the_dodo »

I back a FF2 version. The spirit of the FF3 changes
remind me of Netscape 4 and its subsequent slide
into oblivion.
If an unfixable security issue is going to emerge in
FF2 I will either wait for a hopefully better FF4 or
be off to K-Melon.
Beside I suppose people looking into the
requestpolicy add-on are largely those still
preferring FF2.
Pseudomonas
Posts: 2
Joined: April 5th, 2009, 2:35 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Pseudomonas »

This is my new favourite add-on! :-) But I'm afraid I noticed a bug*: You can't update Firefox to the new version 3.08 whithout deactivating RequestPolicy.

* (Well, I guess it's actually a part of the feature, but in this case there should be the possibility to allow it.)
User avatar
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am
Contact:

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Pseudomonas wrote:I'm afraid I noticed a bug*: You can't update Firefox to the new version 3.08 whithout deactivating RequestPolicy.)

Thank you immensely for reporting this. I've just uploaded version 0.5.5 which should fix this (it permanently whitelists requests from downloads.mozilla.org to other sites, as those update requests appear to redirect now).
Justin Samuel @jstnsml
RequestPolicy: be in control of cross-site requests. Increase the privacy of your browsing and secure yourself from CSRF and other attacks. @RequestPolicy
Pseudomonas
Posts: 2
Joined: April 5th, 2009, 2:35 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Pseudomonas »

Thanks a lot! :)
sjackson
Posts: 1
Joined: April 18th, 2009, 11:41 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by sjackson »

Justin, great extension. Will there be blocklist option, similar to NoScript's "untrusted" option?
User avatar
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am
Contact:

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

sjackson wrote:Justin, great extension. Will there be blocklist option, similar to NoScript's "untrusted" option?


Thanks. I'll definitely be implementing a blacklist (ignore specific blocked domains) within a few months. I'd do it sooner, but school is keeping me too busy at the moment, so I only have time for bug fixes.
Justin Samuel @jstnsml
RequestPolicy: be in control of cross-site requests. Increase the privacy of your browsing and secure yourself from CSRF and other attacks. @RequestPolicy
zeiss
Posts: 5
Joined: December 2nd, 2007, 6:35 am

"Default allow" mode

Post by zeiss »

Hi,

Thanks for this useful extension!

My question is whether it is possible to provide a "default allow" mode, i.e. all requests would be allowed by default and only those added as denied would be blocked. I find it very time-consuming to add allowed requests for each and every site. I would prefer simply marking several known sites as blocked and allowing others to be passed by.
silverwav
Posts: 24
Joined: August 13th, 2008, 3:31 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by silverwav »

Hi,

I find your extension very useful thanks, but I have found a problem.
I cannot save pages with firefox's own "Save As" function when I use it.

krimskrams wrote:
silverwav wrote:Hi I am having a problem with shelve and RequestPolicy 0.5.5

If I try to shelve this site: http://www.linuxjournal.com/content/why ... web-server


I now tested that extension and cannot save that page with firefox's own "Save As" function. When I close the window, there is an error message from RP in the Error Console.

It would seem to me that the RP addon sends something that should prepare the page or maybe retrieve all the data needed for that page into an infinite loop, which prevents FF from ever actually saving that document. I'd rather tell the RP addon developers.


The problem I have is described in full here:
viewtopic.php?f=48&t=772975&st=0&sk=t&sd=a&start=60
silverwav
Posts: 24
Joined: August 13th, 2008, 3:31 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by silverwav »

Just replying to save the user agent string from my home machine to the bottom of this post - my original post was from another machine.

Cheers.
User avatar
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am
Contact:

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

silverwav wrote:I cannot save pages with firefox's own "Save As" function when I use it.


This bug will be fixed in RequestPolicy 0.5.6 which I'll post to AMO in the next few days.

Thanks silverwav for reporting this as well as for testing the beta version of 0.5.6. (Also, thanks for following up by email when I didn't respond here. I've been a bit buried for the last few weeks and am just now getting caught up.)
Justin Samuel @jstnsml
RequestPolicy: be in control of cross-site requests. Increase the privacy of your browsing and secure yourself from CSRF and other attacks. @RequestPolicy
silverwav
Posts: 24
Joined: August 13th, 2008, 3:31 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by silverwav »

Justin wrote:RequestPolicy 0.5.6 available here that should resolve this:

http://www.requestpolicy.com/releases/r ... .5.6b1.xpi


Tested and confirmed - this bug has been resolved.

Cheers Justin, very much appreciated.
Locked