[Ext] RequestPolicy 0.5: control over cross-site requests

Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

@ghostintheruins

Thanks for reporting this. I haven't had a chance to look at it yet. The ticket for it is here: https://www.requestpolicy.com/dev/ticket/85 --- I'm months behind on features I meant to have added and bugs I meant to have fixed, so unless this one is easily repeatable and highly frustrating, it might be a while before I get to it.

@magdev

This week or this coming weekend I'll set up a public https location for cloning the hg repo. Thanks for pointing this out.

Regarding whether the XPI is open source, the only code-related file in there that isn't source code is nsIRequestPolicy.xpt, which is just nsIRequestPolicy.idl run through xpidl. So, I consider the XPI to be very open source, especially as the XPI includes the IDL file which isn't actually needed for the extension to run. That is, it includes the source of the one compiled file that needs to be shipped. --- I don't mean to be pedantic, I just think it's important for people reading this thread to understand that the XPI really is open source. It is possible to create extensions that contain binary executable code. RequestPolicy does not contain any such binaries, just a preprocessed form of an Interface Definition Language file.
Justin Samuel @jstnsml
RequestPolicy: be in control of cross-site requests. Increase the privacy of your browsing and secure yourself from CSRF and other attacks. @RequestPolicy
IE Sux Mega
Posts: 1
Joined: March 29th, 2010, 9:44 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by IE Sux Mega »

magdev wrote: However, contrary to what the GPL license is about (i.e. easy access to source code), there seems to be no way to download the source code.

The XPI release package itself is not open source as it contains some binary (or object) files, such as XPT.

The only way to see the source code is to "browse" it in the Trac system. However, it's practically impossible to download it from there.

Hi Paul [AKA magdev],

When one installs any Firefox extension, one is in effect downloading the source-code.

Let's take the RequestPolicy as an example.

Download the RequestPolicy extension from any browser except Firefox (e.g. Internet Explorer) at:
https://addons.mozilla.org/en-US/firefox/downloads/latest/9727/addon-9727-latest.xpi?src=addondetail

All XPI Firefox extensions are actually ZIP files that can be unpacked with your favorite ZIP extractor. One will find the majority of files are JavaScript, image, or CSS files. Some files within the XPI files are JAR files. They too can be unpacked with your favorite ZIP extractor.

All the resultant files generally can be viewed in a text editor to view the source code.

As far as the XPT you mention, Justin Samuel, in the post above has answered this.
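
The point under discussion in the posts above (an XPI is a ZIP that may contain JARs, and almost everything inside is readable source apart from a compiled file such as the .xpt) can be checked mechanically. The following is an added example, not part of any post in this thread and not RequestPolicy's code; the extension lists, size limits, and the sample package layout are assumptions, and the sample XPI is constructed in memory.

```python
import io
import os
import zipfile

# Assumed extension lists for a 2010-era Firefox XPI; adjust to taste.
SOURCE_EXTS = {".js", ".jsm", ".xul", ".css", ".dtd", ".properties",
               ".rdf", ".manifest", ".idl", ".html", ".xml", ".txt"}
ASSET_EXTS = {".png", ".gif", ".jpg", ".ico"}
ARCHIVE_EXTS = {".jar", ".zip"}
MAX_DEPTH = 3                  # bound nesting of archives inside archives
MAX_MEMBER = 20 * 1024 * 1024  # skip members declaring more than 20 MiB

def audit_xpi(data, prefix="", depth=0):
    """Map every file in an XPI (bytes) to a kind, descending into JARs."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if info.file_size > MAX_MEMBER:
                report[path] = "too-large"
            elif ext in ARCHIVE_EXTS and depth < MAX_DEPTH:
                report.update(audit_xpi(zf.read(info), path + "!/", depth + 1))
            elif ext in SOURCE_EXTS:
                report[path] = "source"
            elif ext in ASSET_EXTS:
                report[path] = "asset"
            else:
                report[path] = "compiled-or-unknown"
    return report

def needs_review(report):
    """Paths that are neither readable source nor plain image assets."""
    return sorted(p for p, kind in report.items() if kind not in ("source", "asset"))

def build_sample_xpi():
    """Constructed stand-in for an XPI; paths and contents are made up."""
    jar, xpi = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("content/overlay.js", "// constructed\n")
        z.writestr("skin/icon.png", b"\x89PNG")
    with zipfile.ZipFile(xpi, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("components/nsIRequestPolicy.idl", "// constructed\n")
        z.writestr("components/nsIRequestPolicy.xpt", b"\x00constructed")
        z.writestr("chrome/requestpolicy.jar", jar.getvalue())
    return xpi.getvalue()
```

To audit a real download, pass the file's bytes to `audit_xpi` and inspect `needs_review`; anything listed there is a file whose contents cannot be confirmed by reading it in a text editor.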
magdev
Posts: 4
Joined: March 29th, 2010, 6:48 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by magdev »

IE Sux Mega wrote:
magdev wrote: However, contrary to what the GPL license is about (i.e. easy access to source code), there seems to be no way to download the source code.

The XPI release package itself is not open source as it contains some binary (or object) files, such as XPT.

The only way to see the source code is to "browse" it in the Trac system. However, it's practically impossible to download it from there.

Hi Paul [AKA magdev],

When one installs any Firefox extension, one is in effect downloading the source-code.

Let's take the RequestPolicy as an example.

Download the RequestPolicy extension from any browser except Firefox (e.g. Internet Explorer) at:
https://addons.mozilla.org/en-US/firefox/downloads/latest/9727/addon-9727-latest.xpi?src=addondetail

All XPI Firefox extensions are actually ZIP files that can be unpacked with your favorite ZIP extractor. One will find the majority of files are JavaScript, image, or CSS files. Some files within the XPI files are JAR files. They too can be unpacked with your favorite ZIP extractor.

All the resultant files generally can be viewed in a text editor to view the source code.

As far as the XPT you mention, Justin Samuel, in the post above has answered this.


If you read my post again, I'm sure you'll see that I knew how to extract an XPI file.

Hint: I knew what was inside (for example, the XPT file, which is the output of a compiler). That's why I said that the XPI he provides is NOT open source. Period.
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Hi magdev,

You can now clone the RequestPolicy mercurial repository using:

hg clone https://www.requestpolicy.com/hg/requestpolicy

I do politely disagree with your definition of open source. However, I doubt either of us will change the other's mind over a forum thread. I'd like to talk about this more if we ever cross paths in person. If you happen to know I might be around somewhere you might be, do get a hold of me and maybe we can chat it out over coffee.

Thanks again for pointing out the hg repo wasn't directly accessible.
eibwen
Posts: 93
Joined: September 6th, 2003, 2:20 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by eibwen »

The dev page on the website does not have much content, so:

Judging by the AMO version history -- is this project active? At least currently?
Several updates in Nov08 to Jan09, then sporadic monthly updates, with a few additional in Jun09, and the latest Feb10...
The last committed change in the Trac Browse Source was 3 months ago...
Yet multiple recent bug reports and/or feature requests...

I wouldn't mind submitting an occasional patch, particularly in support of BLACKLIST capability; however, additional documentation (or at least pointers) would be greatly appreciated. I have briefly looked through the source, but I can't seem to conclusively identify the function(s) inspecting and allowing/rejecting the requests...

Perhaps _examineHttpResponse? Albeit, that seems a bit of a misnomer if it denies requests; however, nothing else seems as relevant. Presuming request policy actually denies requests and not responses or the function name has a different meaning?
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Hi eibwen,

This project is definitely still active. I have just been comically busy the past few months. In a few weeks I aim to have regular time to work on RP again. Also, note that most of the tickets that have been being opened and not closed are actually opened by me. Maybe the confusion is that it's not clear that I'm the developer. The fact that I'm opening plenty of tickets should hopefully be a sign that I don't want to lose track of issues and ideas even though there's not time to address all of them at the moment.

The primary places where requests are rejected are in shouldLoad and _examineHttpResponse. I have accepted patches in the past, but it's worth warning you that I'm inclined to be fairly picky about major changes (which I consider adding proper blacklist functionality to be). This isn't to be difficult, but is necessary in balancing the interests of a fairly diverse user base and keeping the code secure and maintainable. On the large list of things to do is to make it easier for others to contribute as well as easier for me to get feedback before and during implementation of features.

Along those lines, I believe I need to create a spec that defines the purposes of RP, existing functionality, intended features, known limitations, etc. From there I intend to make the development decisions more transparent. That's not to say development direction will be a democracy-of-the-vocal-few, but that ideas can be properly laid out and there would be a clear example path for people wanting to propose and later implement features without risk of wasted time.

It's worth keeping in mind that RP is, in my mind, a fairly new project. If memory serves, it has been live on AMO for less than a year. In that time it has been focusing mostly on stability/compatibility and correctly implementing core functionality. It's clear that areas such as documentation and testing are lacking. Thus, there's still a fair bit of reason to not be adding new features in order to ensure maintainability as the project grows. However, as with all projects, the answer lies in finding a balance between expanding and solidifying what already exists.
eibwen
Posts: 93
Joined: September 6th, 2003, 2:20 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by eibwen »

Thoughts on including formal documentation inline?

Wikipedia lists several "Documentation Generators" that are compatible with Javascript, which could be used to create code documentation for the dev page.

Perhaps JSDoc?
http://jsdoc.sourceforge.net/ -- original Perl Implementation, now superseded by:
http://code.google.com/p/jsdoc-toolkit/ -- Javascript Implementation with Extensions

I wouldn't mind submitting documentation patches while reading through the code.
CRogerBlair
Posts: 3
Joined: May 2nd, 2010, 2:50 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by CRogerBlair »

Hi, Justin.
I find RequestPolicy very helpful to my peace of mind when surfing, but I do have a problem with it--it won't allow a live bookmark ("Latest Headlines" from the BBC) to update. I've tried adding bbc.co.uk to my whitelist, but that doesn't help. I've also gone through your previous postings here, but haven't found any help (at least that I can understand). What do I need to do to allow the live bookmark to work?
Thanks.
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Hi CRogerBlair,

Thanks for reporting this. I've opened a ticket for this here:

https://www.requestpolicy.com/dev/ticket/102

I believe this is caused by a more fundamental bug in RP where redirects from privileged (non-filtered) requests aren't allowed like the original requests were. I plan to have this fixed in the next release, which I'm hoping to work on next week.
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

A new beta of RequestPolicy, 0.5.14b3, is now available here:

https://www.requestpolicy.com/releases/ ... 5.14b3.xpi

Bugs fixed:
* Refresh headers that specified delay seconds were blocked.
* Redirects from privileged code were blocked (this fixes blocking of some Adblock Plus subscription updates as well as live bookmarks that redirect). Thanks to Wladimir Palant for the solution to this.
* User-allowed redirects blocked in Firefox 3.7a5pre and SeaMonkey 2.1a.

Enhancements:
* Minor speed improvements.
* Added new translations: eo, sv-SE, zh-TW.

More details at https://www.requestpolicy.com/dev/query ... one=0.5.14

Unless major bugs are found or new bugs were introduced with these changes, I intend this to be submitted to AMO as 0.5.14 within a week or two. Any feedback before then is much appreciated.

With these fixes out of the way, I will be focusing more on major features such as blacklists and wildcard rules.
CRogerBlair
Posts: 3
Joined: May 2nd, 2010, 2:50 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by CRogerBlair »

Justin, thanks for working on the redirects problem. I tried to install your beta, but every time I restart FF and look at the add-ons, the beta hasn't installed yet. This happens every time I restart FF to incorporate the beta. What am I doing wrong?
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Hmm. Here are two options:
1) Try installing it in a clean profile.
2) Try saving the file locally and then using "Open file" to install it.
CRogerBlair
Posts: 3
Joined: May 2nd, 2010, 2:50 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by CRogerBlair »

Justin, I've gotten it to install, and it seems to work. Apparently, my "restart" doesn't quite work; I had to close Firefox, kill the Firefox task (which was still running), and start Firefox again from scratch. I'm not sure why "restart" didn't completely work, but I got it working nonetheless. Many thanks for the update.
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Great, let me know if you run into any new bugs.
ritzman
Posts: 18
Joined: June 17th, 2004, 11:04 pm
Location: Chicago, IL USA

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by ritzman »

I'm new to RP. I just installed 0.5.13. I restarted FF (3.6.3; WinXP), and about one third of my open tabs would not load. I restarted FF again, and the same tabs would not load. Next, I disabled RP, restarted FF, and all the tabs loaded. Feature or bug? I'm guessing the latter.