[Ext] RequestPolicy 0.5: control over cross-site requests

Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

I have a beta of the next version ready as 0.5.9b1. It can be found here for those who'd like to try it:

https://www.requestpolicy.com/releases/ ... .5.9b1.xpi

List of changes:

https://www.requestpolicy.com/dev/query ... tone=0.5.9

Unless problems are found with the changes made in this version (or unrelated critical issues are discovered), this will become the 0.5.9 release in a few days.

If you have a chance to try it, please let me know of any issues you find. Thanks!
Justin Samuel @jstnsml
RequestPolicy: be in control of cross-site requests. Increase the privacy of your browsing and secure yourself from CSRF and other attacks. @RequestPolicy
fung0
Posts: 7
Joined: October 25th, 2008, 8:23 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by fung0 »

I love the whole idea of RequestPolicy, but without wildcards in the whitelist, it seems kind of unusable.

Maybe I'm doing this wrong, but when I try to access my Linksys Media Hub's main config page, I get a list of about 50 blocked 'destinations,' ALL of which are essentially just internal 'requests' from-to the same local address on my home network. Going through and whitelisting each of these individually is insanely laborious, and probably wouldn't work anyway, since this page is clearly going to come up with other 'destinations' over time, if I actually select any menu items.

Is there a workaround for this situation, or am I going to have to disable RequestPolicy until wildcards make it into the feature list?
fung0
Posts: 7
Joined: October 25th, 2008, 8:23 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by fung0 »

Okay, now it seems to be recognizing this very long list as "Allowed." So, problem resolved, I guess... even though I'm not sure what I did. I still say a wildcard would be SO much simpler...
Herrminator
Posts: 44
Joined: August 26th, 2009, 10:17 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Herrminator »

fung0 wrote: I get a list of about 50 blocked 'destinations,' ALL of which are essentially just internal 'requests' from-to the same local address on my home network.


It also happens with all references to 'localhost' or to 'mypcsname' (no domain included).
If you include the domain (e.g. 'mypcsname.mydom.loc'), everything works as intended.

I'm using v. 0.5.9, almost sure it didn't happen with 0.5.8.

Regards!
navjotjsingh
Posts: 3
Joined: December 19th, 2006, 8:21 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by navjotjsingh »

I want this option:

Say I have a site mysite.com and I have installed Google Analytics on it. Now I want to allow all requests to Google Analytics except from MySite.com since I would like to exclude my own visits.

This would be a great addon for this. Please consider this feature suggestion.
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

fung0 wrote: Okay, now it seems to be recognizing this very long list as "Allowed." So, problem resolved, I guess... even though I'm not sure what I did. I still say a wildcard would be SO much simpler...

Hi, I'm not sure if this was a bug you were seeing or just a missing feature. If you were being shown individual paths for the same domain in the menu (e.g. "/some/path?id=123" and "/other/path"), then this would have been a bug, possibly this one fixed in 0.5.9:

https://www.requestpolicy.com/dev/ticket/39

So, the reason you may not see that could very well be due to this being fixed in 0.5.9.

If this was just a case of many subdomains (which doesn't sound like it is the case), then it's a missing feature. Wildcards definitely are needed. I have a ticket for that here:

https://www.requestpolicy.com/dev/ticket/8

After I get 0.5.10 released, assuming no major bugs come up, I'll be deciding where to focus on the next enhancement. My personal top priority for major features is a subscription whitelist system, but wildcards are still essential and probably the most often requested feature from current users who don't give up on RequestPolicy due to it being too much work (which is what the subscription whitelist would try to address).
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Herrminator wrote:
fung0 wrote: I get a list of about 50 blocked 'destinations,' ALL of which are essentially just internal 'requests' from-to the same local address on my home network.


It also happens with all references to 'localhost' or to 'mypcsname' (no domain included).
If you include the domain (e.g. 'mypcsname.mydom.loc'), everything works as intended.

I'm using v. 0.5.9, almost sure it didn't happen with 0.5.8.

Regards!

Actually, you and fung0 found a good-sized bug I introduced in 0.5.9. I've opened a ticket for it here:

https://www.requestpolicy.com/dev/ticket/44

Thanks for finding this! It will be fixed in 0.5.10. (By the way, 0.5.9 will not be public on AMO because it got rejected by the AMO editor who reviewed it for a different reason. See https://www.requestpolicy.com/dev/ticket/42)
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

navjotjsingh wrote: I want this option:

Say I have a site mysite.com and I have installed Google Analytics on it. Now I want to allow all requests to Google Analytics except from MySite.com since I would like to exclude my own visits.

This would be a great addon for this. Please consider this feature suggestion.

I've added a note about this to https://www.requestpolicy.com/dev/ticket/6, which is the ticket for adding the blacklist. I hadn't known of a specific situation where this type of blacklisting could be useful so I'm glad you mentioned it.
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

A beta of 0.5.10 is available here:

https://www.requestpolicy.com/releases/ ... 5.10b2.xpi

Unless there are important bugs found in this beta, this will become 0.5.10.

Here are the release notes (most importantly to users, this fixes the bug in 0.5.9 with single-word hostnames when using the "base domain" strictness level -- thanks again to fung0 and Herrminator for discovering that):

https://www.requestpolicy.com/dev/query ... one=0.5.10

Thanks to anyone who wants to try the beta!
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

The final release of 0.5.10 is available here and will soon be submitted to AMO:
https://www.requestpolicy.com/releases/ ... 0.5.10.xpi

The changes are listed here (not including translation updates):
https://www.requestpolicy.com/dev/query ... one=0.5.10

Thanks again for everyone's feedback and bug finding!
fung0
Posts: 7
Joined: October 25th, 2008, 8:23 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by fung0 »

Version 0.5.10 is looking good. No problems accessing my Media Hub server, though the RequestPolicy right-click menu still needlessly shows a whole bunch of individual 192.168.1.xxx allowed destinations. Disconcerting, but not a problem.

More importantly, 0.5.10 seems to eliminate a similar issue viewing my Zotero snapshots, with RequestPolicy blocking all destinations in the local Zotero folder. My saved Zotero pages now look much better, though they still do suffer from a few missing pieces. (I'm not sure how all this stuff is stored, so it may be that I need to do some more tinkering.)

Big thanks, Justin, for staying on the case with all these details! I've been constantly astounded at how much sneaky cross-site communication RequestPolicy blocks in my daily surfing. Makes me very glad it's in there, doing its job!
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

Thanks, fung0, for the report of the problem/conflict with Zotero. I've created a ticket for this here:

https://www.requestpolicy.com/dev/ticket/52

I recently released 0.5.12 which should fix the problem with IP address hostnames.

And, of course, you're very welcome. I'm looking forward to having time in a few months to really focus on big usability improvements and long-awaited features which should result in more people being able to block super sneaky privacy-decreasing destinations like z.digg.com.
Justin Samuel @jstnsml
RequestPolicy: be in control of cross-site requests. Increase the privacy of your browsing and secure yourself from CSRF and other attacks. @RequestPolicy
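
Added example, not part of the thread and not RequestPolicy's own code: a same-site check under a "base domain" comparison that still works for the single-word hostnames and IP address hostnames reported above. All function names are hypothetical, the "last two labels" base domain is a simplification of a Public Suffix List lookup, the naive variant is only an assumed way such a bug can arise, and the sample URLs are constructed.

```javascript
// Added illustration; hypothetical names, constructed sample data.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// URL.hostname renders IPv6 literals as "[::1]", so ":" identifies them.
function isIpLiteral(host) {
  return IPV4.test(host) || host.includes(":");
}

// Simplified base domain (last two labels). Returns null when the host
// has none: an IP literal, or a single-word name such as "localhost".
function baseDomain(host) {
  if (isIpLiteral(host)) return null;
  const labels = host.split(".");
  return labels.length < 2 ? null : labels.slice(-2).join(".");
}

// Assumed failure mode: a missing base domain counts as "no match", so a
// host without one looks cross-site even when talking to itself.
function naiveIsCrossSite(originUrl, destUrl) {
  const a = baseDomain(new URL(originUrl).hostname);
  const b = baseDomain(new URL(destUrl).hostname);
  return a === null || b === null || a !== b;
}

// Hardened: compare base domains when they exist, otherwise the full
// host. IP literals are never truncated, so 192.168.1.10 and 10.0.1.10
// do not collapse into one "site".
function siteKey(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return baseDomain(h) || h;
}
function isCrossSite(originUrl, destUrl) {
  return siteKey(new URL(originUrl).hostname) !==
         siteKey(new URL(destUrl).hostname);
}

// Constructed origin/destination pairs.
const samples = [
  ["http://localhost/admin", "http://localhost/css/main.css"],
  ["http://mypcsname/", "http://mypcsname/img/logo.png"],
  ["http://192.168.1.10/", "http://192.168.1.10/menu.js"],
  ["http://192.168.1.10/", "http://10.0.1.10/menu.js"],
  ["http://mypcsname.mydom.loc/", "http://www.mydom.loc/a.js"],
  ["http://mysite.com/", "http://www.google-analytics.com/ga.js"],
];
function classify(pairs) {
  return pairs.map(([origin, dest]) => ({ origin, dest,
    naive: naiveIsCrossSite(origin, dest), fixed: isCrossSite(origin, dest) }));
}
console.table(classify(samples));
```

The first three rows are the interesting ones: the naive check flags them as cross-site, the hardened check does not, while genuinely different hosts stay blocked.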
bjm_
Posts: 25
Joined: September 4th, 2009, 12:45 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by bjm_ »

Hi Justin Samuel
Question re> Recently released version 0.5.12. What has to occur for Firefox to accept and offer via update to add-ons version 0.5.12? Do I have to wait for Firefox to approve the new version? May I install the new version now? I usually wait for FF to update my extensions. Is waiting for FF the accepted recommended practice for Request Policy? Any way to speed up FF approval?
Regards
bjm_
Justin Samuel
Posts: 111
Joined: December 31st, 2008, 8:02 am

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by Justin Samuel »

I'm very sorry for the slow response. This version, 0.5.12, is about ten places from the top of the extension updates review queue on AMO. So, hopefully it will be reviewed this week.

Status of Request Policy in general: I haven't had a chance to do much in the past month to address the growing list of features, bug reports, and extension conflicts. In late December I'll start to tackle these again. My biggest priorities will be wildcards in whitelist entries and the ability to "subscribe" to whitelists provided from a trusted source.
bjm_
Posts: 25
Joined: September 4th, 2009, 12:45 pm

Re: [Ext] RequestPolicy 0.5: control over cross-site requests

Post by bjm_ »

Good day Justin,
Thank you for the info re > This version, 0.5.12, is about ten places from the top of the extension updates review queue on AMO. So, hopefully it will be reviewed this week. < I hope you understood I was in no way suggesting the delay was related to you. Just was unsure what others do with RP updates. Wait for AMO or just grab 'em. As you mention bug reports and extension conflict... I'll wait for FF :) . Please excuse my duplicate email contact. Happy Holiday to you and yours.
Regards
bjm_