[Tfug] RequestPolicy: a Firefox extension for controlling cross-site requests

Justin Samuel justin at justinsamuel.com
Mon Dec 1 07:47:40 MST 2008


Thanks for the bug report, Jude.

It looks like the problem is that an iframe with src at youtube.com is
getting a Location header back from a request and the Location is
something like http://v18.cache.googlevideo.com/. The bug here being
that RequestPolicy isn't showing you that there was a blocked
destination of googlevideo.com so you have no way of knowing something
was blocked.

One way to work around this for now is to "(Temporarily) Allow all
requests from youtube.com". I'll work on fixing it for the next
release so that people can have the option to "allow from youtube.com
to googlevideo.com".

If that doesn't work for you still, make sure you're running the
latest version of the extension, which is 0.1.8. Note that as the
extension is still listed as experimental at mozilla.org, you don't
get automatic updates.

As an aside, if you're ever curious to see extra debugging info, you
can start Firefox from the command line, go to about:config, and set:

extensions.requestpolicy.log = true
extensions.requestpolicy.log.level = 900

With these set, you'll be able to see which individual requests are blocked.

Thanks again for letting me know about this!

Justin

On Sun, Nov 30, 2008 at 5:29 PM, Jude Nelson <judecn at gmail.com> wrote:
> Hey Justin,
>
> I've noticed that your plugin seems to interfere with YouTube, even when I
> enable all cross-site requests.  Whenever I enable the plugin, a lot of
> videos fail to begin streaming.  When I disable it, I get no problems.  Any
> thoughts?
>
> Regards,
> Jude
>
> On Sun, Nov 30, 2008 at 3:45 PM, Jude Nelson <judecn at gmail.com> wrote:
>>
>> Hey Justin,
>>
>> I've been working it over a few sites that I know request data from
>> other sites.  Looks good so far--it catches every cross-site request
>> that NoScript does.  I'll continue to use it throughout this week
>> instead of NoScript and see how it goes.
>>
>> Regards,
>> Jude
>>
>> PS:  TFUGers: this is my friend that I mentioned at one of our happy
>> hours earlier this year.
>>
>> On 11/28/08, Justin Samuel <justin at justinsamuel.com> wrote:
>> > Hey All,
>> >
>> > New to TFUG, had a friend mention that some TFUG'rs had expressed
>> > interest in the Firefox extension I'm developing, so I figured I'd
>> > spread the word now that it's ready for usage.
>> >
>> > The extension is called RequestPolicy. It is an implementation of my
>> > belief that we should have more control over cross-site requests while
>> > browsing. What is a cross-site request? It's where a webpage you are
>> > visiting tells your browser to make a request to another site, for
>> > example, to retrieve additional content/ads for display or to track
>> > visitors. Cross-site requests can even be used for attacks (e.g.
>> > Cross-Site Request Forgery [CSRF]).
>> >
>> > Why would we want to block certain cross site requests? There are both
>> > privacy and security reasons for doing so, as you either already know
>> > or can see from the brief description above. If either greater privacy
>> > or security in your browsing is desirable, RequestPolicy may be of
>> > interest to you. (Of course, if privacy and security are of interest
>> > to you in your browsing, you probably also want to be using other
>> > extensions such as NoScript. The two complement each other well.)
>> >
>> > The Mozilla add-on page for RequestPolicy is here (currently requires
>> > registration as the extension is still classified as experimental):
>> >
>> > https://addons.mozilla.org/en-US/firefox/addon/9727/
>> >
>> > Here's the extension's own website where you can also download it from
>> > (though, you don't get to download it through https as you do from
>> > mozilla.org):
>> >
>> > http://requestpolicy.com/
>> >
>> > On the extension's site you can also find a more detailed discussion
>> > of the privacy and security reasons for using RequestPolicy.
>> >
>> > If anyone has any questions, let me know. I'm very grateful in advance
>> > for any feedback, suggestions, or bug reports you can offer. I'd like
>> > to soon take off the pre-release status I have set for it at
>> > mozilla.org in order to make it available to more people, so you all
>> > may be the last line of defense in terms of bugs, etc.
>> >
>> > Thanks, and I hope to make it to a happy hour one of these times (I've
>> > known about them for a while, but most of my laziness has been the
>> > biking home afterwards part).
>> >
>> > Justin
>> >
>> > _______________________________________________
>> > Tucson Free Unix Group - tfug at tfug.org
>> > Subscription Options:
>> > http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>> >
>
>
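
The redirect case from the reply at the top of this thread, as an added example that is not part of the original messages and not RequestPolicy's own code: each Location hop is checked against the site that issued it, and blocked destinations are recorded so a menu could list them. The class, function names and the /frame path are hypothetical, and the site() helper is a simplification.

```javascript
// Added illustration; not RequestPolicy's code. All names are hypothetical.
// Simplified site extraction: last two hostname labels. A real
// implementation needs the Public Suffix List (e.g. for example.co.uk).
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

class Policy {
  constructor() {
    this.allowOrigin = new Set(); // "allow all requests from X"
    this.allowPair = new Set();   // "allow from X to Y", stored as "X|Y"
    this.blocked = new Map();     // origin site -> Set of blocked destination sites
  }
  // Decide one hop; record a blocked destination so the UI can show it.
  check(fromUrl, toUrl) {
    const o = site(fromUrl), d = site(toUrl);
    if (o === d || this.allowOrigin.has(o) || this.allowPair.has(o + "|" + d)) return true;
    if (!this.blocked.has(o)) this.blocked.set(o, new Set());
    this.blocked.get(o).add(d);
    return false;
  }
  // Walk a constructed table of responses, checking every redirect hop.
  load(pageUrl, requestUrl, responses, maxHops = 10) {
    let from = pageUrl, to = requestUrl;
    for (let hop = 0; hop < maxHops; hop++) {
      if (!this.check(from, to)) return { ok: false, stoppedAt: to };
      const r = responses[to];
      if (!r || !r.location) return { ok: true, finalUrl: to };
      from = to;                          // the redirecting site becomes the origin
      to = new URL(r.location, to).href;  // Location may be relative
    }
    return { ok: false, stoppedAt: to };  // too many redirects
  }
  blockedFrom(s) { return [...(this.blocked.get(s) || [])]; }
}

// Constructed sample: a same-site iframe request that redirects off-site.
const PAGE = "http://www.youtube.com/";
const FRAME = "http://www.youtube.com/frame";
const RESPONSES = { [FRAME]: { location: "http://v18.cache.googlevideo.com/" } };

function demo() {
  const p = new Policy();
  const first = p.load(PAGE, FRAME, RESPONSES);    // redirect hop is blocked
  const shown = p.blockedFrom("youtube.com");      // what a menu could list
  p.allowPair.add("youtube.com|googlevideo.com");  // "allow from ... to ..."
  const second = p.load(PAGE, FRAME, RESPONSES);
  return { first, shown, second };
}
```
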



