Frequently Asked Questions

What are cross-site requests?

Cross-site requests are requests that your browser is told to make by a website you are visiting to a completely different website. Though usually legitimate requests, they often result in advertising companies and other websites knowing your browsing habits, including specific pages you view throughout the day.

Cross-site requests are also used in attacks on users who are browsing the web. They are particularly dangerous in Cross-Site Request Forgery (CSRF) attacks, where your browser is told to make a request to another website and that other website thinks you (the person) meant to make the request.

What are the privacy benefits of using RequestPolicy?

Privacy details can be found on the privacy benefits page.

What are the security benefits of using RequestPolicy?

Security details can be found on the security benefits page.

Is RequestPolicy an alternative or competitor to NoScript?

No! :)

NoScript is a tool that gives you a default deny policy for JavaScript, Java, Flash and other plugins. NoScript allows you to whitelist scripts and objects from domains you trust.

RequestPolicy is a tool that gives you a default deny policy for cross-site requests. RequestPolicy allows you to whitelist cross-site requests you trust.

How does RequestPolicy help you where NoScript does not? RequestPolicy will protect you from various attacks that NoScript will not (such as CSRF attacks, though there are some special cases that NoScript protects against) and will give you greater privacy while browsing.

Also, RequestPolicy will give you finer-grained control over JavaScript and plugins when you use it with NoScript. For example, if you whitelist a domain with NoScript to allow it to run JavaScript, then that domain will also be allowed to run JavaScript when you are on any other site that you have whitelisted with NoScript. RequestPolicy makes sure that when it is JavaScript from a third-party site, it will still be restricted unless you have allowed those cross-site requests.

Conversely, NoScript gives you protection that RequestPolicy does not. RequestPolicy will not keep you safe from malicious JavaScript or vulnerable plugins on the current site you are visiting, so NoScript is absolutely essential for browser security.

Having two separate tools that each do their specific jobs well is the best approach. NoScript is an amazing extension and is absolutely essential (like RequestPolicy) to using Firefox securely. It is best to use both RequestPolicy and NoScript.

Which kinds of requests are blocked?

By default, any request the browser makes from the current site a user is on to a third-party site is blocked. Users can then whitelist specific sites (with various levels of granularity) to allow requests they approve of. The types of requests that are blocked include:

Content of the current page that is from a different site.

Various tags in an HTML page tell the browser that more content is needed to display the current page. Normally, the browser immediately makes requests to third-party sites to obtain this content. The content can include images, JavaScript files, style sheet files, and many others.

Redirections from the current site to a different site.

Redirects tell your browser to load an entirely different website address than the one you are on or requested. Redirections can be caused by JavaScript, META refresh tags, and Location headers.

Content a page tells your browser to "prefetch".

Some browsers, such as Firefox, allow any webpage to tell your browser to load other pages in the background. This is intended to allow a website to improve your browsing experience by guessing which pages you are likely to visit next so that those pages will load faster when you visit them.

In Firefox 3.1, DNS prefetching was also added. DNS prefetching is where your browser tries to speed up future requests by resolving the IP address of every link on webpages you visit (just in case you decide to click on them).

For more information on link prefetching in Mozilla browsers (such as Firefox), see the Mozilla link prefetching FAQ.

For more information on DNS prefetching in Mozilla browsers (such as Firefox), see Pat McManus' blog post.

How are sites classified as "third-party sites"?

A site is considered a third-party site if its registered domain name is different than the registered domain of the page that initiated the request. For example, the domains:

  • example.com
  • www.example.com
  • a.b.c.example.com

all have the same registered domain name (example.com) and so are considered the same site.

There is some risk posed by this default, but this level of granularity is the one with the optimal tradeoff of usability for privacy and security according to the needs of most users.

If you want protection against attacks that use subdomains, you can enable stricter site classification through the RequestPolicy preferences. Instead of classifying sites as the same based on the registered domain, you can choose to base it on the full domain (e.g. a.b.c.example.com) or even on the complete protocol + domain + port (e.g. http://a.b.c.example.com:81).
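
The three classification levels described above, combined with a default deny decision, as an added example (this is not RequestPolicy's own code). The function names, the "origin|destination" whitelist format and the three-entry suffix set are assumptions made for illustration; a real implementation would consult the full Public Suffix List.

```javascript
// Added example, not RequestPolicy's code. All names here are hypothetical.
// Constructed, tiny stand-in for the Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Registered domain = longest matching public suffix plus one more label.
function registeredDomain(hostname) {
  const host = hostname.toLowerCase();
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    // i ascends, so the first hit is the longest matching suffix.
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? host : labels.slice(i - 1).join(".");
    }
  }
  return host; // unknown suffix (IP address, localhost): compare the full host
}

// Reduce a URL to the identifier that is compared at each strictness level.
function siteKey(url, level) {
  const u = new URL(url);
  if (level === "registered") return registeredDomain(u.hostname);
  if (level === "full") return u.hostname;
  // "strict": protocol + domain + port, with default ports made explicit
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isCrossSite(originUrl, destUrl, level = "registered") {
  return siteKey(originUrl, level) !== siteKey(destUrl, level);
}

// Default deny: same-site requests pass, cross-site requests pass only
// when the origin/destination pair has been whitelisted by the user.
function allowRequest(originUrl, destUrl, level, whitelist) {
  if (!isCrossSite(originUrl, destUrl, level)) return true;
  const pair = `${siteKey(originUrl, level)}|${siteKey(destUrl, level)}`;
  return whitelist.has(pair);
}
```

At the default level a request from www.example.com to a.b.c.example.com is same-site; at the full-domain level it is cross-site and is denied unless whitelisted.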

What changes to my browser are left behind after uninstalling RequestPolicy?

Prefetching is left disabled in your browser after uninstalling RequestPolicy. This is true whether you had it enabled initially or not (you probably did). There are two different types of prefetching: web page prefetching and DNS prefetching.

  • To turn web page prefetching back on, type about:config in your address bar and change the value of network.prefetch-next to true.
  • To turn DNS prefetching back on, type about:config in your address bar and change the value of network.dns.disablePrefetch to false. If you don't see this item at all, then DNS prefetching is still enabled if it is supported in your browser version.