Welcome to Firefox Add-ons.
Choose from thousands of extra features and styles to make Firefox your own.Close
Good addon, but Rated 3 out of 5 stars
needs some improvement. I also use the GoogleEnhancer addon which just adds a favicon image tag in front of every Google result - absolutely no threat, but all favicons are blocked because they are just coming from a 3rd party server. All GooglePreview thumbnails are blocked too. The default policy is too restrictive I.M.O.
So it seems that I would need to whitelist every 3rd party request or at least need to whithelist the whole domain.
I think your addon should be more selective.
GoogleEnhancer is actually dangerous
Thanks for trying out RequestPolicy. I think there are some important things to understand about the extensions you gave as examples.
1) GoogleEnhancer (an addon you are the author of)
There is a large privacy loss problem with how your addon works. RequestPolicy actually protects users from that. It's not a bug, it's a feature, making RequestPolicy users safe in the way they expected by using RequestPolicy.
Part of the privacy loss comes from the fact that when using GoogleEnhancer, every single website in every google search result may get told the referrer. e.g., in searching for the term "something very personal", the following Referer header will often be sent to every single site in the search result when obtaining the favicons:
So, as a result, these sites know your ip address and what you were searching for, even if you didn't click that link.
Even if you have disabled sending of the Referer header, those sites still have a record of you making a request to their servers, which is something many people may not want. It might get them in trouble with their job, their country's laws, etc.
Further, any site in the google search result could attack you by responding to the favicon request with a redirect to a url such as:
which your browser would then follow (this is a CSRF attack, by the way). The example above, one of many CSRF attacks the attacker could do, would not only result in that request being made by your browser but would also show in your Google Web History if you have that enabled (there's an open CSRF vulnerability with Google's Web History that I don't believe Google has any intention of fixing).
Making GooglePreview work with RequestPolicy is as simple as selecting the item "Allow requests from google.com to googlepreview.com" from the RequestPolicy menu and you never have to think about it again. This only has to be done once, not even once per session. Not only is this option clearly visible in the RequestPolicy menu when you are looking at search results, but the missing images are even indicated with a red graphic and hovering the cursor over them tells you which domain the blocked images were from.
Thanks for your feedback. I hope that you can now see the importance of RequestPolicy, especially for an extension like GoogleEnhancer which the users of that extension may not realize is subjecting them to privacy loss and increased risk of attack.