211 reviews for this add-on
  • Ran the tests and passed no problem for me. I think some optional AI could be included to automatically allow web page elements to make surfing a little less painfull. Otherwise this is a great addon, love it!

  • i recently posted a review stating that when you have request policy installed and enabled when you do a browser security test at browserscope.org "the sts test" http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security the test will not complete and does not work but when request policy is installed but disabled the test fails. when request policy is not installed the sts test passes. just stating the obvious that request policy could be a target for a man in the middle attack. on my last post this security flaw was acknowledged by request policy then my post mysteriously disappeared.

    Developer response

    Hi. My previous reply did not acknowledge a security flaw (there is not one). RequestPolicy's blocking of requests can make some Browserscope tests fail but that doesn't mean there is a security flaw. Rather, some tests may not have been able to run. Please see this ticket for more information: https://github.com/RequestPolicy/requestpolicy/issues/251 --- Thanks!

  • Agree with the other five-star
    reviews. Absolutely excellent add-on....

  • This add-on is simply amazing. It adds a layer of security while browsing by allowing you to pick which third party scripts you would like to run. It may be tricky to configure at first but once that initial stage has passed there's not much to do.

    This add-on allows you to be back in control while browsing and that has got to be a great thing. I applaud the creator of this add-on and thank him for helping to give the web back to the people.

  • I find this plugin as important as noscript. Using requestpolicy makes surfing extremely secure as the addon will only pull side resources from the domain you actually view. I've seen many times browsers to get hijacked while posting in forums simply because someone linked an outside resource script as an avatar and the forum s/w allowed it. Having requestpolicy solves such problems. It's one of the top security plugins for FF.

  • Wauw... I love this addon, indispensable for anyone wanting an ounce of privacy. anno 2011 virtually EVERY site has Cross Links*, and most of them to google! even the most inconspicuous blogs or friend's homepages.
    * had to open about 50 sites before i found one without cross links!

    Note: Most pages work fine without cross links. The sites (eg. site.com) that need cross links usually have an site.img.com site.media.com etc. domain to store their images or media. Just choose Allow -domain- from the dropdown menu when you click the red flag... And the site works every consecutive time you load it.

    I understand website publishers would like statistics on who's visiting their pages and that google provided this service for free. But my golly! Did no-one think of the consequences of google knowing each and every ip adres browsing habit all over the globe? Even when buying an airticket on klm.com or reading newssites, google knows where you are! with request policy, I'm back in control of what companies harvest which sites i visit.

  • A great security enhancement for the advanced user!

    BTW, could you please add compatibility for newer SeaMonkey versions? It works perfectly up to 2.4a!

  • I don't see how the casual user is supposed to use this in any sensible way. Some sites redirect almost their entire content. A site like ebay might have 50 things blocked. How can anyone decipher which redirects are dangerous and which are not? The temptation is to just let everything through. Technically it works well and does not impact performance. This is more for the serious computer gearhead.

  • ¡¡Great addon!!. First, you will know how the web is working and sharing information about you; second, it will give you plenty of control about cross referencing. On other hand, I like to see the source code to see what the author is doing.

  • Great addon in theory, maybe works too well. I have used NoScript and I do know that this addon and NoScript both block different elements and should be used together. However this addon requires too much customisation . Also it would be useful to have an option to allow requests to/from a particular domain; at the moment both are separate options (unidirectional). One good point of this addon is that is has a small memory footprint compared to other security addons.

    If someone could produce a whitelist (much like Easylist for Adblock Plus) - this would cut down on the tedious initial customisation of the addon and I would be more inclined to use it. However, I do recommend this for the more paranoid Firefox user if they can handle tweaking from the outset. I'll stick to my trusted 5 security addons of NoScript, Adblock Plus, Ghostery, BetterPrivacy and CookieCuller for now.

  • This works too well and totally destroys your browsing experience through disabling everything. Who wants to spend countless minutes adjusting settings to get the info they need on each and every page? Guessing what to enable and what to disable is tedious. When this gets smarter, I'll try it again.

  • It is mega-awesome extension that brings extra security! Unlike with the other browsers, I AM IN CHARGE OF MY BROWSER!

  • great power but tripped up gui

    __NEED__ to be able to approve all [seemingly random] subdomains of a given domain

  • This add-on is very interesting as it gives information about existing cross-site request, it should be in the future a good companion to "NoScript" and "Ghostery".

    However at this time, the default behavior is to forbid all cross-site Request except the you have allowed manually : it is too much work to allow them one by one for all sites (some sites does not work well if you don't).

    I will test it again if in future version the default behavior could be changed to allow everything except the one you forbid manually.

  • I've been waiting for FF4 thanks

  • I really like this addon. It does take some time to get permissions set up, but it's worth the effort.

    Unfortunately I had to disable it because of an incompatibility with the Update Scanner addon that I rely on. However, the developer has it on his bug list, so once he gets that resolved I plan to turn it back on.

    Developer response

    There has been a recent improvement in the conflict between Update Scanner and RequestPolicy. As of RequestPolicy version 0.5.17, when you click a link from an Update Scanner webpage version/diff the link click is allowed instead of being blocked.

    The major remaining conflict with Update Scanner, the blocking of cross-site requests for additional content requested by a webpage version/diff, can be worked around by allowing all requests from the origin "about:blank". This does mean that sites can intentionally bypass RequestPolicy, however you'll get the privacy/security benefits of RequestPolicy in most cases. I still hope to figure out a better solution.

  • Whitelisting is a completely impractical way to solve this problem. Almost every site you go to will host it's images or javascript on a different domain name (e.g. cdn4.whatever.example.com, images.cdn89.whatever.example.com) and those will fail to load. All I wanted to do was *blacklist* facebook and those fixed position bars at the bottom, but apparently adblock (without the default easylist) is the best way to do this.

  • this tool makes you feel you are finally controlling yourself. It's amazing how many websites are collecting your data without you knowing it.
    Be ware, you may think it's inconvenient at first. But with no time, you will get used to it. Just manage your whitelist well

  • this is a brilliant plug-in given its intended scope. provides the fine degree of control needed to block the various nosy parkers on the net.

  • I give it only 3 stars, because this addon quite aggressively works into only one direction and blocks ANY off-site requests.
    An approach to provide a blacklist with suspicious ad-servers, click-tracking etc is not available.
    Instead, each site has to be dealt with separately. And this can be very time-consuming (although better for "paranoid security": For example Google Maps - 2 additional permissions required...
    The provided white-lists upon 1st time installation are very limited.
    It is also annoying, that there are no place-holders for any content blocked. So for example Paypal-donate and pay-buttons and lots of more stuff will just disappear by default. Still I do not know if technically it is actually possible to show place-holders for everything...

    Another thing that disturbs me is the handling of redirects. Why this feature cannot be turned off in the GUI? It is just a bit frustrating...

    Finally - before making any "checkout" on an online shopping site and paying by CC / home banking, this add-on should be disabled, as what the script does, can cause big problems here. In my case probably a session-cookie expired after re-initiating a redirect originally blocked by the addon... My card was charged, but merchant did not get the required info. I had to solve this issue manually by e-mail... Quite annoying.

    Still interesting to see which content is requested by the different sites.

  • I think RequestPolicy is a "must have" add-on for anyone who is at all security-conscious.

    Without RequestPolicy, it's amazing how a simple-looking website can actually be connecting you to a whole bunch of other sites too, sometimes undesirable sites that you have *no* idea about and not the type of site that you'd actually knowingly click on.

    But with the RequestPolicy add-on installed, you get advance warning and you can decline to allow those sites on a case-by-case basis. Or, you can opt to allow whichever sites are necessary to make the main site work right.

    You can choose to make those settings permanent, so that the next time you visit that site, the site will in all likelihood "just work" without having to go through the whole process again.

    Or, if for some reason you don't want to keep permanent records (anywhere) of the sites you visit, you can opt to make the RequestPolicy settings temporary and then when you're done visiting that site, you can "revoke" the settings for that particular site.

    RequestPolicy has an easy-to-use "Export" button which lets you save a backup copy of your RequestPolicy settings to a file at a location of your choosing. You can name this file whatever you want - I put a date on mine for easier future reference. Then, at some future time, you can click the RequestPolicy "Import" button and select whichever of your backup files you want, to restore Request Policy's settings to that previous state. I used the "Import" button recently after I installed a new version of Linux and new version of Firefox, and it worked really great - instead of having to go through the trial-and-error process of the various websites I visit, I just clicked "Import" and voila, there were all my settings, restored and ready to use. :)

    True, you need a bit of patience sometimes when first visiting some new sites, especially the way some websites nowadays try to connect you to so many other things. Sometimes those things are necessary to make the site work, and sometimes they're not. It can take a bit of trial-of-error to figure out exactly which additional sites you need to allow to make some poorly-designed irritating website work correctly. That said, the worst that can happen is that you'll have to make a few extra clicks and take a few seconds to decide *which* sites to allow (that's where the trial-and-error part comes in) - but it's not *that* much hassle, really. Well worth it, considering that it allows you to (in my opinion) keep your computer safer by having the option to not connect to sites that you didn't actually click on, unless you specifically allow them.

    RequestPolicy probably isn't something that the stereotypical techno-phobic senile grandma could handle, but for the rest of us, I highly recommend it.

    - Firefox 3.6.x on Linux.
    - RequestPolicy plays nicely with the other add-ons I use:
    - The add-ons I have installed are, in alphabetical order: NoScript, RequestPolicy, Small Screen Renderer, User Agent Switcher, and WebDeveloper.

  • A great security tool. Sometimes a nuisance to keep adding new sites to the approved list, but it has prevented me from going to unintended bad sites several times, and blocks ads. I wouldn't surf without it. It's good to know what material is being pulled into a page before it's too late. Especially Javascript where unknown danger may lurk.
    I would like to see it enhanced to allow CSS sheets to be accessed without prior approval, possibly images too.

  • I think Request Policy needs 2 features:
    - Allow all image load
    - A hotkey to On/Off request policy quickly.

    Thank so much!

  • Satisfied

    This is needed.

    Instead of exporting to file (all the domains learned) it would be helpful to add to bookmarks. Similar to NoScript.

  • Since i have this addon i won't life without pls continue this good work