Zed Lopez

RequestPolicy: Web Security the Right Way

Firefox remains my primary web browser of choice, principally because of the privacy extensions available, the most important of which are Cookie Monster and NoScript. But I’ve been frustrated by their limitations — I don’t want to just blacklist and whitelist, but to conditionally allow select third-party cookies to be set and scripts to be run depending on what the page is and what the third party is. I want to be able to say that for paypal.com, requests to paypalobjects.com should be treated the same as paypal.com without globally whitelisting paypalobjects.com.

So I’m mortified it took me so long to find out about RequestPolicy, which simply denies cross-site requests in general unless they’re allowed, and supports allowing them on a per-site basis.

It doesn’t do everything I’d like; I’d like a lot more granularity, which would require a more complex interface than its author is going for. But it’s better than anything I’ve seen.

And it’s weird for me to realize that blocking cookies becomes scarcely relevant with third-party requests denied by default. What I really wanted to avoid was advertising sites or JavaScript library providers being able to build a picture of my browsing history. Now I have to wonder if I even need Cookie Monster at all.
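
The default-deny model described above, with the paypal.com / paypalobjects.com case from the first paragraph, can be sketched as follows. This is an added example, not RequestPolicy's own code; the class and function names are hypothetical, and "site" is approximated as the last two DNS labels, where a real tool would consult the Public Suffix List.

```javascript
// Added example: default-deny cross-site request policy with per-origin rules.
// Assumption: a "site" is the last two DNS labels of the hostname.
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split('.').slice(-2).join('.');
}

class CrossSitePolicy {
  constructor() {
    this.byOrigin = new Map(); // origin site -> Set of allowed destination sites
  }

  // Allow requests to destSite only when they come from pages on originSite.
  allow(originSite, destSite) {
    if (!this.byOrigin.has(originSite)) this.byOrigin.set(originSite, new Set());
    this.byOrigin.get(originSite).add(destSite);
  }

  // Same-site requests pass; cross-site requests need an origin-scoped rule.
  decide(pageUrl, requestUrl) {
    const origin = siteOf(pageUrl);
    const dest = siteOf(requestUrl);
    if (origin === dest) return { allowed: true, reason: 'same-site' };
    const rules = this.byOrigin.get(origin);
    if (rules && rules.has(dest)) return { allowed: true, reason: 'origin-rule' };
    return { allowed: false, reason: 'default-deny' };
  }
}

// Constructed sample traffic: [page being viewed, request that page triggers].
function demo() {
  const policy = new CrossSitePolicy();
  policy.allow('paypal.com', 'paypalobjects.com'); // scoped to paypal.com pages
  const requests = [
    ['https://www.paypal.com/signin', 'https://www.paypal.com/app.js'],
    ['https://www.paypal.com/signin', 'https://www.paypalobjects.com/img/logo.png'],
    ['https://blog.example/post', 'https://www.paypalobjects.com/img/logo.png'],
    ['https://blog.example/post', 'https://ads.example.net/track.js'],
  ];
  return requests.map(([page, req]) => policy.decide(page, req).reason);
}

console.log(demo());
```

The third request is the point of the scoping: paypalobjects.com is reachable from paypal.com pages but stays blocked when an unrelated page tries to load it.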