Rated 4 out of 5 stars

by Sam Archer on Feb. 27, 2016 ·

Congratulations on building an incredibly handy and mandatory tool for the Firefox community, your efforts are sincerely appreciated.

I just need to highlight one small point of interest which I feel deserves some clarity. It might be a bug or it might just be me misconfiguring something.

(Step-1) I have disabled all Subscription Policies because I would like to create my own on the fly if and when needed which works just fine.

(Step-2) Under Default Policy I have also ONLY selected “Block requests by default” and took the tick mark OUT from the “Allow requests to the same domain” box because I do not want ANY scripts to be allowed initially when I visit any website and therefore have full control over what eventually does get allowed.

When I visit www.github.com for example, the above settings are applied 100% correctly and I have to manually configure github.com to allow loading scripts from its own domain which is exactly what I want.

The problem however is when I visit www.google.com or www.yahoo.com for example. Somehow they are allowed to always load scripts from their own domain although I have explicitly disabled the options to do so.

My understanding is that the default behavior would always be executed in the absence of a policy rule and I have NO policy rules for Yahoo nor Google. So question time. Why is Google and Yahoo downloading scripts from their own domain when default policy clearly dictates otherwise and I have no policies set for them?

I clean installed the latest Firefox 44.0.2 32bit from scratch and installed the latest RequestPolicy Continued as the ONLY extension and still the problem persists. It is therefore not a conflict between extensions.

Once more, sincere gratitude for your efforts on a great security product.

This review is for a previous version of the add-on (1.0.beta11.1). 

by Martin Kimmerle (Developer) on March 2, 2016 ·

Hello Sam, thank you for your report.

It's correct: in your configuration of the default policy, requests from "https://www.google.com/" to "https://consent.google.com/" (different sub-domain) should be _blocked_. However, requests to the same sub-domain (e.g. "https://www.google.com/" to "https://www.google.com/") should be _allowed_. Does this match with the behavior you've observed?

Do you think the spelling "Allow requests to the same domain (www.example.com -> static.example.com)" is misleading? It could emphasize more that requests to the same subdomain are _allowed_.

You can communicate with me on github on a new issue, or via email.