Back to Top

Wednesday, October 28, 2009

RequestPolicy Firefox Plugin – the ultimate NoScript

3236129283_d61fb9c429_b I recently found out about the following Firefox plugin/addon: RequestPolicy (via this blogpost) – see also the Firefox addon page. Its function is to whitelist all kinds of cross-domain requests, including scripts, style-sheets, images, objects (Flash, Java, Silverlight), etc. Anything in a webpage hosted on the domain A can reference other content from domain A, but if it references content from other domains, it must be present in the RequestPolicy whitelist. There are three types on entries which can be added to the whitelist:

  • source (ie. pages on domain S can reference anything)
  • destination (ie. anything can reference domain D)
  • source-to-destination (ie. pages on domain S can reference resources on domain D)

There are still some glitches to work out, but all in all it is a good tool for the security conscious. So is it worth it? It depends. If you are not a power-user who has some knowledge HTML (ie. how CSS, HTML, JS and plugin objects fit together to form the page), I would recommend against it (because you will have the experience of webpages “not working for no good reason”). It takes some initial training (just like NoScript), but after that it is pretty invisible (even though not as invisible as NoScript, because it blocks images / style-sheets).


Does it make you more secure? Yes, but just in the “you don’t have to outrun the bear”: once the attacker has enough control to insert a linked resource (script, iframe, etc) in a page, s/he almost certainly has enough control to insert the attack script directly in the page, rather than linking to it. The current practice of linking to a centralized place is mostly because the attackers want to have centralized control (for example to add new exploits) and statistics. Would such a whitelisting solution to become widely used, they could switch with very little effort to the “insert everything into the page” model. Still, such a solution shouldn’t be underestimated, since it gives an almost perfect protection under the current conditions.

Update: If leaving digital trails is something you like to avoid, take into consideration that the fact that a given site is present in the whitelist of addons such as NoScript or RequestPolicy can be considered proof that you've visited the given site (unless it is on the default list of the respective addon). Just something to consider from a privacy standpoint. Life is a series of compromises and everyone has to decide for herself how to make them.

Picture taken from Luke Hoagland's photostream with permission.

1 comment:

  1. Just recently came across RequestPolicy, and I think that in combination with NoScript, it makes a browser near-bulletproof. Unfortunately it's quite invasive, as you mentioned (can't even follow Google search result links without approval!), but the NoScript-inspired interface makes it easy to train.

    A few comments about the degree of security that RequestPolicy provides:
    - Attackers often subvert advertising to get their content into otherwise-legitimate sites, which is a lot easier than embedding their content in the page and getting a legitimate site to host and serve malware. They also like to steal session cookies, login details, etc, and send them to the attacker's site - which RequestPolicy will block. I think that attackers will have a harder time than you suggest in making the switch to all-embedded attacks.
    - For those situations where you've visited the actual site that hosts the malware, NoScript can provide the knockout punch to stop the scripts in their tracks. After all, malware sites probably aren't on your NoScript whitelist. RequestPolicy stops sites from subverting your trust relationship with legitimate sites, forcing them to serve content under their true colors.