<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
<title></title>
<style type="text/css">code{white-space: pre;}</style>
<link rel="stylesheet" href="./github-markdown.css">
<!--[if lt IE 9]>
<script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
<![endif]-->
<link rel="icon" type="image/x-icon" href="favicon.ico" />
</head>
<body>
<h2 id="frequently-asked-questions">Frequently Asked Questions</h2>
<!-- MarkdownTOC -->
<ul>
<li><a href="#limitations---what-requestpolicy-continued-cannot-help-with">Limitations - What RequestPolicy Continued cannot help with</a></li>
<li><a href="#which-kinds-of-requests-are-blocked">Which kinds of requests are blocked?</a></li>
<li><a href="#how-are-sites-classified-as-third-party-sites">How are sites classified as "third-party sites"?</a></li>
<li><a href="#what-changes-to-my-browser-are-left-behind-after-uninstalling-requestpolicy">What changes to my browser are left behind after uninstalling RequestPolicy?</a></li>
<li><a href="#can-websites-detect-that-you-are-using-requestpolicy">Can websites detect that you are using RequestPolicy?</a></li>
<li><a href="#other-browser-addons">Other browser addons</a></li>
<li><a href="#the-flag-icon-is-red-what-is-wrong">The flag icon is red! What is wrong?</a></li>
<li><a href="#how-to-deal-with-ajaxgoogleapiscom">How to deal with ajax.googleapis.com?</a></li>
<li><a href="#how-to-find-relevant-information-about-a-bug">How to find relevant information about a bug</a></li>
<li><a href="#how-do-i-change-the-keyboard-shortcut-to-open-the-menu">How do I change the keyboard shortcut to open the menu?</a></li>
<li><a href="#what-are-requestpolicys-configuration-settings-on-aboutconfig">What are RequestPolicy's configuration settings on <code>about:config</code>?</a></li>
</ul>
<!-- /MarkdownTOC -->
<hr />
<h3 id="limitations---what-requestpolicy-continued-cannot-help-with">Limitations - What RequestPolicy Continued cannot help with</h3>
<h4 id="browser-plugins">Browser plugins</h4>
<p>It's important to understand that RequestPolicy can only stop requests that the browser knows about. It is possible for browser plugins such as Flash, Java, and Silverlight to bypass the web browser in making requests. Even though some requests made by these plugins are controlled by RequestPolicy, it's good to be aware that third-party plugins such as these may bypass the browser and, therefore, also bypass RequestPolicy.</p>
<h4 id="javascript-based-attacks">Javascript-based attacks</h4>
<p>In addition to disallowing these plugins by default, there are also plenty of security reasons to disallow JavaScript on websites you visit unless you are sure you want to allow it. To help you control when plugins and JavaScript run on websites you visit, we suggest using the NoScript Firefox extension. Using NoScript in addition to RequestPolicy will give you a highly secure browser.</p>
<h4 id="http-referer-headers">HTTP Referer headers</h4>
<p>When you follow a link from one page or site to another, your browser sends a Referer HTTP header to the server to tell the target site where you came from. Some sites abuse this information to violate visitors’ privacy and track them across the Web. In Firefox, you can disable the sending of the Referer header, or alter the information that is sent, using addons such as Smart Referer or RefControl.</p>
<p><sup>You can also manually alter what information is sent through the HTTP Referer header by going to <code>about:config</code> and tweaking the <code>network.http.referer.XOriginPolicy</code>, <code>network.http.referer.spoofSource</code>, <code>network.http.referer.trimmingPolicy</code> and <code>network.http.sendRefererHeader</code> preferences.</sup></p>
<hr />
<h3 id="which-kinds-of-requests-are-blocked">Which kinds of requests are blocked?</h3>
<p>By default, any request the browser makes from the current site a user is on to a third-party site is blocked. Users can then whitelist specific sites (with various levels of granularity) to allow requests they approve of.<br />
Requests that are blocked include:</p>
<ul>
<li><strong>Content of the current page that is from a different site:</strong> Various tags in an HTML page tell the browser that more content is needed to display the current page. Normally, the browser immediately makes requests to third-party sites to obtain this content. The content can include images, JavaScript files, style sheet files, and many others.</li>
<li><strong>Redirections</strong> from the current site to a different site: Redirects tell your browser to load an entirely different website address than the one you are on or requested. Redirections can be caused by JavaScript, META refresh tags, and on headers.</li>
<li><strong>Prefetching:</strong> There are various types of prefetching, all of which aim at speeding up page loads. RequestPolicy by default disables those prefetching techniques completely. <a href="What-is-prefetching.html">Read about prefetching techniques</a>.</li>
</ul>
<p><em>Note that <strong>OCSP queries and CRL updates</strong> are not blocked. This means that RequestPolicy will not interfere with your browser's attempts to determine whether SSL certificates have been revoked.</em></p>
<hr />
<h3 id="how-are-sites-classified-as-third-party-sites">How are sites classified as "third-party sites"?</h3>
<p>A site is considered a third-party site if its registered domain name is different than the registered domain of the page that initiated the request. For example, the domains <code>example.com, www.example.com, a.b.c.example.com</code> all have the same registered domain name (<code>example.com</code>) and so are considered the same site.</p>
<p><em>There is some risk posed by this default, but this level of granularity is the one with the optimal tradeoff of usability for privacy and security according to the needs of most users. Read <a href="Risk-of-trusting-subdomains.html">Risk of trusting subdomains</a> and untick <code>Allow requests to the same domain</code> if you want protection against attacks that use subdomains.</em></p>
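<p>The comparison described above, sketched as an added example (this is not RequestPolicy's own code). The function names and the small suffix set are assumptions made for illustration; a real implementation consults the full Public Suffix List.</p>

```javascript
// Added example, not RequestPolicy's own code.
// ASSUMPTION: SAMPLE_SUFFIXES is a small constructed stand-in for the
// Public Suffix List that a real implementation would consult.
const SAMPLE_SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk", "github.io"]);

// IPv4 literals and bracketed IPv6 literals have no registered domain.
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Hypothetical helper: public suffix plus one label, or the host itself
// when there is nothing to register (IP address, bare suffix, "localhost").
function registeredDomain(host) {
  const name = host.toLowerCase().replace(/\.$/, "");
  if (isIpAddress(name)) return name;
  const labels = name.split(".");
  // Default rule: the last label is the public suffix. A longer listed
  // suffix (for example "co.uk") overrides it; the leftmost match is longest.
  let suffixStart = labels.length - 1;
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      suffixStart = i;
      break;
    }
  }
  if (suffixStart === 0) return name;
  return labels.slice(suffixStart - 1).join(".");
}

// A request is third-party when the two registered domains differ.
function isThirdParty(originUrl, destUrl) {
  const origin = registeredDomain(new URL(originUrl).hostname);
  const dest = registeredDomain(new URL(destUrl).hostname);
  return origin !== dest;
}

// Constructed sample requests: [page, requested resource].
const SAMPLES = [
  ["https://www.example.com/page", "https://a.b.c.example.com/img.png"],
  ["https://www.example.com/page", "https://ajax.googleapis.com/jquery.js"],
  ["https://shop.example.co.uk/", "https://cdn.example.co.uk/app.css"],
  ["https://alice.github.io/", "https://bob.github.io/track.js"],
];
for (const [page, dest] of SAMPLES) {
  console.log(isThirdParty(page, dest) ? "third-party" : "same site  ", page, "->", dest);
}
```

<p>The last sample shows why a suffix list is needed: two unrelated users of a shared hosting suffix would otherwise be treated as the same site.</p>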
<hr />
<h3 id="what-changes-to-my-browser-are-left-behind-after-uninstalling-requestpolicy">What changes to my browser are left behind after uninstalling RequestPolicy?</h3>
<p>By default, when you uninstall or disable RequestPolicy, all changes RequestPolicy made to your browser's settings will be undone. Primarily this means that your default prefetching settings are restored to the browser's default settings. That is, DNS and link prefetching will be re-enabled when you uninstall RequestPolicy.</p>
<p>However, if you have gone to RequestPolicy's preference window and under the Advanced preferences you have disabled the options to Restore default when RequestPolicy is uninstalled, then your browser's default prefetch settings will not be restored when you disable or uninstall RequestPolicy.</p>
<p><em>Privacy note: RequestPolicy will leave various RequestPolicy-specific settings and configuration files in your browser profile even after it has been uninstalled. For example, your whitelist will still be available to other people who have access to your computer. This is a known bug (see ticket #227). A future version of RequestPolicy will attempt to delete all RequestPolicy whitelist data, etc., when RequestPolicy is uninstalled. In the meantime, if you are looking to remove all RequestPolicy-related files and configurations, you should go to the page <a href="about:config" class="uri">about:config</a> in your browser and "reset" every preference that starts with "extensions.requestpolicy". Starting with RequestPolicy version 0.6, you also should delete the "requestpolicy" directory which was created in your browser's profile directory (if you used multiple browser profiles, you will need to locate the one where you had installed RequestPolicy). If you have questions about verifying that you have correctly removed RequestPolicy data, please don't hesitate to contact us.</em></p>
<hr />
<h3 id="can-websites-detect-that-you-are-using-requestpolicy">Can websites detect that you are using RequestPolicy?</h3>
<p>Yes. It may be possible for a website to detect that a user has RequestPolicy installed. The website can look at which cross-site requests are blocked and make an educated guess that RequestPolicy is doing the blocking.</p>
<p>More generally, a browser fingerprinting risk exists for users of any extension that modifies the behavior of the web browser on a web page or the content of the web page itself. Check Panopticlick from the Electronic Frontier Foundation to see what browser fingerprinting can reveal about you.</p>
<hr />
<h3 id="other-browser-addons">Other browser addons</h3>
<h4 id="is-there-a-requestpolicy-for-chrome">Is there a RequestPolicy for Chrome?</h4>
<p><a href="https://github.com/gorhill/uBlock">uBlock</a> or <a href="https://github.com/gorhill/uMatrix">uMatrix</a> offer similar functionality.</p>
<h4 id="using-ublock-like-requestpolicy">Using uBlock like RequestPolicy</h4>
<p>If you want to use uBlock in the way RequestPolicy works, you should block anything third-party and then set a <strong><code>noop</code> (gray)</strong> rule on any domain you want to allow. Use <code>noop</code> instead of <code>allow</code> so that uBlock's static rules/lists still apply. Click the padlock to make the rules permanent.</p>
<p><img src="https://cloud.githubusercontent.com/assets/3950390/11353760/68a6566c-9246-11e5-99b6-030f7e1205c6.png" alt="" /></p>
<p>See <a href="https://github.com/RequestPolicyContinued/requestpolicy/issues/692#issuecomment-160327720">issue #692</a>.</p>
<h4 id="requestpolicy-and-noscript">RequestPolicy and NoScript</h4>
<blockquote>
<p>Is RequestPolicy an alternative or competitor to NoScript?</p>
</blockquote>
<p>No! :) NoScript is a tool that gives you a default deny policy for JavaScript, Java, Flash and other plugins. NoScript allows you to whitelist scripts and objects from domains you trust.</p>
<p>RequestPolicy is a tool that gives you a default deny policy for cross-site requests. RequestPolicy allows you to whitelist cross-site requests you trust.</p>
<p>RequestPolicy will protect you from various attacks that NoScript will not (such as CSRF attacks, though there are some special cases that NoScript protects against) and will give you greater privacy while browsing.</p>
<p>Also, RequestPolicy will give you finer-grained control over JavaScript and plugins when you use it with NoScript. For example, if you whitelist a domain with NoScript to allow it to run JavaScript, then that domain will also be allowed to run JavaScript when you are on any other site that you have whitelisted with NoScript. RequestPolicy makes sure that when it is JavaScript from a third-party site, it will still be restricted unless you have allowed those cross-site requests.</p>
<p>Conversely, NoScript gives you protection that RequestPolicy does not. RequestPolicy will not keep you safe from malicious JavaScript or vulnerable plugins on the current site you are visiting. So NoScript is absolutely essential for browser security.</p>
<p>Having two separate tools that each do their specific jobs well is the best approach. NoScript is an amazing extension and is absolutely essential (like RequestPolicy) to using Firefox securely. It is best to use both RequestPolicy and NoScript.</p>
<h4 id="other-browser-addons-you-may-be-interested-in">Other browser addons you may be interested in</h4>
<p>Some addons for Firefox can enhance your privacy and security when browsing the Web. For a list of quality addons, check <a href="https://prism-break.org/en/all/#web-browser-addons">PRISM Break's list of browser addons</a>.</p>
<hr />
<h3 id="the-flag-icon-is-red-what-is-wrong">The flag icon is red! What is wrong?</h3>
<p>Nothing (on your side) is wrong. RequestPolicy is actually doing its job by blocking requests to other sites you didn't explicitly request. The website you're visiting is actually trying to force you to request data from other sites, which may be wrong for <a href="Privacy.html">privacy</a> and <a href="Security.html">security</a> reasons. You will need to allow these requests, automatically or manually, if the blocking breaks viewing the site. <a href="Quickstart.html">Learn how to use RequestPolicy now...</a></p>
<hr />
<h3 id="how-to-deal-with-ajax.googleapis.com">How to deal with ajax.googleapis.com?</h3>
<p>Many sites depend on jQuery served by Google. You have several options:</p>
<ul>
<li>Clear cookies regularly with addons like Self-Destructing Cookies</li>
<li>Spoof your referer with SmartReferer to prevent ajax.googleapis.com from knowing what page you visit when the request is made.</li>
<li>Use your hosts file to redirect requests to jquery.js to a local file or a domain you control.</li>
<li>Ask the site administrator to host their JS libraries themselves (e.g. reddit.com has an option for this).</li>
<li>Contribute to <a href="https://github.com/RequestPolicyContinued/subscriptions">subscriptions</a> to add a rule for sites that absolutely require calls to ajax.googleapis.com.</li>
<li>Take the time to allow the request if necessary, or live with the broken site. RequestPolicy is about user control over cross-site requests.</li>
</ul>
<hr />
<h3 id="how-to-find-relevant-information-about-a-bug">How to find relevant information about a bug</h3>
<p>Sometimes a bug is not easily reproducible. You need to make sure the bug is caused by RequestPolicy Continued itself, not by another addon or an incorrect configuration setting. Please do the following:</p>
<ul>
<li>Create a <a href="https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles">new, blank profile in Firefox</a>, with no addons installed.</li>
<li>Install the latest RequestPolicy Continued from <a href="https://addons.mozilla.org/en-US/firefox/addon/requestpolicy-continued/versions/beta" class="uri">https://addons.mozilla.org/en-US/firefox/addon/requestpolicy-continued/versions/beta</a></li>
<li>Navigate to your test page and try to reproduce the bug.</li>
</ul>
<p>If the problem still occurs with this setup, it is likely a RequestPolicy bug. If the addon works as expected with a blank Firefox profile, then something in your "regular" Firefox profile is causing this bug (another addon or preference). If so, please try the following:</p>
<ol>
<li>Start your normal Firefox profile.</li>
<li>Disable all addons except RequestPolicy Continued (you may need to restart Firefox).</li>
<li>Go to your test page, confirm that RequestPolicy works normally.</li>
<li>Re-enable another addon (just one), restart Firefox if needed, reload the test page.</li>
<li>If the bug still does not show up, the addon you just enabled is not causing it.</li>
<li>Redo step 4 (enable another addon, restart Firefox if needed, reload the test page) until you find the addon that is causing the bug to occur, and please report the addon name here.</li>
</ol>
<p>If disabling all addons didn't help, you can do the following:</p>
<ul>
<li>Check Firefox's Browser Console.</li>
<li><a href="Setting-up-a-development-environment.html#enable-logging">Enable RPC's logging</a> and start Firefox from the terminal.</li>
</ul>
<hr />
<h3 id="how-do-i-change-the-keyboard-shortcut-to-open-the-menu">How do I change the keyboard shortcut to open the menu?</h3>
<p>Keyboard shortcuts can be disabled or changed. Go to <code>about:config</code> from your address bar, then edit the value for these preferences:</p>
<pre><code>extensions.requestpolicy.keyboardShortcuts.openMenu.enabled
extensions.requestpolicy.keyboardShortcuts.openMenu.combo</code></pre>
<p>To change the keyboard combination, set the <code>combo</code> pref. If the pref's value is <code>"default"</code>, the default combination is used. Otherwise the format is <code>"[modifiers] [key]"</code>. Modifiers must be separated by spaces. The <code>[key]</code> must be a single letter. Any number of modifiers may be given, even zero. Available modifiers:</p>
<ul>
<li><strong>shift</strong>: The Shift key.</li>
<li><strong>alt</strong>: The Alt key. On the Macintosh, this is the Option key. On Macintosh this can only be used in conjunction with another modifier, since Alt-Letter combinations are reserved for entering special characters in text.</li>
<li><strong>meta</strong>: The Meta key. On the Macintosh, this is the Command key.</li>
<li><strong>control</strong>: The Control key.</li>
<li><strong>accel</strong>: The key used for keyboard shortcuts on the user's platform, which is Control on Windows and Linux, and Command on Mac. Usually, this would be the value you would use.</li>
</ul>
<p>If any problems should occur, you should see them in the <a href="https://developer.mozilla.org/en-US/docs/Tools/Browser_Console">Browser Console</a>.</p>
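<p>A way to check a <code>combo</code> value against the format rules above before saving it, as an added example (this is not RequestPolicy's own parser). The name <code>parseCombo</code>, the rejection of repeated modifiers and the warning text are assumptions made for illustration.</p>

```javascript
// Added example, not RequestPolicy's own code: validate a value for the
// extensions.requestpolicy.keyboardShortcuts.openMenu.combo pref using the
// "[modifiers] [key]" format described in this FAQ.
const MODIFIERS = new Set(["shift", "alt", "meta", "control", "accel"]);

// Hypothetical helper. Returns { useDefault, modifiers, key, warnings } for
// a well-formed value and throws an Error that names the problem otherwise.
function parseCombo(value) {
  if (value === "default") {
    return { useDefault: true, modifiers: [], key: null, warnings: [] };
  }
  // Modifiers are separated by spaces; the last token is the key.
  const parts = value.trim().split(/\s+/);
  const key = parts.pop();
  if (!/^[A-Za-z]$/.test(key)) {
    throw new Error('key must be a single letter, got "' + key + '"');
  }
  const modifiers = [];
  for (const mod of parts) {
    if (!MODIFIERS.has(mod)) {
      throw new Error('unknown modifier "' + mod + '"');
    }
    // ASSUMPTION: a repeated modifier is treated as a typing mistake.
    if (modifiers.includes(mod)) {
      throw new Error('modifier "' + mod + '" given twice');
    }
    modifiers.push(mod);
  }
  const warnings = [];
  // Per the list above, Alt alone is reserved for special characters on Mac.
  if (modifiers.length === 1 && modifiers[0] === "alt") {
    warnings.push("alt needs a second modifier on Macintosh");
  }
  return { useDefault: false, modifiers, key, warnings };
}

// Constructed sample values, valid and invalid.
for (const sample of ["default", "accel shift r", "r", "alt r", "ctrl r", "accel F5"]) {
  try {
    console.log(JSON.stringify(sample), "->", JSON.stringify(parseCombo(sample)));
  } catch (err) {
    console.log(JSON.stringify(sample), "-> rejected:", err.message);
  }
}
```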
<hr />
<h3 id="what-are-requestpolicys-configuration-settings-on-aboutconfig">What are RequestPolicy's configuration settings on <code>about:config</code>?</h3>
<p>Here is a list of RequestPolicy's settings that can be edited by going to <code>about:config</code> in the address bar, along with their descriptions and possible values (TODO):</p>
<ul>
<li><code>extensions.requestpolicy.autoReload</code></li>
<li><code>extensions.requestpolicy.contextMenu</code>
<ul>
<li>Boolean; if RequestPolicy should put an entry in the content-area context menu</li>
</ul></li>
<li><code>extensions.requestpolicy.defaultPolicy.allow</code></li>
<li><code>extensions.requestpolicy.defaultPolicy.allowSameDomain</code></li>
<li><code>extensions.requestpolicy.indicateBlacklistedObjects</code></li>
<li><code>extensions.requestpolicy.indicateBlockedObjects</code></li>
<li><code>extensions.requestpolicy.initialSetupDialogShown</code></li>
<li><code>extensions.requestpolicy.keyboardShortcuts.openMenu.combo</code>
<ul>
<li>The keyboard combination for opening the RequestPolicy menu. See the FAQ for details.</li>
</ul></li>
<li><code>extensions.requestpolicy.keyboardShortcuts.openMenu.enabled</code>
<ul>
<li>Set to <code>false</code> to disable the keyboard shortcut</li>
</ul></li>
<li><code>extensions.requestpolicy.lastAppVersion</code></li>
<li><code>extensions.requestpolicy.lastVersion</code></li>
<li><code>extensions.requestpolicy.log</code></li>
<li><code>extensions.requestpolicy.log.level</code></li>
<li><code>extensions.requestpolicy.log.types</code></li>
<li><code>extensions.requestpolicy.menu.info.showNumRequests</code></li>
<li><code>extensions.requestpolicy.menu.sorting</code></li>
<li><code>extensions.requestpolicy.prefetch.dns.disableOnStartup</code></li>
<li><code>extensions.requestpolicy.prefetch.dns.restoreDefaultOnUninstall</code></li>
<li><code>extensions.requestpolicy.prefetch.link.disableOnStartup</code></li>
<li><code>extensions.requestpolicy.prefetch.link.restoreDefaultOnUninstall</code></li>
<li><code>extensions.requestpolicy.privateBrowsingPermanentWhitelisting</code></li>
<li><code>extensions.requestpolicy.startWithAllowAllEnabled</code></li>
<li><code>extensions.requestpolicy.welcomeWindowShown</code></li>
</ul>
</body>
</html>