The Tin Hat

Request Policy Tutorial | Making Firefox More Private and Secure

Category: addons
A 4 Minute Read


Imagine if Google or Facebook knew about every website you visited and could track exactly how long you spent on each site. This isn't too far from reality, as a plethora of websites use services like Google Analytics or Facebook "Like Buttons". When a website embeds tools like these, it lets them phone home to the company that provides them. For example, if you visit a news website that has a Facebook Like Button next to each story, that Like Button lets Facebook know that you were there, whether you click it or not. The same principle applies to Google Analytics and a multitude of other data-mining services. While individually this is a moderate hit on privacy, it is exacerbated when almost every website you visit uses them, allowing third-party corporations to essentially track you across most of the internet.

Fortunately, there's an add-on that stops Facebook buttons or Google Analytics from phoning home, called Request Policy.

Request Policy is a Firefox add-on that allows you to choose who you communicate with when you visit a website. For example, when visiting NHL.com without Request Policy I'm letting seven other websites know that I was there (I'm counting nhle.com as synonymous with nhl.com, as they're owned by the same entity). The worst part of this is that most of these sites aren't required at all for the site to function. By adding Request Policy, I'm instead only letting NHL.com know that I'm there. This, of course, has huge benefits for personal privacy.

Request Policy

Request Policy also has some security benefits. The main benefit is to protect against Cross-Site Request Forgery attacks (CSRFs). In these attacks, the page you are viewing tells your browser to send a request to another site you visited earlier, and the browser attaches that site's cookies, so the request looks as though it came from you. The example that Request Policy provides is this:

"When you are at a website, say evil-site.com, the content of the page that you are viewing can tell your browser to make a request to your-bank.com. When your-bank.com receives the request, it may not know that you didn't really intend to make that request!"

How Do You Use It?

Request Policy is, admittedly, an add-on targeted more at intermediate to advanced users. A beginner may see the requested domains and be completely unsure which are needed for the page to work and which are simply marketing tools. If you're up for the learning curve, however, Request Policy will bring you major benefits, and you will quickly gain an eye for which websites to enable and which to disable.

When you install Request Policy a small flag will appear at the bottom of your Firefox window. When you are at a site that isn't requesting anything else it will just be a flat gray. If, however, you are at a site which is requesting to contact third parties it will turn red. In order to choose which sites you want to allow or disallow, simply click the flag and take a look at the list of blocked destinations. Hovering your mouse over one of those destinations brings up a menu with two choices: allow requests to that destination only from the site you are currently on, or allow requests to that destination from every site that uses it. Generally, unless you are sure that the destination is legitimate, only allow requests from the site you're on. You can also do this temporarily if you wish, which will clear the rule after you close your browser.

The most difficult part of using Request Policy is judging whether a third party should be allowed at all. Some third-party websites are required for the site you are using to even function. Forbidding NHL.com to contact NHLE.com results in a huge white page that looks like it's from 1985. Allowing it turns the site into an organized and relatively enjoyable experience.

In the end, figuring out which sites to allow or deny requires some experience, though you will gain this relatively quickly. Here are some pointers to get you started:

  • Sites that request contact with other sites where the names are similar are usually fine. NHL and NHLE are a perfect example of this. Another example is Google.ca and Google.com. Be wary of abbreviated forms as well (e.g. Google.com and GStatic.com, where "GStatic" is short for Google Static).
  • Sites that request contact with their parent companies are also usually fine. Continuing with our hockey theme, we see that Canucks.com requires contact with NHLE.com. YouTube is another example of this, where YouTube.com requires Google.com.
  • Sites with "cdn" in the name (Content Distribution Network), or sites with "wordpress" or "wp" in the name are also usually fine if you want the site to function.
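To make the allow choices described above concrete (allow from this site only, allow to this destination from every site, and temporary rules that vanish when the browser closes), here is an added example that models those rules in JavaScript. It is not the add-on's own code; the page on nhl.com and the destinations it requests are constructed for illustration, and "registrable domain" is simplified to the last two labels.

```javascript
// Added example (not the add-on's code): a model of Request Policy's allow rules.
// Registrable domain, simplified to the last two labels (ignores suffixes like co.uk).
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}
class RequestPolicy {
  constructor() {
    this.originRules = new Set(); // "origin>dest": allow from this origin to dest only
    this.destRules = new Set();   // "dest": allow requests to dest from every site
    this.temporary = new Set();   // rule keys that expire when the browser closes
  }
  allowFromOrigin(origin, dest, temporary = false) {
    const key = `${baseDomain(origin)}>${baseDomain(dest)}`;
    this.originRules.add(key);
    if (temporary) this.temporary.add(key);
  }
  allowToDest(dest, temporary = false) {
    const key = baseDomain(dest);
    this.destRules.add(key);
    if (temporary) this.temporary.add(key);
  }
  endSession() { // closing the browser clears temporary rules; permanent ones survive
    for (const key of this.temporary) {
      this.originRules.delete(key);
      this.destRules.delete(key);
    }
    this.temporary.clear();
  }
  isAllowed(origin, dest) {
    const o = baseDomain(origin), d = baseDomain(dest);
    if (o === d) return true; // same-site requests are never blocked
    return this.originRules.has(`${o}>${d}`) || this.destRules.has(d);
  }
  evaluate(origin, destinations) { // split a page's requests into allowed and blocked
    const allowed = [], blocked = [];
    for (const d of destinations) (this.isAllowed(origin, d) ? allowed : blocked).push(d);
    return { allowed, blocked };
  }
}
// Constructed sample: a page on nhl.com requesting several third parties.
const SAMPLE_DESTS = ['cdn.nhle.com', 'www.google-analytics.com', 'www.facebook.com', 'static.nhl.com'];
function demo() {
  const policy = new RequestPolicy();
  policy.allowFromOrigin('www.nhl.com', 'nhle.com');  // needed for the site to render at all
  policy.allowToDest('google-analytics.com', true);   // temporary: gone after the browser closes
  const before = policy.evaluate('www.nhl.com', SAMPLE_DESTS);
  policy.endSession();
  return { before, after: policy.evaluate('www.nhl.com', SAMPLE_DESTS) };
}
console.log(JSON.stringify(demo()));
```

Before the session ends only facebook.com is blocked; afterwards the temporary analytics rule is gone and google-analytics.com is blocked again, while the permanent nhle.com rule and the same-site static.nhl.com request still pass.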

Hopefully these tips help you find your feet when starting to use Request Policy. The add-on sharply illustrates just how connected the internet is, which you'll likely notice as you browse around finding various third-party websites that seem to be everywhere. It can be easy to become frustrated when a site needs to access 17 third parties to even be usable. Just remember, Request Policy is a powerful add-on for your privacy, so work through it and figure out which sites want your data and which sites feed you content.
