The Tin Hat

Request Policy Tutorial | Making Firefox More Private and Secure

Category: addons
A 4 Minute Read


Imagine if Google or Facebook knew about every website you visited and could track exactly how long you spent on each site. This isn't too far from reality, as a plethora of websites use services like Google Analytics or Facebook "Like Buttons". When websites implement tools like these they allow them to phone home. For example, if you visit a news website that has a Facebook Like Button next to each story, that Like Button lets Facebook know that you were there, whether you click it or not. The same principle applies for Google Analytics, and a multitude of other data-mining services. While individually this can be a moderate hit on privacy, it is exacerbated when almost every website you visit uses them, allowing third party corporations to essentially track you across most of the internet.

Fortunately, there's an add-on that stops Facebook buttons or Google Analytics from phoning home, called Request Policy.

Request Policy is a Firefox add-on that allows you to choose who you communicate with when you visit a website. For example, when visiting NHL.com without Request Policy I'm letting seven other websites know that I was there (I'm counting nhle.com as synonymous with nhl.com, as they're owned by the same entity). The worst part of this is that most of these sites aren't required at all for the site to function. By adding Request Policy, I'm instead only letting NHL.com know that I'm there. This, of course, has huge benefits for personal privacy.


Request Policy also has some security benefits. The main benefit is to protect against Cross-Site Request Forgery (CSRF) attacks. In a CSRF attack, the page you are viewing makes your browser send a request to another site you visited earlier, typically one you are still logged in to, and the browser attaches that site's cookies to the request just as it would if you had made the request yourself. The example that Request Policy provides is this:

"When you are at a website, say evil-site.com, the content of the page that you are viewing can tell your browser to make a request to your-bank.com. When your-bank.com receives the request, it may not know that you didn't really intend to make that request!"

How Do You Use It?

Request Policy is, admittedly, an add-on that is more targeted for the intermediate to advanced user. A beginner may see the requested domains and be completely unsure of which are legitimate requests, and which are simply marketing tools. If you're up for the learning curve, however, Request Policy will bring you major benefits, and you will quickly gain an eye for which websites to enable and which to disable.

When you install Request Policy a small flag will appear at the bottom of your Firefox window. When you are at a site that isn't requesting anything else it will just be a flat gray. If, however, you are at a site which is requesting to contact third parties it will turn red. In order to choose which sites you want to allow or disallow, simply click the flag, and take a look at the list of blocked destinations. Hovering your mouse over one of those destinations will bring up a menu asking you whether you want to allow requests from the site you are selecting, or whether you want to allow requests to the site you are selecting for every other site that uses it. Generally, unless you are sure that the site is legitimate, only allow requests from the site you're on. You can also do this temporarily if you wish, which will clear the policy after you close your browser.

The most difficult part of using Request Policy is judging whether a third party should be allowed at all. Some third party websites are required for the site you are using to even function. Forbidding NHL.com to contact NHLE.com results in a huge white page that looks like it's from 1985. Allowing it turns the site into an organized and relatively enjoyable experience.

In the end, figuring out which sites to allow or deny requires some experience, though you will gain this relatively quickly. Here are some pointers to get you started:

  • Sites that request contact with other sites where the names are similar are usually fine. NHL and NHLE are a perfect example of this. Another example is Google.ca and Google.com. Watch out for abbreviated forms as well (i.e., Google.com and GStatic.com, short for Google Static).
  • Sites that request contact with their parent companies are also usually fine. Continuing with our hockey theme we see that Canucks.com requires contact with NHLE.com. Youtube is another example of this, where Youtube.com requires Google.com.
  • Sites with "cdn" in the name (Content Distribution Network), or sites with "wordpress" or "wp" in the name are also usually fine if you want the site to function.
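
To make the mechanics above concrete, here is a small Python model of the kind of decision Request Policy makes for every request a page triggers. It is an added example written for this page, not the add-on's own code. It assumes a hypothetical `RequestPolicy` class with the three kinds of rule described above (allow from one origin only, allow to a destination from every site, and temporary versions of both that are cleared when the session ends), a `site_of` helper that reduces a URL to its site by keeping the last two labels of the hostname (a simplification; a real add-on uses the Public Suffix List, and this toy version is wrong for suffixes such as co.uk), a `simulate_request` function that shows why an allowed request identifies you to the destination (the browser attaches that site's cookies, which is also the heart of the CSRF example quoted earlier), and a `related_hint` function that encodes the rules of thumb from the list above as advisory text. All sample URLs and cookie values are constructed.

```python
"""Toy model of a per-site request policy (added example, not Request Policy's own code).

Every request a page makes is described by the site the page is on (the origin)
and the site the request goes to (the destination). Cross-site requests are
denied by default; the user can allow them either only from a specific origin
or to a destination from every site, permanently or only for this session.
"""

from dataclasses import dataclass, field
from urllib.parse import urlparse


def site_of(url: str) -> str:
    """Hypothetical helper: collapse a hostname to its site so that
    www.nhl.com and nhl.com count as the same place. Keeps the last two
    labels, which is a simplification (wrong for suffixes like co.uk)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class RequestPolicy:
    allow_from: set = field(default_factory=set)       # (origin, dest) pairs, that origin only
    allow_to: set = field(default_factory=set)         # destinations allowed from every origin
    temp_allow_from: set = field(default_factory=set)  # same, but dropped at session end
    temp_allow_to: set = field(default_factory=set)

    def allow_request_from(self, origin_url: str, dest_url: str, temporary: bool = False) -> None:
        """'Allow requests from <origin> to <dest>' in the add-on's menu."""
        rule = (site_of(origin_url), site_of(dest_url))
        (self.temp_allow_from if temporary else self.allow_from).add(rule)

    def allow_requests_to(self, dest_url: str, temporary: bool = False) -> None:
        """'Allow requests to <dest>' from every site that uses it."""
        (self.temp_allow_to if temporary else self.allow_to).add(site_of(dest_url))

    def end_session(self) -> None:
        """Closing the browser clears only the temporary rules."""
        self.temp_allow_from.clear()
        self.temp_allow_to.clear()

    def decide(self, origin_url: str, dest_url: str) -> str:
        origin, dest = site_of(origin_url), site_of(dest_url)
        if origin == dest:
            return "same-site"          # never blocked: the site talking to itself
        if dest in self.allow_to or dest in self.temp_allow_to:
            return "allowed"
        if (origin, dest) in self.allow_from or (origin, dest) in self.temp_allow_from:
            return "allowed"
        return "blocked"                # default deny for anything cross-site


def simulate_request(policy: RequestPolicy, page_url: str, request_url: str, cookie_jar: dict) -> dict:
    """Constructed browser model: a request the policy lets through is sent with
    whatever cookies the browser already holds for the destination. That is why a
    Like button learns who you are, and why your-bank.com in the CSRF example
    cannot tell a forged request from one you made yourself."""
    verdict = policy.decide(page_url, request_url)
    if verdict == "blocked":
        return {"sent": False, "verdict": verdict, "cookies": {}}
    return {"sent": True, "verdict": verdict, "cookies": cookie_jar.get(site_of(request_url), {})}


def related_hint(origin_url: str, dest_url: str) -> str:
    """Advisory only: mirrors the rules of thumb for judging a third party."""
    o = site_of(origin_url).split(".")[0]
    d = site_of(dest_url).split(".")[0]
    if o == d:
        return "same name, different TLD (e.g. google.ca / google.com)"
    if o.startswith(d) or d.startswith(o):
        return "similar name (e.g. nhl / nhle)"
    if "cdn" in d or d in ("wordpress", "wp") or d.startswith("wp"):
        return "looks like a CDN or WordPress host"
    return "no obvious relation; block unless you know it is needed"


if __name__ == "__main__":
    policy = RequestPolicy()
    jar = {"your-bank.com": {"session": "constructed-session-id"}}  # constructed sample cookie
    # The quoted CSRF scenario: a page on evil-site.com tries to reach your-bank.com.
    print(simulate_request(policy, "http://evil-site.com/", "https://your-bank.com/transfer", jar))
    # NHL.com needs NHLE.com to render; allow it for this origin only.
    policy.allow_request_from("https://www.nhl.com/", "https://cdn.nhle.com/app.js")
    print(policy.decide("https://www.nhl.com/", "https://nhle.com/x"), related_hint("https://nhl.com/", "https://nhle.com/"))
```

Run the block directly to see the CSRF scenario blocked by default and the NHL-to-NHLE rule applied only for that origin; the temporary rules behave the same way until `end_session()` is called, which mirrors closing the browser.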

Hopefully these tips help you get up on your feet when starting to use Request Policy. The add-on sharply illustrates just how connected the internet is, which you'll likely notice as you browse around finding various third party websites that seem to be everywhere. It can be easy to become frustrated when a site needs to access 17 third parties to even be usable. Just remember, Request Policy is a powerful add-on for your privacy, so work through it and figure out which sites want your data and which sites feed you content.

