RequestPolicyContinued / requestpolicy

a web browser extension that gives you control over cross-site requests. Available for XUL/XPCOM-based browsers.
https://github.com/RequestPolicyContinued/requestpolicy/wiki
252 stars 35 forks

Requests not consistently blocked #574

Open Patputki opened 9 years ago

Patputki commented 9 years ago

Hello,

I noticed that when loading a page it sometimes first loads everything normally, as if RequestPolicy was not installed. But then, one second later, RP starts blocking (for example some pictures). But this is too late! It should block immediately, before any connection to other sites happens, otherwise this addon makes no sense! I'm talking about version 1.0.beta8.1. Before, I used the original version 0.5.28 from Justin Samuel, which didn't have this issue. Or to be exact: I never noticed this behavior in the original version, which doesn't eliminate the possibility that it happened unnoticed.

myrdd commented 9 years ago

Hi @Patputki, thank you for your report. Before I check that, I'd like to know whether you're using the official release or if you've created your own xpi file. In the latter case, which branch are you using?

I think this could be easily tested:

  1. install RP into a profile
  2. close that firefox instance
  3. start firefox by specifying a URL to a page that should be opened after starting; that page should contain requests that should be blocked.

The solution would probably require registering RequestPolicy's policy implementation as soon as possible. Then we could say it should initially block all requests until RP's backend is ready. However, if we do so, some pages eventually might not load?
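Added example (not RequestPolicy's code, and not a description of how RP actually hooks the browser): a small simulation of the startup race described above. A request hook can behave three ways while the extension's backend is still loading its rules: it may not be installed yet ("late": requests go straight to the network and are never seen or logged), it may be installed but fail open ("open": allow everything until the rules arrive), or it may be installed and fail closed ("closed": block everything until the rules arrive, the approach proposed above). The hostnames, the simplified "same host or explicitly allowed host" policy, and the function names (makeGate, simulatePageLoad, summarize) are all constructed for this illustration.

```javascript
"use strict";

// Constructed sample data (not real rules or sites).
const RULES = { allowedDestHosts: ["cdn.example.net"] };
const PAGE = "https://shop.example.org/books";
const REQUESTS = [
  "https://shop.example.org/style.css",     // same-site: should be allowed
  "https://cdn.example.net/covers/1.jpg",   // allowed by a user rule
  "https://tracker.example.com/pixel.gif",  // should be blocked
  "https://ads.example.com/banner.png",     // should be blocked
];

function hostOf(url) { return new URL(url).hostname; }

// Policy decision once rules are available. Simplified stand-in for a real
// cross-site-request policy: same host is allowed, otherwise consult the rules.
function decide(rules, origin, dest) {
  if (hostOf(origin) === hostOf(dest)) return "ALLOW";
  return rules.allowedDestHosts.includes(hostOf(dest)) ? "ALLOW" : "BLOCK";
}

// A request gate modelling the hook a blocker registers with the browser.
// mode: "late"   -> hook is only installed once the rules are loaded
//       "open"   -> hook installed early, allows until rules are loaded
//       "closed" -> hook installed early, blocks until rules are loaded
function makeGate(mode) {
  const state = { rules: null, log: [] };
  return {
    installed: () => mode !== "late" || state.rules !== null,
    loadRules(rules) { state.rules = rules; },
    shouldLoad(origin, dest) {
      const ready = state.rules !== null;
      const decision = ready
        ? decide(state.rules, origin, dest)
        : (mode === "closed" ? "BLOCK" : "ALLOW");
      // Only requests that actually reach the hook can be logged.
      state.log.push({ dest, decision, ready });
      return decision;
    },
    log: () => state.log,
  };
}

// Simulated page load: requests fire in order; the backend's rules arrive
// only after `readyAfter` requests have already been issued.
function simulatePageLoad(mode, readyAfter) {
  const gate = makeGate(mode);
  const fetched = [];
  REQUESTS.forEach((dest, i) => {
    if (i === readyAfter) gate.loadRules(RULES);
    if (!gate.installed()) { fetched.push(dest); return; } // unfiltered, unlogged
    if (gate.shouldLoad(PAGE, dest) === "ALLOW") fetched.push(dest);
  });
  return { fetched, log: gate.log() };
}

// leaked:      hosts contacted that the loaded rules would have blocked
// overBlocked: requests the rules would have allowed but the gate refused
// logged:      how many requests the hook saw at all
function summarize(mode, readyAfter = 3) {
  const { fetched, log } = simulatePageLoad(mode, readyAfter);
  const leaked = fetched.filter(d => decide(RULES, PAGE, d) === "BLOCK");
  const overBlocked = REQUESTS.filter(
    d => !fetched.includes(d) && decide(RULES, PAGE, d) === "ALLOW");
  return { mode, leaked, overBlocked, logged: log.length };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const mode of ["late", "open", "closed"]) console.log(summarize(mode));
}
```

With the rules arriving after the third request, "late" and "open" both let the tracker pixel through; "late" additionally logs only one request, which is why a leaked request would not show up in the Request Log. "closed" leaks nothing but refuses the page's own stylesheet and the explicitly allowed image, which is the "some pages might not load" cost mentioned above; a real implementation would have to queue or re-evaluate those early requests rather than simply drop them.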

Patputki commented 9 years ago

Hi, I'm using the version you get by clicking the big green download button on this site: https://requestpolicycontinued.github.io/

In my opinion the only way this addon makes sense is if it is implemented in a way that makes it impossible for the browser to make the unwanted connections without RP's permission. Otherwise the "bad things" we want to prevent have sometimes already happened when RP steps in. I'm no expert in browser code or programming browser addons, but as my empirical experience with the original RP and, for example, NoScript shows, it must be possible to implement it that way. I have been using these two addons for years now and never had the issue that an unwanted connection (RP) or script (NoScript) loaded without my permission. How they do it, I don't know and cannot tell you ;-)

Thanks for dealing with this issue.

nodiscc commented 9 years ago

Do these unblocked requests show in the Request log ?

myrdd commented 9 years ago

In my opinion the only way this addon makes sense is if it is implemented in a way that makes it impossible for the browser to make the unwanted connections without RP's permission.

I completely agree with you.

Do these unblocked requests show in the Request log ?

I suppose not. If a request has not been caught by RequestPolicy, it will not show up in the Request Log either.

Patputki commented 9 years ago

Sorry, I cannot do extensive testing for now because a) I don't have the time for it until the middle of next month and b) after an automatic update the new version of Firefox kicked out some of my security addons, and I neither want to load sites with "bad connections" without these addons, nor do I currently have the time to research how to get them running again. Even so, I just now made a short, quick test for you by loading an "infamous" website and watching the log file. It shows that RP allowed some connections which ended with ".css" without my permission. I don't know what this means and whether this is a bad thing or not. Like myrdd said, there might have been additional connections which are not in the log file because RP didn't notice them. I cannot do more for now. Like I said, in the past there have been some pictures which first loaded unrestricted before RP decided to block them and replaced them with the red flag, so there definitely is some problem.

myrdd commented 9 years ago

@Patputki I don't expect you to test more. The task seems to be to find out whether and in which cases RP might leak requests on Firefox startup.

after automatic update the new version of firefox kicked out some of my security-addons

you might want to try the ESR version (currently Firefox 31)

Patputki commented 9 years ago

Thanks for the advice, but a downgrade back to Firefox 34 already solved the problem. It's a known "bug" in version 35. Mozilla promises to clear it in version 36.

Regarding the RP issue: The problem is not restricted to the startup of Firefox! It occurs when loading a new page, regardless of how long Firefox has been running until then.

myrdd commented 9 years ago

Can you provide a link about that bug?

Patputki commented 9 years ago

You mean a link to a page where the problem happened? Sorry, can't remember. I was researching on the web whether an ebook version of the book "Einführung in die Informatik" by Heinz-Peter Gumm and Manfred Sommer exists. During this research I visited a page with a list of books, but I cannot remember which page this was. On this page the pictures of the book covers loaded but then about two seconds later disappeared again and were replaced by the red flag of RP.

myrdd commented 9 years ago

Actually I was referring to you saying:

It's a known "bug" in version 35. Mozilla promises to clear it in version 36.

Did you find a bug on https://bugzilla.mozilla.org/ ?

On this page the pictures of the book covers loaded but then about two seconds later disappeared again and were replaced by the red flag of RP.

Now that's interesting. It could be a bug, but not necessarily. The image you've seen could have been from your cache. I can imagine other possible reasons in case JavaScript is activated.

Regardless of whether there is a bug or not, RequestPolicy should have a unit test for this issue. I've added the following item to the list in #487

check whether RequestPolicy starts up fast enough to catch all requests

Patputki commented 9 years ago

I have put "bug" in quotation marks because it is not really a bug. Let's call it an unlucky attempt to implement new functionality ;-) AdBlock Plus/Edge, Ghostery and some other addons stop functioning in Firefox version 35 if "dom.indexedDB.enabled" is set to false, which is the case for many people whose browser configuration is geared to privacy settings. In a forum someone wrote that he was in contact with someone from the Mozilla team, and that this guy said that in version 36 it will be possible again to run the addons with "dom.indexedDB.enabled" set to false.

Regarding the RP issue: It wasn't one picture but every picture on the page, and they couldn't have been in the cache, because it was the first time I loaded the page. JavaScript wasn't active either because of NoScript, if I remember rightly. I'm not absolutely sure, not 100%.

To say it again: It was no problem of starting up too slowly. Firefox and RP had both already been running for a long time when I opened the page. OK, I think you know what you are doing. I wish you good luck with your project and will come back to this site someday to see if the bug is fixed. Until then I will use the original version of RP again. Thank you for spending time on creating freeware. Have a nice weekend :-)

myrdd commented 9 years ago

Alright, thanks for the explanation.

To say it again: It was no problem of starting up too slowly. Firefox and RP had both already been running for a long time when I opened the page.

Whoops, I missed that. I think this makes this issue even more difficult to reproduce; I am not sure how to do this. I will focus on other issues for now and leave this issue labeled "unconfirmed".