RequestPolicyContinued / requestpolicy

a web browser extension that gives you control over cross-site requests. Available for XUL/XPCOM-based browsers.
https://github.com/RequestPolicyContinued/requestpolicy/wiki

Rule semantics: Survey & Discussion #802

Open myrdd opened 8 years ago

myrdd commented 8 years ago

In this issue I'd like to present the rule semantics, and open them for discussion. This specification does not yet represent RP's current behavior, but it will be implemented. Still, I'd like to hear your comments.

TL;DR: Take a look at screenshots 1 and 2 below.

Below you'll see two tables: the first one is a reduced version of the second one.


The reduced table:

| Value | SCHEME | HOST | PORT |
|---|---|---|---|
| undefined | http(s) or ftp | "*" or none | default port |
| null | | no host & no port [1][2] | |
| "" | | empty host [3] | |
| "*" | any scheme | any host [4] | any port |

The more complete table:

| Value | SCHEME | HOST | PORT | PATH PREFIX |
|---|---|---|---|---|
| undefined | http(s) or ftp | any host ("*") or no host (none) | default port (if applicable) | any path |
| null | invalid [5] | no host & no port [1][2] | invalid [5] | invalid [5] |
| "" | invalid [5] | empty host [3] | invalid [5] | any path |
| "*" | any scheme | any host [4] | any port | any path |
| else | specific scheme | specific host | specific port | specific path-prefix |

Notes

Each rule has a site specification for the origin and another one for the destination. If any of the fields (scheme, host, port, etc.) is unspecified, its value is undefined. Let's talk about some undefined fields.

scheme = undefined

If the scheme of a site specification is undefined, the specification will only match URIs with HTTP, HTTPS and FTP schemes. Those are the most typical protocols/schemes, so the user usually doesn't see this behavior.

The behavior of scheme = undefined separates common internet protocols from other schemes such as file, about, chrome and resource. For instance, requests from http://gre/ to resource://gre/ are blocked, even if a rule allowing gre -> gre exists.

port = undefined

Similarly, if the port is undefined, the site specification will only apply to URIs with a default port. Since the major part of websites uses the default port, this shouldn't affect many users.

Non-default ports are often used by applications installed on the local computer or the local network. Since port = undefined means default port, more fine-grained control is possible – even in base domain and full domain strictness (see #474).

Conclusions

Conclusions for the menu

The menu translates any URI of a tab into a shorter string. For example, https://www.example.com/foo will become *.example.com in base-domain strictness. If any of those URIs has a non-default port, the menu will also show that port number. For instance, http://www.example.com:8080/ will become *.example.com:8080 in base-domain strictness. Consequently, the menu will also allow adding/removing such rules (issue #473). Screenshot 1 below shows how the menu will look.

If a URI has a non-internet scheme/protocol, base-domain and full-domain strictness will fall back to full-address strictness for that URI. An example is shown in screenshot 2 below. In the screenshot, RP is configured for full-domain strictness, and the resource://gre/* URIs are displayed full-address.

Conclusions for the "Your Policy" page

The Your Policy settings page contains a list of all active rules. Screenshot 3 (below) shows how the list currently looks. For origin-only rules, the destination field is empty; vice versa for dest-only rules. While it is correct that “nothing has been specified”, an empty origin/dest cell hides the details implied by the above rule semantics.

@nodiscc has suggested (#560) to display a wildcard (*) instead of an empty field. I like that idea, so I think I'll implement it.

[Explanation] If you've read this post carefully you might think displaying * is not fully accurate: If the host is undefined, it allows both * and none. But at the same time, the scheme is undefined, meaning only http(s) and ftp are allowed, meaning there is always a host. So IMHO displaying * is accurate enough.

Screenshots

Screenshot 1: if the port is non-default, it will be displayed in the menu

Screenshot 2: the menu shows resource://gre (full-address), while actually base-domain strictness is configured

Screenshot 3: current display of “active rules”

myrdd commented 8 years ago

A case where the proposed new behavior of scheme = undefined is counterintuitive: When viewing an image directly (e.g. https://github.com/favicon.ico), allowing “all requests from .github.com” won't allow the `resource://gre/` requests (see screenshot 2). In contrast, allowing “all requests to resource://gre” would work.