Iceweasel addon - RequestPolicy
Originally created by Tails on #5427 (Redmine)
I think it might be a good idea if RequestPolicy was installed in Iceweasel as default.
Wrt. RequestPolicy, the benefits would need to be carefully balanced against the increased complication of the end-user web experience (a strict default policy probably means broken websites, a non-strict default policy probably is useless). Not even speaking of auditing the addon for possible privacy / anonymity leaks. Until this is thought through and researched, I tend to think we shall follow what the Tor Browser Bundle, i.e. not ship this addon.
I’ve been using this extension in whitelist mode (only let through cross-domain requests I explicitly allow) for a while. It’s great. However, I would say the WWW is a bit more broken, with cross-domain requests disabled, than it is with JavaScript disabled. So I don’t think we could configure Tails to act like this by default. Maybe we could adopt the same strategy as we did for NoScript, i.e. install it, configure it to allow everything, and make it a two-clicks thing to switch to whitelist mode? That way, those who really want the additional protection can get it, and with persistence, one could get to save her whitelist (after being warned s/he’s saving some of his/her browsing history).
I’d also like to have RequestPolicy included, in "allow everything" mode by default. Even having it installed but disabled in about:addons would be an improvement over having to download it every time I boot up. The privacy (and speed) improvements when it’s fully active are significant.
This is still a good idea.
At the July dev meeting, we decided that for this to happen, this requires:
- someone to verify how it integrates with the browser and checks it’s safe
- someone who commits to maintain it in Tails on the long run