Open source Firefox extension to control cross-site requests.

Detecting RequestPolicy

It is possible for a website to detect that a user has RequestPolicy installed. There are at least two ways to do this, neither of which are specific to RequestPolicy (that is, it's an issue for many other extensions, as well).

  1. A website can look at which interfaces are available through Components.interfaces.

    This is a known privacy bug in Mozilla/Firefox (bug 429070) that seems likely to be fixed in 2012. Essentially, any extension that provides an XPCOM interface is identifiable through JavaScript. A site can test for RequestPolicy using the following JavaScript:

    if ("nsIRequestPolicy" in Components.interfaces) {
        alert("RequestPolicy is installed.");
    }
    

    The above approach will not work if JavaScript is disabled.

  2. A website can look at which cross-site requests are blocked and make an educated guess that RequestPolicy is doing the blocking.

    More generally, a fingerprinting risk exists for users of any extension that modifies the behavior of the web browser on a web page or the content of the web page itself.

© 2008-2012 Justin Samuel