Over the last few days I’ve had the pleasure of corresponding with Justin Samuel, who has recently authored a new module called RequestPolicy that has some pretty wide-reaching security implications for anyone who is concerned with cross-domain exploits. Here’s a snippet of our conversation:
RequestPolicy gives users full control over the cross-site requests made by their browser. It has a default deny policy and allows easy whitelisting of origins, destinations, and origins-to-destinations.
The website is here:
You can probably imagine the various security issues this helps with (not just CSRF, but that’s a big one). We have a security page here with some details:
I see RequestPolicy as fulfilling an essential role for privacy and security in our browsers. I believe that a truly secure Firefox install is running at a minimum both RequestPolicy and NoScript. (RequestPolicy is not a competitor to NoScript, obviously, but unfortunately a large number of people immediately think this because they are unaware of threats that aren’t from scripts and objects.)
Justin has a bunch of things on his to-do wishlist, including improvements to the UI, more granular control over what gets blocked, a blacklist of subnets (similar to LocalRodeo), and so on. Of course there are a few small issues that I ran into almost immediately, like the fact that subdomains are always allowed. That means an attacker could subvert the protection by pointing a subdomain at an RFC1918 address (assuming LocalRodeo wasn’t installed), or at a target domain whose exploit doesn’t require cookies to be submitted, since the wrong hostname would be sent with the request. So perhaps for the time being a combination of LocalRodeo, NoScript and RequestPolicy is the safest bet.
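To make the policy model and the subdomain caveat concrete, here is a small added example (my own illustration, not RequestPolicy’s code) of a default-deny cross-site request evaluator with the three whitelist kinds Justin describes: origins, destinations, and origin-to-destination pairs. The rule format, the `allowSubdomains` switch and the sample hostnames are all hypothetical. It shows why a request from `www.example.com` to `intranet.example.com` sails through when same-base-domain requests are implicitly trusted, and how a stricter setting forces that pair to be whitelisted explicitly.

```javascript
// Added example: a minimal model of a default-deny cross-site request policy.
// This is NOT RequestPolicy's own implementation; the rule shape below and the
// `allowSubdomains` switch are hypothetical, chosen to illustrate the point in
// the post about subdomains being allowed implicitly.

// Approximate the registrable domain as the last two labels. A real public
// suffix list (co.uk, etc.) is out of scope here. IP literals are kept whole.
function baseDomain(host) {
  const h = host.toLowerCase();
  if (/^[\d.]+$/.test(h)) return h;
  return h.split('.').slice(-2).join('.');
}

function hostOf(url) {
  return new URL(url).hostname;
}

// Decide whether a page at `originUrl` may request `destUrl`.
// policy = { origins: [...], destinations: [...], pairs: [[o, d], ...],
//            allowSubdomains: bool }
// Returns { allowed, reason } so a caller can log which rule fired.
function evaluate(policy, originUrl, destUrl) {
  const o = hostOf(originUrl), d = hostOf(destUrl);
  const ob = baseDomain(o), db = baseDomain(d);

  // Identical host: not a cross-site request at all.
  if (o === d) return { allowed: true, reason: 'same-host' };

  // The behaviour the post warns about: any host under the same registrable
  // domain is treated as same-site and allowed with no explicit rule. The
  // policy only sees hostnames, so it cannot tell where that name resolves,
  // which is why the post pairs this with a subnet blacklist like LocalRodeo.
  if (policy.allowSubdomains && ob === db) {
    return { allowed: true, reason: 'same-base-domain' };
  }

  if (policy.origins.includes(ob)) {
    return { allowed: true, reason: 'origin-whitelist' };
  }
  if (policy.destinations.includes(db)) {
    return { allowed: true, reason: 'destination-whitelist' };
  }
  if (policy.pairs.some(([po, pd]) => po === ob && pd === db)) {
    return { allowed: true, reason: 'pair-whitelist' };
  }
  return { allowed: false, reason: 'default-deny' };
}

// Two constructed policies: the lenient one mirrors "subdomains are always
// allowed"; the strict one requires every cross-host request to match a rule.
const lenient = { origins: [], destinations: [], pairs: [], allowSubdomains: true };
const strict = {
  origins: [],
  destinations: [],
  pairs: [['example.com', 'example.com']], // explicit same-base-domain allowance
  allowSubdomains: false,
};

// Walk a few constructed requests through both policies and return the table.
function demo() {
  const cases = [
    ['https://www.example.com/', 'https://intranet.example.com/'],
    ['https://www.example.com/', 'https://tracker.example.net/'],
    ['https://www.example.com/', 'https://www.example.com/page'],
  ];
  return cases.map(([from, to]) => ({
    from, to,
    lenient: evaluate(lenient, from, to),
    strict: evaluate(strict, from, to),
  }));
}

for (const row of demo()) {
  console.log(`${row.from} -> ${row.to}: lenient=${row.lenient.reason}, strict=${row.strict.reason}`);
}
```

Note that in the strict policy the subdomain request is still allowed, but only because an explicit `example.com -> example.com` pair was written; remove that pair and it falls to `default-deny`. That is the "more granular control" Justin lists on his wishlist, expressed as a rule rather than an implicit exception.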
It’s also fairly easy to detect that this module is installed, and for most users it will be a very tough user experience to get used to unless they whitelist everything. Still, it’s a very cool module for preventing most cross-domain/cross-site client-side attacks, and I bet it will only get better with time!