Whitelist for filetypes/paths #317
Comments
Comment by ghost
RequestPolicy/requestpolicy#61 and this one are closely related. If the user could allow whatever file extension to load cross-site, this would fix many usability issues: images, css, swfs/flvs would load properly without any user interaction. This is not necessarily secure, so there should be a warning when changing this setting. Still, only allowing images from specific/all destinations may be less dangerous than allowing a whole domain just to display images/css. I always install RP on workstations I build for other people, and they always end up totally disabling it because of these usability issues. This would be a major improvement. @jsamuel what is your view on this?
So this issue is about supporting rules for file paths. As commented by @Eibwen in #152:
Detecting the real mimetype of a blocked file is not possible (see the full comments on #152), unless you allow the request in the first place. So there should be a clear warning about path-based rules in the "Create rule" section of Once this is done, it should be possible to allow requests to specific paths. However, considering the security/privacy implications, it should only be possible to do it manually from the "Create rule" section in the prefs (for advanced users) with that very clear warning. Hopefully if there are enough contributions to subscriptions, manually allowing domains will be less and less needed.
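
The following sketch is an added example, not code from this thread or from RequestPolicy. It shows what a path-based allow rule can decide on before a request is sent: only the destination URL. The rule format (`exts`, `destHost`), the function names and the sample URLs are all assumptions made for illustration.

```javascript
"use strict";
// Hypothetical rule format: allow a cross-site request when the destination
// URL's path ends in one of `exts`, optionally only for `destHost` and its
// subdomains. The response's real Content-Type is unknown at this point, so a
// match only means "the URL is labelled .css", which is why the thread asks
// for a warning on such rules.

// Extension of the last path segment; query string and fragment are ignored.
function extensionOf(url) {
  const path = new URL(url).pathname;
  const file = path.slice(path.lastIndexOf("/") + 1);
  const dot = file.lastIndexOf(".");
  return dot > 0 ? file.slice(dot + 1).toLowerCase() : "";
}

// Exact host or a true subdomain; "notstatic.example" must not match.
function hostMatches(host, ruleHost) {
  return host === ruleHost || host.endsWith("." + ruleHost);
}

function isAllowed(rules, destUrl) {
  let dest;
  try { dest = new URL(destUrl); } catch (e) { return false; } // unparsable: block
  if (dest.protocol !== "http:" && dest.protocol !== "https:") return false;
  const ext = extensionOf(destUrl);
  if (!ext) return false; // no extension in the path: rule cannot apply
  return rules.some(r =>
    r.exts.includes(ext) &&
    (!r.destHost || hostMatches(dest.hostname, r.destHost)));
}

// Constructed sample rules: css from anywhere, images only from one host.
const sampleRules = [
  { exts: ["css"] },
  { exts: ["png", "jpg"], destHost: "static.example" },
];

// Constructed sample destinations, evaluated against the rules above.
function demo() {
  return [
    "https://cdn.example/theme/Style.CSS",       // extension match is case-insensitive
    "https://cdn.example/track?file=x.css",      // extension only in query: blocked
    "https://img.static.example/logo.png",       // subdomain of the scoped host
    "https://notstatic.example/logo.png",        // look-alike host: blocked
    "https://cdn.example/widget.js",             // no rule for js: blocked
  ].map(u => [u, isAllowed(sampleRules, u)]);
}
```

Scoping a rule to a destination host, as the second sample rule does, keeps the narrower exposure the first comment describes compared with allowing the whole domain.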
Issue by Dr-Yes
Thursday Jun 21, 2012 at 07:19 GMT
Originally opened as RequestPolicy/requestpolicy#317
I'd like to allow css files to be loaded from 3rd parties. I know this is a bad idea concerning privacy and security so the setting might need a warning.