This repository has been archived by the owner on Jun 8, 2018. It is now read-only.

Provide and maintain RequestPolicy whitelist #36

Closed
quizilkend opened this issue Feb 6, 2016 · 4 comments

@quizilkend

Hey!

I use Decentraleyes along with RequestPolicy. Right now it is necessary to whitelist the domains mentioned here by hand.
It would be useful if there were a whitelist which is updated with the progress of the Decentraleyes addon.

Best wishes,
Sammy

@Synzvato changed the title from "Provide Requestpolicy Whitelist" to "Provide and maintain RequestPolicy whitelist" on Feb 6, 2016
@Synzvato
Owner

Synzvato commented Feb 6, 2016

Hi, thanks for sharing your thoughts!

While I like the idea, it does not appear to be possible to maintain self-updating whitelists. RequestPolicy does allow users to import domains from a file, but this does not allow for pushing updates to clients. It's also not possible to remove old (obsolete) whitelist entries once imported.

This might help users with strict policies with the initial set-up:

[origins]
[destinations]
ajax.googleapis.com
ajax.aspnetcdn.com
ajax.microsoft.com
cdnjs.cloudflare.com
code.jquery.com
cdn.jsdelivr.net
yandex.st
libs.baidu.com
lib.sinaapp.com
upcdn.b0.upaiyun.com
[origins-to-destinations]

Am I missing something with regards to maintenance?
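
One way to handle the maintenance gap described in the comment above, as an added example that is not part of the original thread or of either add-on: since an import can neither push updates nor delete old entries, compare the file you imported earlier with a newer revision and list what to import and what to remove by hand. It assumes only the layout shown above (bracketed section headers, one entry per line); the function names, the shortened sample lists and `cdn.example.net` are constructed for illustration.

```python
# Assumed format: "[section]" headers, one entry per line, entries treated as opaque strings.
SECTIONS = ("origins", "destinations", "origins-to-destinations")

def parse_whitelist(text):
    """Return {section: set(entries)}; reject unknown sections and stray entries."""
    rules = {name: set() for name in SECTIONS}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current not in rules:
                raise ValueError(f"line {lineno}: unknown section {line}")
        elif current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        else:
            rules[current].add(line.lower())
    return rules

def diff_whitelists(imported, latest):
    """Per section: entries still to import, and obsolete ones to delete by hand."""
    old, new = parse_whitelist(imported), parse_whitelist(latest)
    return {name: {"add": sorted(new[name] - old[name]),
                   "remove": sorted(old[name] - new[name])}
            for name in SECTIONS}

# Constructed sample input: IMPORTED is a shortened copy of the list above; LATEST is a
# hypothetical later revision (the dropped and added entries are purely illustrative).
IMPORTED = """[origins]
[destinations]
ajax.googleapis.com
code.jquery.com
yandex.st
[origins-to-destinations]
"""
LATEST = """[origins]
[destinations]
ajax.googleapis.com
code.jquery.com
cdn.example.net
[origins-to-destinations]
"""

if __name__ == "__main__":
    for section, delta in diff_whitelists(IMPORTED, LATEST).items():
        print(section, "import:", delta["add"], "remove by hand:", delta["remove"])
```
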

@stewie

stewie commented Feb 6, 2016

Respectfully, the proposed RP whitelist seems like an insecure (too trusting) approach.
I realize that might be the only approach available though, because can't guarantee which request observer will get first dibs.

When DE's "retrieve and cache missing" option is enabled, I would hope DE would raise an infobar announcing "page is requesting a not-yet-cached item from a recognized CDN. Allow/Deny". Upon 'Allow' buttonclick, DE would retrieve and permacache the item then trigger a page reload. It's reasonable to expect this will be a seldom-occurring interruption.

http://www.jsdelivr.com/about
For this CDN in particular, I'm hesitant to carte blanche "allow any missing".
http://blog.jsdelivr.com/
"A big focus was made on our combination feature. You can now visually create your combined URLs using the "Collection" functionality"
http://www.jsdelivr.com/free-open-source-cdn/javascript-cdn
"There are no popularity restrictions and all kinds of files are allowed, including JavaScript libraries, jQuery plugins, CSS frameworks, fonts and more."

Ultimately, after extended surfing, the local DE permacache could accumulate the entirety of
https://github.com/jsdelivr/jsdelivr/tree/master/files

https://github.com/jsdelivr/jsdelivr/archive/master.zip
1.6Gb zipfile
extracted contents: 123,500+ files, 5.0Gb files on disk
ouch
(and, does the jsdelivr "combinations, collections" feature introduce further permutations?)

@Synzvato
Owner

Synzvato commented Feb 7, 2016

@stewie Thanks for weighing in.

> Respectfully, the proposed RP whitelist seems like an insecure (too trusting) approach.

Note that you can block requests for any missing resources from preferences, and then whitelist any domains of websites that break without the expected libraries. So, adding the CDN domains to your RequestPolicy whitelist does not necessarily mean allowing all requests for missing resources.

@Synzvato
Owner

Closing this issue for now (since there now is a static RequestPolicy whitelist). I will be sure to re-open this issue if anyone has a strategy for continued maintenance.
