CSRF, snooping, RequestPolicy for Firefox


Mugi on RequestPolicy

Having been an avid user of NoScript, PermitCookies, Ghostery and AdBlock Plus to whitelist site elements and improve security and privacy, RequestPolicy has me really excited :).

Only the paranoid survive ~ Andrew S. Grove

RequestPolicy is an extension for Firefox and other compatible Mozilla browsers that helps address the growing problem of cross-site request forgery (CSRF/XSRF) attacks, which nefarious people actively use to ride on your existing session data and (to put it simply) masquerade as you. Because the browser attaches a site's cookies to every request for that site no matter which page triggered it, an attacker's page can perform actions on your behalf, which one can imagine would be catastrophic if we were talking about a bank or a voting page for our favourite K-On character. The same cross-site requests are also used to track which sites you visit.

What makes such attacks particularly worrying is that, unlike cross-site scripting attacks (XSS), which need a script vector such as ECMAScript or Flash, a CSRF attack can be executed simply by an unsuspecting user clicking a link or, even worse, loading a page containing a static element such as an image whose source URL (Earl, if you prefer) is the forged request. The image tag issues a GET to the target site and the browser sends that site's cookies along with it, so any action the site performs on a GET is exposed; a POST endpoint needs a form instead, but a self-submitting form is only a few lines of HTML and script, so that is a speed bump rather than a defence.

Content loaded from an external source can also potentially be used to track the sites you visit, how often you visit them, and what specific pages you frequent. The behavioural advertising value of this data practically guarantees companies are performing this kind of activity. One could say they're Phorming ideas as we speak. Hey come on, that was funny, why aren't any of you laughing? Don't answer that.

For those of us with tin foil hats stapled to our heads (hey, we all have our reasons), these two issues are rather terrifying. A large percentage of sites now consist predominantly of content loaded from other sites, and all a CSRF attack takes is a single static element that even a seasoned internet user could be forgiven for missing. More worrying still, the problem is potentially as old as the web itself, and the current trend towards decentralised sites (pages assembled from many third-party pieces) will only make it worse. Mmm, cookies. And sunfish.


This RequestPolicy extension thingy

In what has become the de facto standard for Firefox security extensions, RequestPolicy places an icon in your statusbar (or the add-on bar in Firefox 4.x) which lets you allow particular cross-site requests temporarily, add them permanently to your whitelist, or keep them blocked (the default). Blocked means the request is never sent, so a forged request embedded in a page is stopped before it reaches the target site unless you have whitelisted that origin for that destination. This can prevent some CSRF attacks, and it also blocks images and other externally loaded elements that track your activities without your permission or knowledge, such as analytics or advertising tools. The caveat is that a whitelisted origin-to-destination pair is trusted completely, so the protection only covers pairs you have not allowed; the real fix for CSRF remains server-side, with anti-forgery tokens on every state-changing request.

As with the other extensions I described at the top of the post, RequestPolicy becomes more useful the longer you have it active given you're populating its whitelist over time. To help with the initial configuration, the developer includes a list of suggested sites which you can add once the extension is first installed.

I've been using 0.5.16 in Firefox 3.6.13 (version number soup) for close to a week with no issues :).

Link arms, don’t make them

Robert Auger has a page on CSRF attacks and some proof of concept code for those interested in learning the details: The Cross-Site Request Forgery (CSRF/XSRF) FAQ. Wikipedia's page is surprisingly lacking in this case, but still useful for a summary. Surprise surprise, my page here is not the be-all and end-all authority on this subject and I don't have all the details! ;D

The extension is available from the developer's website, or from Mozilla's addon page. The images are of Mugi-chan from K-On because… just because.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person in bios. Hi!