See Setting up a development environment and Working with the Source Code.
For distribution, the source code is packaged into
.xpi files. XPI files are just
zip archives which you can extract like any other. However, if you want to work on the source code you should take the code from the repository, because the XPI's content and the code in the
src/ directory are not exactly the same.
RequestPolicy adds XUL elements to every browser window, such as the menu button. There's a great XUL Tutorial on MDN.
When developing Mozilla Add-Ons you will stumble upon XPCOM components:
There are some very useful tools for developing addons. To name some of them:
The main source code lives in the
src/ directory, unit tests in
When the addon is installed, the files
chrome.manifest are parsed and
bootstrap.js is executed. More infos:
install.rdf: docs. It specifies the addon's ID, name, description and version string, as well as the web browsers'
chrome.manifest: docs, tutorial. It specifies the
bootstrap.js RequestPolicy is started up.
RequestPolicy's blocking functionality bases mostly on the
nsIContentPolicy interface. RequestPolicy implements this interface by an XPCOM component. The component's
shouldLoad function will be called for each request to decide whether or not the resource at a given location should be loaded.
Each request has a destination URI, and often also an origin URI. For information about about URIs see STD 66 (Internet standard) – especially Appendix A. There's also some information on wikipedia.
This is the ABNF definition of an URI:
scheme ":" hier-part [ "?" query ] [ "#" fragment ]
The „scheme“ often is
https. The „hier-part“ normally is the host in the form of
RequestPolicy treats domain names either as full domains (e.g.
www.example.com) or regarding their „Base Domain“ (e.g.
example.com). The Base Domain is determined using the „Public Suffix List“ (wikipedia, publicsuffix.org). Therefore, for example, the Base Domain of
xyz.cloudfront.net is equally
Have a look at the MDN articles Security check basics and Same-origin policy
ruleset: a list of rules. can be empty.
rule: contains some selection specification (e.g.
destination) and a
policy: whether requests matching a rule are allowed or blocked
The following abbreviations are used
RPC: RequestPolicy Continued
e10s: Electrolysis (aka multiprocess firefox)