Development Basics

the source code

getting the source code / building the addon

See Setting up a development environment and Working with the Source Code.

XPI files

For distribution, the source code is packaged into .xpi files. XPI files are just zip archives which you can extract like any other. However, if you want to work on the source code you should take the code from the repository, because the XPI's content and the code in the src/ directory are not exactly the same.

addon development basics


RequestPolicy adds XUL elements to every browser window, such as the menu button. There's a great XUL Tutorial on MDN.


When developing Mozilla Add-Ons you will stumble upon XPCOM components:

Development tools

There are some very useful tools for developing addons. To name some of them:

source code basics

The main source code lives in the src/ directory, unit tests in tests.

programming language

RequestPolicy is written in JavaScript. Some unit tests (Marionette) are written in Python.

entry points

When the addon is installed, the files install.rdf and chrome.manifest are parsed and bootstrap.js is executed. More infos:

From bootstrap.js RequestPolicy is started up.

„Content Policy“ implementation

RequestPolicy's blocking functionality bases mostly on the nsIContentPolicy interface. RequestPolicy implements this interface by an XPCOM component. The component's shouldLoad function will be called for each request to decide whether or not the resource at a given location should be loaded.

general topics


Each request has a destination URI, and often also an origin URI. For information about about URIs see STD 66 (Internet standard) – especially Appendix A. There's also some information on wikipedia.

This is the ABNF definition of an URI:

scheme ":" hier-part [ "?" query ] [ "#" fragment ]

The „scheme“ often is http or https. The „hier-part“ normally is the host in the form of // or //

domain names and the „Public Suffix List“

RequestPolicy treats domain names either as full domains (e.g. or regarding their „Base Domain“ (e.g. The Base Domain is determined using the „Public Suffix List“ (wikipedia, Therefore, for example, the Base Domain of is equally, not


Have a look at the MDN articles Security check basics and Same-origin policy



The following abbreviations are used