RequestPolicy rules combine 3 items:
- The origin is a domain from where cross-site requests originate.
- Commonly, this is the site you are currently browsing when the cross-site request is done.
- A destination is the domain/group of domains that is the target of a cross-site request.
- Commonly, this can be a CDN, a separate/special domain for static contents or scripts used on a site, or an advertising/metrics/statistics network.
- The policy is the action that RequestPolicy will apply to a cross-site request, depending on it's origin and destination.
- It can be block or allow.
Note: When both an allow and a block rule match a request, the user's default rule is used. (A priority system between rules is considered in issue 491)
The origin and destination components of a rule can have the following properties. All properties are optional. An empty rule property will not be considered when matching against requests.
- Scheme: The URL's scheme (protocol). For example, "http" or "https".
- Host: The URL's host. For example,
example.com(domain name),192.30.252.128(IPv4 address), orfe80:0000:0000:0000:0202:b3ff:fe1e:8329(IPv6 address). - Note: For domain names, you can use a wildcard
*to indicate any or no subdomain. For example,*.example.comwill matchexample.com,www.example.com, ora.b.c.example.com. Wildcards are only supported as the leftmost label of a hostname. Wildcards are not supported anywhere else in the name and cannot be mixed with other characters. - Port: The URL's port. For example,
81or8080. This may also be*to indicate that any ports should match. By default, rules that do not specify ports only match the default port for the request's scheme (eg.80forhttp).