"bundle" rules

[msxfm]

Issue by alexlehm
Saturday Sep 08, 2012 at 08:23 GMT
Originally opened as RequestPolicy/requestpolicy#338

---

I think it would be useful to have bundle rules for sites that use a specific toolkit or are hosted on a specific server that uses the same set of external domains.

E.g. when a site is hosted on blogspot.com but it using its own domain, there are 2 or 3 external domains always used, so I usually have to whitelist all three, it would be nice if this could be matched somehow so that you only have to whitelist one bundle.

[nodiscc]

@alexlehm Is this issue about adding rules from .blogspot. domains? I think this can be done before the 1.0 release

@myrdd what do you think?

[myrdd]

@nodiscc I think this not about wildcards, but @alexlehm rather means creating a "common name" for several names. For example, you could create a common name called "Github" which catches all origins and/or destinations containing *.githubusercontent.com and *.github.com.

This is a nice idea, but IMHO not relevant enough to be supported in 1.0, but we'll see.

The subscriptions label is correct insofar that this feature should be also available for subscriptions and we need to think about how to implement it.

suggestion

Here's an UI suggestion – an example with Youtube as common name. The menu could contain:

• origin: mypersonalwebblog.me (selected)
• destinations:
  • Youtube – 5 requests (selectable)
    • *.youtube.com – 2 requests (selectable)
    • *.ytimg.com – 3 requests (selectable)

As you can see, all three destination entries are selectable. If you select Youtube, rules will be created for that Common Name. If you select a specific domain, the rule will be created for that domain only.

[alexlehm]

For a blogspot blog, the domains usually include (e.g. my blog on my subdomain)
blog.lehmann.cx (origin)
blogger.com, blogblog.com, blogspot.com
The same shows on wordpress.com blogs with wordpress.com and wp.com (e.g. postsecret.com)

(not really a feature that is important, I can live with allowing the different domains once in a while)

[myrdd]

I suppose I understood your feature request correctly @alexlehm.

I guess we won't implement this feature before 1.0, so I'll change the milestone.

[nodiscc]

Related comment in #166 (comment)

[nodiscc]

Here is what bundles could look like in the UI:

This mechanism could replace the old allow_embedded subscription, allowing the user to whitelist/blacklist a whole set of domains in one click. The available actions would be the same as for normal domain-based rules (eg. Allow requests from *.domain.org to Media (bundle)). This would also allow managing subscriptions directly from the menu (eg. Block requests to Trackers (bundle)). Domains that are not part of a bundle are listed und the the section Other.

The disadvantage, UI-wise, is that it makes the menu larger vertically (4 more lines in this example). Sorting is also done by number of requests for each bundle instead of domains - except for Other that would always be placed over or below other bundles (in this example I placed it below, on top may be better)

Feedback welcome.

[nodiscc]

So far I thought of these possible bundles; they could be implemented as subscriptions first:

• CDNs: akamaihd, ajax.googleapis.com, cloudflare, bootstrapcdn, cloudfront.net, ...
• Media: vimeo, youtube, statickflickr, imgur, ytimg, yimg, ...
• Maps: google maps, openstreetmap, mapquest, ...
• Fonts: typekit, fonts.googleapis.com, fonts.gstatic.com ...
• Social: disqus, facebook, twitter, addthis, fbcdn ...
• Blogs: bp.blogspot.com, blogger.com, blogblog.com, tumblr.com, ...

Feel free to comment if you can think of more

[myrdd]

Thanks for your thoughts so far. I'd like to add:

user bundles & subscription bundles:
bundles should not only be available for subscriptions, but also for the user.

several bundles for a domain:
a domain should not be bound to a bundle, instead a domain could be in several bundles.
→ example: yimg might be in the bundles "Media" and "Google"

bundles containing other bundles:
we might consider bundles containing other bundles as well, e.g. you could make a sub-bundle of "Maps" which is the "Google Maps" bundle, which contains all the domains of Google Maps

conservative management of subscription bundles:
if bundles are distributed via subscriptions, I think we should keep name changes at a minimum. If names do not change, the users could override the bundles they've subscribed to, i.e. they could add or remove domains from a bundle just for their local copy.

rule: "allow requests to itself":
it might be useful to create rules like "allow all requests from bundle XY to itself". That should be not the default.

user bundles first:
I think that before we start with subscription bundles we should enable user bundles. Then we might cautiously add subscription bundles.

[nodiscc]

Hi @myrdd maybe there's a middle ground? Maybe there's no need to do a distinction between user bundles and subscription bundles:

Regarding subscriptions vs bundles: I think the "bundles" could be added to the subscriptions repo (lists of destinations). Take the maps bundle for example. Instead of only having the option to always allow requests to the Maps bundle from the subscriptions settings page, these subscriptions/bundles could be allowed directly in the menu, on a per-site basis. The ruleset is the same, but the users can choose to only enable it from one site.

Regarding bundles based on domains vs based on desired functionality, and sites in multiple bundles I think the point of bundles is to help users quickly choosing what to allow, based on what they expect to see on the page. Eg. if you expect to see a map when visiting a site, -> Allow requests to Maps (bundle) from thissite.net is the obvious option. For map services integration, most sites only use one map service, having a Google bundle for this has little usefulness. For blogs, if a site uses tumblr or blogspot as a backend, it only uses one of these; clicking on Allow requests to Blogs (bundle) from thissite.net solves the user's problem. etc. Also, we can't add a bundle for every organization/company that exists.

Regarding rule: "allow all requests from bundle XY to itself":, in what case could this be useful?

Regarding conservative management of subscription bundles I don't really understand this point, maybe you can clarify.

To sum up, a very usable way to put "bundles" is simply: add the ability to apply subscription rules on a per-site basis, from the menu. Users can still Allow all requests to maps providers from the subscriptions settings page, or from a new entry in the menu.

I hope you get the point, what do you think?