RP silently blocks remote content with Protonmail #850

Open
Watilin opened this issue Sep 22, 2017 · 4 comments


Watilin commented Sep 22, 2017

Browser and Add-ons

  • Browser: Firefox 55.0.2
  • RequestPolicy version: 1.0.beta13.0
  • No other add-ons

RequestPolicy settings:

  • Default policy: "allow"

Steps to reproduce

  1. Create a new browser profile
  2. Install above add-ons
  3. Configure the add-ons as described above
  4. If not already done, register an account on protonmail.com – it’s free. Protonmail is an end-to-end encrypted email service and webclient.
  5. Log in to protonmail.com
  6. Select an email containing one or more images. If you don’t have one, send yourself an email containing, for example, https://github.com/favicon.ico
  7. Protonmail blocks remote content by default, but exposes a button to unblock it. Click this button.

What happens?

No image appears in the email. The Request Policy icon does not turn red, and the menu does not mention anything blocked.

What should happen?

The menu should tell what content Request Policy has blocked, and offer a way to unblock it.

Another experiment makes it possible to be certain that Request Policy is what blocks the image once you click on Protonmail’s unblock button:

  1. Select another email to hide your test email away
  2. Completely disable Request Policy blocking (icon must turn orange)
  3. Go back to your test email, the unblock button should be back
  4. Click the unblock button

Now you should see the images.

Due to the encrypted nature of Protonmail, I’m not sure how Request Policy determines what is remote content; yet it manages to block it somehow.

The workaround I’m using is to allow any request from Protonmail.com, but this lacks fine-grained tuning.

Member

myrdd commented Oct 4, 2017

Hi @Watilin, thank you for your detailed report. It would be great if you could post a screenshot of RPC's request log after reproducing step 7. Thank you. :)

Member

myrdd commented Oct 4, 2017

The request log is not documented yet, but you can see here how it works: #853

Author

Watilin commented Nov 18, 2017

Hi! Sorry for the wait.

I’m bringing a full new report using Pale Moon, with a capture showing the request log as asked, in the hope that this will shed some light on the situation.

Browser and Add-ons

  • Browser: Pale Moon 27.6.1 (32-bit)
  • RequestPolicy version: 1.0.beta13.2
  • No other add-ons

RequestPolicy settings:

  • Default policy: "block" (allow same domain)

Please note: steps to reproduce and results are exactly the same as before, I’m just copy-pasting for convenience.


Steps to reproduce

  1. Create a new browser profile
  2. Install above add-ons
  3. Configure the add-ons as described above
  4. If not already done, register an account on protonmail.com – it’s free. Protonmail is an end-to-end encrypted email service and webclient.
  5. Log in to protonmail.com
  6. Select an email containing one or more images. If you don’t have one, send yourself an email containing, for example, https://github.com/favicon.ico
  7. Protonmail blocks remote content by default, but exposes a button to unblock it. Click this button.

What happens?

No image appears in the email. The Request Policy icon does not turn red, and the menu does not mention anything blocked.

What should happen?

The menu should tell what content Request Policy has blocked, and offer a way to unblock it.


The blocked image does appear in the request log. There be the screen capture :)
capture

Member

myrdd commented Nov 19, 2017

Confirmed, see also #867.
The problem is: the address bar shows a different URL than the "origin" field in the request log.
You can work around this issue by reloading the page using Ctrl+R.
Please wait until the WebExtension porting is finished, maybe this issue will be fixed as a side effect of the WE port.
