Team LiB
Previous Section Next Section

Hack 11. Drop Miscellaneous Security Blocks

If your computing environment is secure, then Firefox's own security is of limited use.

To systematically address every single security restriction, you'll have to read all the hacks in this chapter; it's just too complex for one hack. This hack describes many common quick fixes. You might also want to read [Hack #7].

2.2.1. Supply Passwords Automatically

You don't need to constantly reassert your login credentials; you can get Firefox to do it for you. NTLM and dial-up passwords are described in [Hack #14] and [Hack #26] respectively; here, we cover web form passwords and cookies.

The Password Manager is turned on automatically when Firefox starts; all you get is a first-time warning when you use it. Setting a master password serves no purpose if you're trying to defeat security, so the Password Manager saves you that hassle by default. You can stop the remembered passwords from ever expiring by setting this preference:

security.password_lifetime /* set to 0 (days), default is 30 (days) */

Session IDs are like passwords: they're sent by web sites that want to keep track of you as you move between web pages. Usually they're stored as cookies: the correct jargon for web-based session IDs. Cookies are sent between Firefox and the web server as a simple string of plain text in a special HTTP header line. If you have an extension installed that's an HTTP header diagnostic [Hack #51], you can see cookies go to and fro. Firefox has cookie support turned on by default. If you want to configure cookie processing explicitly, use these preferences:

network.cookie.alwaysAcceptSessionCookies /* set to true */
network.cookie.cookieBehavior             /* set to 0 = Accept All */
network.cookie.lifetimePolicy             /* set to 0 = until expiry */

The following preferences are bits of rubbish left over from attempts to migrate from an old Mozilla or Netscape version to Firefox and should be ignored:

network.cookie.lifetime.enabled
network.cookie.lifetime.behavior

2.2.2. Allow Foreign Code to Run

One of the great challenges of the Web is the existence of untrusted downloadable code. With the exception of sandboxed Java applets and properly authenticated code bundles, such things are almost certainly insecure. Firefox won't accept them by default, but you can turn support back on.

2.2.2.1 Turn on ActiveX

One way to do so is to reignite the native ActiveX support inside the Microsoft Windows port of Mozilla (and therefore Firefox). To turn absolutely everything on and make everything scriptableeven those ActiveX controls flagged as "do not script me"set these preferences:

security.class.allowByDefault                   /* true (default)     */
security.xpconnect.activex.global.hosting_flags /* 31 = bits 00011111 */

These affect the behavior of a bit of Mozilla that implements the interface called nsIActiveXSecurityPolicy. For more on that interface, look for a file named nsIActiveXSecurityPolicy.idl at http://lxr.mozilla.org. If the first of these preferences is set to false, ActiveX objects must be allowed or disallowed on a case-by-case basis with preferences like this:

capability.policy.default.ClassID.CIDclassid" /* set to "AllAccess" */

In this example, classid must be a UUID identifier for the ActiveX object, written in this format:

6BF52A52-394A-11D3-B153-00C04F79FAA6

If objects marked "don't script me" aren't wanted, set the same preference this way:

security.xpconnect.activex.global.hosting_flags /* 15 = bits 00001111 */

Whatever hijinks Windows goes through to decide whether a COM object should be scriptable or not, Mozilla also goes through. That includes observing operating-system-maintained blacklists and so on.

To run such a control, use the HTML <OBJECT> or legacy <EMBED> tag that specifies the control's URL and class identifier. That's the same as in Internet Explorer.

2.2.2.2 Turn on more plug-in and helper support

Plug-ins are another form of foreign code. The following two security preferences make plug-in access a bit easier to deal with (the first is set by default):

security.xpconnect.plugin.unrestricted     /* true by default */
plugin.expose_full_path                    /* set to true */

Having Firefox pass control of a URL directly to the operating system is a dangerous arrangement. For example, URLs prefixed with the shell: scheme can be passed to Windows (which has a poor track record of handling them securely). To turn on that behavior, set this preference:

network.protocols.useSystemDefaults        /* set to true */

For selective enablement of URL schemes, change the matching preference. All such preferences have this format:

network.protocol-handler.external.scheme

where scheme stands for the particular scheme. So, for the shell: scheme, this is the right setting:

network.protocol-handler.external.shell          /* set to true */

Of course, another way to activate code in a downloaded object is to associate its file type with a suitable application. That's done at the operating-system level, though, not in Firefox. An example is associating Microsoft Excel files containing Visual Basic macros with the Excel program. Firefox will notice such configuration changes the next time it starts up.

2.2.3. Drop Browser Security Hobbles

When a web page displays, Firefox wraps it up inside some security restrictions. These are designed to prevent the page from taking over the user's computer, which is most commonly attempted with pages that contain JavaScript scripts. Preferences allow you to drop some, but not all, of these restrictions. All of the preferences that begin with the following prefix control access to scriptable features of the DOM 0 web page object model:

dom.anything

Type dom into the Filter box in the about:config window to see them all. Set most of them to TRue to re-enable the matching feature. These preferences match checkbox features in the Firefox Options dialog box in the Web Features panel.

A few of these preferences rate special mention. This one stops scripts from ever being aborted by Firefox:

dom.max_script_run_time                 /* set to 0 (seconds) or a big number */

Set to 0 (zero), no script will ever be aborted. An infinitely running script can tie up the CPU, which can in turn cause a denial-of-service attack, preventing the user from controlling the browser. Better to choose a very big number, just in case.

This next preference turns off limits on pop-up-window generation:

dom.popup_maximum   /* set to 0 popups or a big number */

Finally, this preference makes all JavaScript events available in modal pop-up windows:

user_pref("dom.popup_allowed_events", "mousedown mouseup click dblclick mouseover 
mouseout mousemove contextmenu keydown keyup keypress focus blur load beforeunload 
unload abort error submit reset change select input paint text popupshowing 
popupshown popuphiding popuphidden close command croadcast commandupdate 
dragenter dragover dragexit dragdrop draggesture resize scroll overflow 
underflow overflowchanged DOMSubtreeModified DOMNodeInserted 
DOMNodeRemoved DOMNodeRemovedFromDocument DOMNodeInsertedIntoDocument 
DOMAttrModified DOMCharacterDataModified popupBlocked DOMActivate DOMFocusIn 
DOMFocusOut");

The example string shown here is excessivejust pick the events you're interested inbut it serves to illustrate all DOM-like events that Firefox knows about.


Of all the security hobbles that Firefox enforces on web pages, there's one that's nearly impossible to remove: the creation of windows smaller than 100 100 pixels in size. The only way to do so is to use a fully trusted script, either one signed with a digital certificate or one installed in the chrome.

2.2.4. Remove Profile Salting

Firefox user profiles are salted: the names of profile directories include randomly generated directory names, such as f8p09nj2.slt. This is a security measure designed to prevent hostile web sites from guessing the name of your profile and then feeding Firefox data that might have security cracks in it. It also makes administering and moving profiles harder than it might otherwise be. You can remove these salted names by using the -CreateProfile command-line option and this dirty hack. Follow these steps, which create a dummy profile located in C:\tmp\test:

mkdir C:\tmp
mkdir C:\tmp\test
echo "garbage" > c:\tmp\test\prefs.js
firefox -CreateProfile "test c:\tmp"

The echo command just creates a file that Firefox will sense at startup time. That's enough to fool it into using the C:\tmp\test directory as an existing profile for the new profile named test.

2.2.5. Update Firefox Automatically

Set these preferences to ensure that Firefox, extensions, and themes are all updated without the user having to do anything:

extensions.update.autoUpdate            /* set to true */
extensions.update.severity.threshold    /* set to 0 (lowest severity) */
app.update.autoUpdateEnabled            /* set to true */
app.update.enabled                      /* set to true */

It's also possible to automatically download configuration data [Hack #29], proxy information [Hack #15] and certificate revocation lists [Hack #17] . None of those things require user intervention.

    Team LiB
    Previous Section Next Section