Hack 11. Drop Miscellaneous Security Blocks
If your computing environment is secure, then Firefox's own security is of limited use.
To systematically address every single security restriction, you'll have to read all the hacks in this chapter; it's just too complex for one hack. This hack describes many common quick fixes. You might also want to read [Hack #7].
2.2.1. Supply Passwords Automatically
You don't need to constantly reassert your login credentials; you can get Firefox to do it for you. NTLM and dial-up passwords are described in [Hack #14] and [Hack #26] respectively; here, we cover web form passwords and cookies.
The Password Manager is turned on automatically when Firefox starts; all you get is a first-time warning when you use it. Setting a master password serves no purpose if you're trying to defeat security, so the Password Manager saves you that hassle by default. You can stop the remembered passwords from ever expiring by setting this preference:
security.password_lifetime /* set to 0 (days), default is 30 (days) */
Session IDs are like passwords: they're sent by web sites that want to keep track of you as you move between web pages. Usually they're stored as cookies: the correct jargon for web-based session IDs. Cookies are sent between Firefox and the web server as a simple string of plain text in a special HTTP header line. If you have an extension installed that's an HTTP header diagnostic [Hack #51], you can see cookies go to and fro. Firefox has cookie support turned on by default. If you want to configure cookie processing explicitly, use these preferences:
network.cookie.alwaysAcceptSessionCookies /* set to true */ network.cookie.cookieBehavior /* set to 0 = Accept All */ network.cookie.lifetimePolicy /* set to 0 = until expiry */
The following preferences are bits of rubbish left over from attempts to migrate from an old Mozilla or Netscape version to Firefox and should be ignored:
2.2.2. Allow Foreign Code to Run
One of the great challenges of the Web is the existence of untrusted downloadable code. With the exception of sandboxed Java applets and properly authenticated code bundles, such things are almost certainly insecure. Firefox won't accept them by default, but you can turn support back on.
22.214.171.124 Turn on ActiveX
One way to do so is to reignite the native ActiveX support inside the Microsoft Windows port of Mozilla (and therefore Firefox). To turn absolutely everything on and make everything scriptableeven those ActiveX controls flagged as "do not script me"set these preferences:
security.class.allowByDefault /* true (default) */ security.xpconnect.activex.global.hosting_flags /* 31 = bits 00011111 */
These affect the behavior of a bit of Mozilla that implements the interface called nsIActiveXSecurityPolicy. For more on that interface, look for a file named nsIActiveXSecurityPolicy.idl at http://lxr.mozilla.org. If the first of these preferences is set to false, ActiveX objects must be allowed or disallowed on a case-by-case basis with preferences like this:
capability.policy.default.ClassID.CIDclassid" /* set to "AllAccess" */
In this example, classid must be a UUID identifier for the ActiveX object, written in this format:
If objects marked "don't script me" aren't wanted, set the same preference this way:
security.xpconnect.activex.global.hosting_flags /* 15 = bits 00001111 */
Whatever hijinks Windows goes through to decide whether a COM object should be scriptable or not, Mozilla also goes through. That includes observing operating-system-maintained blacklists and so on.
To run such a control, use the HTML <OBJECT> or legacy <EMBED> tag that specifies the control's URL and class identifier. That's the same as in Internet Explorer.
126.96.36.199 Turn on more plug-in and helper support
security.xpconnect.plugin.unrestricted /* true by default */ plugin.expose_full_path /* set to true */
Having Firefox pass control of a URL directly to the operating system is a dangerous arrangement. For example, URLs prefixed with the shell: scheme can be passed to Windows (which has a poor track record of handling them securely). To turn on that behavior, set this preference:
network.protocols.useSystemDefaults /* set to true */
For selective enablement of URL schemes, change the matching preference. All such preferences have this format:
where scheme stands for the particular scheme. So, for the shell: scheme, this is the right setting:
network.protocol-handler.external.shell /* set to true */
Of course, another way to activate code in a downloaded object is to associate its file type with a suitable application. That's done at the operating-system level, though, not in Firefox. An example is associating Microsoft Excel files containing Visual Basic macros with the Excel program. Firefox will notice such configuration changes the next time it starts up.
2.2.3. Drop Browser Security Hobbles
Type dom into the Filter box in the about:config window to see them all. Set most of them to TRue to re-enable the matching feature. These preferences match checkbox features in the Firefox Options dialog box in the Web Features panel.
A few of these preferences rate special mention. This one stops scripts from ever being aborted by Firefox:
dom.max_script_run_time /* set to 0 (seconds) or a big number */
Set to 0 (zero), no script will ever be aborted. An infinitely running script can tie up the CPU, which can in turn cause a denial-of-service attack, preventing the user from controlling the browser. Better to choose a very big number, just in case.
This next preference turns off limits on pop-up-window generation:
dom.popup_maximum /* set to 0 popups or a big number */
user_pref("dom.popup_allowed_events", "mousedown mouseup click dblclick mouseover mouseout mousemove contextmenu keydown keyup keypress focus blur load beforeunload unload abort error submit reset change select input paint text popupshowing popupshown popuphiding popuphidden close command croadcast commandupdate dragenter dragover dragexit dragdrop draggesture resize scroll overflow underflow overflowchanged DOMSubtreeModified DOMNodeInserted DOMNodeRemoved DOMNodeRemovedFromDocument DOMNodeInsertedIntoDocument DOMAttrModified DOMCharacterDataModified popupBlocked DOMActivate DOMFocusIn DOMFocusOut");
Of all the security hobbles that Firefox enforces on web pages, there's one that's nearly impossible to remove: the creation of windows smaller than 100 100 pixels in size. The only way to do so is to use a fully trusted script, either one signed with a digital certificate or one installed in the chrome.
2.2.4. Remove Profile Salting
Firefox user profiles are salted: the names of profile directories include randomly generated directory names, such as f8p09nj2.slt. This is a security measure designed to prevent hostile web sites from guessing the name of your profile and then feeding Firefox data that might have security cracks in it. It also makes administering and moving profiles harder than it might otherwise be. You can remove these salted names by using the -CreateProfile command-line option and this dirty hack. Follow these steps, which create a dummy profile located in C:\tmp\test:
mkdir C:\tmp mkdir C:\tmp\test echo "garbage" > c:\tmp\test\prefs.js firefox -CreateProfile "test c:\tmp"
The echo command just creates a file that Firefox will sense at startup time. That's enough to fool it into using the C:\tmp\test directory as an existing profile for the new profile named test.
2.2.5. Update Firefox Automatically
extensions.update.autoUpdate /* set to true */ extensions.update.severity.threshold /* set to 0 (lowest severity) */ app.update.autoUpdateEnabled /* set to true */ app.update.enabled /* set to true */