لطفا منتظر باشید ...
Hack 11. Drop Miscellaneous Security Blocks
If your computing environment is secure, then
Firefox''s own security is of limited use.
To systematically address every single security restriction,
you''ll have to read all the hacks in this chapter;
it''s just too complex for one hack. This hack
describes many common quick fixes. You might also want to read [Hack #7].
2.2.1. Supply Passwords Automatically
You don''t need to constantly reassert your login
credentials; you can get Firefox to do it for you. NTLM and dial-up
passwords are described in [Hack #14] and [Hack #26] respectively; here, we cover
web form passwords and cookies.
The Password Manager is turned on
automatically when Firefox starts; all you get is a first-time
warning when you use it. Setting a master password serves no purpose
if you''re trying to defeat security, so the Password
Manager saves you that hassle by default. You can stop the remembered
passwords from ever expiring by setting this
preference:
security.password_lifetime /* set to 0 (days), default is 30 (days) */
Session IDs are like passwords: they''re sent by web
sites that want to keep track of you as you move between web pages.
Usually they''re stored as
cookies:
the correct jargon for web-based session IDs. Cookies are sent
between Firefox and the web server as a simple string of plain text
in a special HTTP header line. If you have an extension installed
that''s an HTTP header diagnostic [Hack #51], you can see cookies go to
and fro. Firefox has cookie support turned on by default. If you want
to configure cookie processing explicitly, use these preferences:
network.cookie.alwaysAcceptSessionCookies /* set to true */
network.cookie.cookieBehavior /* set to 0 = Accept All */
network.cookie.lifetimePolicy /* set to 0 = until expiry */
The following preferences are bits of rubbish left over from attempts
to migrate from an old Mozilla or Netscape version to Firefox and
should be ignored:
network.cookie.lifetime.enabled
network.cookie.lifetime.behavior
2.2.2. Allow Foreign Code to Run
One of the great challenges of the Web is the existence of untrusted
downloadable code. With the exception of sandboxed Java applets and
properly authenticated code bundles, such things are almost certainly
insecure. Firefox won''t accept them by default, but
you can turn support back on.
2.2.2.1 Turn on ActiveX
One way to do so is to reignite the native
ActiveX
support inside the Microsoft Windows port of Mozilla (and therefore
Firefox). To turn absolutely everything on and make everything
scriptableeven those ActiveX controls flagged as
"do not script me"set these
preferences:
security.class.allowByDefault /* true (default) */
security.xpconnect.activex.global.hosting_flags /* 31 = bits 00011111 */
These affect the behavior of a bit of Mozilla that implements the
interface called nsIActiveXSecurityPolicy. For
more on that interface, look for a file named
nsIActiveXSecurityPolicy.idl at http://lxr.mozilla.org. If the first of these
preferences is set to false, ActiveX objects must
be allowed or disallowed on a case-by-case basis with preferences
like this:
capability.policy.default.ClassID.CIDclassid" /* set to "AllAccess" */
In this example, classid must be a UUID
identifier for the ActiveX object, written in this format:
6BF52A52-394A-11D3-B153-00C04F79FAA6
If objects marked "don''t script
me" aren''t wanted, set the same
preference this way:
security.xpconnect.activex.global.hosting_flags /* 15 = bits 00001111 */
Whatever hijinks Windows goes through to decide whether a COM object
should be scriptable or not, Mozilla also goes through. That includes
observing operating-system-maintained blacklists and so on.
To run such a control, use the HTML <OBJECT>
or legacy <EMBED> tag that specifies the
control''s URL and class identifier.
That''s the same as in Internet Explorer.
2.2.2.2 Turn on more plug-in and helper support
Plug-ins are another form of foreign code. The
following two security preferences make
plug-in access a bit easier to deal
with (the first is set by default):
security.xpconnect.plugin.unrestricted /* true by default */
plugin.expose_full_path /* set to true */
Having Firefox pass control of a URL directly to the operating system
is a dangerous arrangement. For example, URLs prefixed with the
shell: scheme can be passed to Windows (which has
a poor track record of handling them securely). To turn on that
behavior, set this preference:
network.protocols.useSystemDefaults /* set to true */
For selective enablement of URL schemes, change the matching
preference. All such preferences have this format:
network.protocol-handler.external.scheme
where scheme stands for the particular
scheme. So, for the shell: scheme, this is the
right setting:
network.protocol-handler.external.shell /* set to true */
Of course, another way to activate code in a downloaded object is to
associate its file type with a suitable application.
That''s done at the operating-system level, though,
not in Firefox. An example is associating Microsoft Excel files
containing Visual Basic macros with the Excel program. Firefox will
notice such configuration changes the next time it starts up.
2.2.3. Drop Browser Security Hobbles
When a web page displays, Firefox wraps it up inside some
security restrictions. These are
designed to prevent the page from taking over the
user''s computer, which is most commonly attempted
with pages that contain JavaScript scripts. Preferences allow you to
drop some, but not all, of these restrictions. All of the preferences
that begin with the following prefix control access to scriptable
features of the DOM 0 web page object model:
dom.anything
Type dom into the Filter box in the JavaScript
events available in modal pop-up windows:
user_pref("dom.popup_allowed_events", "mousedown
mouseup click dblclick mouseover
mouseout mousemove contextmenu keydown keyup keypress
focus blur load beforeunload
unload abort error submit reset change select input paint text
popupshowing
popupshown popuphiding popuphidden close command croadcast
commandupdate
dragenter dragover dragexit dragdrop draggesture resize scroll
overflow
underflow overflowchanged DOMSubtreeModified
DOMNodeInserted
DOMNodeRemoved DOMNodeRemovedFromDocument
DOMNodeInsertedIntoDocument
DOMAttrModified DOMCharacterDataModified popupBlocked
DOMActivate DOMFocusIn
DOMFocusOut");
|
Of all the security hobbles that Firefox enforces on web pages,
there''s one that''s nearly
impossible to remove: the creation of windows smaller than 100 100
pixels in size. The only way to do so is to use a fully trusted
script, either one signed with a digital certificate or one installed
in the chrome.
2.2.4. Remove Profile Salting
Firefox user profiles are salted: the names of
profile
directories include randomly generated directory names, such as
f8p09nj2.slt. This is a security measure
designed to prevent hostile web sites from guessing the name of your
profile and then feeding Firefox data that might have security cracks
in it. It also makes administering and moving profiles harder than it
might otherwise be. You can remove these salted names by using the
-CreateProfile command-line option and this dirty
hack. Follow these steps, which create a dummy profile located in
C:\tmp\test:
mkdir C:\tmp
mkdir C:\tmp\test
echo "garbage" > c:\tmp\test\prefs.js
firefox -CreateProfile "test c:\tmp"
The echo command just creates a file that Firefox
will sense at startup time. That''s enough to fool it
into using the C:\tmp\test directory as an
existing profile for the new profile named test.
2.2.5. Update Firefox Automatically
Set these preferences to ensure that Firefox, extensions, and themes
are all updated without the user having to do
anything:
extensions.update.autoUpdate /* set to true */
extensions.update.severity.threshold /* set to 0 (lowest severity) */
app.update.autoUpdateEnabled /* set to true */
app.update.enabled /* set to true */
It''s also possible to automatically download
configuration data [Hack #29],
proxy information [Hack #15] and
certificate revocation lists [Hack #17] . None of those things require
user intervention.
