Firefox Hacks [Electronic resources] نسخه متنی

Hack 13. Stop All Secret Network Activity

Send packets across the Internet only when they
come from user actions.

Firefox has a mind of its own. It sometimes connects to other
computers across the Internet without asking you first. Not only is
this a privacy issue, but it can also be awkward. For example, the
browser might be installed on test equipment that is network-enabled
only intermittently. If you are performing network diagnostics,
that's another time when you don't
want any unexpected chatter on the line. Finally, if you
configuration-control all of your installed software, then you
probably prefer that Firefox not upgrade itself automatically either.
Here's how to stop all of that
stuff.

2.4.1. Stop Secret Updates

Firefox periodically (daily) checks the
Mozilla Update web site (http://update.mozilla.org) to see
what's new. If there are critical patches, the home
page displayed at startup is replaced with a warning page. If there
are any patches at all, an icon appears on the menu bar. To turn off
that functionality, set these
preferences:

app.update.enabled             /* default is false */
app.update.autoUpdateEnabled   /* set to false. default = true */

The second preference stops Firefox from polling the web server to
see if there's anything new to report to the user.

These two additional preferences do the same job as the previous
preferences, but they control update checks for extensions, plug-ins,
and themes rather than checks for the core Firefox product:

extensions.update.enabled             /* default is false */
extensions.update.autoUpdateEnabled   /* set to false. default = true */

Firefox also performs trivial updates of site icons, the small icons
that appear next to URLs. Generally, they provide brand marks for web
sites. Figure 2-1 shows a browser window with three
site icons marked out.

Figure 2-1. Site icons displayed in the browser window

The Google site icon (the rightmost one) is retrieved from a local
copy. The other two are drawn from their original web sites.
That's fine for the URL that the user typed into the
Location bar, but if the Bookmarks toolbar contains a lot of
bookmarks that have site icons, Firefox will download them from all
over the place in order to make the toolbar look pretty. Site icons
can also be downloaded if the sidebar is displayed. To turn off icon
retrieval, set these preferences:

browser.chrome.site_icons /* set to false. default = true */
browser.chrome.favicons   /* set to false. default = true */

Configuration
updates
are another class of updates that Firefox might perform, if the
browser is run under the following conditions. None of these occur in
the standard install, but they're all configurable
options:

If web proxies are in place [Hack #15]

If there are custom configuration files [Hack #29]

If Certificate Revocation Lists (CRLs) or Online Certificate Status
Protocol (OSCP) is configured [Hack #17]

There are also update issues that are separate from the main Firefox
installation. You can never be sure what update behavior an
extension
or plug-in might introduce of its own accord. Extensions are free to
contact any web site. If the extension comes from a trusted source,
then a consumer review of the extension's intent
should suffice. If that's not enough, the extension
source code itself must be reviewed for use of any Mozilla XPCOM
objects that are
network-oriented.

Be particularly careful if an extension adds compiled libraries to
the Firefox install. Such code can't be trusted as
is; you need to inspect its original source as well. If the compiled
source is supplied with the extension, that is still not enough for
trust, because the compiled files could have originated from other
source. Trust only the provider, not the files.

Finally, the following preference has nothing to do with Firefox. It
is used only by the Mozilla Application Suite's
Smart Browsing feature. If you see it, ignore it:

browser.related.autoload /* 0 = always, 1 = after first use, 2 = never */

2.4.2. Stop Secret Submissions

In all quality web browsers, an unsigned web page cannot submit an
HTML form to a web site without the user being involved. There are
many special cases that need to be avoided if this rule is to be
enforced, and there's no way to toggle checking for
these cases on or off for an unsigned page.

Firefox, however, also supports submission to web sites using SOAP,
WSDL, and XML-RPC. A rule called the Same Origin
policy allows web pages to
"phone home" to their server of
origin without asking the user. The only way to stop this activity is
to disable
JavaScript
access to the web page objects that provide these services, and the
only way to do that is to use capability-based permissions [Hack #20] . Here's an
example that disables the invoke() and
asyncInvoke() methods of the
SOAPCall object:

capability.policy.default.SOAPCall.invoke      /* set to "NoAccess" */
capability.policy.default.SOAPCall.invokeAsync /* set to "NoAccess" */

Such capability settings are required for each object that offers a
network-enabled call interface. So, as another example,
WebServiceProxyFactory.createProxy() and its
equivalents also require capability preferences.

A further, trivial example of secret submission is the use of cookies
by a web site. If being tracked by a cookie bothers you, you can turn
cookie support off this way:

network.cookie.cookieBehaviour         /* set to 2 (none), default = 0 (all) */

Finally, there is the case of
Java
applets. Applets can "phone home"
just as web services can. There's no way to stop
this, short of disabling Java entirely. You can disable specific
ports [Hack #16] if you want.

As for the update case, you can never be sure what submission
behavior an extension or plug-in might introduce.

2.4.3. Stop Not-So-Secret Background Downloads

If you've become addicted to
tabbed browsing, you might spend a lot
of time looking at one web page, while lots of other web pages are
loaded into the tabs that are behind the current
tab. The most convenient arrangement is to have those tabs load their
pages while they're still hidden. When you change
tabs, it's likely that the web page in the tab will
be ready to view. This convenience is the default arrangement.

The convenience comes at a cost, though. If you maintain,
say,
five tabs, your demand for web page data is up to five times the
demand of a single browser page. If all of those tabs are busy
loading, then the front page will get only one-fifth of the share of
the connection. So you might have to wait longer to view it.
Furthermore, just by opening tabs, you demand more web page data from
your ISPthe same amount as if you were opening five separate
windows. In the case of tabs, though, people often open tabs
just in case. That means extra download activity
for content that's not actually a high priority for
the user. Some call that waste.

There are two
preferences
that will reduce the tab download burden on your Internet connection
at the cost of convenience:

browser.tabs.loadInBackground            /* Set to false, default = true */
browser.tabs.loadBookmarksInBackground   /* false = default */

The first preference turns off URL loading for tabs that
aren't in front. If you change tabs, so that the
current one is no longer displayed, the matching page for the new
front tab will then start to load. The second preference has to do
with bookmark groups. If you store a set of tabs as a bookmark group,
you can recall all of those tabs with a single click. By default,
those tabs won't start to download, which is what
you probably prefer.

There is currently no way to make the Download Manager back off and use only a
smaller chunk of your Internet connection. So far, it will always
grab all the bandwidth it can get. That means downloads are
reasonably fast, but it also means that viewing web pages is always
slowed down if downloading is going on.