Hi ardvark,
To stay on topic, you can do a lot as a user to lockdown your Firefox browser to make it more secure:
Firefox exposes the the filesystem through the file:// URI, the configuration through the about:config URI, and finally it exposes the file system through resource://. Others have experienced similiar problems locking down firefox. Fortunately, the solution to this is a bit of javascript that uses regular expression to block URI types that are unwanted. This should be placed in the browser.js file which can be extracted from firefox's browser.jar archive.
if (location.match(/^file:/) ||
location.match(/^\//) ||
location.match(/^chrome:/) ||
location.match(/^resource:/) ||
(!location.match(/^about:blank/) &&
location.match(/^about:/))) {
loadURI("about:blank");
}
The browser.js file goes here: chrome/chromeFiles/content/browser.js
It is also possible to disable other unwanted protocols by adding the following lines to prefs.js
user_pref("network.protocol-handler.external.snews", false);
user_pref("network.protocol-handler.external.news", false);
user_pref("network.protocol-handler.external.irc", false);
user_pref("network.protocol-handler.external.mail", false);
user_pref("network.protocol-handler.external.mailto", false);
In order to completely disable the filepicker I edited the file filepicker.xul and commented out all the lines contained in the dialog tag. This was needed in order to ensure that users could not see the filesystem when picking a helper application or if they tried to run javascript from a website. A good example of this is the attachment button in most webmail applications. With these lines commented out only a blank window will be shown.
Further steps were required to lockdown firefox. The prefs.js, userChrome.css and history.dat files were made read-only and owned by root to prevent users from changing preferences in the event they somehow got access to those files. Making history.dat read-only prevents any history from being saved and ensures that features like URL saving in the URL entry bar are disabled permanently.
Finally, a few tweaks were made to the prefs.js file these are outlined below. Note these only include tweaks that were made directly using about:config other changes were made in the graphical configuration. Typeahead, cache, history, etc... were disabled. The homepage was set, etc...
user_pref("accessibility.typeaheadfind.autostart", false);
user_pref("applications.rlogin", "");
user_pref("applications.rlogin_with_user", "");
user_pref("applications.telnet", "");
user_pref("applications.tmp_dir, "");
user_pref("applications.tn3270", "");
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.memory.enable", false);
user_pref("browser.throbber.url", "
http://www.uwaterloo.ca");
user_pref("network.cookie.enableForCurrentSessionOnly", true);
user_pref("security.warn_entering_secure", false);
user_pref("security.warn_entering_secure.show_once", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_leaving_secure", false);
user_pref("security.warn_leaving_secure.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show-once", false);
user_pref("update_notifications.enabled", false);
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("browser.urlbar.showPopup", false);
user_pref("browser.urlbar.showSearch", false);
user_pref("extensions.kioskreset.inactivity.seconds", 600);
So there is a lot we can do as an educated user to tweak our Fx browser to make it more secure,
pol