Firefox Hacks: Tips & Tools for Next-Generation Web Browsing

By Nigel McFarlane
Price: $24.95 USD
£17.50 GBP



Table of Contents

Chapter 1: Firefox Basics
Firefox is a software application for interacting with the Web. This chapter gets you up and running with Firefox. You probably know how to surf the Web already. This chapter is a sort of boot camp for the Firefox user interface. You'll learn where all the basic knobs and levers are. You'll also see many interesting nooks and crannies. There are no significant programming tasks in this chapter; it's all just learning to fly.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
Hacks 1-10
Get Oriented
Before starting our journey, there are a few things you need to know: how to find Firefox files, how to install an extension, and how to set a preference. You don't need this information to read a web page, but it's vital for most of the hacks in this book.
After installation, Firefox puts its files in two important directories. The first is the install area, also known as the application area, which gets the general-purpose bits, such as the Firefox programs themselves. The second is the profile area, which gets user-specific information, such as bookmarks. Table 1-1 lists the default locations of these two areas on different operating systems.
Table 1-1: Default locations for Firefox installation and profiles
Operating system | Default install area | Default profile area
Single-user Windows 95/98/Me | C:\Program Files\Mozilla Firefox | C:\Windows\Application Data\Mozilla\Firefox
Multi-user Windows 95/98/Me | C:\Program Files\Mozilla Firefox | C:\Windows\Profiles\%USERNAME%\Application data\Mozilla\Firefox
Ten Ways to Display a Web Page
Displaying a web page is like painting and hanging a picture: there are plenty of options.
Web pages that display only one way are called printouts. Firefox lets you display and view the content of a web page in a number of different ways. You also get to choose decorations for your windows. This hack shows 10 different ways you can display web content in Firefox.
By default, web pages appear inside a frame with a menu bar and toolbars above and a status bar below. Those bars provide user control and feedback. The whole browser window is a single XML document written in Mozilla's XUL dialect of XML. The web page appears inside an XUL <iframe>. Scripts running inside the web page can't reach out into XUL, so those bars are mostly untouchable. Most bars can be disabled from the View menu. Figure 1-3 shows a normal Firefox window with the sidebar made visible.
Figure 1-3: Firefox browser window with sidebar
The source code window is for web developers and hackers only. Choose View → Page Source or press Ctrl-U to display the source code for the current page. If the page is a <frameset> page, you see only the frameset definition. You can change line-wrap and syntax-coloring options from the View menu in the new window.
Web pages can contain logic that opens other windows (usually pop ups). Web designers typically do so with the infamous window.open() scripting feature. (Technically, this is a DOM 0 browser feature available from JavaScript only.) These new windows can be opened with specific menu bars and toolbars disabled. Security hobbles prevent some uses of this feature.
If you mitigate security restrictions, then everything is possible. See Rapid Application Development with Mozilla by Nigel McFarlane (Prentice Hall PTR) for a more detailed treatment of Mozilla and Firefox's
Ten Ways to Navigate to a Web Page
There are a million ways to move from the current web page to the next one. This hack describes 10 such ways.
Here's how to surf, Firefox style. Chapter 4 covers many ways to use extensions to increase the pleasure and convenience of surfing the Web. This hack explains what Firefox can do without modification.
It's not rocket science: left-click on a link, and the current page is replaced with the link's page. If you right-click (Command-click on the Mac), you can open that new page in a new window or a new tab, or you can put the link itself into a bookmark or into the copy-and-paste buffer.
Click any bookmark or bookmark menu item on the Bookmarks toolbar, and you're off to the link that bookmark represents. Bookmarks are complex little beasties, though. See [Hack #3] for a way to get through your many bookmarks. See [Hack #33] if you want to become a bookmark power user.
You can type all kinds of things into the Location bar where the URL of the current page is displayed. If you start typing a URL, Firefox will auto-complete it, providing you with a drop-down list of candidates. Firefox can even complete an unknown URL for you if you press the right combination of Control, Shift, and Enter keys. Press Enter or click the Location bar icon to start the page fetch.
There are many history mechanisms beyond the big Forward and Back buttons. See [Hack #3] for an introduction to Firefox's history features.
The standard Xerox PARC/Apple Macintosh cut, copy, and paste keyboard combinations are available in Firefox. They are Ctrl-X, Ctrl-C, and Ctrl-V, respectively. You can copy a URL from a non-Firefox application and paste it into the Location bar. (You can give that bar's input field the focus by clicking on it.) You can also copy a link's URL by calling up the context menu with the mouse. You can copy and paste that URL within Firefox or into another application.
Find Stuff
Search both the Web and the browser environment with Firefox.
This hack explains how to find the stuff you've forgotten, left behind, or yet to discover. It starts with local information in the browser and works its way out to searching the furthest corners of the Web.
You can search the content of a displayed web page. To do so, Firefox provides the Find toolbar. It appears at the bottom of the browser window, above the status bar. Figure 1-5 shows most of the features.
Figure 1-5: The Find toolbar and associated menu items
This toolbar is activated by the Edit → Find or Edit → Find Again menu options or by the Ctrl-F (Command-F on the Mac), Ctrl-G (Command-G on the Mac), or Shift-F3 hotkeys. Here's a rundown of how it works:
  1. The Find toolbar starts out disabled but gains the focus and the caret in the toolbar text field when you click on it.
  2. Type a string and Firefox automatically begins searching the current page, starting from the page's focused form field, or from the top of the page if no field is selected.
  3. Firefox searches all frames but not all tabs. A security feature terminates searching if the page is too big to search in five seconds.
  4. If nothing is found, the textbox goes red. "Phrase not found" appears, and a sound is issued.
  5. If something is found, you can navigate between items with toolbar arrows or Ctrl-G (Command-G on Mac) and Shift-F3.
  6. You can highlight found items with the Highlight toggle button.
  7. Press Ctrl-F (Command-F on Mac) again and the current search string is selected for replacement. Dismiss the toolbar by clicking the small cross icon located at its right end.
Identify and Use Toolbar Icons
This hack explains the mystery icons that sometimes appear on Firefox toolbars.
It's up to you whether you take advice or not. Firefox delivers a number of passive warnings and cautions to you in the various toolbars of the browser window. Here's a rundown of what those things mean.
If you choose one of the many themes offered by Firefox's Theme Manager, then all the icons will likely appear different. Their locations will be the same, though.
This hack describes only the Firefox-specific icons that are different from standard browser icons:
This is the standard icon for a Mozilla Extension, Plugin, or Theme. Extensions are small add-on pieces of logic (or whole applications) that can be run or used as part of general web activity. If you have installed one or more extensions into Firefox, then something is going to work differently from the default behavior.
This icon sometimes appears at the bottom-right edge of the status bar. It tells you that the web page you're looking at has an RSS feed that complements its normal HTML content. You can hover your cursor over the icon to see the status of the feed. Click on the icon to capture the feed as a set of Firefox Live Bookmarks
Use Keyboard Shortcuts
Driving Firefox from the keyboard is both the same as and different from other browsers.
This hack shows you which keyboard moves come standard with Firefox. There are many extensions that modify the available set of keystrokes and key chords. You can also hack the keyboard set yourself in a number of ways [Hack #77].
Many Firefox keyboard combinations are the same as those of Internet Explorer. In particular, menu navigation uses the same combination of arrow keys and Alt as most Windows applications, and navigation within text-editing fields supports the same keystrokes as most text editors (Ctrl-left arrow to move one word left, for example). Scrolling keys such as Page Up and Page Down work as you'd expect, too. Table 1-2 shows the major keys used by both browsers.
On the Macintosh, substitute Command for Ctrl and Option for Alt.
Table 1-2: Keyboard shortcuts common to Firefox and Internet Explorer
Key combination | Use
Ctrl-A | Select all content
Ctrl-C | Copy current selection
Ctrl-D | Add a bookmark
Ctrl-H | Display the History sidebar
Ctrl-I (and Ctrl-B) | Open Bookmarks sidebar
Ctrl-N
Make Firefox Look Different
Don't put up with blank walls. You can wallpaper Firefox back into your life.
The menus, toolbars, and dialog boxes that Firefox provides can all be changed. Collectively, they are called the chrome. You can change the content of the chrome, which includes the set of widgets that are made visible in the window. Alternatively, you can change just the appearance of the chrome. In that case, the buttons and other widgets stay the same, but the graphics, text, and colors that decorate them are all different.
To change chrome content, install an extension from the Tools → Extensions menu. Extensions are small pieces of programs, not too different from a Java Applet or a Microsoft Excel macro. Some are very sophisticated and are effectively whole applications. This book is full of discussions about which extension does what. Chapter 4, Web Surfing Enhancements, is a good starting point. We won't go into detail about extensions here. We'll just cover the install process with the simpler example of adding themes, which is done the same way.
To change the wallpaper style of Firefox's chrome, install a new theme. A theme is a bundle of plain content with no program logic. Both extensions and themes are available by default through the trusted http://update.mozilla.org content portal, which provides security and safety. Even in the wild, themes are overall much safer than extensions. At most, they make Firefox illegible and unworkable, whereas a truly wild extension can make Firefox curl up and die completely.
A theme is made out of a set of skins. A skin is a cluster of files associated with a single application or application subsystem. There's a single skin called the global skin that applies to all applications. A sensible theme creator will always provide a global skin in his theme. A creative theme maker will also supply skins for common applications run by Firefox (such as the browser and the DOM Inspector). If applications change, then skins must change to catch up. So, an actively maintained theme is more desirable than one that's been created and left to rot.
Stop Once-Only Dialogs Safely
Don't like to be bothered? Here's how to shut Firefox up and how to deal with the consequences.
After first installation, Firefox intermittently throws up a series of dialog boxes. For a first-time user, these can be confusing. Here's how to shut them up if you don't like them. Also here's how to make them appear, so that you can shut them up if you're installing Firefox for someone else.
Figure 1-11 shows the first dialog presented.
Figure 1-11: Import Settings startup dialog box
By the time you read this, Firefox will be able to import from a number of other browsers, so the Import Wizard might look a bit more detailed than it is shown here, especially if it detects other browsers on your computer. You can cancel this import process safely. It can be repeated at any time after installation from the File → Import... menu.
Importing is a safe process unless you have sophisticated favelets or bookmarklets stored in your other browsers. Web developers are the main users of these small diagnostic helpers. In general, if you choose to import, there are two consequences. First, the bookmarks toolbar might be loaded with old stuff that might confuse Granny. Second, the surfing you did last week with that other browser might be copied into Firefox. That could be awkward if Granny isn't aware of your personal style and spots it.
Once Firefox starts, it confronts you with the dialog shown in Figure 1-12.
Figure 1-12: Default Browser selection dialog box
On Windows, this makes small changes to the Registry. It's harmless to make Firefox the default browser. If you have accidental viruses, spyware, or other nasties on your computer, it might improve security to make Firefox the default. Don't click Yes or leave the checkbox ticked if temporary product evaluation is your goal. If you want Firefox to be the default, but you still want Internet Explorer to work, see
Flush and Clear Absolutely Everything
Paranoid about Firefox's tendency to store things about web pages? Reset your browser back to zero.
You might be confident that Firefox can reset itself for you, or you might only be happy if you scrub the decks for yourself. You can do it either way. A further decision you're faced with is this: do you want to clear out just the data that Firefox has stored, or do you also want to clear out all modifications to the browser since it was first installed?
To clear, flush, and reset everything from inside the browser, proceed as follows:
  1. Leave just one Firefox browser window open. Change the URL of the currently viewed page to the URL about:blank and display it.
  2. Display the Options dialog box using the Tools → Options or Edit → Preferences menu items. Click on the Privacy icon. Click the Clear All button at the base of the window. That clears just about everything associated with web pages.
For web development activity, that's all you really need to do.
If you want to hack further into the state of the browser, you certainly can. To go much, much further, proceed as follows:
  1. Click the General icon in the Options dialog box. Then click the Fonts and Colors button. Uncheck all checkboxes except Underline Links and click OK.
  2. Back at the previous dialog, click the Languages button. Remove all languages except [en] and possibly [en-us]. Click OK.
  3. Back at the main Options dialog box, click the Web Features icon. Three buttons appear at the top right, labeled Allowed Sites, Allowed Sites, and Exceptions. Click each of these buttons and delete any records that are shown.
Make Firefox Go Fast
Don't wait for the Web. Firefox can go faster if you just tune it up a bit.
Here are a few steps you can perform to speed up Firefox. Back to performance basics first, though: the user is the slowest thing attached to the computer. Better use of Firefox's features will speed up the user, so be sure to read the rest of the hacks in this chapter.
Any dial-up modem you use is the slowest network hardware you have, so tune it wisely. Make sure any modem connection is running as close as possible to the maximum speed for POTS (plain old telephone system) phone lines. That line is usually a 64 Kb service (unless you're stuck on an ancient analog exchange). No one gets every drop of 64 Kb out of it, unless they pay a fortune for ISDN, but you should get 53.3 Kb at least.
If you're on Windows, your modem driver and chipset should support the latest compression standards now available. Update the modem and the modem's Windows driver directly from the chipset manufacturer. Look on the modem card to see who made the chips; don't bother with who made the card. If you buy a cutoff switch that lets you isolate your answering machine, fax, and telephone gear while you're on the Internet, then you won't strain the line voltage as much, and you'll have less noise causing error-correction delays.
If your connection is still slow, ring your telephone provider and complain that their voltages and noise filters are all wrong—they can test and adjust from their end. Ring Microsoft and complain that Windows hasn't tuned your PPP connection correctly. Ring your ISP and complain that their modem bank isn't negotiating the best possible speed. None of that will do you much good, but it's nice to vent sometimes. Move to broadband.
If you're stuck on dial-up, the biggest performance plus you can get from Firefox without using caching is to turn images off [Hack #35]. That's in the Options dialog box under Web Features. Turning off images might reduce your web experience to an unacceptable low, so it's a dramatic step. You can also change the following preference [Section 1.2.3, in the introduction to this chapter], which ensures that web pages are checked for updates only once per browsing session, instead of every time you look at them:
Start Up from the Command Line
You can start Firefox without using the mouse.
How is Firefox started? This hack describes all the command-line options. To see command-line options, most technical people instinctively open a command-line window, such as an xterm (Linux) or an MS-DOS or cmd window (Windows). Then they type program /? or program --help, depending on the operating system. The latter option works everywhere except in Windows, because Firefox doesn't provide console-based help there. So Windows is a special case: help information isn't automatically spat out there. To see command-line options on Windows, you have to go further with a DOS or cmd box. On Windows, start up a command line (Start → Programs → MS-DOS Prompt) and follow these steps:
C:
cd "Program Files"
cd Firefox
firefox --help > help.txt
type help.txt
The help options will appear in the newly created file help.txt. This advice goes for all options that provide command-line output, such as -version. You don't need to redirect anything on other platforms.
On Windows, you can use / (forward slash) or // (double forward slash) as the command-line switch prefix. On all platforms, Firefox-specific options can be preceded with - (minus) or -- (minus, minus). These two command lines are the same on Windows, but only the first one will work on Linux:
firefox -console --jsconsole http://www.example.com
firefox --console /jsconsole http://www.example.com
On Unix/Linux, some X11 options are supported. X11 X resources aren't supported, because the Unix/Linux port uses the Gtk configuration system. Table 1-4 describes the user-oriented options.
Table 1-4: User-oriented command-line options
Option
Windows?
Chapter 2: Security
This chapter describes how to change the default security arrangements in Firefox. Security is a big subject, and it has plenty of baggage all of its own. One person's safety is another's prison. One person's privacy is another person's isolation. Changing security options amounts to changing who you are or aren't willing to deal with. It also amounts to deciding how much you're willing to let third parties know when you're browsing the Web.
When you install Firefox, the default security settings give you a safe web browser. It is quite hard to create large holes by accidentally changing options. Firefox has also been closely inspected for internal problems. As a result, the browser and its underlying Mozilla technology have an excellent security track record. Rarely is a new security problem uncovered. When that happens, it is usually fixed within a day. The Firefox Update Manager informs you of new security patches, if any are made available.
If you don't care about security at all, you can simply remove many of the hurdles that Firefox puts in your way. Security is a complex matter, though. Sometimes, doing away with security means just that: leaving the browser's resources open to any exploitation. Some security regimes, however, don't give you that option. In such cases, the best you can do is reply "I don't care" every time you're engaged over security. There are even rare cases in which there's nothing at all that you can do to escape security limitations. It's a case-by-case environment.
Security concerns and installation processes are two related but different things. This chapter discusses security only. Chapter 3 describes gritty modifications to the Firefox install process. Chapter 7 and Chapter 8 describe a form of programming that's also a blend of installation and security. See those chapters to go further with the chrome.
Hacks 11-21
Drop Miscellaneous Security Blocks
If your computing environment is secure, then Firefox's own security is of limited use.
To systematically address every single security restriction, you'll have to read all the hacks in this chapter; it's just too complex for one hack. This hack describes many common quick fixes. You might also want to read [Hack #7].
You don't need to constantly reassert your login credentials; you can get Firefox to do it for you. NTLM and dial-up passwords are described in [Hack #14] and [Hack #26] respectively; here, we cover web form passwords and cookies.
The Password Manager is turned on automatically when Firefox starts; all you get is a first-time warning when you use it. Setting a master password serves no purpose if you're trying to defeat security, so the Password Manager saves you that hassle by default. You can stop the remembered passwords from ever expiring by setting this preference:
security.password_lifetime /* set to 0 (days), default is 30 (days) */
Session IDs are like passwords: they're sent by web sites that want to keep track of you as you move between web pages. Usually they're stored as cookies: the correct jargon for web-based session IDs. Cookies are sent between Firefox and the web server as a simple string of plain text in a special HTTP header line. If you have an extension installed that's an HTTP header diagnostic [Hack #51], you can see cookies go to and fro. Firefox has cookie support turned on by default. If you want to configure cookie processing explicitly, use these preferences:
network.cookie.alwaysAcceptSessionCookies /* set to true */
network.cookie.cookieBehavior             /* set to 0 = Accept All */
network.cookie.lifetimePolicy             /* set to 0 = until expiry */
The following preferences are bits of rubbish left over from attempts to migrate from an old Mozilla or Netscape version to Firefox and should be ignored:
Raise Security to Protect Dummies
Set up Firefox for nontechnical people.
First of all, the Firefox product is designed with nontechnical people in mind. Most of its fancy features are hidden behind unusual key presses or buried in menus. From the beginning, it's pretty safe and secure. For the dazed and disoriented, though, safety doesn't just mean safe from web villains and privacy attacks; it also means being safe from confusion. Struggling users can easily harm themselves accidentally when confused, so that's something to avoid. Here are some of the configuration changes that you can apply to make life safer for struggling users:
  • Turn on automated patch updating.
  • Turn off password and form auto-complete features.
  • Leave on standard caching options, so that pages are always fresh.
  • Change the default download directory to the desktop if the operating system is Linux.
  • Download language packs and plug-ins when you install, and turn off subsequent plug-in detection.
  • Configure the Popup Manager to accept pop-ups from web sites the user trusts, such as banks and finance companies, and then turn off the pop-up blocker alert bar so that it never appears.
To turn on automated patch updates, see [Hack #13]. Auto-complete features can be turned off in the Options panel. To change the default download directory on Linux, change the directory preference from something like this:
browser.download.defaultFolder         /* was /home/nrm */
to this:
browser.download.defaultFolder    /* to /home/nrm/Desktop */
which is the location of the desktop under GNOME 2.x.
If your mother is Italian or Chinese, you might need support for non-English web sites. To prepare any required language packs and plug-ins, the hard way to proceed is to rebundle Firefox with the needed packs included in the install bundle. That's not recommended unless you plan on doing hundreds of installs. It's massive extra preparation for a marginally faster install result.
Stop All Secret Network Activity
Send packets across the Internet only when they come from user actions.
Firefox has a mind of its own. It sometimes connects to other computers across the Internet without asking you first. Not only is this a privacy issue, but it can also be awkward. For example, the browser might be installed on test equipment that is network-enabled only intermittently. If you are performing network diagnostics, that's another time when you don't want any unexpected chatter on the line. Finally, if you configuration-control all of your installed software, then you probably prefer that Firefox not upgrade itself automatically either. Here's how to stop all of that stuff.
Firefox periodically (daily) checks the Mozilla Update web site (http://update.mozilla.org) to see what's new. If there are critical patches, the home page displayed at startup is replaced with a warning page. If there are any patches at all, an icon appears on the menu bar. To turn off that functionality, set these preferences:
app.update.enabled             /* default is false */
app.update.autoUpdateEnabled   /* set to false. default = true */
The second preference stops Firefox from polling the web server to see if there's anything new to report to the user.
These two additional preferences do the same job as the previous preferences, but they control update checks for extensions, plug-ins, and themes rather than checks for the core Firefox product:
extensions.update.enabled             /* default is false */
extensions.update.autoUpdateEnabled   /* set to false. default = true */
Firefox also performs trivial updates of site icons, the small icons that appear next to URLs. Generally, they provide brand marks for web sites. Figure 2-1 shows a browser window with three site icons marked out.
Figure 2-1: Site icons displayed in the browser window
Work with Single Sign-On Servers
If your web content is hidden behind a security regime, here's how to get through.
This hack explains how to stop Firefox from prompting the user for already supplied login details. In other words, Firefox can be part of a single sign-on environment, where several servers, applications, and/or services share login details. Firefox understands several kinds of server requests for user credentials.
Single sign-on servers are usually found in an intranet environment. They provide a method of controlling who can access remote servers and the services that they provide, and they can reduce user frustration. Such arrangements are not the same as Secure Sockets Layer (SSL). Although SSL and Secure HTTP swap credentials with SSL-enabled servers, those kinds of credentials (digital certificates and digital signatures) are mostly organization-based, not user-based.
The good news is that single sign-on is a no-brainer in Firefox for the simple case. The simple case isn't that much fun, though, so let's explore the subject a bit before we come back to it. Note that special server-oriented configuration files [Hack #29] can also be set up to perform server login actions. In that case, the server is an LDAP server.
In conceptual terms, single sign-on is a constraint enforced by servers. The server demands special information from the client (for example, a web browser) and refuses to process any request until that information is forthcoming. If a weak security regime (system of identification) is in place, the client might just send operating system login details as plain text to the server. If a strong security regime is in place, the client and server play complicated information games with each other that keep login details secret from everyone.
To understand single sign-on technology in detail requires a great deal of study. This section provides a brief overview only.
Work with Web Proxies
Make Firefox automatically discover the settings it should use for accessing the Web.
The Web is full of proxy and cache servers. Firefox only has to reach the one nearest to you in order to provide connectivity. If your environment includes web servers hidden behind complex security arrangements, this hack will help you point Firefox at the right proxies.
There are four strategies for proxy access: none, static, PAC, and WPAD. Setting up proxies is not the same thing as implementing full server control of Firefox configuration items [Hack #29]. However, it does have some features that are similar to remote configuration.
The Firefox Options dialog box is the starting point for proxy configuration. The General panel holds the Connection configuration item. Depending on your desktop arrangements, such as if your window is slightly too small, you might not see that item. To fix that and expose the Connection Settings... button, just enlarge the window by dragging its bottom right corner outward.
Figure 2-2 shows the Connection Settings subdialog.
Figure 2-2: Proxy connections dialog box
The four radio buttons in Figure 2-2 are alternative values for a single preference:
network.proxy.type  /* an integer, default = 0 */
Table 2-1 shows the relationship between the dialog options, preference values, and their associated standards.
Table 2-1: Dialog options, preference values, and associated standards
Radio option
network.proxy.type
Fine-Tune Ports and Sockets
You can configure Firefox network access down to the last detail if you want.
This hack explains how to chop off pieces of network access at the backend of the Firefox browser. This is done with preferences. Doing so provides strong protection against malicious web attacks, but it offers only weak security against user tampering. That's because, in the normal case, users can undo network-access changes via the about:config system. There is a way to serve these preferences up more securely using a server [Hack #29]. You can also configure proxy arrangements [Hack #15].
Firefox ports are allowed or disallowed using a multi-tiered system. In highest to lowest priority, these are the rules:
  1. Always allow any port that Firefox absolutely must have to get its job done. The primary example is access to DNS via port 53.
  2. Always allow some ports for their standard uses. Here's the current list:
    389, 636 (LDAP), 70 (gopher), 21, 22 (FTP), 79 (finger), 13 (datetime)
  3. Allow all ports specified in Firefox's override list (a whitelist). You can indicate these ports by setting the following preference to a string containing a comma-separated list of port numbers that should be allowed (do not use spaces):
    network.security.ports.banned.override /* unset by default */
  4. Disallow all ports specified in Firefox's blacklist. You can indicate these ports by setting the following preference to a string containing a comma-separated list of port numbers that should not be allowed (do not use spaces):
    network.security.ports.banned       /* unset by default */
  5. Allow any port not covered by the other rules.
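The five rules above, modeled as a small JavaScript function (an added example, not code from the book or from Firefox). The function names, the scheme-keyed table and the sample preference values are assumptions made for illustration; rule 1 is reduced to the text's one example, port 53.

```javascript
// Added illustration: models the five port rules as the text lists them.
// Not Firefox source code; all function and variable names are hypothetical.

// Rule 2: ports always allowed for their standard uses (list taken from the text).
const STANDARD_USES = new Map([
  ["ldap", [389, 636]],
  ["gopher", [70]],
  ["ftp", [21, 22]],
  ["finger", [79]],
  ["datetime", [13]],
]);

// Parse a preference value: comma-separated port numbers, no spaces.
// An unset preference (undefined or "") yields an empty set.
function parsePortPref(value) {
  if (value === undefined || value === "") return new Set();
  if (!/^\d+(,\d+)*$/.test(value)) {
    throw new Error("port list must be comma-separated digits without spaces");
  }
  const ports = value.split(",").map(Number);
  for (const p of ports) {
    if (p < 1 || p > 65535) throw new Error("port out of range: " + p);
  }
  return new Set(ports);
}

// Walk the tiers from highest to lowest priority; report which rule decided.
function checkPort(scheme, port, prefs) {
  const override = parsePortPref(prefs["network.security.ports.banned.override"]);
  const banned = parsePortPref(prefs["network.security.ports.banned"]);
  if (port === 53) return { allowed: true, rule: 1 }; // the text's DNS example
  if ((STANDARD_USES.get(scheme) || []).includes(port)) return { allowed: true, rule: 2 };
  if (override.has(port)) return { allowed: true, rule: 3 }; // whitelist outranks blacklist
  if (banned.has(port)) return { allowed: false, rule: 4 };
  return { allowed: true, rule: 5 }; // not covered by any other rule
}

// Constructed sample preferences: 8080 is placed in both lists on purpose.
const samplePrefs = {
  "network.security.ports.banned.override": "8080",
  "network.security.ports.banned": "8080,6667",
};

console.log(checkPort("http", 8080, samplePrefs)); // decided by rule 3
console.log(checkPort("http", 6667, samplePrefs)); // decided by rule 4
console.log(checkPort("ftp", 21, samplePrefs));    // decided by rule 2
```

Because rule 3 outranks rule 4, an audit of a deployment should read the override list first: a port listed there stays reachable even when it also appears in the banned list.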
Manage Digital Certificates
Who gives Firefox trustworthy advice? You can change that set of advisors.
All content from a web site that advertises itself as secure has to be checked. Secure content must be accompanied by a digital signature and by a certificate that says whom the digital signature belongs to. The certificate must originate from a Certificate Authority (an organization) that Firefox knows. This hack explains how to change the certificates and Certificate Authorities (CAs) that Firefox knows about.
The Firefox Options dialog box lets you manage digital certificates. Click the Advanced icon to display that panel, expand the Certificates item, and click the Manage Certificates... button. Figure 2-3 shows that window, with the fourth tab in front.
Figure 2-3: Default certificate authority certificates in Firefox
If you click on any of the rows labeled Builtin Object Token, you can then examine the certificate by pressing the View button or limit its use via the Edit button. All of the certificates listed are bundled with the standard Firefox install. There's little reason to delete them, but you can if you want. If you do so, that will restrict the number of secure web sites that Firefox can successfully visit.
You can also list these certificates from outside Firefox. Copy these files from the current Firefox profile to a temporary directory:
cert8.db key3.db secmod.db
All three files (cert8.db, key3.db, and secmod.db) are required. To see their contents, use signtool [Hack #18], like this:
signtool -L -d"."
These three files contain, respectively, certificates, public-key encryption keys, and a list of security modules that provide enabling regimes for browser security. An enabling regime is just a starting point for security. The alphabet soup that describes such regimes includes PKCS #11 and PSM standards. Implementations of those standards make up the default (built-in) security regime for Firefox. Other regimes that could be added (via additional software libraries) include systems that support smart cards and dongles.
Digitally Sign Content
Content delivered to Firefox can request special privileges from the user.
Normal Firefox content, whether it's HTML, XHTML or XUL, runs inside a sandbox that stops it from doing anything risky, such as modifying files stored on the local disk. This hack explains how to ask the user for permission to escape the sandbox. If permission is given, the content (usually scripts) can do whatever it likes. You can also arrange matters so that the user is never asked for permission [Hack #19].
The design ideas behind granting permission are trust and identity. If the web page content is to have full control over the browser, there must be trust between the browser user and the content creator—two real, live people. Access to technical features is secondary to this human principle. In the conservative world of security, trust can be assured only if identity can be properly determined. Here are the identity constraints built into Firefox:
  • The browser user always knows whom a content maker requesting trust is.
  • The browser user can always physically track down a content maker that requested trust.
  • The browser user is always free to reject a request for trust.
The Firefox user can drop these constraints if they so choose. When presented with information about a content maker, the user can tell Firefox to trust that content maker in the future. That puts identity information about the content maker in files in the user profile area. Firefox will always validate signed content, but it can do so silently if the user directs it to do so.
Validating signed content is done automatically by Firefox. Making signed content is a task for a web site content creator.
These identity constraints are supported by technology—digital certificates and digital signing—and by a special sandbox-breaking API that only works when trust is in place. They also demand some old-fashioned paperwork. A real, live person called a Certificate Authority (CA) is required. Little of that infrastructure is obvious or meaningful to an end user confronted by a permission request, though.
Grant Trust with Master Certificates
Control secure uses of Firefox completely with an overriding master certificate.
Web site content can request trusted access to Firefox by presenting content that is digitally signed [Hack #18]. Trusted access lets the content break out of the web page sandbox. The user must manually confirm that they trust the signed content presented before this can happen. This hack explains how to avoid that manual confirmation.
Firefox supports the use of a master certificate. Such a certificate is different than the master password that can be set in the Options dialog box in the following ways:
Master password
Stored in the Firefox user profile area: one piece of data per user profile. Provides an overall security check per profile and privacy for each user.
Master certificate
Stored in the Firefox install area: one JAR file only. Provides an overall security check for one or more remote websites and secure access to the browser for those web sites.
In other words, a master password keeps other users out; a master certificate lets web sites in. Since all this information is stored on the same computer as Firefox, both are subject to change from anyone who can log in to the computer.
A typical use of a master certificate is for a vendor, distributor, or deployer to bundle it with a Mozilla-based product. This gives a distributor a back door through which they can control the browser's security status. This back door can be exploited for different reasons, depending on the web environment:
In a conservative environment
It allows the distributor to create a community of trusted web sites that all have secure access to the user's browser. Such a community can aggregate value-added services in the user's browser.
Restrict Script Behavior with Policies