Corporate Firefox Deployment This site outlines steps for corporate deployment of the Mozilla Firefox browser and autoconfig.


Tuesday, May 17, 2005

Amended firefox.cfg

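////////////////////////////////////////////////////////////
//firefox.cfg lockprefs rxg
//
// Autoconfig file: each lockPref() call sets a preference and locks it,
// so the user cannot change it from the browser UI.
// NOTE(review): keep line 1 a comment; the autoconfig reader is
// documented to skip the first line of the .cfg file.
////////////////////////////////////////////////////////////

// Do NOT check for automatic updates.
// With these locked off, clients only receive browser and extension
// security fixes when a new package is deployed to them.
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);
lockPref("app.update.autoUpdateEnabled", false);

// set proxy.pac file location (proxy type 2 = use the autoconfig URL)
// NOTE(review): the PAC file is fetched over plain http, so nothing
// verifies its integrity in transit; confirm that is acceptable here.
lockPref("network.proxy.autoconfig_url", "http://intranet/proxy.pac");
lockPref("network.proxy.type", 2);

// Turn off initial security warning
// (the prompt shown before a form is submitted over an unencrypted
// connection).
lockPref("security.warn_submit_insecure", false);

// Remove painting delay when loading pages. Value in milliseconds
// (default is 250)
lockPref("nglayout.initialpaint.delay", 1);

lockPref("content.notify.backoffcount", 5);
// NOTE(review): looks like this reveals full plugin file paths rather
// than just file names; confirm that is wanted.
lockPref("plugin.expose_full_path", true);

//Fast Computer Fast Connection
lockPref("content.interrupt.parsing", true);
lockPref("content.max.tokenizing.time", 2250000);
lockPref("content.notify.interval", 750000);
lockPref("content.notify.ontimer", true);
lockPref("content.switch.threshold", 750000);
lockPref("browser.cache.memory.capacity", 65536);

// HTTP pipelining, direct and through the proxy.
// The function name is case-sensitive: it must be lockPref, not lockpref.
lockPref("network.http.pipelining", true);
lockPref("network.http.proxy.pipelining", true);
lockPref("network.http.pipelining.maxrequests", 16);

// No Web page should be able to redefine the browser's UI.
// Bug 107949 - Add pref for ignoring window feature options on
// window.open()
// http://bugzilla.mozilla.org/show_bug.cgi?id=107949
lockPref("dom.disable_window_open_feature.close", true);
lockPref("dom.disable_window_open_feature.minimizable", true);
lockPref("dom.disable_window_open_feature.scrollbars", true);

// Bug 176304 - Option to disallow scripts from hiding toolbars
// http://bugzilla.mozilla.org/show_bug.cgi?id=176304
// Keeping the location and status bars visible in script-opened windows
// lets the user see which site a window really belongs to.
lockPref("dom.disable_window_open_feature.titlebar", true);
lockPref("dom.disable_window_open_feature.toolbar", true);
lockPref("dom.disable_window_open_feature.location", true);
lockPref("dom.disable_window_open_feature.directories", true);
lockPref("dom.disable_window_open_feature.personalbar", true);
lockPref("dom.disable_window_open_feature.menubar", true);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.disable_window_status_change", true);
lockPref("dom.disable_window_move_resize", true);

// Bug 101509 - Pref to disable resizable=no
// http://bugzilla.mozilla.org/show_bug.cgi?id=101509
lockPref("dom.disable_window_open_feature.resizable", true);

// Resize frames
lockPref("layout.frames.force_resizability", true);

// Let remote content link to local (file://) content. This is needed
// for intranets.
// http://bugzilla.mozilla.org/show_bug.cgi?id=84128#c20
// This is a global pref: the load-URI check is switched off for every
// site, not only intranet pages. Where the deployed version supports it,
// prefer scoping the exception to intranet sites with a configurable
// security policy (see the ConfigPolicy link in the popup section).
lockPref("security.checkloaduri", false);

// Show error pages instead of popup errors. i.e. Unable to resolve.
// http://bugzilla.mozilla.org/show_bug.cgi?id=28586
lockPref("browser.xul.error_pages.enabled", true);

// Disable blinking text:
lockPref("browser.blink_allowed", false);

// Image animation mode: normal, once, none.
// This pref now has UI under Privacy & Security->Images.
lockPref("image.animation_mode", "once");

// Show pref UI to block images that don't come from the current server
// This is shown by default in Firefox.
lockPref("imageblocker.enable", true);

// Turn that annoying autocomplete popup REALLY off:
// (This actually has a UI but it's buried.)
lockPref("browser.urlbar.autocomplete.enabled", false);
lockPref("browser.urlbar.showPopup", false);
lockPref("browser.urlbar.showSearch", false);

// Turn off the download manager (0=download manager, 1=simple dialog?)
lockPref("browser.downloadmanager.behavior", 1);

// Enable the marquee tag (disabled by default):
lockPref("browser.display.enable_marquee", true);

// Image placeholders: locked to false here.
// NOTE(review): the original comment read "Enable image placeholders";
// confirm whether false or true is the intended value.
lockPref("browser.display.show_image_placeholders", false);

////////////////////////////////////////////////////////////
// Platform parity/UI issues
////////////////////////////////////////////////////////////

// Key modifier stuff: see bug 22515
// Windows-style access keys:
//lockPref("ui.key.accelKey", 17);
//lockPref("ui.key.menuAccessKey", 18);
//lockPref("ui.key.menuAccessKeyFocuses", true);

// Middle mouse prefs: true by default on Unix, false on other platforms.
lockPref("middlemouse.paste", false);
lockPref("middlemouse.openNewWindow", true);
lockPref("middlemouse.contentLoadURL", false);
lockPref("middlemouse.scrollbarPosition", false);

// Newline paste behavior: 0=paste unchanged, 1=paste only
// first line, 2=replace with spaces, 3=strip newlines
lockPref("editor.singleLine.pasteNewlines", 0);

////////////////////////////////////////////////////////////
// UI look-and-feel issues
////////////////////////////////////////////////////////////

// Tab focus model bit field:
// 1 focuses text controls, 2 focuses other form elements,
// 4 adds links.
// Most users will want 1, 3, or 7.
lockPref("accessibility.tabfocus", 1);

// Typeahead find configuration:
lockPref("accessibility.typeaheadfind", true);
lockPref("accessibility.typeaheadfind.linksonly", true);
lockPref("accessibility.typeaheadfind.startlinksonly", false);
lockPref("accessibility.typeaheadfind.timeout", 5000);

// Set select colors for text:
lockPref("ui.textSelectBackground", "navy");
lockPref("ui.textSelectForeground", "white");
// Select color for typeahead find is slightly different:
lockPref("ui.textSelectBackgroundAttention", "green");

////////////////////////////////////////////////////////////
// Control of popup windows
////////////////////////////////////////////////////////////

// Use configurable security policies to override popups, see
// http://www.mozilla.org/projects/security/components/ConfigPolicy.html

// Limit popups to the same site:
lockPref("capability.policy.default.Window.open","sameOrigin");

// Disable JS windows popping up without direct action from the user
lockPref("dom.disable_open_during_load", true);

// Open links from external apps into a new tab
// (Firefox 1.0 builds have a UI for this pref in the Options dialog)
lockPref("browser.link.open_external", 3);
// Force new windows into tabs
// (Firefox 1.0+ builds have a UI for this pref in the Options dialog)
lockPref("browser.link.open_newwindow", 3);
// Make the above pref apply only to targeted links, not window.open
lockPref("browser.link.open_newwindow.restriction", 1);
// Don't focus new tabs opened by left-click or external URL
lockPref("browser.tabs.loadDivertedInBackground", true);
// Don't focus new tabs opened by middle-click or ctrl-click
// (All recent Firefox and Suite builds have a UI for this pref)
lockPref("browser.tabs.loadInBackground", true);

// It is now possible to disable the JavaScript window.open() method
// when it is not called as a result of a mouse click.
// When the dom.disable_open_click_delay pref is set to a non-zero
// number, window.open will fail when called more than that number
// of milliseconds after a mouse click.
lockPref("dom.disable_open_click_delay", 1000);

////////////////////////////////////////////////////////////
// Miscellaneous stuff
////////////////////////////////////////////////////////////

// Wrap column for html output from the editor:
lockPref("editor.htmlWrapColumn", 72);

// Show JS warnings. This is also available in the Debug panel
// under Preferences.
lockPref("javascript.options.strict", true);

// Change default paper size from US-Letter to A4:
lockPref("print.postscript.paper_size", "A4");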

Error in config file

Warning:
There are two errors in the config file.
In the top section (Originally from Ben Goodger at mozilla.):

// Do NOT check for automatic updates
lockPref("update.app.enabled", false);
lockPref("update.extensions.enabled", false);

Should read:
// Do NOT check for automatic updates
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);

Thanks to Rob at Maroochy for pointing this out.

Friday, May 13, 2005

Hardware hacking

For those that ride bikes, and use Kryptonite locks,
as I do, beware that the locks can be picked with
a plastic ballpoint pen..

http://www.google.com/search?q=Kryptonite+pick

Back to the old padlock.

Firefox version 1.0.4 release 12 May 2005

Firefox version 1.0.4 has 3 critical patches.

Mozilla lists them here: http://www.mozilla.org/projects/security/known-vulnerabilities.html
Fixed in Firefox 1.0.4
* MFSA 2005-44 Privilege escalation via non-DOM property overrides
* MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
* MFSA 2005-42 Code execution via javascript: IconURL
http://www.mozilla.org/projects/security/known-vulnerabilities.html
There has been some gleeful and hysterical publicity about them,
even before an exploit.

1.0.4. should be deployed rather than 1.0.3.

The changes in 1.0.4 are only
* Several security fixes.
* Fix to DHTML errors encountered at some web sites.
(the DHTML error was introduced in 1.0.3..)

Release Notes: http://www.mozilla.org/products/firefox/releases/1.0.4.html

Get Firefox version 1.0.4 here.

Functionally it's the same as 1.0.3. and the configuration files will
work for both.

Monday, May 09, 2005

Firefox tops 50 Million

Fifty million downloads of Firefox!
http://www.mozilla.org/products/firefox/

Our few thousand helped !

Sunday, May 08, 2005

Using both IE and Firefox via multiple proxies.

Of course today it is not feasible to completely do away with IE, as a
very few applications are written for IE4 html inventions or activex.

One way to keep IE is to use the Microsoft sanctioned way of limiting
browsing to "known good sites", a thankless and almost impossible task..

An easier way is to use multiple proxies.

Simply set up 2 proxies, limiting one to the essential IE sites only.
Point IE to the limited one, and all other browsing is via Firefox
through the unlimited proxy.

Set the proxy IPs in the clients via a proxy.pac and Group Policy.

A simple model would be two internal ISA proxies, with the IE one
limited to a select client destination set. Use ISA for reporting.
Both are then chained to the DMZ gateway proxy.
The DMZ proxy should also do the filtering and anti-virus.

Current versions of Java and ISA work together.

This model has been successfully utilised at a number of sites.

Firefox deployment in a corporate environment.

Firefox 1.0.3 browser Configuration

Configuration details for Firefox 1.0.3 browser to enable deployment and use within a corporate network, via proxies.

Using the mozilla.org distribution of the exe, additional configurations are added to allow access to proxies and to ease distribution to client PCs.

Prerequisites

  • Firefox 1.0.3.exe from www.mozilla.org/firefox
  • A perl installation to generate encoded cfg files.
  • A way to package (such as nsis)
  • A way to deploy the package.
Background
Firefox runs natively on the network, but needs a few settings for corporate usage, including turning off automatic updates, proxy settings, and minor but desirable issues such as network settings, security considerations such as popups, setting the default page and bookmarks etc.
A partial selection can be seen by reading the configuration files included on this website.
A full selection is found on the mozilla.org site.
Using "about:config" in the browser is also useful when deciding which directives to configure.

Firefox creates a profile for each user. Settings can be placed (by default) in the profile, but this is not desirable in a corporate environment, because it complicates and hinders the deployment process, as there may be multiple profiles on a PC, and the location of the live profile may not be predictable.
The process below puts the configuration files in the C:\Program Files structure and leaves the profile alone; this still allows user preferences to be saved in their profile.

Installation and configuration steps:


On a PC, remove the existing firefox in C:\Program Files\Firefox. (rename it if you wish to keep a backup). Be aware that older profiles will not work with later versions, but older bookmarks can always be imported.
Also remove the profile located in C:\Documents and Settings\user\Application Data\Mozilla (You may need to set explorer’s view folder options to see this directory.)
Run the mozilla version of firefox.exe. This will install the program into C:\Program Files\Mozilla Firefox
To make the relevant changes, change the files:
  • C:\Program Files\Mozilla Firefox\greprefs\all.js
The only line added is the following, which instructs the program where and which config file to use:
pref("general.config.filename", "firefox.cfg");
  • C:\Program Files\Mozilla Firefox\firefox.cfg (referenced above)
This file is generated by encoding from a text file called “firefox.txt”. The settings in this file have been tested thoroughly and were chosen with the assistance of the internet security community. The file is included on this website.

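To generate a Firefox format file, the file must be encoded and renamed to “firefox.cfg”. The encoding is achieved by byte-shifting with an offset of 13. There are many byte-shifting programs for developers; the easiest way to accomplish this is to use the perl script “moz-byteshift.pl” from mozilla.org. The script is included on this website. Byte-shifting is a reversible encoding, not encryption: anyone who can read the file can decode it with the same script and an offset of -13, so it hides nothing and should not contain secrets.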

Note that a future change is possible, to have one global configuration published on a website, as the proxy settings are, by the use of the "autoadmin.global_config_url" directive. This is not included in this configuration at this time.

The settings in this file can also be included in the file “user.js” in the profile, which is distributed in the default profile; however, its position in the profile makes it unfeasible to use in a corporate environment.
  • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
This is a jar archive with NO compression.
Set cosmetic changes in here. The only archive file that I change is:
\locale\global\brand.dtd – Set the window title here. (Changed from Mozilla Firefox to Firefox)
A version number could be also entered here to display in the window title.
This change is for cosmetic and identification purposes only.
Beware when changing the archive contents that a second copy of the file is not created in the archive root, instead of changing the live file.
To manipulate the en-US.jar file, rename a copy to en-US.zip, extract the contents, make changes, create a new zip of the structure, with NO compression, and rename back to en-US.jar

Auto-config.

moz-byteshift.pl

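#!/usr/bin/perl

# moz-byteshift.pl
# Perl script to encode with a byte offset, used to create mozilla config
# files.
#
# Byteshifting program for firefox's firefox.cfg files
#
# Reads STDIN as raw bytes, adds the shift given with -s to every byte
# (modulo 256) and writes the result to STDOUT.
#
# Mozilla uses a byteshift of 13
# To decode: moz-byteshift.pl -s -13 <firefox.cfg >firefox.cfg.txt
# To encode: moz-byteshift.pl -s 13 <firefox.cfg.txt >firefox.cfg
#
# The shift is trivially reversible (see the decode line above): it
# obscures the file but does not protect it. Anyone who can read
# firefox.cfg can recover the settings, so keep secrets out of it.
#
# To activate the firefox.cfg file, place the encoded firefox.cfg file
# into your C:\Program Files\Mozilla Firefox\ directory.
# Then add the following line to your
# C:\Program Files\Mozilla Firefox\greprefs\all.js file :
# pref("general.config.filename", "firefox.cfg");

# The deprecated "use encoding 'latin1'" pragma is not needed: all I/O
# below is done on raw bytes, and recent perls refuse to load it.
use strict;
use warnings;
use Getopt::Std;

use vars qw/$opt_s/;

getopts("s:");
if (!defined $opt_s) {
    die "Missing shift\n";
}
# Reject non-numeric shifts instead of silently treating them as 0.
if ($opt_s !~ /^[+-]?\d+$/) {
    die "Shift must be an integer\n";
}

# Set raw mode once, before any I/O, rather than on every iteration.
binmode(STDIN,  ":raw");
binmode(STDOUT, ":raw");

my $buffer;
while (1) {
    my $n = sysread STDIN, $buffer, 4096;
    # sysread returns undef on error and 0 at end of input.
    die "Read error: $!\n" unless defined $n;
    last if $n == 0;

    # Work on unsigned bytes; Perl's % with a positive right operand is
    # never negative, so a negative (decode) shift wraps correctly.
    my $shifted = pack("C*", map { ($_ + $opt_s) % 256 } unpack("C*", $buffer));

    # syswrite may write fewer bytes than asked; loop until all are out.
    my $written = 0;
    while ($written < $n) {
        my $w = syswrite STDOUT, $shifted, $n - $written, $written;
        die "Write error: $!\n" unless defined $w;
        $written += $w;
    }
}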

firefox.cfg

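////////////////////////////////////////////////////////////
//firefox.cfg lockprefs rxg
//
// Autoconfig file: each lockPref() call sets a preference and locks it,
// so the user cannot change it from the browser UI.
// NOTE(review): keep line 1 a comment; the autoconfig reader is
// documented to skip the first line of the .cfg file.
////////////////////////////////////////////////////////////

// Do NOT check for automatic updates.
// Pref names corrected: the earlier update.app.enabled and
// update.extensions.enabled spellings were wrong and left update checks on.
// With these locked off, clients only receive browser and extension
// security fixes when a new package is deployed to them.
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);

// set proxy.pac file location (proxy type 2 = use the autoconfig URL)
// NOTE(review): the PAC file is fetched over plain http, so nothing
// verifies its integrity in transit; confirm that is acceptable here.
lockPref("network.proxy.autoconfig_url", "http://intranet/proxy.pac");
lockPref("network.proxy.type", 2);

// Turn off initial security warning
// (the prompt shown before a form is submitted over an unencrypted
// connection).
lockPref("security.warn_submit_insecure", false);

// Remove painting delay when loading pages. Value in milliseconds
// (default is 250)
lockPref("nglayout.initialpaint.delay", 1);

// Boost connections for broadband
lockPref("network.http.max-connections", 24); //Default is 24
lockPref("network.http.max-connections-per-server", 24); //Default is 8
lockPref("network.http.max-persistent-connections-per-proxy", 16); //Default is 4
lockPref("network.http.max-persistent-connections-per-server", 8); //Default is 2

lockPref("network.http.pipelining", true);
lockPref("network.http.proxy.pipelining", true);
lockPref("network.http.pipelining.maxrequests", 16);
lockPref("content.notify.backoffcount", 5);
// NOTE(review): looks like this reveals full plugin file paths rather
// than just file names; confirm that is wanted.
lockPref("plugin.expose_full_path", true);

//Fast Computer Fast Connection
lockPref("content.interrupt.parsing", true);
lockPref("content.max.tokenizing.time", 2250000);
lockPref("content.notify.interval", 750000);
lockPref("content.notify.ontimer", true);
lockPref("content.switch.threshold", 750000);
lockPref("browser.cache.memory.capacity", 65536);

// No Web page should be able to redefine the browser's UI.
// Bug 107949 - Add pref for ignoring window feature options on
// window.open()
// http://bugzilla.mozilla.org/show_bug.cgi?id=107949
lockPref("dom.disable_window_open_feature.close", true);
lockPref("dom.disable_window_open_feature.minimizable", true);
lockPref("dom.disable_window_open_feature.scrollbars", true);

// Bug 176304 - Option to disallow scripts from hiding toolbars
// http://bugzilla.mozilla.org/show_bug.cgi?id=176304
// Keeping the location and status bars visible in script-opened windows
// lets the user see which site a window really belongs to.
lockPref("dom.disable_window_open_feature.titlebar", true);
lockPref("dom.disable_window_open_feature.toolbar", true);
lockPref("dom.disable_window_open_feature.location", true);
lockPref("dom.disable_window_open_feature.directories", true);
lockPref("dom.disable_window_open_feature.personalbar", true);
lockPref("dom.disable_window_open_feature.menubar", true);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.disable_window_status_change", true);
lockPref("dom.disable_window_move_resize", true);

// Bug 101509 - Pref to disable resizable=no
// http://bugzilla.mozilla.org/show_bug.cgi?id=101509
lockPref("dom.disable_window_open_feature.resizable", true);

// Resize frames
lockPref("layout.frames.force_resizability", true);

// Let remote content link to local (file://) content. This is needed
// for intranets.
// http://bugzilla.mozilla.org/show_bug.cgi?id=84128#c20
// This is a global pref: the load-URI check is switched off for every
// site, not only intranet pages. Where the deployed version supports it,
// prefer scoping the exception to intranet sites with a configurable
// security policy (see the ConfigPolicy link in the popup section).
lockPref("security.checkloaduri", false);

// Show error pages instead of popup errors. i.e. Unable to resolve.
// http://bugzilla.mozilla.org/show_bug.cgi?id=28586
lockPref("browser.xul.error_pages.enabled", true);

// Disable blinking text:
lockPref("browser.blink_allowed", false);

// Image animation mode: normal, once, none.
// This pref now has UI under Privacy & Security->Images.
lockPref("image.animation_mode", "once");

// Show pref UI to block images that don't come from the current server
// This is shown by default in Firefox.
lockPref("imageblocker.enable", true);

// Turn that annoying autocomplete popup REALLY off:
// (This actually has a UI but it's buried.)
lockPref("browser.urlbar.autocomplete.enabled", false);
lockPref("browser.urlbar.showPopup", false);
lockPref("browser.urlbar.showSearch", false);

// Turn off the download manager (0=download manager, 1=simple dialog?)
lockPref("browser.downloadmanager.behavior", 1);

// Enable the marquee tag (disabled by default):
lockPref("browser.display.enable_marquee", true);

// Image placeholders: locked to false here.
// NOTE(review): the original comment read "Enable image placeholders";
// confirm whether false or true is the intended value.
lockPref("browser.display.show_image_placeholders", false);

////////////////////////////////////////////////////////////
// Platform parity/UI issues
////////////////////////////////////////////////////////////

// Key modifier stuff: see bug 22515
// Windows-style access keys:
//lockPref("ui.key.accelKey", 17);
//lockPref("ui.key.menuAccessKey", 18);
//lockPref("ui.key.menuAccessKeyFocuses", true);

// Middle mouse prefs: true by default on Unix, false on other platforms.
lockPref("middlemouse.paste", false);
lockPref("middlemouse.openNewWindow", true);
lockPref("middlemouse.contentLoadURL", false);
lockPref("middlemouse.scrollbarPosition", false);

// Newline paste behavior: 0=paste unchanged, 1=paste only
// first line, 2=replace with spaces, 3=strip newlines
lockPref("editor.singleLine.pasteNewlines", 0);

////////////////////////////////////////////////////////////
// UI look-and-feel issues
////////////////////////////////////////////////////////////

// Tab focus model bit field:
// 1 focuses text controls, 2 focuses other form elements,
// 4 adds links.
// Most users will want 1, 3, or 7.
lockPref("accessibility.tabfocus", 1);

// Typeahead find configuration:
lockPref("accessibility.typeaheadfind", true);
lockPref("accessibility.typeaheadfind.linksonly", true);
lockPref("accessibility.typeaheadfind.startlinksonly", false);
lockPref("accessibility.typeaheadfind.timeout", 5000);

// Set select colors for text:
lockPref("ui.textSelectBackground", "navy");
lockPref("ui.textSelectForeground", "white");
// Select color for typeahead find is slightly different:
lockPref("ui.textSelectBackgroundAttention", "green");

////////////////////////////////////////////////////////////
// Control of popup windows
////////////////////////////////////////////////////////////

// Use configurable security policies to override popups, see
// http://www.mozilla.org/projects/security/components/ConfigPolicy.html

// Limit popups to the same site:
lockPref("capability.policy.default.Window.open","sameOrigin");

// Disable JS windows popping up without direct action from the user
lockPref("dom.disable_open_during_load", true);

// Open links from external apps into a new tab
// (Firefox 1.0 builds have a UI for this pref in the Options dialog)
lockPref("browser.link.open_external", 3);
// Force new windows into tabs
// (Firefox 1.0+ builds have a UI for this pref in the Options dialog)
lockPref("browser.link.open_newwindow", 3);
// Make the above pref apply only to targeted links, not window.open
lockPref("browser.link.open_newwindow.restriction", 1);
// Don't focus new tabs opened by left-click or external URL
lockPref("browser.tabs.loadDivertedInBackground", true);
// Don't focus new tabs opened by middle-click or ctrl-click
// (All recent Firefox and Suite builds have a UI for this pref)
lockPref("browser.tabs.loadInBackground", true);

// It is now possible to disable the JavaScript window.open() method
// when it is not called as a result of a mouse click.
// When the dom.disable_open_click_delay pref is set to a non-zero
// number, window.open will fail when called more than that number
// of milliseconds after a mouse click.
lockPref("dom.disable_open_click_delay", 1000);

////////////////////////////////////////////////////////////
// Miscellaneous stuff
////////////////////////////////////////////////////////////

// Wrap column for html output from the editor:
lockPref("editor.htmlWrapColumn", 72);

// Show JS warnings. This is also available in the Debug panel
// under Preferences.
lockPref("javascript.options.strict", true);

// Change default paper size from US-Letter to A4:
lockPref("print.postscript.paper_size", "A4");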