Jack Wallen walks you through the process of locking down options with Firefox's about:config page to help secure the browser from user tampering.
Since the release of Firefox Quantum, have you made the change to Firefox in your company? If that's the case, are you concerned about users making changes to the browser that might go against company policy, or pose security risks? Although the average user might not know the about:config feature exists, there will be some that do. Even though completely disabling about:config isn't really an option, you can always lock down certain settings within about:config, and then deploy that newly configured browser.
I'm going to walk you through the process of doing just that. I'll demonstrate on the Linux platform (using Ubuntu 17.10 and Firefox 59). The process is similar on both Windows and macOS, although the specifics on file locations will vary.
You will need to download the latest version of Firefox from Mozilla and uninstall the version of Firefox that was included either via the default operating system installation or from with the OS package manager. You will also need to use the terminal window. Download the latest version of Firefox into the ~/Downloads directory.
Once you have everything ready, let's get to work.
Unpacking the file
The first thing we must do is unpack the downloaded file. Open up your terminal and change into the ~/Downloads directory with the command cd ~/Downloads. Unpack the file with the command tar xvfj firefox-*.bz2. This will create a new folder called firefox-XX (where XX is the release number). Within that folder is the sub-folder, firefox. Let's move that out of the parent folder with the following commands:
cd firefox-XX (where XX is the release number) mv firefox ../ cd ../
You should now see a folder named firefox. Change into that folder with the command cd firefox.
We are now ready to configure.
The first thing we must do is create a new file called mozilla.cfg. Issue the command nano mozilla.cfg. Within that file we're going to lock down the about:config preferences we don't want the users to be able to change. The first line of this file is always ignored, so we're going to simply add an empty comment, like so:
The next lines in the file will contain all of the configuration options. To lock a preference in about:config, a line will start with lockPref. Let's say, for example, we want to set the default homepage to the TechRepublic site. The configuration option for this would be:
To find out what other preferences you can set in this file, all you have to do is open up the about:config page. For example, you could lock down app.update.enabled (which would disable application updates) with this line:
You could also lock down the default browser check with this line:
Once you've added all of your configuration options, save and close that file.
Next issue the command (from within the current firefox directory) nano default/pref/autoconfig.js. Within that file, add the following contents:
// pref("general.config.obscure_value", 0); pref("general.config.filename", "mozilla.cfg");
Save and close that file.
Test your configurations
Open Firefox with the command ./firefox. When the browser opens, you should be able to see your configurations in place. You can check to make sure they've been locked by opening the about:config page (enter about:config into the address bar and hit Enter). Search for one of the options you've configured and it should appear as locked (Figure A).
Deploying the configured Firefox
Because this is Linux, the process is actually pretty easy. What we're going to do is move the firefox folder to /opt with the command sudo mv firefox /opt. Next we'll create a symbolic link to /usr/bin with the command ln -s /opt/firefox/firefox /usr/bin/firefox. At this point, a user can issue the command firefox from the command line to start up our newly configured (and locked down) version of Firefox. Once it starts, lock the icon to the desktop panel and you're good to go. Depending upon your Desktop Environment, you might have to manually create a desktop entry. To do that, open a terminal window and issue the command nano ~/.local/share/applications/firefox.desktop and add the following contents:
[Desktop Entry] Version=1.0 Name=Firefox GenericName=Firefox Comment=Firefox Exec=/usr/bin/firefox Terminal=false Icon=/opt/firefox/browser/chrome/icons/default/default48.png Type=Application Categories=Network;WebBrowser; MimeType=text/html;
Save and close that file. The newly created launcher should appear on your desktop or your GNOME Launcher.
And that's all there is to deploying a version of Firefox that includes locked down options within about:config. If you're looking to keep your users from tampering with Firefox, this might be your best route until Firefox for Enterprise is released.
- Mozilla's Firefox 59 can stop websites from spying on you (TechRepublic)
- How to enable Tracking Protection in Firefox Quantum (TechRepublic)
- Firefox 59 will prevent data leaks with improved private browsing sessions (TechRepublic)
- How to manage Firefox Quantum site permissions (TechRepublic)
- How to easily refresh your Firefox Quantum browser (TechRepublic)
- Firefox Quantum: A cheat sheet for professionals (TechRepublic)
- How to force Firefox to forget your browser history (TechRepublic Video)
- Think Firefox Quantum is fast? Try Firefox 58, out this week, says Mozilla (ZDNet)