Mozilla's configurable security policies allow users to set up security policies for the browser, and also have different security policies for different Internet sites. The ideas for configurable security policies come from a number of sources. Bell Labs researchers Vinod Anupam and Alain Mayer have written papers and contributed code to Mozilla. The infamous bug 858 serves as a wish list for this sort of functionality. Finally, IE's zones employ some of this idea.
Suppose you're annoyed by pop-up advertisements and want to prevent all web pages from opening new browser windows. You can do this by adding the following line to your Mozilla preferences file (prefs.js):
user_pref("capability.policy.strict.sites", "http://www.evil.org http://www.annoying.com");
The preference "capability.policy.strict.sites" defines the web sites to which the strict policy is applied. The value of that preference is a list of sites (protocol and hostname only), separated by spaces. The final three lines define the strict policy. For these sites, the example above will disallow access to window.alert(), window.confirm(), and window.prompt().
Note that since we haven't defined whether sites under the strict policy can open new windows with window.open(), the default policy still applies.
Suppose we've also discovered that in blocking access to window.open(), we've prevented a script on www.usefulsite.net from working. We can allow this page to bypass the window.open restriction by setting the Window.open policy back to its default value, sameOrigin:
The name of the policy can be anything you want; we used strict and trustable in this example, but you could name it blacklist or mypolicy or anything else. Be sure the policy name on the sites line matches the name on the other lines which define the policy for those sites.
There are three special security levels:
- noAccess: web sites can never access this property or call this function.
- sameOrigin (default): web sites can access this property, but only for pages on the same site. See this document for an explanation of how Mozilla determines whether two pages have the same origin.
- allAccess: a web site can access this property within the same site and on any other site.
If the security level is not one of the three above, it is treated as a privilege name, and a script can access it only if the script is signed and the user grants the privilege to the script through a dialog.
You can specify a policy that applies only to reading a property, or only to changing its value, by adding .get or .set after the property name. This allows you to specify one policy for reading a property and another for changing its value. See below for some examples that block pages from setting values but not from reading them.
Setting Class.property.get and Class.property.set to the same level is equivalent to setting Class.property to that level. Calling a function is always considered a get.
- A policy consists of a sites line and one or more policy lines. The sites line must be omitted for the default policy, but it must be present for all others.
- The sites line has this format:
.sites"," "); is any combination of letters and numbers, starting with a letter.
is a list of URLs separated by spaces. Each URL in the list can either be of the form protocol:, which will apply the policy to all URLs with the given protocol (such as http:), or protocol://host which will apply to a particular host (for example, http://www.annoyingsite.myisp.com). Don't include the path portion of the URL (the / after the host name or anything after it).
- A policy line has this format:
. . ","allAccess | noAccess | sameOrigin | "); must be the same as the policy name on the sites line.
- The pref values (allAccess, etc.) are described above.
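As an added example (not part of the original document or of Mozilla's code), the Node.js script below lints prefs.js text against the format rules listed above, and also reports values that are not one of the three levels, since those are treated as privilege names. The function name lintPolicies and the sample lines are constructed for illustration; the sample deliberately contains three mistakes.

```javascript
// Added example: lint capability.policy lines against the rules on this page.
const LEVELS = new Set(["allAccess", "noAccess", "sameOrigin"]);
const PREF_RE = /user_pref\(\s*"capability\.policy\.([^."]+)\.([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;/g;

function lintPolicies(prefsText) {
  const policies = new Map(); // policy name -> { sites: string[] | null, rules: number }
  const findings = [];
  for (const [, name, key, value] of prefsText.matchAll(PREF_RE)) {
    if (!/^[A-Za-z][A-Za-z0-9]*$/.test(name)) {
      findings.push(`${name}: policy name must be letters and numbers, starting with a letter`);
    }
    const p = policies.get(name) || { sites: null, rules: 0 };
    policies.set(name, p);
    if (key === "sites") {
      p.sites = value.split(/\s+/).filter(Boolean);
      for (const url of p.sites) {
        // Accept "protocol:" or "protocol://host"; anything after the host is a path.
        if (!/^[A-Za-z][A-Za-z0-9+.-]*:(\/\/[^\/\s]+)?$/.test(url)) {
          findings.push(`${name}: "${url}" must be protocol: or protocol://host with no path`);
        }
      }
    } else {
      p.rules++;
      if (!LEVELS.has(value)) {
        findings.push(`${name}.${key}: "${value}" is not a security level, so it is treated as a privilege name`);
      }
    }
  }
  for (const [name, p] of policies) {
    if (name === "default" && p.sites) findings.push("default: the sites line must be omitted");
    if (name !== "default" && !p.sites) findings.push(`${name}: missing sites line`);
    if (p.rules === 0) findings.push(`${name}: sites line without any policy line`);
  }
  return findings;
}

// Constructed sample input: a URL with a path, a mistyped level, and a policy with no sites line.
const SAMPLE = `
user_pref("capability.policy.default.Window.open", "noAccess");
user_pref("capability.policy.strict.sites", "http://www.evil.org http://www.annoying.com/ads/");
user_pref("capability.policy.strict.Window.alert", "noaccess");
user_pref("capability.policy.trustable.Window.open", "sameOrigin");
`;
console.log(lintPolicies(SAMPLE).join("\n"));
```
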
user_pref("capability.policy.default.Window.innerWidth.set", "noAccess"); user_pref("capability.policy.default.Window.innerHeight.set", "noAccess"); user_pref("capability.policy.default.Window.outerWidth.set", "noAccess"); user_pref("capability.policy.default.Window.outerHeight.set", "noAccess"); user_pref("capability.policy.default.Window.sizeToContent", "noAccess"); user_pref("capability.policy.default.Window.resizeTo", "noAccess"); user_pref("capability.policy.default.Window.resizeBy", "noAccess");
user_pref("capability.policy.default.Window.screenX.set", "noAccess"); user_pref("capability.policy.default.Window.screenY.set", "noAccess"); user_pref("capability.policy.default.Window.moveTo", "noAccess"); user_pref("capability.policy.default.Window.moveBy", "noAccess");
(Note: these lines don't block all of the ways a web page might find your screen resolution; they only block the most common ones. They don't prevent a web page from finding out how big its window is.)
user_pref("capability.policy.default.Screen.top", "noAccess"); user_pref("capability.policy.default.Screen.left", "noAccess"); user_pref("capability.policy.default.Screen.width", "noAccess"); user_pref("capability.policy.default.Screen.height", "noAccess"); user_pref("capability.policy.default.Screen.pixelDepth", "noAccess"); user_pref("capability.policy.default.Screen.colorDepth", "noAccess"); user_pref("capability.policy.default.Screen.availWidth", "noAccess"); user_pref("capability.policy.default.Screen.availHeight", "noAccess"); user_pref("capability.policy.default.Screen.availLeft", "noAccess"); user_pref("capability.policy.default.Screen.availTop", "noAccess");
Some web pages create "blind links" by changing the status bar text when you hover over the link, preventing the link address from being show in the status bar. This line will turn most blind links into normal links.