Locking preferences: Difference between revisions

From MozillaZine Knowledge Base
Jump to navigationJump to search
(→‎Loading the lock file: simplified and updated notes)
(replace broken link to CCK2 Wizard. the new target is not hosted on mozilla.org.)
 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
This article describes how to prevent specific settings from being modified from inside Firefox or [[Mozilla Suite : FAQs : Status |Mozilla Suite / SeaMonkey]]. This is commonly known as locking preferences.
This article describes how to prevent specific settings from being modified from inside Firefox, Thunderbird, or SeaMonkey. This is commonly known as locking preferences.


If you're looking at a larger scale internal solution, you should consider using the [https://addons.mozilla.org/en-US/firefox/addon/cck/ Mozilla Client Customization Kit] for Firefox, which supports preference locking and much more-- all packaged in an easy to use installer.
If you're looking at a larger scale internal solution, you should consider using the [https://mike.kaply.com/cck2/ CCK2 Wizard] for Firefox, which supports preference locking and much more - all packaged in an easy to use installer.


== Guide ==
== Guide ==
=== Determining settings ===
=== Determining settings ===
* You must first determine which settings you want to lock. This can be done multiple ways:
* You must first determine which settings you want to lock. This can be done multiple ways:
** A mostly complete list describing available settings can be found online on the [[About:config_entries | about:config entries]] page.  
** A mostly complete list describing available settings can be found online on the [[About:config_entries | about:config entries]] page (along with [[mail and news settings]] specific to Thunderbird and SeaMonkey).  
** Preference settings, both user-specified and default values,  are displayed in the [[about:config]] window while Firefox or Mozilla Suite is running. Settings shown here are updated as you change them in the browser.
** Preference settings, both user-specified and default values,  are displayed in the [[about:config]] window while Firefox or SeaMonkey is running (in Thunderbird you have to invoke the Config Editor from the Advanced preferences), Settings shown here are updated as you change them in the browser.
** When the browser closes, it saves user-specified settings to the [[prefs.js file]] in the [[Profile_folder | profile folder]].
** When the browser closes, it saves user-specified settings to the [[prefs.js file]] in the [[Profile_folder | profile folder]].
** If all else fails, you can ask in the [http://forums.mozillazine.org/ forums] or on [[IRC#IRC | IRC]].
** If all else fails, you can ask in the [http://forums.mozillazine.org/ forums] or on [[IRC#IRC | IRC]].
Line 16: Line 16:
   lockPref("network.proxy.type", 0);
   lockPref("network.proxy.type", 0);
* The parser ignores the first line of this file under the assumption that it was made unparseable on purpose "to protect the privacy of the JavaScript preferences file from loading by the browser" (code imported by [https://bugzilla.mozilla.org/attachment.cgi?id=61802&action=diff#mozilla/extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp_sec2 bug 89137]).
* The parser ignores the first line of this file under the assumption that it was made unparseable on purpose "to protect the privacy of the JavaScript preferences file from loading by the browser" (code imported by [https://bugzilla.mozilla.org/attachment.cgi?id=61802&action=diff#mozilla/extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp_sec2 bug 89137]).
* Save the file as '''mozilla.cfg''' in your your [[installation directory]] (where the seamonkey, thunderbird or firefox executable is located)
* Save the file as '''mozilla.cfg''' in your your [[installation directory]] (where the firefox, thunderbird, or seamonkey executable is located)
* '''Note''': This document (like many references throughout the web) previously recommended encoding this file as ROT13. This requirement is not mandatory and can easily be circumvented when loading the lock file (see below).
* '''Notes''':  
 
:# The mozilla.cfg file should be saved ANSI encoded.
:# This document (like many references throughout the web) previously recommended encoding this file as ROT13. This requirement is not mandatory and can easily be circumvented when loading the lock file (see below).
====Other uses for the mozilla.cfg file====
====Other uses for the mozilla.cfg file====
In addition to locking preferences and disallowing changes with <code>lockPref();</code> lines,  you can use the mozilla.cfg file to make other preference changes.  You can set a new default value for a preference by adding a <code>defaultPref();</code> line (related bug [https://bugzilla.mozilla.org/show_bug.cgi?id=786875 786875]).  You can also modify a preference but allow it to be changed or reset in the current session by adding a <code>pref();</code> line (as shown [https://support.mozilla.org/en-US/questions/944575?page=2#answer-402508 here], for example). [https://support.mozilla.org/en-US/questions/933876] [https://support.mozilla.org/questions/944575#answer-402419]
In addition to locking preferences and disallowing changes with <code>lockPref();</code> lines,  you can use the mozilla.cfg file to make other preference changes.  You can set a new default value for a preference by adding a <code>defaultPref();</code> line (related bug [https://bugzilla.mozilla.org/show_bug.cgi?id=786875 786875]).  You can also modify a preference but allow it to be changed or reset in the current session by adding a <code>pref();</code> line (as shown [https://support.mozilla.org/en-US/questions/944575?page=2#answer-402508 here], for example). [https://support.mozilla.org/en-US/questions/933876] [https://support.mozilla.org/questions/944575#answer-402419]
Line 27: Line 28:
   pref("general.config.obscure_value", 0); // only needed if you do not want to obscure the content with ROT-13
   pref("general.config.obscure_value", 0); // only needed if you do not want to obscure the content with ROT-13
   pref("general.config.filename", "mozilla.cfg");
   pref("general.config.filename", "mozilla.cfg");
* Save the change and completely restart Firefox. Now, all of the prefs listed will be locked.
* Save the change and completely restart the application. Now, all of the prefs listed will be locked.
* '''Notes:'''
* '''Notes:'''
:# The local-settings.js file should be saved ANSI encoded.
:# This document previously recommended modifying the "all.js" file in the ''greprefs'' subfolder. Doing so breaks application updates whenever all.js must be updated (more details are given in [https://bugzilla.mozilla.org/show_bug.cgi?id=448504 bug 448504]). Furthermore, in current versions of Firefox, Thunderbird, and SeaMonkey, ''all.js'' is now packaged as ''greprefs.js'' in the ''omni.ja'' file found at top level of the installation directory.
:# This document previously recommended modifying the "all.js" file in the ''greprefs'' subfolder. Doing so breaks application updates whenever all.js must be updated (more details are given in [https://bugzilla.mozilla.org/show_bug.cgi?id=448504 bug 448504]). Furthermore, in current versions of Firefox, Thunderbird, and SeaMonkey, ''all.js'' is now packaged as ''greprefs.js'' in the ''omni.ja'' file found at top level of the installation directory.
:# While most files previously located in the ''defaults/pref'' directory are part of the zipfile ''omni.ja'', you can still place the file local-settings.js in the ''defaults/pref'' folder where also the ''channel-prefs.js'' file is located (see [https://bugzilla.mozilla.org/show_bug.cgi?id=595522 bug 595522]).
:# While most files previously located in the ''defaults/pref'' directory are part of the zipfile ''omni.ja'', you can still place the file local-settings.js in the ''defaults/pref'' folder where also the ''channel-prefs.js'' file is located (see [https://bugzilla.mozilla.org/show_bug.cgi?id=595522 bug 595522]).
=== Verifying the lock ===
* To verify that the preference is actually locked, go into the Config Editor again after the restart (e.g., by typing "about:config" into the browser's location bar) and look up the preference.
* If the lock was successfully applied, the entry appears in ''italic'' and should state ''locked'' in the status column.


== Optional Steps ==
== Optional Steps ==
=== Hiding options ===
=== Hiding options ===
Since these settings can no longer be changed by the user, you may want to prevent them from being shown at all in the GUI. This purely cosmetic change can be done by modifying [[userChrome.css]].
When a preference is locked, its GUI elements (checkboxes, buttons, etc.) are just grayed out like disabled items. Since these settings can no longer be changed by the user, you may want to prevent them from being shown at all in the GUI. Be careful though as dependent elements may still need to be accessible unless their preferences are locked as well. This purely cosmetic change can be done by modifying [[userChrome.css]] after identifying the [https://developer.mozilla.org/en-US/docs/CSS/CSS_Reference?redirectlocale=en-US&redirectslug=CSS_Reference#Selectors CSS selectors] associated with the respective GUI element.
 
=== Restricting file access ===
=== Restricting file access ===
A user who can modify ''local-settings.js'' can obviously remove the lock file reference and change those settings. Revoking write authority from the user for ''local-settings.js'' would prevent this. However, it should be noted that doing this may prevent the user from upgrading Firefox in the future, as new major versions may contain changes to related files (such as "all.js").
A user who can modify ''local-settings.js'' can obviously remove the lock file reference and change those settings. Revoking write authority from the user for ''local-settings.js'' would prevent this. However, it should be noted that doing this may prevent the user from upgrading the application in the future, as new major versions may contain changes to related files (such as "all.js").
=== Caveats ===
=== Caveats ===
Since it is possible to completely bypass locked preferences by running a separate version of Firefox or Mozilla Suite (or a completely different browser) from a different location, it may be necessary to restrict which programs can be run. However, at this point, it is probably a good idea to examine exactly why you are locking the preferences in the first place. If the intent is to protect users from themselves, or to keep novice users from breaking their software, then you have probably done enough. However, if you are trying to secure your network using client-side settings, then you should realize this is very difficult, and ultimately wastes too many resources. Instead, you should probably redirect your efforts to the server/router where you can fight battles that are more easily won.
Since it is possible to completely bypass locked preferences by running a separate version of Firefox, Thunderbird, or SeaMonkey (or a completely different application) from a different location, it may be necessary to restrict which programs can be run. However, at this point, it is probably a good idea to examine exactly why you are locking the preferences in the first place. If the intent is to protect users from themselves, or to keep novice users from breaking their software, then you have probably done enough. However, if you are trying to secure your network using client-side settings, then you should realize this is very difficult, and ultimately wastes too many resources. Instead, you should probably redirect your efforts to the server/router where you can fight battles that are more easily won.
=== Undoing ===
=== Undoing ===
To unlock all preferences, remove the entry you added earlier from the "local-settings.js" file and completely restart Firefox or Mozilla Suite.
To unlock all preferences, remove the entry you added earlier from the "local-settings.js" file and completely restart Firefox, Thunderbird, or SeaMonkey.


==External links==
==External links==
* [http://ilias.ca/blog/2005/03/locking-mozilla-firefox-settings/  Locking Mozilla Firefox Settings] at ilias.ca  
* [http://ilias.ca/blog/2005/03/locking-mozilla-firefox-settings/  Locking Mozilla Firefox Settings] at ilias.ca  
* [https://developer.mozilla.org/en/Automatic_Mozilla_Configurator/Locked_config_settings Automatic Mozilla Configurator:Locked config settings] at developer.mozilla.org
* [https://developer.mozilla.org/en/Automatic_Mozilla_Configurator/Locked_config_settings Automatic Mozilla Configurator:Locked config settings] at developer.mozilla.org
* [http://mike.kaply.com/2012/03/16/customizing-firefox-autoconfig-files/ Customizing Firefox - Autoconfig Files]  at mike.kaply.com
* [http://mike.kaply.com/2012/03/16/customizing-firefox-autoconfig-files/ Customizing Firefox - Autoconfig Files]  at mike.kaply.com (see also  [https://bugzilla.mozilla.org/show_bug.cgi?id=841011 bug 841011], below)


===Related bugs===
* [https://bugzilla.mozilla.org/show_bug.cgi?id=776490 Bug 776490 - variable lock (lockPref) does not work] 


[[Category:Configuration]]
[[Category:Configuration]]

Latest revision as of 17:55, 19 July 2016

This article describes how to prevent specific settings from being modified from inside Firefox, Thunderbird, or SeaMonkey. This is commonly known as locking preferences.

If you're looking at a larger scale internal solution, you should consider using the CCK2 Wizard for Firefox, which supports preference locking and much more - all packaged in an easy to use installer.

Guide

Determining settings

  • You must first determine which settings you want to lock. This can be done multiple ways:
    • A mostly complete list describing available settings can be found online on the about:config entries page (along with mail and news settings specific to Thunderbird and SeaMonkey).
    • Preference settings, both user-specified and default values, are displayed in the about:config window while Firefox or SeaMonkey is running (in Thunderbird you have to invoke the Config Editor from the Advanced preferences), Settings shown here are updated as you change them in the browser.
    • When the browser closes, it saves user-specified settings to the prefs.js file in the profile folder.
    • If all else fails, you can ask in the forums or on IRC.
  • Since it is commonly requested, we will use the browser proxy setting as an example. If you search for "proxy", you will eventually find the preference string for this option is "network.proxy.type". As described in the about:config entries article, the setting to use a direct connection is 0.

Creating the lock file

  • Next, create a text file, and make the first line start with double forward slashes. On the next line(s), add the preferences you want to lock. The format of these lines is similar to that found in prefs.js, except that lockPref is used instead:
 //
 lockPref("network.proxy.type", 0);
  • The parser ignores the first line of this file under the assumption that it was made unparseable on purpose "to protect the privacy of the JavaScript preferences file from loading by the browser" (code imported by bug 89137).
  • Save the file as mozilla.cfg in your your installation directory (where the firefox, thunderbird, or seamonkey executable is located)
  • Notes:
  1. The mozilla.cfg file should be saved ANSI encoded.
  2. This document (like many references throughout the web) previously recommended encoding this file as ROT13. This requirement is not mandatory and can easily be circumvented when loading the lock file (see below).

Other uses for the mozilla.cfg file

In addition to locking preferences and disallowing changes with lockPref(); lines, you can use the mozilla.cfg file to make other preference changes. You can set a new default value for a preference by adding a defaultPref(); line (related bug 786875). You can also modify a preference but allow it to be changed or reset in the current session by adding a pref(); line (as shown here, for example). [1] [2]

Loading the lock file

Finally, you must tell the application to load the lock file. Create a new file (eg "local-settings.js") in the defaults/pref subfolder of the installation directory.

  • Open the "local-settings.js" file in a text editor and add the following line to the bottom, which points to the newly created lock file.
 pref("general.config.obscure_value", 0); // only needed if you do not want to obscure the content with ROT-13
 pref("general.config.filename", "mozilla.cfg");
  • Save the change and completely restart the application. Now, all of the prefs listed will be locked.
  • Notes:
  1. The local-settings.js file should be saved ANSI encoded.
  2. This document previously recommended modifying the "all.js" file in the greprefs subfolder. Doing so breaks application updates whenever all.js must be updated (more details are given in bug 448504). Furthermore, in current versions of Firefox, Thunderbird, and SeaMonkey, all.js is now packaged as greprefs.js in the omni.ja file found at top level of the installation directory.
  3. While most files previously located in the defaults/pref directory are part of the zipfile omni.ja, you can still place the file local-settings.js in the defaults/pref folder where also the channel-prefs.js file is located (see bug 595522).

Verifying the lock

  • To verify that the preference is actually locked, go into the Config Editor again after the restart (e.g., by typing "about:config" into the browser's location bar) and look up the preference.
  • If the lock was successfully applied, the entry appears in italic and should state locked in the status column.

Optional Steps

Hiding options

When a preference is locked, its GUI elements (checkboxes, buttons, etc.) are just grayed out like disabled items. Since these settings can no longer be changed by the user, you may want to prevent them from being shown at all in the GUI. Be careful though as dependent elements may still need to be accessible unless their preferences are locked as well. This purely cosmetic change can be done by modifying userChrome.css after identifying the CSS selectors associated with the respective GUI element.

Restricting file access

A user who can modify local-settings.js can obviously remove the lock file reference and change those settings. Revoking write authority from the user for local-settings.js would prevent this. However, it should be noted that doing this may prevent the user from upgrading the application in the future, as new major versions may contain changes to related files (such as "all.js").

Caveats

Since it is possible to completely bypass locked preferences by running a separate version of Firefox, Thunderbird, or SeaMonkey (or a completely different application) from a different location, it may be necessary to restrict which programs can be run. However, at this point, it is probably a good idea to examine exactly why you are locking the preferences in the first place. If the intent is to protect users from themselves, or to keep novice users from breaking their software, then you have probably done enough. However, if you are trying to secure your network using client-side settings, then you should realize this is very difficult, and ultimately wastes too many resources. Instead, you should probably redirect your efforts to the server/router where you can fight battles that are more easily won.

Undoing

To unlock all preferences, remove the entry you added earlier from the "local-settings.js" file and completely restart Firefox, Thunderbird, or SeaMonkey.

External links