"Make your Firefox faster, safer and stable with few mouse clicks
"article says that many companies installs really DANGEROUS plugins in Firefox. I love Firefox but I must admit that it is a security risk since it allows plugin installation so easily. It should at least pop-up a message like "A plugin was installed stealthy. Do you want to disable it?"
My question is (because I don't really want to uninstall Firefox): how can I make Firefox not accept new plugins? Maybe if I delete some files I can cripple the Firefox plugin system until it is not working at all – but Firefox still works. I looked in my installed plugins (indeed I have that dangerous plugin installed) and I need none of them!
Best Answer
tl;dr ok sorry my answer may not be very readable but it incorporates several original research results that I successfully used in personal scope to block new plugins, while retaining addons.
ultra short version
short version (additionally):
<Firefox installation dir>/plugins. This would prevent any plugins from directory-based installing (as long as an installer doesn't replace the rights), except the few four that Firefox is prepared to know about.
plugin.scan.plid.all to false in about:config. This disables firefox registry-based scanning for new plugins.
click to play: you can make firefox ask you each time a site needs a plugin whether to activate it. In about:config set plugin.default.state to 1 (meaning "clicktoplay"), and also set plugins.click_to_play to true.
when using windows, for configuring directory permissions, you can use cacls with psexec (link below) for system-level access, or perhaps the permission listing on right-click properties' security tab
HKEY_CURRENT_USER\Software\MozillaPlugins\plugin-id, HKEY_LOCAL_MACHINE\Software\MozillaPlugins\plugin-id, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\plugin-id. you can use regedit with the tool psexec -s -i regedit.exe (or regedt32.exe).
very long version
update 2014/06
additionally to my original answer:
click_to_play were mixed in 885357 with plugin.default.state. you want to set plugin.default.state to 1 meaning "clicktoplay" or 0 meaning "disabled". the possible values are here in source/dom/plugins/base/nsIPluginTag.idl
plugin.expose_full_path is gone in newer versions
security.xpconnect.plugin.unrestricted may or may not be related
9999.0 too seems to be a valid value to minimum version. with today's media-hyped "increment version number per month" strategies 99.0 may be not enough, albeit I doubt the sales power of version 139 and 9999.0 still could cause surprise if it ever gets invalidated as a version.
gecko.handlerService.defaultHandlersVersion and MimeTypes.rdf can also induce program execution. there may or may not be other relevant concepts.
even more additional info:
lockPref, mozilla.cfg and co.
about:config entries of interest regarding update may include extensions.update.enabled, plugins.update.notifyUser, extensions.update.autoUpdateDefault, browser.search.update, app.update.service.enabled, app.update.silent, app.update.enabled, app.update.staging.enabled, app.update.url, services.sync.prefs.sync.app.update.mode, app.update.channel, app.update.auto and app.update.mode for which you can get a hint of possible values in for example source/browser/components/preferences/in-content/advanced.js, 2 being roughly warn for mode, and false meaning ask for auto, and more eg. app.update.incompatible.mode with hint of values in source/browser/app/profile/firefox.js, etc.
original answer
There's actually a way to prevent some, or all, plugins from "installing" but keep addons in Firefox. The problem is that on Windows, Firefox scans for plugins on some locations. On each of these locations can reside one or more plugins.
You can control how Firefox treats each of these locations but you cannot control how it treats individual plugins if the location lists more than one. Doing this involves multiple methods. Not all are nice.
Before getting into it, it's worth mentioning that there is also click to play, that will ask you to click before activating any plugin individually, if a webpage asks for any. It can be found in about:config as plugins.click_to_play. You can set it to true.
Now, first the nicer parts:
You shall go to the about:config page and filter for plugin.scan. Here, plid means a registry key location. The rest is for plugins that are handled individually.
The "1.3", etc. is the minimum version number that Firefox accepts. The recommendation is that for plugins you want to disable, set this value to 19.0. I've set it to 99.0 and it works in Firefox 18.
You can check the actual location of these plugins by the means described on Mozilla's KB. The idea is that you go to the about:plugins page to see active plugin's location. But you need to set plugin.expose_full_path to true first.
To disable all registry-based plugin location scan, set plugin.scan.plid.all to false. The actual registry key is described on another page of the KB. I listed the keys later.
If you ever need to reset these about:config settings, right click on them and choose reset.
Now for the uglier part:
Firefox will look for plugins in <Firefox installation dir>/plugins. This was where plugins like Acrobat, QuickTime and Office installed themselves in my computer.
The setting that was controlling this directory was removed. That's why I choose to modify the access rights of this directory. Set the rights for all users to read-only. Then no new program will be able to write to it.
I guess you could do the same with the registry key, too. The actual registry keys are:
(To set permission on a registry key, you right-click it and go for "Permissions...". You shall see it, but if you don't, try starting regedit with the tool psexec -s -i regedit.exe or using regedt32.exe if I recall it well.)
Just for the record, I've removed all access from the system user for the plugins dir, and Firefox didn't crash. Any new installation may, though.
For archiving purposes, I include the full URLs as text here:
plugin scanning: http://kb.mozillazine.org/Plugin_scanning . registry key: https://developer.mozilla.org/en-US/docs/Adding_Extensions_using_the_Windows_Registry#Plugins . location: http://kb.mozillazine.org/Issues_related_to_plugins#Plugin_location .
I've found these articles by browsing a category page listing all kind of interesting articles: http://kb.mozillazine.org/Category:Plugins
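A way to check a profile against the about:config settings named in the answer above, as an added example that is not part of the original answer. It assumes the user_pref("name", value); line format of prefs.js and user.js, treats the answer's tested value of 99.0 as the blocking threshold, and runs on a constructed sample; the plugin.scan.SunJRE and plugin.scan.Acrobat entries are sample inputs.

```python
import re

# Matches user_pref("name", value); as written in prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {pref name: value} with booleans, integers and strings decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    return prefs

def audit(prefs, block_version=99.0):
    """List settings from the answer that are absent from the file or weaker."""
    findings = []
    if prefs.get("plugin.scan.plid.all") is not False:
        findings.append("plugin.scan.plid.all: registry-based scanning not disabled")
    state = prefs.get("plugin.default.state")
    if type(state) is not int or state not in (0, 1):
        findings.append("plugin.default.state: not 0 (disabled) or 1 (clicktoplay)")
    if prefs.get("plugins.click_to_play") is not True:
        findings.append("plugins.click_to_play: not true")
    for name, value in sorted(prefs.items()):
        if name.startswith("plugin.scan.") and name != "plugin.scan.plid.all":
            try:
                version = float(value)
            except (TypeError, ValueError):
                version = 0.0  # unparsable minimum version: treat as not blocking
            if version < block_version:
                findings.append(f"{name}: minimum version {value} below {block_version}")
    return findings

# Constructed sample, not taken from a real profile.
SAMPLE = '''
user_pref("plugin.scan.plid.all", false);
user_pref("plugin.default.state", 2);
user_pref("plugin.scan.SunJRE", "1.3");
user_pref("plugin.scan.Acrobat", "99.0");
'''
```

prefs.js only records values that were changed from the built-in default, so a finding for a missing pref means "not set in this file", and plugin.scan.* entries left at their defaults are not visible to this check.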