Firefox tips part II

Part 2 of this post.

It turns out that there are some very interesting things hidden in the dom.* section of about:config.

Specifically, there is this handy key which defaults to false, but if set to true is actually a rather beneficial security enhancement:

dom.disable_window_status_change

Setting this to true will prevent JavaScript from manipulating the status bar. This “feature” is often used in phishing attacks to disguise the real location a given link is referencing. If you set this to true, you will be able to see where you’re really going to end up, rather than where the script is programmed to make you think you’ll be headed.
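To confirm the setting on a given profile, the following added example (not part of the original post) parses the text of a profile's prefs.js and user.js and reports the effective value of the key. The function names and the sample file contents are constructed for illustration, and the fallback of false is the default stated above.

```python
import re

PREF = "dom.disable_window_status_change"
# Matches active lines such as: user_pref("some.name", true);
# Anchoring at line start means commented-out entries (// user_pref...) are skipped.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def effective_value(prefs_js, user_js="", default="false"):
    """Firefox applies user.js over prefs.js at startup, so user.js takes precedence."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(PREF, default)

def audit(prefs_js, user_js=""):
    """Return 'ok' when scripts are blocked from changing the status bar."""
    value = effective_value(prefs_js, user_js)
    return "ok" if value == "true" else "status bar scriptable (value: %s)" % value

# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("dom.disable_window_status_change", false);
'''
SAMPLE_USER_JS = 'user_pref("dom.disable_window_status_change", true);\n'

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_JS))                  # prefs.js alone
    print(audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS))  # with the user.js override
```

Pass in the contents of the two files read from the profile directory; a profile with neither file setting the key falls back to the default.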

For some more reading on the topic, designed around building a custom security policy for Firefox suitable for pushing out to end users, check out this article.