Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Mozilla.cfg not forcing all lockPref / not changing default value for some preferences

  • 4 replies
  • 1 has this problem
  • 1 view
  • Paskiausią atsakymą parašė Mike Kaply

more options

Hello Everyone,

Im implementing DOD compliant settings to Mozilla for our enviroment. I am currently in the testing phase - making sure its all set before deployment, Heres where the fun begins.

Ive done the usual - Place the mozilla.cfg in C:\Program Files\Mozilla Firefox Place the autoconfig.js in C:\Program Files\Mozilla Firefox\defaults\pref

and have set the lockPref accordingly for each finding. The issue is that some are being set correctly while others arent being changed at all and most changes arent locked. I have edited the config file to not include the comments (except the top one of course) and changed the \n\r and \r\n to be only \n for the entire file so formatting should not be the issue. I have also changed all commas to match the ones settings that work (no luck) - “” rather than ""

These are working - but doesnt have the lock image

lockPref(“security.default_personal_cert”, “Ask Every Time”; lockPref(“signon.rememberSignons”, false); lockPref(“toolkit.telemetry.archive.enabled”, false); lockPref(“browser.search.update”, false); lockPref(“browser.contentblocking.category”, strict); lockPref(“privacy.trackingprotection.cryptomining.enabled”, true); lockPref(“security.tls.version.max”, 4); lockPref(“dom.disable_window_flip”, true); lockPref(“network.protocol-handler.external.shell”, false);


These have Lock image and cannot be changed -working as it should

lockPref(“toolkit.telemetry.enabled”, false);



These are not working:

lockPref(“extensions.update.enabled”, false); lockPref(“dom.event.contextmenu.enabled”, false); lockPref(“extensions.htmlaboutaddons.recommendations.enabled”, false); lockPref(“datareporting.policy.dataSubmissionEnabled”, false); lockPref(“security.ssl3.rsa_des_ede3_sha”, false); lockPref(“security.enterprise_roots.enabled”, true); lockPref(“security.tls.version.min”, 2); lockPref(“browser.formfill.enable”, false) lockPref(“signon.autofillForms”, false); lockPref(“dom.disable_window_move_resize”, true); lockPref(“devtools.policy.disabled”, true);

These dont even show up in firefox:

lockPref(“xpinstall.enabled”, false); lockPref(“plugin.disable_full_page_plugin_for_types”, PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP); lockPref(“dom.disable_window_open_feature.status”, true); lockPref(“browser.newtabpage.activity-stream.enabled”, false)

below is the config file


// IMPORTANT: The settings applied within this directory are for STIGS compliance.


// Installed version of Firefox unsupported. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-17988

//NEED MANAGED BY OTHER MEANS


// FireFox is configured to ask which certificate to present to a web site when a certificate is required. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15768

lockPref(“security.default_personal_cert”, “Ask Every Time”;


// FireFox is configured to use a password store with or without a master password. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15776

lockPref(“signon.rememberSignons”, false);


// Fingerprinting protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102879

lockPref(“privacy.trackingprotection.fingerprinting.enabled”, true);


// Telemetry must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102875

lockPref(“toolkit.telemetry.enabled”, false);


// Telemetry archive must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102877

lockPref(“toolkit.telemetry.archive.enabled”, false);


// Firefox is configured to allow JavaScript to disable or replace context menus. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15986

lockPref(“dom.event.contextmenu.enabled”, false);


// Firefox automatically updates installed add-ons and plugins. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-19742

lockPref(“extensions.update.enabled”, false);


// Firefox automatically checks for updated version of installed Search plugins. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-19744

lockPref(“browser.search.update”, false);


// Enhanced Tracking Protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102883

lockPref(“browser.contentblocking.category”, strict);


// Cryptomining protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102881

lockPref(“privacy.trackingprotection.cryptomining.enabled”, true);


// Extension recommendations must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102885

lockPref(“extensions.htmlaboutaddons.recommendations.enabled”, false);


// Background submission of information to Mozilla must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-79053

lockPref(“datareporting.policy.dataSubmissionEnabled”, false);


// Deprecated ciphers must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102889

lockPref(“security.ssl3.rsa_des_ede3_sha”, false);


// The DOD Root Certificate is not installed. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-6318 // --Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store, this is not a finding.

lockPref(“security.enterprise_roots.enabled”, true);


// Firefox must be configured to allow only TLS. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15983

lockPref(“security.tls.version.min”, 2); lockPref(“security.tls.version.max”, 4);


// Extensions install must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-64891

lockPref(“xpinstall.enabled”, false);


// Firefox is configured to allow JavaScript to raise or lower windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15985

lockPref(“dom.disable_window_flip”, true);


// Firefox formfill assistance option is disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15774

lockPref(“browser.formfill.enable”, false)


// Firefox is configured to autofill passwords. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15775

lockPref(“signon.autofillForms”, false);


// Firefox is not configured to prompt a user before downloading and opening required file types. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15772

lockPref(“plugin.disable_full_page_plugin_for_types”, PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP);


// FireFox plug-in for ActiveX controls is installed. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15773

//NEED MANAGED BY OTHER MEANS


//Firefox automatically executes or downloads MIME types which are not authorized for auto-download. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15770

//NEED MANAGED BY OTHER MEANS


// Network shell protocol is enabled in FireFox. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15771

lockPref(“network.protocol-handler.external.shell”, false);


// FireFox is not configured to block pop-up windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15778

lockPref(“dom.disable_window_open_feature.status”, true);


// FireFox is configured to allow JavaScript to move or resize windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15779

lockPref(“dom.disable_window_move_resize”, true);


// Firefox Development Tools Must Be Disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-97529

lockPref(“devtools.policy.disabled”, true);


// Activity Stream must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102887

lockPref(“browser.newtabpage.activity-stream.enabled”, false)


// Created by: Kaige Royal // Date: 2/7/2021

Hello Everyone, Im implementing DOD compliant settings to Mozilla for our enviroment. I am currently in the testing phase - making sure its all set before deployment, Heres where the fun begins. Ive done the usual - Place the mozilla.cfg in C:\Program Files\Mozilla Firefox Place the autoconfig.js in C:\Program Files\Mozilla Firefox\defaults\pref and have set the lockPref accordingly for each finding. The issue is that some are being set correctly while others arent being changed at all and most changes arent locked. I have edited the config file to not include the comments (except the top one of course) and changed the \n\r and \r\n to be only \n for the entire file so formatting should not be the issue. I have also changed all commas to match the ones settings that work (no luck) - “” rather than "" These are working - but doesnt have the lock image lockPref(“security.default_personal_cert”, “Ask Every Time”; lockPref(“signon.rememberSignons”, false); lockPref(“toolkit.telemetry.archive.enabled”, false); lockPref(“browser.search.update”, false); lockPref(“browser.contentblocking.category”, strict); lockPref(“privacy.trackingprotection.cryptomining.enabled”, true); lockPref(“security.tls.version.max”, 4); lockPref(“dom.disable_window_flip”, true); lockPref(“network.protocol-handler.external.shell”, false); These have Lock image and cannot be changed -working as it should lockPref(“toolkit.telemetry.enabled”, false); These are not working: lockPref(“extensions.update.enabled”, false); lockPref(“dom.event.contextmenu.enabled”, false); lockPref(“extensions.htmlaboutaddons.recommendations.enabled”, false); lockPref(“datareporting.policy.dataSubmissionEnabled”, false); lockPref(“security.ssl3.rsa_des_ede3_sha”, false); lockPref(“security.enterprise_roots.enabled”, true); lockPref(“security.tls.version.min”, 2); lockPref(“browser.formfill.enable”, false) lockPref(“signon.autofillForms”, false); lockPref(“dom.disable_window_move_resize”, true); lockPref(“devtools.policy.disabled”, true); These dont even show up in firefox: lockPref(“xpinstall.enabled”, false); lockPref(“plugin.disable_full_page_plugin_for_types”, PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP); lockPref(“dom.disable_window_open_feature.status”, true); lockPref(“browser.newtabpage.activity-stream.enabled”, false) below is the config file ------------------------------------------------------------------------------ // IMPORTANT: The settings applied within this directory are for STIGS compliance. // Installed version of Firefox unsupported. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-17988 //NEED MANAGED BY OTHER MEANS // FireFox is configured to ask which certificate to present to a web site when a certificate is required. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15768 lockPref(“security.default_personal_cert”, “Ask Every Time”; // FireFox is configured to use a password store with or without a master password. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15776 lockPref(“signon.rememberSignons”, false); // Fingerprinting protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102879 lockPref(“privacy.trackingprotection.fingerprinting.enabled”, true); // Telemetry must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102875 lockPref(“toolkit.telemetry.enabled”, false); // Telemetry archive must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102877 lockPref(“toolkit.telemetry.archive.enabled”, false); // Firefox is configured to allow JavaScript to disable or replace context menus. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15986 lockPref(“dom.event.contextmenu.enabled”, false); // Firefox automatically updates installed add-ons and plugins. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-19742 lockPref(“extensions.update.enabled”, false); // Firefox automatically checks for updated version of installed Search plugins. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-19744 lockPref(“browser.search.update”, false); // Enhanced Tracking Protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102883 lockPref(“browser.contentblocking.category”, strict); // Cryptomining protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102881 lockPref(“privacy.trackingprotection.cryptomining.enabled”, true); // Extension recommendations must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102885 lockPref(“extensions.htmlaboutaddons.recommendations.enabled”, false); // Background submission of information to Mozilla must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-79053 lockPref(“datareporting.policy.dataSubmissionEnabled”, false); // Deprecated ciphers must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102889 lockPref(“security.ssl3.rsa_des_ede3_sha”, false); // The DOD Root Certificate is not installed. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-6318 // --Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store, this is not a finding. lockPref(“security.enterprise_roots.enabled”, true); // Firefox must be configured to allow only TLS. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15983 lockPref(“security.tls.version.min”, 2); lockPref(“security.tls.version.max”, 4); // Extensions install must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-64891 lockPref(“xpinstall.enabled”, false); // Firefox is configured to allow JavaScript to raise or lower windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15985 lockPref(“dom.disable_window_flip”, true); // Firefox formfill assistance option is disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15774 lockPref(“browser.formfill.enable”, false) // Firefox is configured to autofill passwords. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15775 lockPref(“signon.autofillForms”, false); // Firefox is not configured to prompt a user before downloading and opening required file types. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15772 lockPref(“plugin.disable_full_page_plugin_for_types”, PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP); // FireFox plug-in for ActiveX controls is installed. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15773 //NEED MANAGED BY OTHER MEANS //Firefox automatically executes or downloads MIME types which are not authorized for auto-download. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15770 //NEED MANAGED BY OTHER MEANS // Network shell protocol is enabled in FireFox. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15771 lockPref(“network.protocol-handler.external.shell”, false); // FireFox is not configured to block pop-up windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15778 lockPref(“dom.disable_window_open_feature.status”, true); // FireFox is configured to allow JavaScript to move or resize windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15779 lockPref(“dom.disable_window_move_resize”, true); // Firefox Development Tools Must Be Disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-97529 lockPref(“devtools.policy.disabled”, true); // Activity Stream must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102887 lockPref(“browser.newtabpage.activity-stream.enabled”, false) // Created by: Kaige Royal // Date: 2/7/2021
Pridėtos ekrano nuotraukos

Chosen solution

If I look closely to your above posted code then I notice you use Unicode quotes (”: &#201d;) and not the ASCII quotes (": ), so you need to make sure that all quotes are the latter.

Skaityti atsakymą kartu su kontekstu 👍 0

All Replies (4)

more options

Chosen Solution

If I look closely to your above posted code then I notice you use Unicode quotes (”: &#201d;) and not the ASCII quotes (": ), so you need to make sure that all quotes are the latter.

more options

The pref you posted under "These dont even show up in firefox:" are no longer supported in current Firefox releases. You can check about:config to see what prefs are suprorted or search the source code via https://searchfox.org/mozilla-release

Note that you can also use policies.json to deploy Firefox settings and there is support for quite a few prefs.

more options

Also, this preference:

lockPref(“plugin.disable_full_page_plugin_for_types”, PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP);

Is missing quotes for the types.

If you email the actual config file to me at mkaply at mozilla.com, I'll fix it up

Side note, I'm working with the DOD to update the STIG. Hopefully updates out soon and will remove all these old prefs and switch to using policies.

more options

I worked on this via email with Royal and we also found some unquoted strings. I marked the quote problem as the fix since that was the primary problem.

It's still not working locally for them (although it is for me), so I think they are having a separate issue. I'll continue to help as needed.