Disable JavaScript's Moving Or Resizing Windows Capability

An XCCDF Rule

Description

JavaScript can configure and make changes to the web browser's appearance by specifically moving and resizing browser windows. This can be disabled by setting dom.disable_window_move_resize to true in the policy file.

Rationale

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window.

ID: xccdf_org.ssgproject.content_rule_firefox_policy-javascript_window_resizing
Severity: Medium
References: CCI-000381

CM-7

FFOX-00-000010
Updated: about 1 year ago


firefox_cfg="policies.json"
# Default to /etc/firefox/policies to use for remediations.
firefox_dirs="/etc/firefox/policies"
permissions=644
declare __REMEDIATE_PYTHON
if [ -x /usr/bin/python ]; then
    __REMEDIATE_PYTHON=/usr/bin/python
elif [ -x /usr/bin/python3 ]; then
    __REMEDIATE_PYTHON=/usr/bin/python3
elif [ -x /usr/bin/python2 ]; then
    __REMEDIATE_PYTHON=/usr/bin/python2
else
    echo "Python required and no python interpreter found."
    exit 1
fi
declare __FIREFOX_DISTRIBUTION
if find /usr -iname firefox\* -type f -print | grep -qe "firefox.sh$\|firefox-bin$"; then
   __FIREFOX_DISTRIBUTION=$(dirname "$(find /usr -iname firefox\* -type f -print | grep -e "firefox.sh$\|firefox-bin$" | head -n1)")/distribution
fi
# If there's a policies file in the distribution directory already, modify it.
if [ -f ${__FIREFOX_DISTRIBUTION}/policies.json ]; then
        firefox_dirs="${__FIREFOX_DISTRIBUTION}"
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
    if ! [ -d "${firefox_dir}" ]; then
        mkdir -p "${firefox_dir}"
        chmod 755 "${firefox_dir}"
    fi
    # Make sure the Firefox .cfg file exists and has the appropriate permissions
    if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        echo "{" > "${firefox_dir}/${firefox_cfg}"
        echo "    \"policies\": {" >> "${firefox_dir}/${firefox_cfg}"
        echo "    }" >> "${firefox_dir}/${firefox_cfg}"
        echo "}" >> "${firefox_dir}/${firefox_cfg}"
        chmod ${permissions} "${firefox_dir}/${firefox_cfg}"
    fi
    # If the key exists, change it. Otherwise, add it to the config_file.
    if [ -x ${__REMEDIATE_PYTHON} ]; then
        echo """
import json
_file=open('${firefox_dir}/${firefox_cfg}', 'r')
_tree=json.load(_file)
_file.close()


if 'Preferences' in _tree['policies']:
   pass
else:
   _tree['policies']['Preferences'] = dict()

if 'dom.disable_window_move_resize' in _tree['policies']['Preferences']:
   pass
else:
   _tree['policies']['Preferences']['dom.disable_window_move_resize'] = dict()

_tree['policies']['Preferences']['dom.disable_window_move_resize']['Value'] = True


if 'Preferences' in _tree['policies']:
   pass
else:
   _tree['policies']['Preferences'] = dict()

if 'dom.disable_window_move_resize' in _tree['policies']['Preferences']:
   pass
else:
   _tree['policies']['Preferences']['dom.disable_window_move_resize'] = dict()

_tree['policies']['Preferences']['dom.disable_window_move_resize']['Status'] = 'locked'

_file=open('${firefox_dir}/${firefox_cfg}', 'w')
json.dump(_tree, _file, indent=4, sort_keys=True)
_file.close()
""" | ${__REMEDIATE_PYTHON}
        chmod ${permissions} "${firefox_dir}/${firefox_cfg}"
    fi
done

Disable JavaScript's Moving Or Resizing Windows Capability

Description

Rationale

Remediation - Shell Script