Updating to 3.5

BrowserLoadURL broken

Overriding BrowserLoadURL in this kiosk extension was use to stop access to:

• file://
• about:
• resource:

File browsing is not really a security problem, though some people perceive it to be, therefore file:// should be disallowed.

BrowserLoadURL does not work in Firefox 3.5

This issue has been raised on mozillazine, however the fixes involve hacking browser.jar instead of overriding it with browser.xul, as what extensions should be doing. The final suggestion of fixing the local file browsing issue elegantly with CSS with:

@-moz-document url-prefix(file://) {
html > body { visibility: hidden !important;
}

Does not work in my tests.

https://bugzilla.mozilla.org/show_bug.cgi?id=524951

Stopping downloads

Stopping downloads should just work with http://git.webconverger.org/?p=iceweasel-webconverger.git;a=blob;f=content/unknownContentType.xul, however Firefox just continues downloading the file with the .part extension.

Setting the download dir as /dev/null does not work either btw.

This must limit needs to be in place as an attacker could start downloading a large file e.g. http://download.webconverger.org/webc-5.5.tar.gz and render an average Internet connection useless. Also in many countries "PAYG Internet" exists, so this hole can burn a hole in the pocket of Internet café operators.

irc.mozilla.org's #extdev sez I should look at https://developer.mozilla.org/en/nsIDownloadProgressListener to disable downloads.

https://bugzilla.mozilla.org/show_bug.cgi?id=524949

TODO: Implement https://developer.mozilla.org/en/NsIContentPolicy by building a XPCOM Component in Javascript

iceweasel-webconverger

Default and most common.

iceweasel-webcnoaddressbar

Customization option. For customers who want patrons to browse, but not enter in URLs.

iceweasel-webcfullscreen

Customization option. For customers who want to do Digital signage or just show off some pictures somewhere.

If you're concerned about the scroll bar, alter the overflow CSS element. Here is an example of a Web application providing a digital sign.

Implementation

We have forked rkiosk and created our own extension, (iceweasel-)webconverger. We had to do this as I had to modify some of upstream's packaging and functions. Upstream was also a little un-cooperative.

• iceweasel-webconverger.git.

Test the extension on your Firefox browser

http://webconverger.com/xpis

This will lock down the browser and you'll need to use the firefox --safe-mode to remove it.

The best way of installing and removing this extension is with:

deb http://debian.webconverger.com/ lenny/
deb-src http://debian.webconverger.com/ lenny/

in your /etc/apt/sources.list and the apt-get install iceweasel-webconverger on a Debian machine.

Slideware

"iceweasel-fullerscreen" is the name of the package of Daniel Glazman's FullerScreen extension. It is good particularly for slideshows, though not digital signage as 'FullerScreen' does not allow Flash movies to go fullscreen.

Further Links

• Ubufox - Ubuntu's custom kiosk modifications
• Another kiosk wiki
• Kiosk browser extension
• Bugzilla kiosk related bugs
• del.icio.us links
• GNU Kiosk
• rkiosk
• public fox