I'm sure you have already heard of the many external protocol handling vulnerabilities that hit Firefox lately. Normally on this site you read about "in-security"; this article is a small exception, since it contains some tips that anybody can adopt to harden their preferred http/https client, also known as Mozilla Firefox, through the about:config interface.
First of all, open about:config by typing it in the URL bar, then follow the instructions below carefully. A backup is strongly encouraged.
The preferences are listed in the form "preference key, value to set, whether that value is the default, plus any warnings". Let's start.
network.protocol-handler.external-default    false    not default
This is the most important setting, and on its own it blocks the majority of the public vulnerabilities that make use of external handlers/protocols. Naturally you want to go deeper, so continue with the following.
network.protocol-handler.external.afp    false
network.protocol-handler.external.data    false
network.protocol-handler.external.disk    false
network.protocol-handler.external.disks    false
network.protocol-handler.external.hcp    false
network.protocol-handler.external.javascript    false
network.protocol-handler.external.mailto    false    not default
network.protocol-handler.external.ms-help    false
network.protocol-handler.external.news    false    not default
network.protocol-handler.external.nntp    false    not default
network.protocol-handler.external.shell    false
network.protocol-handler.external.snews    false    not default
network.protocol-handler.external.vbscript    false
network.protocol-handler.external.vnd.ms.radio    false
The above will disable external protocol handlers, mailto included (copy/paste of addresses will naturally keep working).
Warn if an external protocol handler is called (this should never happen if you follow this howto literally).
network.protocol-handler.warn-external-default    true
network.protocol-handler.warn-external.file    true    not default
network.protocol-handler.warn-external.mailto    true    not default
network.protocol-handler.warn-external.news    true    not default
network.protocol-handler.warn-external.nntp    true    not default
network.protocol-handler.warn-external.snews    true    not default
Use the internal editor for source viewing.
view_source.editor.external    false
Don't expose (i.e. disable) ALL the protocol handlers.
network.protocol-handler.expose-all    false    not default (WW)
Pay attention: links will no longer work, but I guess that you still want to click on http/https and ftp links. Logan on #firefox (irc.mozilla.org) was kind enough to point me to a bugzilla entry (https://bugzilla.mozilla.org/show_bug.cgi?id=317023) that solves the latter problem by defining a whitelist of exposed protocols.
As said in the 317023 entry, add these three keys (and any other protocol that you want to keep operative).
network.protocol-handler.expose.http    true    not default
network.protocol-handler.expose.https    true    not default
network.protocol-handler.expose.ftp    true    not default
network.protocol-handler.expose.javascript    true    not default
Disable existing protocol handlers.
network.protocol-handler.expose.mailto    false
network.protocol-handler.expose.news    false
network.protocol-handler.expose.nntp    false
network.protocol-handler.expose.snews    false
Privacy settings.
privacy.item.cache    true
privacy.item.cookies    true    not default
privacy.item.downloads    true
privacy.item.formdata    true
privacy.item.history    true
privacy.item.passwords    true    not default (!!)
privacy.item.sessions    true
privacy.item.siteprefs    true    not default (!!)
privacy.sanitize.promptOnSanitize    false    not default
privacy.sanitize.sanitizeOnShutdown    true    not default
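Once the settings above are in place, it is worth checking that a profile actually carries them, since about:config changes end up as user_pref() lines in the profile's prefs.js. The following audit script is an added example, not part of the original article: it parses the prefs.js/user.js format and reports every hardened key from this howto that is either set to a different value or, where the article marks the value as "not default", missing entirely. The "must be set" flags are taken from the article's "not default" annotations as an assumption about the Firefox version it describes; the sample file is constructed.

```python
import re

# Hardened settings from the article above: key -> (value, must_be_set).
# must_be_set mirrors the article's "not default" annotation: the hardened
# value differs from the built-in default, so the key has to appear explicitly.
HARDENED = {
    "network.protocol-handler.external-default": (False, True),
    "network.protocol-handler.expose-all": (False, True),
    "network.protocol-handler.expose.http": (True, True),
    "network.protocol-handler.expose.javascript": (True, True),
    "network.protocol-handler.external.mailto": (False, True),
    "network.protocol-handler.warn-external-default": (True, False),
    "privacy.sanitize.sanitizeOnShutdown": (True, True),
}

# prefs.js / user.js lines look like: user_pref("key", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw):
    """Turn a prefs.js literal (true/false, integer or "string") into a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw)


def parse_prefs(text):
    """Map every user_pref() line of a prefs.js/user.js file to its value."""
    return {m.group(1): parse_value(m.group(2))
            for m in map(PREF_RE.match, text.splitlines()) if m}


def audit(prefs):
    """Return {key: (found, expected)} for each hardened pref the profile misses."""
    findings = {}
    for key, (expected, must_be_set) in HARDENED.items():
        if key in prefs:
            if prefs[key] != expected:
                findings[key] = (prefs[key], expected)
        elif must_be_set:
            findings[key] = (None, expected)  # still at the stock default
    return findings


# Constructed sample, not copied from a real profile: expose-all left at true,
# the mailto handler re-enabled, and several hardened keys never set at all.
SAMPLE = '''# Mozilla User Preferences
user_pref("network.protocol-handler.external-default", false);
user_pref("network.protocol-handler.expose-all", true);
user_pref("network.protocol-handler.expose.http", true);
user_pref("network.protocol-handler.external.mailto", true);
user_pref("browser.startup.homepage", "about:blank");
'''
```

Running audit(parse_prefs(open("prefs.js").read())) against a real profile (Firefox must be closed, or it may overwrite the file) lists each key to revisit in about:config.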
References:
http://kb.mozillazine.org/About:config_entries
http://kb.mozillazine.org/Network.protocol-handler.expose-all
https://bugzilla.mozilla.org/show_bug.cgi?id=389106
https://bugzilla.mozilla.org/show_bug.cgi?id=317023
http://en.wikipedia.org/wiki/URI_scheme
Updates:
05-Aug-2007: Updated the article with the tip from Gurmeet Kochar to make the javascript handler work again (add the network.protocol-handler.expose.javascript key with boolean value true).