diff options
author | Moonchild <mcwerewolf@wolfbeast.com> | 2019-01-18 05:28:19 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-01-18 05:28:19 +0100 |
commit | 01ad6e7451f20f819e4ae3b10c981cc52b65b63d (patch) | |
tree | d7fdbdce1cca820e83ff19cb15af143211ab8d39 | |
parent | f6ef8d8ca7ed96d699c28914fc590b0604520fd0 (diff) | |
parent | a74b0934718f3cc442d8118acdecc4e5aa5b5323 (diff) | |
download | UXP-01ad6e7451f20f819e4ae3b10c981cc52b65b63d.tar UXP-01ad6e7451f20f819e4ae3b10c981cc52b65b63d.tar.gz UXP-01ad6e7451f20f819e4ae3b10c981cc52b65b63d.tar.lz UXP-01ad6e7451f20f819e4ae3b10c981cc52b65b63d.tar.xz UXP-01ad6e7451f20f819e4ae3b10c981cc52b65b63d.zip |
Merge pull request #931 from Ascrod/master
Fix option for disabling HSTS in Pale Moon
-rw-r--r-- | application/palemoon/components/preferences/security.xul | 6 | ||||
-rw-r--r-- | modules/libpref/init/all.js | 2 | ||||
-rw-r--r-- | security/manager/ssl/nsSiteSecurityService.cpp | 24 | ||||
-rw-r--r-- | security/manager/ssl/nsSiteSecurityService.h | 1 |
4 files changed, 30 insertions, 3 deletions
diff --git a/application/palemoon/components/preferences/security.xul b/application/palemoon/components/preferences/security.xul index b12946f2a..bc1625275 100644 --- a/application/palemoon/components/preferences/security.xul +++ b/application/palemoon/components/preferences/security.xul @@ -43,8 +43,8 @@ <!-- Security Protocols --> - <preference id="network.stricttransportsecurity.preloadlist" - name="network.stricttransportsecurity.preloadlist" + <preference id="network.stricttransportsecurity.enabled" + name="network.stricttransportsecurity.enabled" type="bool"/> <preference id="security.cert_pinning.enforcement_level" name="security.cert_pinning.enforcement_level" @@ -146,7 +146,7 @@ <checkbox id="enableHSTS" label="&enableHSTS.label;" accesskey="&enableHSTS.accesskey;" - preference="network.stricttransportsecurity.preloadlist" /> + preference="network.stricttransportsecurity.enabled" /> <checkbox id="enableHPKP" label="&enableHPKP.label;" accesskey="&enableHPKP.accesskey;" diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index f6a993962..21e36bf16 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -2038,6 +2038,8 @@ pref("network.proxy.autoconfig_url.include_path", false); pref("network.proxy.autoconfig_retry_interval_min", 5); // 5 seconds pref("network.proxy.autoconfig_retry_interval_max", 300); // 5 minutes +// Master switch for HSTS usage (security <-> privacy tradeoff) +pref("network.stricttransportsecurity.enabled", true); // Use the HSTS preload list by default pref("network.stricttransportsecurity.preloadlist", true); diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index 1d79844ff..fc38f4e64 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -211,6 +211,7 @@ nsSiteSecurityService::nsSiteSecurityService() : mMaxMaxAge(kSixtyDaysInSeconds) , mUsePreloadList(true) , mPreloadListTimeOffset(0) + , mUseStsService(true) { } @@ -239,6 +240,10 @@ nsSiteSecurityService::Init() "network.stricttransportsecurity.preloadlist", true); mozilla::Preferences::AddStrongObserver(this, "network.stricttransportsecurity.preloadlist"); + mUseStsService = mozilla::Preferences::GetBool( + "network.stricttransportsecurity.enabled", true); + mozilla::Preferences::AddStrongObserver(this, + "network.stricttransportsecurity.enabled"); mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool( "security.cert_pinning.process_headers_from_non_builtin_roots", false); mozilla::Preferences::AddStrongObserver(this, @@ -335,6 +340,11 @@ nsSiteSecurityService::SetHSTSState(uint32_t aType, aHSTSState == SecurityPropertyNegative), "HSTS State must be SecurityPropertySet or SecurityPropertyNegative"); + // Exit early if STS not enabled + if (!mUseStsService) { + return NS_OK; + } + int64_t expiretime = ExpireTimeFromMaxAge(maxage); SiteHSTSState siteState(expiretime, aHSTSState, includeSubdomains); nsAutoCString stateString; @@ -922,6 +932,13 @@ nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI, nsAutoCString hostname; nsresult rv = GetHost(aURI, hostname); NS_ENSURE_SUCCESS(rv, rv); + + // Exit early if STS not enabled + if (!mUseStsService) { + *aResult = false; + return NS_OK; + } + /* An IP address never qualifies as a secure URI. */ if (HostIsIPAddress(hostname.get())) { *aResult = false; @@ -980,6 +997,11 @@ nsSiteSecurityService::IsSecureHost(uint32_t aType, const char* aHost, *aCached = false; } + // Exit early if checking HSTS and STS not enabled + if (!mUseStsService && aType == nsISiteSecurityService::HEADER_HSTS) { + return NS_OK; + } + /* An IP address never qualifies as a secure URI. */ if (HostIsIPAddress(aHost)) { return NS_OK; @@ -1282,6 +1304,8 @@ nsSiteSecurityService::Observe(nsISupports *subject, if (strcmp(topic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { mUsePreloadList = mozilla::Preferences::GetBool( "network.stricttransportsecurity.preloadlist", true); + mUseStsService = mozilla::Preferences::GetBool( + "network.stricttransportsecurity.enabled", true); mPreloadListTimeOffset = mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0); mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool( diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h index c40180550..63afee377 100644 --- a/security/manager/ssl/nsSiteSecurityService.h +++ b/security/manager/ssl/nsSiteSecurityService.h @@ -150,6 +150,7 @@ private: uint64_t mMaxMaxAge; bool mUsePreloadList; + bool mUseStsService; int64_t mPreloadListTimeOffset; bool mProcessPKPHeadersFromNonBuiltInRoots; RefPtr<mozilla::DataStorage> mSiteStateStorage; |