authorwolfbeast <mcwerewolf@gmail.com>2018-05-29 17:27:27 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-05-29 17:27:27 +0200
commitd58930d925e61cb23839d40ac384246d6e2d2332 (patch)
tree2759cc40bdb00df877d25d3470fc1b074df73910
parent636d127253b75d0880f16ad96f006f6e27378130 (diff)
Fix sec pref locations and enable HPKP checking by default.
Some prefs (OCSP must-staple and HPKP) were incorrectly in all.js rather than security-prefs.js.
-rw-r--r--modules/libpref/init/all.js10
-rw-r--r--netwerk/base/security-prefs.js11
2 files changed, 11 insertions, 10 deletions
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 18e23ff2e..16ab85485 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2158,19 +2158,9 @@ pref("security.block_script_with_wrong_mime", true);
// Block images of wrong MIME for XCTO: nosniff.
pref("security.xcto_nosniff_block_images", false);
-// OCSP must-staple
-pref("security.ssl.enable_ocsp_must_staple", true);
-
// Insecure Form Field Warning
pref("security.insecure_field_warning.contextual.enabled", false);
-// Disable pinning checks by default.
-pref("security.cert_pinning.enforcement_level", 0);
-// Do not process hpkp headers rooted by not built in roots by default.
-// This is to prevent accidental pinning from MITM devices and is used
-// for tests.
-pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
-
// If set to true, allow view-source URIs to be opened from URIs that share
// their protocol with the inner URI of the view-source URI
pref("security.view-source.reachable-from-inner-protocol", false);
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index 329a4c6b7..5351d7c04 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -111,6 +111,17 @@ pref("security.ssl.errorReporting.enabled", true);
pref("security.ssl.errorReporting.url", "https://incoming.telemetry.mozilla.org/submit/sslreports/");
pref("security.ssl.errorReporting.automatic", false);
+// OCSP must-staple
+pref("security.ssl.enable_ocsp_must_staple", true);
+
+// HPKP settings
+
+// Enable pinning checks by default.
+pref("security.cert_pinning.enforcement_level", 2);
+// Do not process hpkp headers rooted by not built in roots by default.
+// This is to prevent accidental pinning from MITM devices and is used
+// for tests.
+pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
// Impose a maximum age on HPKP headers, to avoid sites getting permanently
// blacking themselves out by setting a bad pin. (60 days by default)
// https://tools.ietf.org/html/rfc7469#section-4.1
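Review bot: The new default of `2` for `security.cert_pinning.enforcement_level` is, in Mozilla's implementation, the strict mode in which pins are enforced even when the chain terminates in a user-added or enterprise root; if this tree keeps that meaning, users behind TLS-inspecting proxies or AV products that install a local root will get hard certificate-pinning failures on every pinned host, which is why Firefox shipped `1` (enforce, but allow locally trusted MITM roots). The comment "Enable pinning checks by default" does not record that this is the strict variant or that the trade-off was considered, so a later reader cannot tell whether `1` would have sufficed. Either use `pref("security.cert_pinning.enforcement_level", 1);` or keep `2` and document it: `// 2 = strict: pins are enforced even when the chain ends in a user-added root, so TLS-intercepting proxies/AV will fail on pinned hosts; 1 would exempt such roots.` Enabling enforcement also makes the built-in static pinset load-bearing, so it is worth confirming it is current and that the preset expiry dates have not already lapsed, otherwise the pref silently enforces nothing; I cannot verify that from this hunk.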