author | wolfbeast <mcwerewolf@gmail.com> | 2018-05-29 17:27:27 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-05-29 17:27:27 +0200 |
commit | d58930d925e61cb23839d40ac384246d6e2d2332 (patch) | |
tree | 2759cc40bdb00df877d25d3470fc1b074df73910 | |
parent | 636d127253b75d0880f16ad96f006f6e27378130 (diff) | |
Fix sec pref locations and enable HPKP checking by default.
Some prefs (OCSP and HPKP) were incorrectly placed in all.js.
-rw-r--r-- | modules/libpref/init/all.js | 10 | ||||
-rw-r--r-- | netwerk/base/security-prefs.js | 11 |
2 files changed, 11 insertions, 10 deletions
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 18e23ff2e..16ab85485 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2158,19 +2158,9 @@ pref("security.block_script_with_wrong_mime", true); // Block images of wrong MIME for XCTO: nosniff. pref("security.xcto_nosniff_block_images", false); -// OCSP must-staple pref("security.ssl.enable_ocsp_must_staple", true); - // Insecure Form Field Warning pref("security.insecure_field_warning.contextual.enabled", false); -// Disable pinning checks by default. pref("security.cert_pinning.enforcement_level", 0); -// Do not process hpkp headers rooted by not built in roots by default. -// This is to prevent accidental pinning from MITM devices and is used -// for tests. pref("security.cert_pinning.process_headers_from_non_builtin_roots", false); - // If set to true, allow view-source URIs to be opened from URIs that share // their protocol with the inner URI of the view-source URI pref("security.view-source.reachable-from-inner-protocol", false);
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index 329a4c6b7..5351d7c04 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -111,6 +111,17 @@ pref("security.ssl.errorReporting.enabled", true); pref("security.ssl.errorReporting.url", "https://incoming.telemetry.mozilla.org/submit/sslreports/"); pref("security.ssl.errorReporting.automatic", false); +// OCSP must-staple +pref("security.ssl.enable_ocsp_must_staple", true); + +// HPKP settings + +// Enable pinning checks by default. +pref("security.cert_pinning.enforcement_level", 2); +// Do not process hpkp headers rooted by not built in roots by default. +// This is to prevent accidental pinning from MITM devices and is used +// for tests. +pref("security.cert_pinning.process_headers_from_non_builtin_roots", false); // Impose a maximum age on HPKP headers, to avoid sites getting permanently // blacking themselves out by setting a bad pin. (60 days by default) // https://tools.ietf.org/html/rfc7469#section-4.1 |
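Review bot: The new `security.cert_pinning.enforcement_level` line sets 2 while the comment above it only says "Enable pinning checks by default"; if this pref keeps its upstream Mozilla semantics (0 = off, 1 = enforce but let a chain ending in a user-installed, non-built-in root override a pin, 2 = strict, 3 = also enforce test-mode pins), 2 makes pinned hosts hard-fail for every user whose chain ends in a locally added root, i.e. enterprise TLS-inspection proxies and antivirus products that install their own CA, which as far as I recall is why upstream release builds shipped 1 rather than 2. The companion `process_headers_from_non_builtin_roots = false` on the last added line does not soften that, since it only governs whether new pins are learned from headers sent over such chains, not whether existing pins are enforced against them. Either change the line to `pref("security.cert_pinning.enforcement_level", 1);` if strict mode was not the intent, or keep 2 and state the trade-off explicitly so the next maintainer does not read it as the upstream default, e.g. `// Strict (2): pins are enforced even when the chain ends in a non-built-in root, so locally installed inspection/MITM CAs will fail on pinned hosts; use 1 to exempt such roots.`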