diff options
| author | Ascrod <32915892+Ascrod@users.noreply.github.com> | 2019-01-16 19:33:09 -0500 |
|---|---|---|
| committer | Ascrod <32915892+Ascrod@users.noreply.github.com> | 2019-01-16 19:33:09 -0500 |
| commit | 3afb818f20be5029c55c431ad25721e2404bff2d (patch) | |
| tree | d4a36e41a7c36602b89c399c226ae215eb14cab7 /security/manager/ssl/nsSiteSecurityService.cpp | |
| parent | c80c9cc4020be922207dfb136541c0f9b8eba1b5 (diff) | |
| download | UXP-3afb818f20be5029c55c431ad25721e2404bff2d.tar UXP-3afb818f20be5029c55c431ad25721e2404bff2d.tar.gz UXP-3afb818f20be5029c55c431ad25721e2404bff2d.tar.lz UXP-3afb818f20be5029c55c431ad25721e2404bff2d.tar.xz UXP-3afb818f20be5029c55c431ad25721e2404bff2d.zip | |
Add preference for fully disabling HSTS.
Diffstat (limited to 'security/manager/ssl/nsSiteSecurityService.cpp')
| -rw-r--r-- | security/manager/ssl/nsSiteSecurityService.cpp | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index 1d79844ff..0fd19dd5b 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -211,6 +211,7 @@ nsSiteSecurityService::nsSiteSecurityService() : mMaxMaxAge(kSixtyDaysInSeconds) , mUsePreloadList(true) , mPreloadListTimeOffset(0) + , mUseStsService(true) { } @@ -239,6 +240,10 @@ nsSiteSecurityService::Init() "network.stricttransportsecurity.preloadlist", true); mozilla::Preferences::AddStrongObserver(this, "network.stricttransportsecurity.preloadlist"); + mUseStsService = mozilla::Preferences::GetBool( + "network.stricttransportsecurity.enabled", true); + mozilla::Preferences::AddStrongObserver(this, + "network.stricttransportsecurity.enabled"); mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool( "security.cert_pinning.process_headers_from_non_builtin_roots", false); mozilla::Preferences::AddStrongObserver(this, @@ -335,6 +340,11 @@ nsSiteSecurityService::SetHSTSState(uint32_t aType, aHSTSState == SecurityPropertyNegative), "HSTS State must be SecurityPropertySet or SecurityPropertyNegative"); + // Exit early if STS not enabled + if (!mUseStsService) { + return NS_OK; + } + int64_t expiretime = ExpireTimeFromMaxAge(maxage); SiteHSTSState siteState(expiretime, aHSTSState, includeSubdomains); nsAutoCString stateString; @@ -922,6 +932,13 @@ nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI, nsAutoCString hostname; nsresult rv = GetHost(aURI, hostname); NS_ENSURE_SUCCESS(rv, rv); + + // Exit early if STS not enabled + if (!mUseStsService) { + *aResult = false; + return NS_OK; + } + /* An IP address never qualifies as a secure URI. */ if (HostIsIPAddress(hostname.get())) { *aResult = false; @@ -980,6 +997,11 @@ nsSiteSecurityService::IsSecureHost(uint32_t aType, const char* aHost, *aCached = false; } + // Exit early if checking HSTS and STS not enabled + if (!mUseStsService && aType != nsISiteSecurityService::HEADER_HSTS) { + return NS_OK; + } + /* An IP address never qualifies as a secure URI. */ if (HostIsIPAddress(aHost)) { return NS_OK; @@ -1282,6 +1304,8 @@ nsSiteSecurityService::Observe(nsISupports *subject, if (strcmp(topic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { mUsePreloadList = mozilla::Preferences::GetBool( "network.stricttransportsecurity.preloadlist", true); + mUseStsService = mozilla::Preferences::GetBool( + "network.stricttransportsecurity.enabled", true); mPreloadListTimeOffset = mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0); mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool( |