4 files changed, 30 insertions, 3 deletions
diff --git a/application/palemoon/components/preferences/security.xul b/application/palemoon/components/preferences/security.xul
index b12946f2a..bc1625275 100644
--- a/application/palemoon/components/preferences/security.xul
+++ b/application/palemoon/components/preferences/security.xul
@@ -43,8 +43,8 @@
 
       <!-- Security Protocols -->
       
-      <preference id="network.stricttransportsecurity.preloadlist"
-                  name="network.stricttransportsecurity.preloadlist"
+      <preference id="network.stricttransportsecurity.enabled"
+                  name="network.stricttransportsecurity.enabled"
                   type="bool"/>
       <preference id="security.cert_pinning.enforcement_level"
                   name="security.cert_pinning.enforcement_level"
@@ -146,7 +146,7 @@
         <checkbox id="enableHSTS"
                   label="&enableHSTS.label;"
                   accesskey="&enableHSTS.accesskey;"
-                  preference="network.stricttransportsecurity.preloadlist" />
+                  preference="network.stricttransportsecurity.enabled" />
         <checkbox id="enableHPKP"
                   label="&enableHPKP.label;"
                   accesskey="&enableHPKP.accesskey;"
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index f6a993962..21e36bf16 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2038,6 +2038,8 @@ pref("network.proxy.autoconfig_url.include_path", false);
 pref("network.proxy.autoconfig_retry_interval_min", 5);    // 5 seconds
 pref("network.proxy.autoconfig_retry_interval_max", 300);  // 5 minutes
 
+// Master switch for HSTS usage (security <-> privacy tradeoff)
+pref("network.stricttransportsecurity.enabled", true);
 // Use the HSTS preload list by default
 pref("network.stricttransportsecurity.preloadlist", true);
 
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index 1d79844ff..fc38f4e64 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -211,6 +211,7 @@ nsSiteSecurityService::nsSiteSecurityService()
   : mMaxMaxAge(kSixtyDaysInSeconds)
   , mUsePreloadList(true)
   , mPreloadListTimeOffset(0)
+  , mUseStsService(true)
 {
 }
 
@@ -239,6 +240,10 @@ nsSiteSecurityService::Init()
     "network.stricttransportsecurity.preloadlist", true);
   mozilla::Preferences::AddStrongObserver(this,
     "network.stricttransportsecurity.preloadlist");
+  mUseStsService = mozilla::Preferences::GetBool(
+    "network.stricttransportsecurity.enabled", true);
+  mozilla::Preferences::AddStrongObserver(this,
+    "network.stricttransportsecurity.enabled");
   mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool(
     "security.cert_pinning.process_headers_from_non_builtin_roots", false);
   mozilla::Preferences::AddStrongObserver(this,
@@ -335,6 +340,11 @@ nsSiteSecurityService::SetHSTSState(uint32_t aType,
               aHSTSState == SecurityPropertyNegative),
       "HSTS State must be SecurityPropertySet or SecurityPropertyNegative");
 
+  // Exit early if STS not enabled
+  if (!mUseStsService) {
+    return NS_OK;
+  }
+
   int64_t expiretime = ExpireTimeFromMaxAge(maxage);
   SiteHSTSState siteState(expiretime, aHSTSState, includeSubdomains);
   nsAutoCString stateString;
@@ -922,6 +932,13 @@ nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI,
   nsAutoCString hostname;
   nsresult rv = GetHost(aURI, hostname);
   NS_ENSURE_SUCCESS(rv, rv);
+
+  // Exit early if STS not enabled
+  if (!mUseStsService) {
+    *aResult = false;
+    return NS_OK;
+  }
+
   /* An IP address never qualifies as a secure URI. */
   if (HostIsIPAddress(hostname.get())) {
     *aResult = false;
@@ -980,6 +997,11 @@ nsSiteSecurityService::IsSecureHost(uint32_t aType, const char* aHost,
     *aCached = false;
   }
 
+  // Exit early if checking HSTS and STS not enabled
+  if (!mUseStsService && aType == nsISiteSecurityService::HEADER_HSTS) {
+    return NS_OK;
+  }
+
   /* An IP address never qualifies as a secure URI. */
   if (HostIsIPAddress(aHost)) {
     return NS_OK;
@@ -1282,6 +1304,8 @@ nsSiteSecurityService::Observe(nsISupports *subject,
   if (strcmp(topic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
     mUsePreloadList = mozilla::Preferences::GetBool(
       "network.stricttransportsecurity.preloadlist", true);
+    mUseStsService = mozilla::Preferences::GetBool(
+      "network.stricttransportsecurity.enabled", true);
     mPreloadListTimeOffset =
       mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
     mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool(
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h
index c40180550..63afee377 100644
--- a/security/manager/ssl/nsSiteSecurityService.h
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -150,6 +150,7 @@ private:
 
   uint64_t mMaxMaxAge;
   bool mUsePreloadList;
+  bool mUseStsService;
   int64_t mPreloadListTimeOffset;
   bool mProcessPKPHeadersFromNonBuiltInRoots;
   RefPtr<mozilla::DataStorage> mSiteStateStorage;