/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs"; const lazy = {}; XPCOMUtils.defineLazyServiceGetter( lazy, "sss", "@mozilla.org/ssservice;1", "nsISiteSecurityService" ); XPCOMUtils.defineLazyServiceGetter( lazy, "certOverrideService", "@mozilla.org/security/certoverride;1", "nsICertOverrideService" ); const CERT_PINNING_ENFORCEMENT_PREF = "security.cert_pinning.enforcement_level"; const HSTS_PRELOAD_LIST_PREF = "network.stricttransportsecurity.preloadlist"; let requiredPreferencesSet = false; /** @namespace */ export const Certificates = {}; /** * Disable all security checks and allow all certs * per user context or globally. * * @param {string=} userContextId * Id of the user context to disable all security checks * and allow all certs for it. If not provided, disable globally. */ Certificates.disableSecurityChecks = function (userContextId = null) { if (!requiredPreferencesSet) { requiredPreferencesSet = true; // Make it possible to register certificate overrides for domains that use HSTS or HPKP. // Disable HTTP Strict Transport Security (HSTS) preload list. // That means that for the websites from HSTS preload list // HTTPS is not going to be enforced until the website is visited. Services.prefs.setBoolPref(HSTS_PRELOAD_LIST_PREF, false); // Disable preloaded static public key pins. // Which means that the public key hashes of certificates // will not be validated against the list of static public key pins. Services.prefs.setIntPref(CERT_PINNING_ENFORCEMENT_PREF, 0); } if (userContextId === null) { lazy.certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData( true ); } else { lazy.certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyDataForUserContext( userContextId, true ); } }; /** * Enable all security checks and allow all certs * per user context or globally. * * @param {string=} userContextId * Id of the user context to enable all security checks * and allow all certs for it. If not provided, enable globally. * Note: if the security checks are enabled for a user context but disabled globally * we will still have HSTS preload list and preloaded static key pins disabled * for this user context. */ Certificates.enableSecurityChecks = function (userContextId = null) { if (userContextId === null) { lazy.certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData( false ); } else { lazy.certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyDataForUserContext( userContextId, false ); } // TODO Bug 1862018. Reconsider when supporting multiple sessions. if (userContextId === null) { Services.prefs.clearUserPref(HSTS_PRELOAD_LIST_PREF); Services.prefs.clearUserPref(CERT_PINNING_ENFORCEMENT_PREF); // clear collected HSTS and HPKP state // through the site security service lazy.sss.clearAll(); requiredPreferencesSet = false; } }; /** * Reset security settings which were set for a user context. * * @param {string} userContextId * Id of the user context to reset all security checks. */ Certificates.resetSecurityChecksForUserContext = function (userContextId) { lazy.certOverrideService.resetDisableAllSecurityChecksAndLetAttackersInterceptMyDataForUserContext( userContextId ); };