Adding upstream version 86.0.1.upstream/86.0.1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

20 files changed, 1629 insertions, 0 deletions

diff --git a/toolkit/components/enterprisepolicies/EnterprisePolicies.jsm b/toolkit/components/enterprisepolicies/EnterprisePolicies.jsm
new file mode 100644
index 0000000000..0d615ed560
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/EnterprisePolicies.jsm
@@ -0,0 +1,22 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+var EXPORTED_SYMBOLS = ["EnterprisePolicies"];
+
+function EnterprisePolicies() {
+  // eslint-disable-next-line mozilla/use-services
+  const appinfo = Cc["@mozilla.org/xre/app-info;1"].getService(
+    Ci.nsIXULRuntime
+  );
+  if (appinfo.processType == appinfo.PROCESS_TYPE_DEFAULT) {
+    const { EnterprisePoliciesManager } = ChromeUtils.import(
+      "resource://gre/modules/EnterprisePoliciesParent.jsm"
+    );
+    return new EnterprisePoliciesManager();
+  }
+  const { EnterprisePoliciesManagerContent } = ChromeUtils.import(
+    "resource://gre/modules/EnterprisePoliciesContent.jsm"
+  );
+  return new EnterprisePoliciesManagerContent();
+}
diff --git a/toolkit/components/enterprisepolicies/EnterprisePoliciesContent.jsm b/toolkit/components/enterprisepolicies/EnterprisePoliciesContent.jsm
new file mode 100644
index 0000000000..ba101cf814
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/EnterprisePoliciesContent.jsm
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+var EXPORTED_SYMBOLS = ["EnterprisePoliciesManagerContent"];
+
+const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+
+class EnterprisePoliciesManagerContent {
+  get status() {
+    return (
+      Services.cpmm.sharedData.get("EnterprisePolicies:Status") ||
+      Ci.nsIEnterprisePolicies.INACTIVE
+    );
+  }
+
+  isAllowed(feature) {
+    let disallowedFeatures = Services.cpmm.sharedData.get(
+      "EnterprisePolicies:DisallowedFeatures"
+    );
+    return !(disallowedFeatures && disallowedFeatures.has(feature));
+  }
+}
+
+EnterprisePoliciesManagerContent.prototype.QueryInterface = ChromeUtils.generateQI(
+  ["nsIEnterprisePolicies"]
+);
diff --git a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm
new file mode 100644
index 0000000000..8b0a5170cb
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm
@@ -0,0 +1,656 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+var EXPORTED_SYMBOLS = ["EnterprisePoliciesManager"];
+
+const { XPCOMUtils } = ChromeUtils.import(
+  "resource://gre/modules/XPCOMUtils.jsm"
+);
+const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const { AppConstants } = ChromeUtils.import(
+  "resource://gre/modules/AppConstants.jsm"
+);
+
+XPCOMUtils.defineLazyModuleGetters(this, {
+  WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm",
+  macOSPoliciesParser:
+    "resource://gre/modules/policies/macOSPoliciesParser.jsm",
+  Policies: "resource:///modules/policies/Policies.jsm",
+  JsonSchemaValidator:
+    "resource://gre/modules/components-utils/JsonSchemaValidator.jsm",
+});
+
+// This is the file that will be searched for in the
+// ${InstallDir}/distribution folder.
+const POLICIES_FILENAME = "policies.json";
+
+// When true browser policy is loaded per-user from
+// /run/user/$UID/appname
+const PREF_PER_USER_DIR = "toolkit.policies.perUserDir";
+// For easy testing, modify the helpers/sample.json file,
+// and set PREF_ALTERNATE_PATH in firefox.js as:
+// /your/repo/browser/components/enterprisepolicies/helpers/sample.json
+const PREF_ALTERNATE_PATH = "browser.policies.alternatePath";
+// For testing, we may want to set PREF_ALTERNATE_PATH to point to a file
+// relative to the test root directory. In order to enable this, the string
+// below may be placed at the beginning of that preference value and it will
+// be replaced with the path to the test root directory.
+const MAGIC_TEST_ROOT_PREFIX = "<test-root>";
+const PREF_TEST_ROOT = "mochitest.testRoot";
+
+const PREF_LOGLEVEL = "browser.policies.loglevel";
+
+// To force disallowing enterprise-only policies during tests
+const PREF_DISALLOW_ENTERPRISE = "browser.policies.testing.disallowEnterprise";
+
+// To allow for cleaning up old policies
+const PREF_POLICIES_APPLIED = "browser.policies.applied";
+
+XPCOMUtils.defineLazyGetter(this, "log", () => {
+  let { ConsoleAPI } = ChromeUtils.import("resource://gre/modules/Console.jsm");
+  return new ConsoleAPI({
+    prefix: "Enterprise Policies",
+    // tip: set maxLogLevel to "debug" and use log.debug() to create detailed
+    // messages during development. See LOG_LEVELS in Console.jsm for details.
+    maxLogLevel: "error",
+    maxLogLevelPref: PREF_LOGLEVEL,
+  });
+});
+
+let env = Cc["@mozilla.org/process/environment;1"].getService(
+  Ci.nsIEnvironment
+);
+const isXpcshell = env.exists("XPCSHELL_TEST_PROFILE_DIR");
+
+// We're only testing for empty objects, not
+// empty strings or empty arrays.
+function isEmptyObject(obj) {
+  if (typeof obj != "object" || Array.isArray(obj)) {
+    return false;
+  }
+  for (let key of Object.keys(obj)) {
+    if (!isEmptyObject(obj[key])) {
+      return false;
+    }
+  }
+  return true;
+}
+
+function EnterprisePoliciesManager() {
+  Services.obs.addObserver(this, "profile-after-change", true);
+  Services.obs.addObserver(this, "final-ui-startup", true);
+  Services.obs.addObserver(this, "sessionstore-windows-restored", true);
+  Services.obs.addObserver(this, "EnterprisePolicies:Restart", true);
+}
+
+EnterprisePoliciesManager.prototype = {
+  QueryInterface: ChromeUtils.generateQI([
+    "nsIObserver",
+    "nsISupportsWeakReference",
+    "nsIEnterprisePolicies",
+  ]),
+
+  _initialize() {
+    if (Services.prefs.getBoolPref(PREF_POLICIES_APPLIED, false)) {
+      if ("_cleanup" in Policies) {
+        let policyImpl = Policies._cleanup;
+
+        for (let timing of Object.keys(this._callbacks)) {
+          let policyCallback = policyImpl[timing];
+          if (policyCallback) {
+            this._schedulePolicyCallback(
+              timing,
+              policyCallback.bind(
+                policyImpl,
+                this /* the EnterprisePoliciesManager */
+              )
+            );
+          }
+        }
+      }
+      Services.prefs.clearUserPref(PREF_POLICIES_APPLIED);
+    }
+
+    let provider = this._chooseProvider();
+
+    if (!provider) {
+      this.status = Ci.nsIEnterprisePolicies.INACTIVE;
+      return;
+    }
+
+    if (provider.failed) {
+      this.status = Ci.nsIEnterprisePolicies.FAILED;
+      return;
+    }
+
+    this.status = Ci.nsIEnterprisePolicies.ACTIVE;
+    this._parsedPolicies = {};
+    Services.telemetry.scalarSet(
+      "policies.count",
+      Object.keys(provider.policies).length
+    );
+    this._activatePolicies(provider.policies);
+
+    Services.prefs.setBoolPref(PREF_POLICIES_APPLIED, true);
+  },
+
+  _chooseProvider() {
+    let provider = null;
+    if (AppConstants.platform == "win") {
+      provider = new WindowsGPOPoliciesProvider();
+    } else if (AppConstants.platform == "macosx") {
+      provider = new macOSPoliciesProvider();
+    }
+    if (provider && provider.hasPolicies) {
+      return provider;
+    }
+
+    provider = new JSONPoliciesProvider();
+    if (provider.hasPolicies) {
+      return provider;
+    }
+
+    return null;
+  },
+
+  _activatePolicies(unparsedPolicies) {
+    let { schema } = ChromeUtils.import(
+      "resource:///modules/policies/schema.jsm"
+    );
+
+    for (let policyName of Object.keys(unparsedPolicies)) {
+      let policySchema = schema.properties[policyName];
+      let policyParameters = unparsedPolicies[policyName];
+
+      if (!policySchema) {
+        log.error(`Unknown policy: ${policyName}`);
+        continue;
+      }
+
+      if (policySchema.enterprise_only && !areEnterpriseOnlyPoliciesAllowed()) {
+        log.error(`Policy ${policyName} is only allowed on ESR`);
+        continue;
+      }
+
+      let {
+        valid: parametersAreValid,
+        parsedValue: parsedParameters,
+      } = JsonSchemaValidator.validate(policyParameters, policySchema, {
+        allowExtraProperties: true,
+      });
+
+      if (!parametersAreValid) {
+        log.error(`Invalid parameters specified for ${policyName}.`);
+        continue;
+      }
+
+      this._parsedPolicies[policyName] = parsedParameters;
+      let policyImpl = Policies[policyName];
+
+      for (let timing of Object.keys(this._callbacks)) {
+        let policyCallback = policyImpl[timing];
+        if (policyCallback) {
+          this._schedulePolicyCallback(
+            timing,
+            policyCallback.bind(
+              policyImpl,
+              this /* the EnterprisePoliciesManager */,
+              parsedParameters
+            )
+          );
+        }
+      }
+    }
+  },
+
+  _callbacks: {
+    // The earliest that a policy callback can run. This will
+    // happen right after the Policy Engine itself has started,
+    // and before the Add-ons Manager has started.
+    onBeforeAddons: [],
+
+    // This happens after all the initialization related to
+    // the profile has finished (prefs, places database, etc.).
+    onProfileAfterChange: [],
+
+    // Just before the first browser window gets created.
+    onBeforeUIStartup: [],
+
+    // Called after all windows from the last session have been
+    // restored (or the default window and homepage tab, if the
+    // session is not being restored).
+    // The content of the tabs themselves have not necessarily
+    // finished loading.
+    onAllWindowsRestored: [],
+  },
+
+  _schedulePolicyCallback(timing, callback) {
+    this._callbacks[timing].push(callback);
+  },
+
+  _runPoliciesCallbacks(timing) {
+    let callbacks = this._callbacks[timing];
+    while (callbacks.length) {
+      let callback = callbacks.shift();
+      try {
+        callback();
+      } catch (ex) {
+        log.error("Error running ", callback, `for ${timing}:`, ex);
+      }
+    }
+  },
+
+  async _restart() {
+    DisallowedFeatures = {};
+
+    Services.ppmm.sharedData.delete("EnterprisePolicies:Status");
+    Services.ppmm.sharedData.delete("EnterprisePolicies:DisallowedFeatures");
+
+    this._status = Ci.nsIEnterprisePolicies.UNINITIALIZED;
+    for (let timing of Object.keys(this._callbacks)) {
+      this._callbacks[timing] = [];
+    }
+
+    let { PromiseUtils } = ChromeUtils.import(
+      "resource://gre/modules/PromiseUtils.jsm"
+    );
+    // Simulate the startup process. This step-by-step is a bit ugly but it
+    // tries to emulate the same behavior as of a normal startup.
+
+    await PromiseUtils.idleDispatch(() => {
+      this.observe(null, "policies-startup", null);
+    });
+
+    await PromiseUtils.idleDispatch(() => {
+      this.observe(null, "profile-after-change", null);
+    });
+
+    await PromiseUtils.idleDispatch(() => {
+      this.observe(null, "final-ui-startup", null);
+    });
+
+    await PromiseUtils.idleDispatch(() => {
+      this.observe(null, "sessionstore-windows-restored", null);
+    });
+  },
+
+  // nsIObserver implementation
+  observe: function BG_observe(subject, topic, data) {
+    switch (topic) {
+      case "policies-startup":
+        // Before the first set of policy callbacks runs, we must
+        // initialize the service.
+        this._initialize();
+
+        this._runPoliciesCallbacks("onBeforeAddons");
+        break;
+
+      case "profile-after-change":
+        this._runPoliciesCallbacks("onProfileAfterChange");
+        break;
+
+      case "final-ui-startup":
+        this._runPoliciesCallbacks("onBeforeUIStartup");
+        break;
+
+      case "sessionstore-windows-restored":
+        this._runPoliciesCallbacks("onAllWindowsRestored");
+
+        // After the last set of policy callbacks ran, notify the test observer.
+        Services.obs.notifyObservers(
+          null,
+          "EnterprisePolicies:AllPoliciesApplied"
+        );
+        break;
+
+      case "EnterprisePolicies:Restart":
+        this._restart().then(null, Cu.reportError);
+        break;
+    }
+  },
+
+  disallowFeature(feature, neededOnContentProcess = false) {
+    DisallowedFeatures[feature] = neededOnContentProcess;
+
+    // NOTE: For optimization purposes, only features marked as needed
+    // on content process will be passed onto the child processes.
+    if (neededOnContentProcess) {
+      Services.ppmm.sharedData.set(
+        "EnterprisePolicies:DisallowedFeatures",
+        new Set(
+          Object.keys(DisallowedFeatures).filter(key => DisallowedFeatures[key])
+        )
+      );
+    }
+  },
+
+  // ------------------------------
+  // public nsIEnterprisePolicies members
+  // ------------------------------
+
+  _status: Ci.nsIEnterprisePolicies.UNINITIALIZED,
+
+  set status(val) {
+    this._status = val;
+    if (val != Ci.nsIEnterprisePolicies.INACTIVE) {
+      Services.ppmm.sharedData.set("EnterprisePolicies:Status", val);
+    }
+    return val;
+  },
+
+  get status() {
+    return this._status;
+  },
+
+  isAllowed: function BG_sanitize(feature) {
+    return !(feature in DisallowedFeatures);
+  },
+
+  getActivePolicies() {
+    return this._parsedPolicies;
+  },
+
+  setSupportMenu(supportMenu) {
+    SupportMenu = supportMenu;
+  },
+
+  getSupportMenu() {
+    return SupportMenu;
+  },
+
+  setExtensionPolicies(extensionPolicies) {
+    ExtensionPolicies = extensionPolicies;
+  },
+
+  getExtensionPolicy(extensionID) {
+    if (ExtensionPolicies && extensionID in ExtensionPolicies) {
+      return ExtensionPolicies[extensionID];
+    }
+    return null;
+  },
+
+  setExtensionSettings(extensionSettings) {
+    ExtensionSettings = extensionSettings;
+    if (
+      "*" in extensionSettings &&
+      "install_sources" in extensionSettings["*"]
+    ) {
+      InstallSources = new MatchPatternSet(
+        extensionSettings["*"].install_sources
+      );
+    }
+  },
+
+  getExtensionSettings(extensionID) {
+    let settings = null;
+    if (ExtensionSettings) {
+      if (extensionID in ExtensionSettings) {
+        settings = ExtensionSettings[extensionID];
+      } else if ("*" in ExtensionSettings) {
+        settings = ExtensionSettings["*"];
+      }
+    }
+    return settings;
+  },
+
+  mayInstallAddon(addon) {
+    // See https://dev.chromium.org/administrators/policy-list-3/extension-settings-full
+    if (!ExtensionSettings) {
+      return true;
+    }
+    if (addon.id in ExtensionSettings) {
+      if ("installation_mode" in ExtensionSettings[addon.id]) {
+        switch (ExtensionSettings[addon.id].installation_mode) {
+          case "blocked":
+            return false;
+          default:
+            return true;
+        }
+      }
+    }
+    if ("*" in ExtensionSettings) {
+      if (
+        ExtensionSettings["*"].installation_mode &&
+        ExtensionSettings["*"].installation_mode == "blocked"
+      ) {
+        return false;
+      }
+      if ("allowed_types" in ExtensionSettings["*"]) {
+        return ExtensionSettings["*"].allowed_types.includes(addon.type);
+      }
+    }
+    return true;
+  },
+
+  allowedInstallSource(uri) {
+    return InstallSources ? InstallSources.matches(uri) : true;
+  },
+};
+
+let DisallowedFeatures = {};
+let SupportMenu = null;
+let ExtensionPolicies = null;
+let ExtensionSettings = null;
+let InstallSources = null;
+
+/**
+ * areEnterpriseOnlyPoliciesAllowed
+ *
+ * Checks whether the policies marked as enterprise_only in the
+ * schema are allowed to run on this browser.
+ *
+ * This is meant to only allow policies to run on ESR, but in practice
+ * we allow it to run on channels different than release, to allow
+ * these policies to be tested on pre-release channels.
+ *
+ * @returns {Bool} Whether the policy can run.
+ */
+function areEnterpriseOnlyPoliciesAllowed() {
+  if (Cu.isInAutomation || isXpcshell) {
+    if (Services.prefs.getBoolPref(PREF_DISALLOW_ENTERPRISE, false)) {
+      // This is used as an override to test the "enterprise_only"
+      // functionality itself on tests.
+      return false;
+    }
+    return true;
+  }
+
+  if (AppConstants.MOZ_UPDATE_CHANNEL != "release") {
+    return true;
+  }
+
+  return false;
+}
+
+/*
+ * JSON PROVIDER OF POLICIES
+ *
+ * This is a platform-agnostic provider which looks for
+ * policies specified through a policies.json file stored
+ * in the installation's distribution folder.
+ */
+
+class JSONPoliciesProvider {
+  constructor() {
+    this._policies = null;
+    this._failed = false;
+    this._readData();
+  }
+
+  get hasPolicies() {
+    return (
+      this._failed ||
+      (this._policies !== null && !isEmptyObject(this._policies))
+    );
+  }
+
+  get policies() {
+    return this._policies;
+  }
+
+  get failed() {
+    return this._failed;
+  }
+
+  _getConfigurationFile() {
+    let configFile = null;
+
+    if (AppConstants.platform == "linux") {
+      let systemConfigFile = Cc["@mozilla.org/file/local;1"].createInstance(
+        Ci.nsIFile
+      );
+      systemConfigFile.initWithPath(
+        "/etc/" + Services.appinfo.name.toLowerCase() + "/policies"
+      );
+      systemConfigFile.append(POLICIES_FILENAME);
+      if (systemConfigFile.exists()) {
+        return systemConfigFile;
+      }
+    }
+
+    try {
+      let perUserPath = Services.prefs.getBoolPref(PREF_PER_USER_DIR, false);
+      if (perUserPath) {
+        configFile = Services.dirsvc.get("XREUserRunTimeDir", Ci.nsIFile);
+      } else {
+        configFile = Services.dirsvc.get("XREAppDist", Ci.nsIFile);
+      }
+      configFile.append(POLICIES_FILENAME);
+    } catch (ex) {
+      // Getting the correct directory will fail in xpcshell tests. This should
+      // be handled the same way as if the configFile simply does not exist.
+    }
+
+    let alternatePath = Services.prefs.getStringPref(PREF_ALTERNATE_PATH, "");
+
+    // Check if we are in automation *before* we use the synchronous
+    // nsIFile.exists() function or allow the config file to be overriden
+    // An alternate policy path can also be used in Nightly builds (for
+    // testing purposes), but the Background Update Agent will be unable to
+    // detect the alternate policy file so the DisableAppUpdate policy may not
+    // work as expected.
+    if (
+      alternatePath &&
+      (Cu.isInAutomation || AppConstants.NIGHTLY_BUILD || isXpcshell) &&
+      (!configFile || !configFile.exists())
+    ) {
+      if (alternatePath.startsWith(MAGIC_TEST_ROOT_PREFIX)) {
+        // Intentionally not using a default value on this pref lookup. If no
+        // test root is set, we are not currently testing and this function
+        // should throw rather than returning something.
+        let testRoot = Services.prefs.getStringPref(PREF_TEST_ROOT);
+        let relativePath = alternatePath.substring(
+          MAGIC_TEST_ROOT_PREFIX.length
+        );
+        if (AppConstants.platform == "win") {
+          relativePath = relativePath.replace(/\//g, "\\");
+        }
+        alternatePath = testRoot + relativePath;
+      }
+
+      configFile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+      configFile.initWithPath(alternatePath);
+    }
+
+    return configFile;
+  }
+
+  _readData() {
+    let configFile = this._getConfigurationFile();
+    if (!configFile) {
+      // Do nothing, _policies will remain null
+      return;
+    }
+    try {
+      let data = Cu.readUTF8File(configFile);
+      if (data) {
+        this._policies = JSON.parse(data).policies;
+
+        if (!this._policies) {
+          log.error("Policies file doesn't contain a 'policies' object");
+          this._failed = true;
+        }
+      }
+    } catch (ex) {
+      if (
+        ex instanceof Components.Exception &&
+        ex.result == Cr.NS_ERROR_FILE_NOT_FOUND
+      ) {
+        // Do nothing, _policies will remain null
+      } else if (ex instanceof SyntaxError) {
+        log.error("Error parsing JSON file");
+        this._failed = true;
+      } else {
+        log.error("Error reading file");
+        this._failed = true;
+      }
+    }
+  }
+}
+
+class WindowsGPOPoliciesProvider {
+  constructor() {
+    this._policies = null;
+
+    let wrk = Cc["@mozilla.org/windows-registry-key;1"].createInstance(
+      Ci.nsIWindowsRegKey
+    );
+
+    // Machine policies override user policies, so we read
+    // user policies first and then replace them if necessary.
+    log.debug("root = HKEY_CURRENT_USER");
+    this._readData(wrk, wrk.ROOT_KEY_CURRENT_USER);
+    log.debug("root = HKEY_LOCAL_MACHINE");
+    this._readData(wrk, wrk.ROOT_KEY_LOCAL_MACHINE);
+  }
+
+  get hasPolicies() {
+    return this._policies !== null && !isEmptyObject(this._policies);
+  }
+
+  get policies() {
+    return this._policies;
+  }
+
+  get failed() {
+    return this._failed;
+  }
+
+  _readData(wrk, root) {
+    try {
+      wrk.open(root, "SOFTWARE\\Policies", wrk.ACCESS_READ);
+      if (wrk.hasChild("Mozilla\\" + Services.appinfo.name)) {
+        this._policies = WindowsGPOParser.readPolicies(wrk, this._policies);
+      }
+      wrk.close();
+    } catch (e) {
+      log.error("Unable to access registry - ", e);
+    }
+  }
+}
+
+class macOSPoliciesProvider {
+  constructor() {
+    this._policies = null;
+    let prefReader = Cc["@mozilla.org/mac-preferences-reader;1"].createInstance(
+      Ci.nsIMacPreferencesReader
+    );
+    if (!prefReader.policiesEnabled()) {
+      return;
+    }
+    this._policies = macOSPoliciesParser.readPolicies(prefReader);
+  }
+
+  get hasPolicies() {
+    return this._policies !== null && Object.keys(this._policies).length;
+  }
+
+  get policies() {
+    return this._policies;
+  }
+
+  get failed() {
+    return this._failed;
+  }
+}
diff --git a/toolkit/components/enterprisepolicies/WindowsGPOParser.jsm b/toolkit/components/enterprisepolicies/WindowsGPOParser.jsm
new file mode 100644
index 0000000000..2b945ab90c
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/WindowsGPOParser.jsm
@@ -0,0 +1,111 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const { XPCOMUtils } = ChromeUtils.import(
+  "resource://gre/modules/XPCOMUtils.jsm"
+);
+
+const PREF_LOGLEVEL = "browser.policies.loglevel";
+
+XPCOMUtils.defineLazyGetter(this, "log", () => {
+  let { ConsoleAPI } = ChromeUtils.import("resource://gre/modules/Console.jsm");
+  return new ConsoleAPI({
+    prefix: "GPOParser.jsm",
+    // tip: set maxLogLevel to "debug" and use log.debug() to create detailed
+    // messages during development. See LOG_LEVELS in Console.jsm for details.
+    maxLogLevel: "error",
+    maxLogLevelPref: PREF_LOGLEVEL,
+  });
+});
+
+var EXPORTED_SYMBOLS = ["WindowsGPOParser"];
+
+var WindowsGPOParser = {
+  readPolicies(wrk, policies) {
+    let childWrk = wrk.openChild(
+      "Mozilla\\" + Services.appinfo.name,
+      wrk.ACCESS_READ
+    );
+    if (!policies) {
+      policies = {};
+    }
+    try {
+      policies = registryToObject(childWrk, policies);
+    } catch (e) {
+      log.error(e);
+    } finally {
+      childWrk.close();
+    }
+    // Need an extra check here so we don't
+    // JSON.stringify if we aren't in debug mode
+    if (log._maxLogLevel == "debug") {
+      log.debug(JSON.stringify(policies, null, 2));
+    }
+    return policies;
+  },
+};
+
+function registryToObject(wrk, policies) {
+  if (!policies) {
+    policies = {};
+  }
+  if (wrk.valueCount > 0) {
+    if (wrk.getValueName(0) == "1") {
+      // If the first item is 1, just assume it is an array
+      let array = [];
+      for (let i = 0; i < wrk.valueCount; i++) {
+        array.push(readRegistryValue(wrk, wrk.getValueName(i)));
+      }
+      // If it's an array, it shouldn't have any children
+      return array;
+    }
+    for (let i = 0; i < wrk.valueCount; i++) {
+      let name = wrk.getValueName(i);
+      let value = readRegistryValue(wrk, name);
+      policies[name] = value;
+    }
+  }
+  if (wrk.childCount > 0) {
+    if (wrk.getChildName(0) == "1") {
+      // If the first item is 1, it's an array of objects
+      let array = [];
+      for (let i = 0; i < wrk.childCount; i++) {
+        let name = wrk.getChildName(i);
+        let childWrk = wrk.openChild(name, wrk.ACCESS_READ);
+        array.push(registryToObject(childWrk));
+        childWrk.close();
+      }
+      // If it's an array, it shouldn't have any children
+      return array;
+    }
+    for (let i = 0; i < wrk.childCount; i++) {
+      let name = wrk.getChildName(i);
+      let childWrk = wrk.openChild(name, wrk.ACCESS_READ);
+      policies[name] = registryToObject(childWrk);
+      childWrk.close();
+    }
+  }
+  return policies;
+}
+
+function readRegistryValue(wrk, value) {
+  switch (wrk.getValueType(value)) {
+    case 7: // REG_MULTI_SZ
+      return wrk.readStringValue(value).replace(/\0/g, "\n");
+    case 2: // REG_EXPAND_SZ
+    case wrk.TYPE_STRING:
+      return wrk.readStringValue(value);
+    case wrk.TYPE_BINARY:
+      return wrk.readBinaryValue(value);
+    case wrk.TYPE_INT:
+      return wrk.readIntValue(value);
+    case wrk.TYPE_INT64:
+      return wrk.readInt64Value(value);
+  }
+  // unknown type
+  return null;
+}
diff --git a/toolkit/components/enterprisepolicies/components.conf b/toolkit/components/enterprisepolicies/components.conf
new file mode 100644
index 0000000000..6f0fac6bf7
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/components.conf
@@ -0,0 +1,16 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Classes = [
+    {
+        'js_name': 'policies',
+        'cid': '{49e8d8ef-a713-492a-a3d2-5c9dad4ce2e5}',
+        'contract_ids': ['@mozilla.org/enterprisepolicies;1'],
+        'interfaces': ['nsIEnterprisePolicies'],
+        'jsm': 'resource://gre/modules/EnterprisePolicies.jsm',
+        'constructor': 'EnterprisePolicies',
+    },
+]
diff --git a/toolkit/components/enterprisepolicies/macOSPoliciesParser.jsm b/toolkit/components/enterprisepolicies/macOSPoliciesParser.jsm
new file mode 100644
index 0000000000..dac5469584
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/macOSPoliciesParser.jsm
@@ -0,0 +1,158 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const { XPCOMUtils } = ChromeUtils.import(
+  "resource://gre/modules/XPCOMUtils.jsm"
+);
+
+const PREF_LOGLEVEL = "browser.policies.loglevel";
+
+XPCOMUtils.defineLazyGetter(this, "log", () => {
+  let { ConsoleAPI } = ChromeUtils.import("resource://gre/modules/Console.jsm");
+  return new ConsoleAPI({
+    prefix: "macOSPoliciesParser.jsm",
+    // tip: set maxLogLevel to "debug" and use log.debug() to create detailed
+    // messages during development. See LOG_LEVELS in Console.jsm for details.
+    maxLogLevel: "error",
+    maxLogLevelPref: PREF_LOGLEVEL,
+  });
+});
+
+var EXPORTED_SYMBOLS = ["macOSPoliciesParser"];
+
+var macOSPoliciesParser = {
+  readPolicies(reader) {
+    let nativePolicies = reader.readPreferences();
+    if (!nativePolicies) {
+      return null;
+    }
+
+    nativePolicies = this.unflatten(nativePolicies);
+    nativePolicies = this.removeUnknownPolicies(nativePolicies);
+
+    // Need an extra check here so we don't
+    // JSON.stringify if we aren't in debug mode
+    if (log.maxLogLevel == "debug") {
+      log.debug(JSON.stringify(nativePolicies, null, 2));
+    }
+
+    return nativePolicies;
+  },
+
+  removeUnknownPolicies(policies) {
+    let { schema } = ChromeUtils.import(
+      "resource:///modules/policies/schema.jsm"
+    );
+
+    for (let policyName of Object.keys(policies)) {
+      if (!schema.properties.hasOwnProperty(policyName)) {
+        log.debug(`Removing unknown policy: ${policyName}`);
+        delete policies[policyName];
+      }
+    }
+
+    return policies;
+  },
+
+  unflatten(input, delimiter = "__") {
+    let ret = {};
+
+    for (let key of Object.keys(input)) {
+      if (!key.includes(delimiter)) {
+        // Short-circuit for policies that are not specified in
+        // the flat format.
+        ret[key] = input[key];
+        continue;
+      }
+
+      log.debug(`Unflattening policy key "${key}".`);
+
+      let subkeys = key.split(delimiter);
+
+      // `obj`: is the intermediate step into the unflattened
+      // return object. For example, for an input:
+      //
+      // Foo__Bar__Baz: 5,
+      //
+      // when the subkey being iterated is Bar, then `obj` will be
+      // the Bar object being constructed, as represented below:
+      //
+      // ret = {
+      //   Foo = {
+      //     Bar = {   <---- obj
+      //       Baz: 5,
+      //     }
+      //   }
+      // }
+      let obj = ret;
+
+      // Iterate until the second to last subkey, as the last one
+      // needs special handling afterwards.
+      for (let i = 0; i < subkeys.length - 1; i++) {
+        let subkey = subkeys[i];
+
+        if (!isValidSubkey(subkey)) {
+          log.error(`Error in key ${key}: can't use indexes bigger than 50.`);
+          continue;
+        }
+
+        if (!obj[subkey]) {
+          // if this subkey hasn't been seen yet, create the object
+          // for it, which could be an array if the next subkey is
+          // a number.
+          //
+          // For example, in the following examples:
+          // A)
+          // Foo__Bar__0
+          // Foo__Bar__1
+          //
+          // B)
+          // Foo__Bar__Baz
+          // Foo__Bar__Qux
+          //
+          // If the subkey being analysed right now is Bar, then in example A
+          // we'll create an array to accomodate the numeric entries.
+          // Otherwise, if it's example B, we'll create an object to host all
+          // the named keys.
+          if (Number.isInteger(Number(subkeys[i + 1]))) {
+            obj[subkey] = [];
+          } else {
+            obj[subkey] = {};
+          }
+        }
+
+        obj = obj[subkey];
+      }
+
+      let lastSubkey = subkeys[subkeys.length - 1];
+      if (!isValidSubkey(lastSubkey)) {
+        log.error(`Error in key ${key}: can't use indexes bigger than 50.`);
+        continue;
+      }
+
+      // In the last subkey, we assign it the value by accessing the input
+      // object again with the full key. For example, in the case:
+      //
+      // input = {"Foo__Bar__Baz": 5}
+      //
+      // what we're doing in practice is:
+      //
+      // ret["Foo"]["Bar"]["Baz"] = input["Foo__Bar__Baz"];
+      // \_______ _______/   |
+      //         v           |
+      //        obj      last subkey
+
+      obj[lastSubkey] = input[key];
+    }
+
+    return ret;
+  },
+};
+
+function isValidSubkey(subkey) {
+  let valueAsNumber = Number(subkey);
+  return Number.isNaN(valueAsNumber) || valueAsNumber <= 50;
+}
diff --git a/toolkit/components/enterprisepolicies/moz.build b/toolkit/components/enterprisepolicies/moz.build
new file mode 100644
index 0000000000..09d2046e1b
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/moz.build
@@ -0,0 +1,37 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+    BUG_COMPONENT = ("Firefox", "Enterprise Policies")
+
+XPIDL_SOURCES += [
+    "nsIEnterprisePolicies.idl",
+]
+
+XPIDL_MODULE = "enterprisepolicies"
+
+TEST_DIRS += ["tests"]
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] != "android":
+    EXTRA_JS_MODULES += [
+        "EnterprisePolicies.jsm",
+        "EnterprisePoliciesContent.jsm",
+        "EnterprisePoliciesParent.jsm",
+    ]
+
+    XPCOM_MANIFESTS += [
+        "components.conf",
+    ]
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "windows":
+    EXTRA_JS_MODULES.policies += [
+        "WindowsGPOParser.jsm",
+    ]
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "cocoa":
+    EXTRA_JS_MODULES.policies += [
+        "macOSPoliciesParser.jsm",
+    ]
diff --git a/toolkit/components/enterprisepolicies/nsIEnterprisePolicies.idl b/toolkit/components/enterprisepolicies/nsIEnterprisePolicies.idl
new file mode 100644
index 0000000000..fd81f5a9da
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/nsIEnterprisePolicies.idl
@@ -0,0 +1,68 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+#include "nsIURI.idl"
+
+[scriptable, uuid(6a568972-cc91-4bf5-963e-3768f3319b8a)]
+interface nsIEnterprisePolicies : nsISupports
+{
+  const short UNINITIALIZED = -1;
+  const short INACTIVE      = 0;
+  const short ACTIVE        = 1;
+  const short FAILED        = 2;
+
+  readonly attribute short status;
+
+  bool isAllowed(in ACString feature);
+
+  /**
+   * Get the active policies that have been successfully parsed.
+   *
+   * @returns A JS object that contains the policies names and
+   *          their corresponding parameters.
+   */
+  jsval getActivePolicies();
+
+  /**
+   * Get the contents of the support menu (if applicable)
+   *
+   * @returns A JS object that contains the url and label or null.
+   */
+  jsval getSupportMenu();
+
+  /**
+   * Get the policy for a given extensionID (if available)
+   *
+   * @returns A JS object that contains the storage or null if unavailable.
+   */
+  jsval getExtensionPolicy(in ACString extensionID);
+
+  /**
+   * Retrieves the ExtensionSettings policy for the given extensionID.
+   *
+   * If there is no policy for the extension, it returns the global policy.
+   *
+   * If there is no global policy, it returns null.
+   *
+   * @returns A JS object that settings or null if unavailable.
+   */
+  jsval getExtensionSettings(in ACString extensionID);
+
+  /**
+   * Uses the whitelist, blacklist and settings to determine if an extension
+   * may be installed.
+   *
+   * @returns A boolean - true of the extension may be installed.
+   */
+  bool mayInstallAddon(in jsval addon);
+
+  /**
+   * Uses install_sources to determine if an extension can be installed
+   * from the given URI.
+   *
+   * @returns A boolean - true of the extension may be installed.
+   */
+  bool allowedInstallSource(in nsIURI uri);
+};
diff --git a/toolkit/components/enterprisepolicies/tests/EnterprisePolicyTesting.jsm b/toolkit/components/enterprisepolicies/tests/EnterprisePolicyTesting.jsm
new file mode 100644
index 0000000000..dd98c03bce
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/EnterprisePolicyTesting.jsm
@@ -0,0 +1,184 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const { Preferences } = ChromeUtils.import(
+  "resource://gre/modules/Preferences.jsm"
+);
+const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const { OS } = ChromeUtils.import("resource://gre/modules/osfile.jsm");
+const { Assert } = ChromeUtils.import("resource://testing-common/Assert.jsm");
+ChromeUtils.defineModuleGetter(
+  this,
+  "FileTestUtils",
+  "resource://testing-common/FileTestUtils.jsm"
+);
+
+var EXPORTED_SYMBOLS = ["EnterprisePolicyTesting", "PoliciesPrefTracker"];
+
+var EnterprisePolicyTesting = {
+  // |json| must be an object representing the desired policy configuration, OR a
+  // path to the JSON file containing the policy configuration.
+  setupPolicyEngineWithJson: async function setupPolicyEngineWithJson(
+    json,
+    customSchema
+  ) {
+    let filePath;
+    if (typeof json == "object") {
+      filePath = FileTestUtils.getTempFile("policies.json").path;
+
+      // This file gets automatically deleted by FileTestUtils
+      // at the end of the test run.
+      await OS.File.writeAtomic(filePath, JSON.stringify(json), {
+        encoding: "utf-8",
+      });
+    } else {
+      filePath = json;
+    }
+
+    Services.prefs.setStringPref("browser.policies.alternatePath", filePath);
+
+    let promise = new Promise(resolve => {
+      Services.obs.addObserver(function observer() {
+        Services.obs.removeObserver(
+          observer,
+          "EnterprisePolicies:AllPoliciesApplied"
+        );
+        resolve();
+      }, "EnterprisePolicies:AllPoliciesApplied");
+    });
+
+    // Clear any previously used custom schema
+    Cu.unload("resource:///modules/policies/schema.jsm");
+
+    if (customSchema) {
+      let schemaModule = ChromeUtils.import(
+        "resource:///modules/policies/schema.jsm",
+        null
+      );
+      schemaModule.schema = customSchema;
+    }
+
+    Services.obs.notifyObservers(null, "EnterprisePolicies:Restart");
+    return promise;
+  },
+
+  checkPolicyPref(prefName, expectedValue, expectedLockedness) {
+    if (expectedLockedness !== undefined) {
+      Assert.equal(
+        Preferences.locked(prefName),
+        expectedLockedness,
+        `Pref ${prefName} is correctly locked/unlocked`
+      );
+    }
+
+    Assert.equal(
+      Preferences.get(prefName),
+      expectedValue,
+      `Pref ${prefName} has the correct value`
+    );
+  },
+
+  resetRunOnceState: function resetRunOnceState() {
+    const runOnceBaseKeys = [
+      "browser.policies.runonce.",
+      "browser.policies.runOncePerModification.",
+    ];
+    for (let base of runOnceBaseKeys) {
+      for (let key of Services.prefs.getChildList(base)) {
+        if (Services.prefs.prefHasUserValue(key)) {
+          Services.prefs.clearUserPref(key);
+        }
+      }
+    }
+  },
+};
+
+/**
+ * This helper will track prefs that have been changed
+ * by the policy engine through the setAndLockPref and
+ * setDefaultPref APIs (from Policies.jsm) and make sure
+ * that they are restored to their original values when
+ * the test ends or another test case restarts the engine.
+ */
+var PoliciesPrefTracker = {
+  _originalFunc: null,
+  _originalValues: new Map(),
+
+  start() {
+    let PoliciesBackstage = ChromeUtils.import(
+      "resource:///modules/policies/Policies.jsm",
+      null
+    );
+    this._originalFunc = PoliciesBackstage.setDefaultPref;
+    PoliciesBackstage.setDefaultPref = this.hoistedSetDefaultPref.bind(this);
+  },
+
+  stop() {
+    this.restoreDefaultValues();
+
+    let PoliciesBackstage = ChromeUtils.import(
+      "resource:///modules/policies/Policies.jsm",
+      null
+    );
+    PoliciesBackstage.setDefaultPref = this._originalFunc;
+    this._originalFunc = null;
+  },
+
+  hoistedSetDefaultPref(prefName, prefValue, locked = false) {
+    // If this pref is seen multiple times, the very first
+    // value seen is the one that is actually the default.
+    if (!this._originalValues.has(prefName)) {
+      let defaults = new Preferences({ defaultBranch: true });
+      let stored = {};
+
+      if (defaults.has(prefName)) {
+        stored.originalDefaultValue = defaults.get(prefName);
+      } else {
+        stored.originalDefaultValue = undefined;
+      }
+
+      if (
+        Preferences.isSet(prefName) &&
+        Preferences.get(prefName) == prefValue
+      ) {
+        // If a user value exists, and we're changing the default
+        // value to be th same as the user value, that will cause
+        // the user value to be dropped. In that case, let's also
+        // store it to ensure that we restore everything correctly.
+        stored.originalUserValue = Preferences.get(prefName);
+      }
+
+      this._originalValues.set(prefName, stored);
+    }
+
+    // Now that we've stored the original values, call the
+    // original setDefaultPref function.
+    this._originalFunc(prefName, prefValue, locked);
+  },
+
+  restoreDefaultValues() {
+    let defaults = new Preferences({ defaultBranch: true });
+
+    for (let [prefName, stored] of this._originalValues) {
+      // If a pref was used through setDefaultPref instead
+      // of setAndLockPref, it wasn't locked, but calling
+      // unlockPref is harmless
+      Preferences.unlock(prefName);
+
+      if (stored.originalDefaultValue !== undefined) {
+        defaults.set(prefName, stored.originalDefaultValue);
+      } else {
+        Services.prefs.getDefaultBranch("").deleteBranch(prefName);
+      }
+
+      if (stored.originalUserValue !== undefined) {
+        Preferences.set(prefName, stored.originalUserValue);
+      }
+    }
+
+    this._originalValues.clear();
+  },
+};
diff --git a/toolkit/components/enterprisepolicies/tests/browser/browser.ini b/toolkit/components/enterprisepolicies/tests/browser/browser.ini
new file mode 100644
index 0000000000..23a860dd8b
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/browser/browser.ini
@@ -0,0 +1,9 @@
+[DEFAULT]
+head = head.js
+support-files =
+  config_broken_json.json
+
+[browser_policies_basic_tests.js]
+[browser_policies_broken_json.js]
+[browser_policies_enterprise_only.js]
+[browser_policies_mistyped_json.js]
diff --git a/toolkit/components/enterprisepolicies/tests/browser/browser_policies_basic_tests.js b/toolkit/components/enterprisepolicies/tests/browser/browser_policies_basic_tests.js
new file mode 100644
index 0000000000..24de9c2f23
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/browser/browser_policies_basic_tests.js
@@ -0,0 +1,126 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+add_task(async function test_simple_policies() {
+  let { Policies } = ChromeUtils.import(
+    "resource:///modules/policies/Policies.jsm"
+  );
+
+  let policy0Ran = false,
+    policy1Ran = false,
+    policy2Ran = false,
+    policy3Ran = false;
+
+  // Implement functions to handle the four simple policies that will be added
+  // to the schema.
+  Policies.simple_policy0 = {
+    onProfileAfterChange(manager, param) {
+      is(param, true, "Param matches what was passed in config file");
+      policy0Ran = true;
+    },
+  };
+
+  Policies.simple_policy1 = {
+    onProfileAfterChange(manager, param) {
+      is(param, true, "Param matches what was passed in config file");
+      manager.disallowFeature("feature1", /* needed in content process */ true);
+      policy1Ran = true;
+    },
+  };
+
+  Policies.simple_policy2 = {
+    onBeforeUIStartup(manager, param) {
+      is(param, true, "Param matches what was passed in config file");
+      manager.disallowFeature(
+        "feature2",
+        /* needed in content process */ false
+      );
+      policy2Ran = true;
+    },
+  };
+
+  Policies.simple_policy3 = {
+    onAllWindowsRestored(manager, param) {
+      is(param, false, "Param matches what was passed in config file");
+      policy3Ran = true;
+    },
+  };
+
+  await setupPolicyEngineWithJson(
+    // policies.json
+    {
+      policies: {
+        simple_policy0: true,
+        simple_policy1: true,
+        simple_policy2: true,
+        simple_policy3: false,
+      },
+    },
+
+    // custom schema
+    {
+      properties: {
+        simple_policy0: {
+          type: "boolean",
+        },
+
+        simple_policy1: {
+          type: "boolean",
+        },
+
+        simple_policy2: {
+          type: "boolean",
+        },
+
+        simple_policy3: {
+          type: "boolean",
+        },
+      },
+    }
+  );
+
+  is(
+    Services.policies.status,
+    Ci.nsIEnterprisePolicies.ACTIVE,
+    "Engine is active"
+  );
+  is(
+    Services.policies.isAllowed("feature1"),
+    false,
+    "Dummy feature was disallowed"
+  );
+  is(
+    Services.policies.isAllowed("feature2"),
+    false,
+    "Dummy feature was disallowed"
+  );
+
+  ok(policy0Ran, "Policy 0 ran correctly through BeforeAddons");
+  ok(policy1Ran, "Policy 1 ran correctly through onProfileAfterChange");
+  ok(policy2Ran, "Policy 2 ran correctly through onBeforeUIStartup");
+  ok(policy3Ran, "Policy 3 ran correctly through onAllWindowsRestored");
+
+  await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function() {
+    if (Services.appinfo.processType == Services.appinfo.PROCESS_TYPE_CONTENT) {
+      is(
+        Services.policies.isAllowed("feature1"),
+        false,
+        "Correctly disallowed in the content process"
+      );
+      // Feature 2 wasn't explictly marked as needed in the content process, so it is not marked
+      // as disallowed there.
+      is(
+        Services.policies.isAllowed("feature2"),
+        true,
+        "Correctly missing in the content process"
+      );
+    }
+  });
+
+  delete Policies.simple_policy0;
+  delete Policies.simple_policy1;
+  delete Policies.simple_policy2;
+  delete Policies.simple_policy3;
+});
diff --git a/toolkit/components/enterprisepolicies/tests/browser/browser_policies_broken_json.js b/toolkit/components/enterprisepolicies/tests/browser/browser_policies_broken_json.js
new file mode 100644
index 0000000000..a4a274ab08
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/browser/browser_policies_broken_json.js
@@ -0,0 +1,14 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+add_task(async function test_broken_json() {
+  await setupPolicyEngineWithJson("config_broken_json.json");
+
+  is(
+    Services.policies.status,
+    Ci.nsIEnterprisePolicies.FAILED,
+    "Engine was correctly set to the error state"
+  );
+});
diff --git a/toolkit/components/enterprisepolicies/tests/browser/browser_policies_enterprise_only.js b/toolkit/components/enterprisepolicies/tests/browser/browser_policies_enterprise_only.js
new file mode 100644
index 0000000000..85bec8191f
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/browser/browser_policies_enterprise_only.js
@@ -0,0 +1,70 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const PREF_DISALLOW_ENTERPRISE = "browser.policies.testing.disallowEnterprise";
+
+add_task(async function test_enterprise_only_policies() {
+  let { Policies } = ChromeUtils.import(
+    "resource:///modules/policies/Policies.jsm"
+  );
+
+  let normalPolicyRan = false,
+    enterprisePolicyRan = false;
+
+  Policies.NormalPolicy = {
+    onProfileAfterChange(manager, param) {
+      normalPolicyRan = true;
+    },
+  };
+
+  Policies.EnterpriseOnlyPolicy = {
+    onProfileAfterChange(manager, param) {
+      enterprisePolicyRan = true;
+    },
+  };
+
+  Services.prefs.setBoolPref(PREF_DISALLOW_ENTERPRISE, true);
+
+  await setupPolicyEngineWithJson(
+    // policies.json
+    {
+      policies: {
+        NormalPolicy: true,
+        EnterpriseOnlyPolicy: true,
+      },
+    },
+
+    // custom schema
+    {
+      properties: {
+        NormalPolicy: {
+          type: "boolean",
+        },
+
+        EnterpriseOnlyPolicy: {
+          type: "boolean",
+          enterprise_only: true,
+        },
+      },
+    }
+  );
+
+  is(
+    Services.policies.status,
+    Ci.nsIEnterprisePolicies.ACTIVE,
+    "Engine is active"
+  );
+  is(normalPolicyRan, true, "Normal policy ran as expected");
+  is(
+    enterprisePolicyRan,
+    false,
+    "Enterprise-only policy was prevented from running"
+  );
+
+  // Clean-up
+  delete Policies.NormalPolicy;
+  delete Policies.EnterpriseOnlyPolicy;
+  Services.prefs.clearUserPref(PREF_DISALLOW_ENTERPRISE);
+});
diff --git a/toolkit/components/enterprisepolicies/tests/browser/browser_policies_mistyped_json.js b/toolkit/components/enterprisepolicies/tests/browser/browser_policies_mistyped_json.js
new file mode 100644
index 0000000000..0b82a11377
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/browser/browser_policies_mistyped_json.js
@@ -0,0 +1,17 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+add_task(async function test_json_with_mistyped_policies() {
+  // Note: The "polcies" string is intentionally mistyped
+  await setupPolicyEngineWithJson({
+    polcies: {},
+  });
+
+  is(
+    Services.policies.status,
+    Ci.nsIEnterprisePolicies.FAILED,
+    "Engine was correctly set to the error state"
+  );
+});
diff --git a/toolkit/components/enterprisepolicies/tests/browser/config_broken_json.json b/toolkit/components/enterprisepolicies/tests/browser/config_broken_json.json
new file mode 100644
index 0000000000..7e13efdd88
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/browser/config_broken_json.json
@@ -0,0 +1,3 @@
+{
+  "policies
+}
diff --git a/toolkit/components/enterprisepolicies/tests/browser/head.js b/toolkit/components/enterprisepolicies/tests/browser/head.js
new file mode 100644
index 0000000000..f099749df1
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/browser/head.js
@@ -0,0 +1,28 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const { EnterprisePolicyTesting, PoliciesPrefTracker } = ChromeUtils.import(
+  "resource://testing-common/EnterprisePolicyTesting.jsm",
+  null
+);
+const { TestUtils } = ChromeUtils.import(
+  "resource://testing-common/TestUtils.jsm",
+  null
+);
+
+PoliciesPrefTracker.start();
+
+async function setupPolicyEngineWithJson(json, customSchema) {
+  PoliciesPrefTracker.restoreDefaultValues();
+  if (typeof json != "object") {
+    let filePath = getTestFilePath(json ? json : "non-existing-file.json");
+    return EnterprisePolicyTesting.setupPolicyEngineWithJson(
+      filePath,
+      customSchema
+    );
+  }
+  return EnterprisePolicyTesting.setupPolicyEngineWithJson(json, customSchema);
+}
diff --git a/toolkit/components/enterprisepolicies/tests/moz.build b/toolkit/components/enterprisepolicies/tests/moz.build
new file mode 100644
index 0000000000..63b6391244
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/moz.build
@@ -0,0 +1,15 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+BROWSER_CHROME_MANIFESTS += [
+    "browser/browser.ini",
+]
+
+TESTING_JS_MODULES += [
+    "EnterprisePolicyTesting.jsm",
+]
+
+XPCSHELL_TESTS_MANIFESTS += ["xpcshell/xpcshell.ini"]
diff --git a/toolkit/components/enterprisepolicies/tests/xpcshell/head.js b/toolkit/components/enterprisepolicies/tests/xpcshell/head.js
new file mode 100644
index 0000000000..74bd1252f9
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/xpcshell/head.js
@@ -0,0 +1,47 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const { OS } = ChromeUtils.import("resource://gre/modules/osfile.jsm");
+const { Preferences } = ChromeUtils.import(
+  "resource://gre/modules/Preferences.jsm"
+);
+const { updateAppInfo, getAppInfo } = ChromeUtils.import(
+  "resource://testing-common/AppInfo.jsm"
+);
+const { FileTestUtils } = ChromeUtils.import(
+  "resource://testing-common/FileTestUtils.jsm"
+);
+const { PermissionTestUtils } = ChromeUtils.import(
+  "resource://testing-common/PermissionTestUtils.jsm"
+);
+const { EnterprisePolicyTesting } = ChromeUtils.import(
+  "resource://testing-common/EnterprisePolicyTesting.jsm"
+);
+
+updateAppInfo({
+  name: "XPCShell",
+  ID: "xpcshell@tests.mozilla.org",
+  version: "48",
+  platformVersion: "48",
+});
+
+// This initializes the policy engine for xpcshell tests
+let policies = Cc["@mozilla.org/enterprisepolicies;1"].getService(
+  Ci.nsIObserver
+);
+policies.observe(null, "policies-startup", null);
+
+async function setupPolicyEngineWithJson(json, customSchema) {
+  if (typeof json != "object") {
+    let filePath = do_get_file(json ? json : "non-existing-file.json").path;
+    return EnterprisePolicyTesting.setupPolicyEngineWithJson(
+      filePath,
+      customSchema
+    );
+  }
+  return EnterprisePolicyTesting.setupPolicyEngineWithJson(json, customSchema);
+}
diff --git a/toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js b/toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js
new file mode 100644
index 0000000000..7458f95960
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js
@@ -0,0 +1,16 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+add_task(async function test_empty_toplevel() {
+  await setupPolicyEngineWithJson({
+    policies: {},
+  });
+
+  equal(
+    Services.policies.status,
+    Ci.nsIEnterprisePolicies.INACTIVE,
+    "Engine is not active"
+  );
+});
diff --git a/toolkit/components/enterprisepolicies/tests/xpcshell/xpcshell.ini b/toolkit/components/enterprisepolicies/tests/xpcshell/xpcshell.ini
new file mode 100644
index 0000000000..b5ba816b26
--- /dev/null
+++ b/toolkit/components/enterprisepolicies/tests/xpcshell/xpcshell.ini
@@ -0,0 +1,5 @@
+[DEFAULT]
+head = head.js
+skip-if = toolkit == 'android'
+
+[test_empty.js]