diff options
Diffstat (limited to 'browser/components/enterprisepolicies')
11 files changed, 236 insertions, 47 deletions
diff --git a/browser/components/enterprisepolicies/Policies.sys.mjs b/browser/components/enterprisepolicies/Policies.sys.mjs index fd15c244cc..ebc1bc0a58 100644 --- a/browser/components/enterprisepolicies/Policies.sys.mjs +++ b/browser/components/enterprisepolicies/Policies.sys.mjs @@ -549,10 +549,26 @@ export var Policies = { param.ClientSignature ); } + if ("DefaultResult" in param) { + if ( + !Number.isInteger(param.DefaultResult) || + param.DefaultResult < 0 || + param.DefaultResult > 2 + ) { + lazy.log.error( + `Non-integer or out of range value for DefaultResult: ${param.DefaultResult}` + ); + } else { + setAndLockPref( + "browser.contentanalysis.default_result", + param.DefaultResult + ); + } + } let boolPrefs = [ ["IsPerUser", "is_per_user"], ["ShowBlockedResult", "show_blocked_result"], - ["DefaultAllow", "default_allow"], + ["BypassForSameTabOperations", "bypass_for_same_tab_operations"], ]; for (let pref of boolPrefs) { if (pref[0] in param) { @@ -773,6 +789,15 @@ export var Policies = { }, }, + DisableEncryptedClientHello: { + onBeforeAddons(manager, param) { + if (param) { + setAndLockPref("network.dns.echconfig.enabled", false); + setAndLockPref("network.dns.http3_echconfig.enabled", false); + } + }, + }, + DisableFeedbackCommands: { onBeforeUIStartup(manager, param) { if (param) { @@ -1515,6 +1540,31 @@ export var Policies = { }, }, + HttpAllowlist: { + onBeforeAddons(manager, param) { + addAllowDenyPermissions("https-only-load-insecure", param); + }, + }, + + HttpsOnlyMode: { + onBeforeAddons(manager, param) { + switch (param) { + case "disallowed": + setAndLockPref("dom.security.https_only_mode", false); + break; + case "enabled": + PoliciesUtils.setDefaultPref("dom.security.https_only_mode", true); + break; + case "force_enabled": + setAndLockPref("dom.security.https_only_mode", true); + break; + case "allowed": + // The default case. + break; + } + }, + }, + InstallAddonsPermission: { onBeforeUIStartup(manager, param) { if ("Allow" in param) { @@ -1787,6 +1837,12 @@ export var Policies = { }, }, + PostQuantumKeyAgreementEnabled: { + onBeforeAddons(manager, param) { + setAndLockPref("security.tls.enable_kyber", param); + }, + }, + Preferences: { onBeforeAddons(manager, param) { let allowedPrefixes = [ @@ -1811,6 +1867,7 @@ export var Policies = { "places.", "pref.", "print.", + "privacy.globalprivacycontrol.enabled", "privacy.userContext.enabled", "privacy.userContext.ui.enabled", "signon.", @@ -1831,6 +1888,8 @@ export var Policies = { "security.insecure_connection_text.enabled", "security.insecure_connection_text.pbmode.enabled", "security.mixed_content.block_active_content", + "security.mixed_content.block_display_content", + "security.mixed_content.upgrade_display_content", "security.osclientcerts.assume_rsa_pss_support", "security.osclientcerts.autoload", "security.OCSP.enabled", @@ -2457,13 +2516,6 @@ export var Policies = { UserMessaging: { onBeforeAddons(manager, param) { - if ("WhatsNew" in param) { - PoliciesUtils.setDefaultPref( - "browser.messaging-system.whatsNewPanel.enabled", - param.WhatsNew, - param.Locked - ); - } if ("ExtensionRecommendations" in param) { PoliciesUtils.setDefaultPref( "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", diff --git a/browser/components/enterprisepolicies/content/aboutPolicies.html b/browser/components/enterprisepolicies/content/aboutPolicies.html index bf0a962aa8..0b7a4e78ff 100644 --- a/browser/components/enterprisepolicies/content/aboutPolicies.html +++ b/browser/components/enterprisepolicies/content/aboutPolicies.html @@ -24,7 +24,6 @@ rel="localization" href="browser/policies/policies-descriptions.ftl" /> - <link rel="localization" href="toolkit/branding/accounts.ftl" /> <link rel="localization" href="toolkit/branding/brandings.ftl" /> <script src="chrome://browser/content/policies/aboutPolicies.js"></script> </head> diff --git a/browser/components/enterprisepolicies/content/aboutPolicies.js b/browser/components/enterprisepolicies/content/aboutPolicies.js index 9cde085f3d..2de9be0982 100644 --- a/browser/components/enterprisepolicies/content/aboutPolicies.js +++ b/browser/components/enterprisepolicies/content/aboutPolicies.js @@ -294,6 +294,7 @@ function generateDocumentation() { SanitizeOnShutdown: "SanitizeOnShutdown2", WindowsSSO: "Windows10SSO", SecurityDevices: "SecurityDevices2", + DisableFirefoxAccounts: "DisableFirefoxAccounts1", }; for (let policyName in schema.properties) { diff --git a/browser/components/enterprisepolicies/helpers/BookmarksPolicies.sys.mjs b/browser/components/enterprisepolicies/helpers/BookmarksPolicies.sys.mjs index 5fc70c31cf..2e52a248c8 100644 --- a/browser/components/enterprisepolicies/helpers/BookmarksPolicies.sys.mjs +++ b/browser/components/enterprisepolicies/helpers/BookmarksPolicies.sys.mjs @@ -204,44 +204,30 @@ async function insertBookmark(bookmark) { } function setFaviconForBookmark(bookmark) { - let faviconURI; - let nullPrincipal = Services.scriptSecurityManager.createNullPrincipal({}); - switch (bookmark.Favicon.protocol) { - case "data:": - // data urls must first call replaceFaviconDataFromDataURL, using a - // fake URL. Later, it's needed to call setAndFetchFaviconForPage - // with the same URL. - faviconURI = Services.io.newURI("fake-favicon-uri:" + bookmark.URL.href); - - lazy.PlacesUtils.favicons.replaceFaviconDataFromDataURL( - faviconURI, - bookmark.Favicon.href, - 0 /* max expiration length */, - nullPrincipal + case "data:": { + lazy.PlacesUtils.favicons.setFaviconForPage( + bookmark.URL.URI, + Services.io.newURI("fake-favicon-uri:" + bookmark.URL.href), + bookmark.Favicon.URI ); - break; - + return; + } case "http:": - case "https:": - faviconURI = Services.io.newURI(bookmark.Favicon.href); - break; - - default: - lazy.log.error( - `Bad URL given for favicon on bookmark "${bookmark.Title}"` + case "https:": { + lazy.PlacesUtils.favicons.setAndFetchFaviconForPage( + bookmark.URL.URI, + bookmark.Favicon.URI, + false /* forceReload */, + lazy.PlacesUtils.favicons.FAVICON_LOAD_NON_PRIVATE, + null, + Services.scriptSecurityManager.createNullPrincipal({}) ); return; + } } - lazy.PlacesUtils.favicons.setAndFetchFaviconForPage( - Services.io.newURI(bookmark.URL.href), - faviconURI, - false /* forceReload */, - lazy.PlacesUtils.favicons.FAVICON_LOAD_NON_PRIVATE, - null, - nullPrincipal - ); + lazy.log.error(`Bad URL given for favicon on bookmark "${bookmark.Title}"`); } // Cache of folder names to guids to be used by the getParentGuid diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json index 3c578f2c4b..7058efb698 100644 --- a/browser/components/enterprisepolicies/schemas/policies-schema.json +++ b/browser/components/enterprisepolicies/schemas/policies-schema.json @@ -265,7 +265,10 @@ "ShowBlockedResult": { "type": "boolean" }, - "DefaultAllow": { + "DefaultResult": { + "type": "number" + }, + "BypassForSameTabOperations": { "type": "boolean" } } @@ -426,6 +429,10 @@ "type": "boolean" }, + "DisableEncryptedClientHello": { + "type": "boolean" + }, + "DisableFeedbackCommands": { "type": "boolean" }, @@ -832,6 +839,19 @@ } }, + "HttpAllowlist": { + "type": "array", + "strict": false, + "items": { + "type": "origin" + } + }, + + "HttpsOnlyMode": { + "type": "string", + "enum": ["allowed", "disallowed", "enabled", "force_enabled"] + }, + "InstallAddonsPermission": { "type": "object", "properties": { @@ -1180,6 +1200,10 @@ } }, + "PostQuantumKeyAgreementEnabled": { + "type": "boolean" + }, + "Preferences": { "type": ["object", "JSON"], "patternProperties": { diff --git a/browser/components/enterprisepolicies/tests/browser/browser_policy_extensions.js b/browser/components/enterprisepolicies/tests/browser/browser_policy_extensions.js index 7d1313548b..6b8feb4d82 100644 --- a/browser/components/enterprisepolicies/tests/browser/browser_policy_extensions.js +++ b/browser/components/enterprisepolicies/tests/browser/browser_policy_extensions.js @@ -40,7 +40,7 @@ add_task(async function test_addon_install() { add_task(async function test_addon_locked() { let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser); - const win = await BrowserOpenAddonsMgr("addons://list/extension"); + const win = await BrowserAddonUI.openAddonsMgr("addons://list/extension"); await isExtensionLocked(win, ADDON_ID); diff --git a/browser/components/enterprisepolicies/tests/browser/browser_policy_extensionsettings2.js b/browser/components/enterprisepolicies/tests/browser/browser_policy_extensionsettings2.js index 612448ee4e..dd610ec7e5 100644 --- a/browser/components/enterprisepolicies/tests/browser/browser_policy_extensionsettings2.js +++ b/browser/components/enterprisepolicies/tests/browser/browser_policy_extensionsettings2.js @@ -45,7 +45,7 @@ add_task(async function test_addon_install() { add_task(async function test_addon_locked_update_disabled() { let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser); - const win = await BrowserOpenAddonsMgr( + const win = await BrowserAddonUI.openAddonsMgr( "addons://detail/" + encodeURIComponent(ADDON_ID) ); diff --git a/browser/components/enterprisepolicies/tests/browser/browser_policy_masterpassword.js b/browser/components/enterprisepolicies/tests/browser/browser_policy_masterpassword.js index 872eb5a652..87fb072971 100644 --- a/browser/components/enterprisepolicies/tests/browser/browser_policy_masterpassword.js +++ b/browser/components/enterprisepolicies/tests/browser/browser_policy_masterpassword.js @@ -7,6 +7,25 @@ let { LoginTestUtils } = ChromeUtils.importESModule( "resource://testing-common/LoginTestUtils.sys.mjs" ); +let { sinon } = ChromeUtils.importESModule( + "resource://testing-common/Sinon.sys.mjs" +); + +let { FormAutofillUtils } = ChromeUtils.importESModule( + "resource://gre/modules/shared/FormAutofillUtils.sys.mjs" +); + +add_setup(async function () { + // Stub these out so we don't end up invoking the MP dialog + // in order to decrypt prefs to find out if these are enabled or disabled. + sinon.stub(FormAutofillUtils, "getOSAuthEnabled").returns(false); + sinon.stub(LoginHelper, "getOSAuthEnabled").returns(false); + + registerCleanupFunction(async function () { + sinon.restore(); + }); +}); + // Test that once a password is set, you can't unset it add_task(async function test_policy_masterpassword_set() { await setupPolicyEngineWithJson({ diff --git a/browser/components/enterprisepolicies/tests/xpcshell/test_extensionsettings.js b/browser/components/enterprisepolicies/tests/xpcshell/test_extensionsettings.js index 22a6269cce..76157c7e97 100644 --- a/browser/components/enterprisepolicies/tests/xpcshell/test_extensionsettings.js +++ b/browser/components/enterprisepolicies/tests/xpcshell/test_extensionsettings.js @@ -8,10 +8,14 @@ const { AddonTestUtils } = ChromeUtils.importESModule( const { AddonManager } = ChromeUtils.importESModule( "resource://gre/modules/AddonManager.sys.mjs" ); +const { ExtensionTestUtils } = ChromeUtils.importESModule( + "resource://testing-common/ExtensionXPCShellUtils.sys.mjs" +); AddonTestUtils.init(this); AddonTestUtils.overrideCertDB(); AddonTestUtils.appInfo = getAppInfo(); +ExtensionTestUtils.init(this); const server = AddonTestUtils.createHttpServer({ hosts: ["example.com"] }); const BASE_URL = `http://example.com/data`; @@ -21,6 +25,34 @@ let themeID = "policytheme@mozilla.com"; let fileURL; +async function assertManagementAPIInstallType(addonId, expectedInstallType) { + const addon = await AddonManager.getAddonByID(addonId); + const expectInstalledByPolicy = expectedInstallType === "admin"; + equal( + addon.isInstalledByEnterprisePolicy, + expectInstalledByPolicy, + `Addon should ${ + expectInstalledByPolicy ? "be" : "NOT be" + } marked as installed by enterprise policy` + ); + const policy = WebExtensionPolicy.getByID(addonId); + const pageURL = policy.extension.baseURI.resolve( + "_generated_background_page.html" + ); + const page = await ExtensionTestUtils.loadContentPage(pageURL); + const { id, installType } = await page.spawn([], async () => { + const res = await this.content.wrappedJSObject.browser.management.getSelf(); + return { id: res.id, installType: res.installType }; + }); + await page.close(); + Assert.equal(id, addonId, "Got results for the expected addon id"); + Assert.equal( + installType, + expectedInstallType, + "Got the expected installType on policy installed extension" + ); +} + add_setup(async function setup() { await AddonTestUtils.promiseStartupManager(); @@ -115,7 +147,14 @@ add_task(async function test_addon_allowed() { ); await install.install(); notEqual(install.addon, null, "Addon should not be null"); + await assertManagementAPIInstallType(install.addon.id, "normal"); equal(install.addon.appDisabled, false, "Addon should not be disabled"); + equal( + install.addon.isInstalledByEnterprisePolicy, + false, + "Addon should NOT be marked as installed by enterprise policy" + ); + await install.addon.uninstall(); }); @@ -169,6 +208,8 @@ add_task(async function test_addon_forceinstalled() { 0, "Addon should not be able to be disabled." ); + await assertManagementAPIInstallType(addon.id, "admin"); + await addon.uninstall(); }); @@ -199,6 +240,8 @@ add_task(async function test_addon_normalinstalled() { 0, "Addon should be able to be disabled." ); + await assertManagementAPIInstallType(addon.id, "admin"); + await addon.uninstall(); }); @@ -290,6 +333,7 @@ add_task(async function test_addon_normalinstalled_file() { 0, "Addon should be able to be disabled." ); + await assertManagementAPIInstallType(addon.id, "admin"); await addon.uninstall(); }); diff --git a/browser/components/enterprisepolicies/tests/xpcshell/test_permissions.js b/browser/components/enterprisepolicies/tests/xpcshell/test_permissions.js index f4440e53f5..c9231132c8 100644 --- a/browser/components/enterprisepolicies/tests/xpcshell/test_permissions.js +++ b/browser/components/enterprisepolicies/tests/xpcshell/test_permissions.js @@ -315,7 +315,7 @@ add_task(async function test_cookie_allow_session() { ); }); -// This again seems out of places, but AutoLaunchProtocolsFromOrigins +// This again seems out of place, but AutoLaunchProtocolsFromOrigins // is all permissions. add_task(async function test_autolaunchprotocolsfromorigins() { await setupPolicyEngineWithJson({ @@ -337,7 +337,7 @@ add_task(async function test_autolaunchprotocolsfromorigins() { ); }); -// This again seems out of places, but PasswordManagerExceptions +// This again seems out of place, but PasswordManagerExceptions // is all permissions. add_task(async function test_passwordmanagerexceptions() { await setupPolicyEngineWithJson({ @@ -353,3 +353,20 @@ add_task(async function test_passwordmanagerexceptions() { Ci.nsIPermissionManager.DENY_ACTION ); }); + +// This again seems out of place, but HttpAllowlist +// is all permissions. +add_task(async function test_httpsonly_exceptions() { + await setupPolicyEngineWithJson({ + policies: { + HttpAllowlist: ["https://http.example.com"], + }, + }); + equal( + PermissionTestUtils.testPermission( + URI("https://http.example.com"), + "https-only-load-insecure" + ), + Ci.nsIPermissionManager.ALLOW_ACTION + ); +}); diff --git a/browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js b/browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js index c0952d0627..cfcb655777 100644 --- a/browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js +++ b/browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js @@ -657,13 +657,11 @@ const POLICIES_TESTS = [ { policies: { UserMessaging: { - WhatsNew: false, SkipOnboarding: true, Locked: true, }, }, lockedPrefs: { - "browser.messaging-system.whatsNewPanel.enabled": false, "browser.aboutwelcome.enabled": false, }, }, @@ -1099,6 +1097,55 @@ const POLICIES_TESTS = [ "network.proxy.type": 5, }, }, + + // POLICY: DisableEncryptedClientHello + { + policies: { + DisableEncryptedClientHello: true, + }, + lockedPrefs: { + "network.dns.echconfig.enabled": false, + "network.dns.http3_echconfig.enabled": false, + }, + }, + + // POLICY: PostQuantumKeyAgreementEnabled + { + policies: { + PostQuantumKeyAgreementEnabled: false, + }, + lockedPrefs: { + "security.tls.enable_kyber": false, + }, + }, + + // POLICY: HttpsOnlyMode + { + policies: { + HttpsOnlyMode: "enabled", + }, + unlockedPrefs: { + "dom.security.https_only_mode": true, + }, + }, + + { + policies: { + HttpsOnlyMode: "disallowed", + }, + lockedPrefs: { + "dom.security.https_only_mode": false, + }, + }, + + { + policies: { + HttpsOnlyMode: "force_enabled", + }, + lockedPrefs: { + "dom.security.https_only_mode": true, + }, + }, ]; add_task(async function test_policy_simple_prefs() { |