[X2Go-Commits] [pale-moon] 14/102: Add preference for fully disabling HSTS.
git-admin at x2go.org
git-admin at x2go.org
Mon Feb 25 23:25:43 CET 2019
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch upstream/28.4.0
in repository pale-moon.
commit 3afb818f20be5029c55c431ad25721e2404bff2d
Author: Ascrod <32915892+Ascrod at users.noreply.github.com>
Date: Wed Jan 16 19:33:09 2019 -0500
Add preference for fully disabling HSTS.
---
modules/libpref/init/all.js | 2 ++
security/manager/ssl/nsSiteSecurityService.cpp | 24 ++++++++++++++++++++++++
security/manager/ssl/nsSiteSecurityService.h | 1 +
3 files changed, 27 insertions(+)
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index f6a9939..21e36bf 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2038,6 +2038,8 @@ pref("network.proxy.autoconfig_url.include_path", false);
pref("network.proxy.autoconfig_retry_interval_min", 5); // 5 seconds
pref("network.proxy.autoconfig_retry_interval_max", 300); // 5 minutes
+// Master switch for HSTS usage (security <-> privacy tradeoff)
+pref("network.stricttransportsecurity.enabled", true);
// Use the HSTS preload list by default
pref("network.stricttransportsecurity.preloadlist", true);
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index 1d79844..0fd19dd 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -211,6 +211,7 @@ nsSiteSecurityService::nsSiteSecurityService()
: mMaxMaxAge(kSixtyDaysInSeconds)
, mUsePreloadList(true)
, mPreloadListTimeOffset(0)
+ , mUseStsService(true)
{
}
@@ -239,6 +240,10 @@ nsSiteSecurityService::Init()
"network.stricttransportsecurity.preloadlist", true);
mozilla::Preferences::AddStrongObserver(this,
"network.stricttransportsecurity.preloadlist");
+ mUseStsService = mozilla::Preferences::GetBool(
+ "network.stricttransportsecurity.enabled", true);
+ mozilla::Preferences::AddStrongObserver(this,
+ "network.stricttransportsecurity.enabled");
mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool(
"security.cert_pinning.process_headers_from_non_builtin_roots", false);
mozilla::Preferences::AddStrongObserver(this,
@@ -335,6 +340,11 @@ nsSiteSecurityService::SetHSTSState(uint32_t aType,
aHSTSState == SecurityPropertyNegative),
"HSTS State must be SecurityPropertySet or SecurityPropertyNegative");
+ // Exit early if STS not enabled
+ if (!mUseStsService) {
+ return NS_OK;
+ }
+
int64_t expiretime = ExpireTimeFromMaxAge(maxage);
SiteHSTSState siteState(expiretime, aHSTSState, includeSubdomains);
nsAutoCString stateString;
@@ -922,6 +932,13 @@ nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI,
nsAutoCString hostname;
nsresult rv = GetHost(aURI, hostname);
NS_ENSURE_SUCCESS(rv, rv);
+
+ // Exit early if STS not enabled
+ if (!mUseStsService) {
+ *aResult = false;
+ return NS_OK;
+ }
+
/* An IP address never qualifies as a secure URI. */
if (HostIsIPAddress(hostname.get())) {
*aResult = false;
@@ -980,6 +997,11 @@ nsSiteSecurityService::IsSecureHost(uint32_t aType, const char* aHost,
*aCached = false;
}
+ // Exit early if checking HSTS and STS not enabled
+ if (!mUseStsService && aType != nsISiteSecurityService::HEADER_HSTS) {
+ return NS_OK;
+ }
+
/* An IP address never qualifies as a secure URI. */
if (HostIsIPAddress(aHost)) {
return NS_OK;
@@ -1282,6 +1304,8 @@ nsSiteSecurityService::Observe(nsISupports *subject,
if (strcmp(topic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
mUsePreloadList = mozilla::Preferences::GetBool(
"network.stricttransportsecurity.preloadlist", true);
+ mUseStsService = mozilla::Preferences::GetBool(
+ "network.stricttransportsecurity.enabled", true);
mPreloadListTimeOffset =
mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool(
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h
index c401805..63afee3 100644
--- a/security/manager/ssl/nsSiteSecurityService.h
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -150,6 +150,7 @@ private:
uint64_t mMaxMaxAge;
bool mUsePreloadList;
+ bool mUseStsService;
int64_t mPreloadListTimeOffset;
bool mProcessPKPHeadersFromNonBuiltInRoots;
RefPtr<mozilla::DataStorage> mSiteStateStorage;
--
Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/pale-moon.git
More information about the x2go-commits
mailing list