mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-27 14:52:16 +00:00
Bug 1848815 - Add a user-facing setting to enable enterprise roots import, and enable it by default. r=keeler,settings-reviewers,fluent-reviewers,desktop-theme-reviewers,flod,Itiel,Gijs
Differential Revision: https://phabricator.services.mozilla.com/D186236
parent
af73f591a5
commit
e48b3d224a
@ -1179,6 +1179,18 @@
|
||||
"/>
|
||||
</vbox>
|
||||
</hbox>
|
||||
|
||||
<hbox id="certEnableThirdPartyToggleBox" align="center">
|
||||
<checkbox id="certEnableThirdPartyToggle"
|
||||
data-l10n-id="certs-thirdparty-toggle"
|
||||
preference="security.enterprise_roots.enabled"
|
||||
class="tail-with-learn-more"
|
||||
/>
|
||||
<html:a is="moz-support-link"
|
||||
class="learnMore"
|
||||
support-page="automatically-trust-third-party-certificates"
|
||||
/>
|
||||
</hbox>
|
||||
</groupbox>
|
||||
|
||||
<!-- HTTPS-ONLY Mode -->
|
||||
|
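Review bot: `certEnableThirdPartyToggleBox` is visible by default in the markup and is only hidden once `_initThirdPartyCertsToggle()` runs. If pane initialisation stops before that call, the control stays exposed on platforms without import support or where a policy governs the setting. Starting hidden fails closed: `<hbox id="certEnableThirdPartyToggleBox" align="center" hidden="true">`. The existing assignment `.hidden = !canConfigureThirdPartyCerts` already reveals the box when configuration is allowed, so no script change should be needed.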
@ -191,6 +191,8 @@ Preferences.addAll([
|
||||
|
||||
{ id: "security.OCSP.enabled", type: "int" },
|
||||
|
||||
{ id: "security.enterprise_roots.enabled", type: "bool" },
|
||||
|
||||
// Add-ons, malware, phishing
|
||||
{ id: "xpinstall.whitelist.required", type: "bool" },
|
||||
|
||||
@ -450,6 +452,19 @@ var gPrivacyPane = {
|
||||
showQuickActionsGroup();
|
||||
},
|
||||
|
||||
_initThirdPartyCertsToggle() {
|
||||
// Third-party certificate import is only implemented for Windows and Mac,
|
||||
// and we should not expose this as a user-configurable setting if there's
|
||||
// an enterprise policy controlling it (either to enable _or_ disable it).
|
||||
let canConfigureThirdPartyCerts =
|
||||
(AppConstants.platform == "win" || AppConstants.platform == "macosx") &&
|
||||
typeof Services.policies.getActivePolicies()?.Certificates
|
||||
?.ImportEnterpriseRoots == "undefined";
|
||||
|
||||
document.getElementById("certEnableThirdPartyToggleBox").hidden =
|
||||
!canConfigureThirdPartyCerts;
|
||||
},
|
||||
|
||||
syncFromHttpsOnlyPref() {
|
||||
let httpsOnlyOnPref = Services.prefs.getBoolPref(
|
||||
"dom.security.https_only_mode"
|
||||
@ -886,6 +901,7 @@ var gPrivacyPane = {
|
||||
this.fingerprintingProtectionReadPrefs();
|
||||
this.networkCookieBehaviorReadPrefs();
|
||||
this._initTrackingProtectionExtensionControl();
|
||||
this._initThirdPartyCertsToggle();
|
||||
|
||||
Services.telemetry.setEventRecordingEnabled("privacy.ui.fpp", true);
|
||||
|
||||
|
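Review bot: `canConfigureThirdPartyCerts` in `_initThirdPartyCertsToggle()` only checks the `Certificates.ImportEnterpriseRoots` policy key, so a `security.enterprise_roots.enabled` pref locked by some other mechanism would still get a visible toggle. Consider adding `&& !Services.prefs.prefIsLocked("security.enterprise_roots.enabled")` to the condition. Whether the preference bindings already disable the checkbox for a locked pref is not visible in these hunks, so confirm that first. A small test that the box is hidden when the policy is set to either value would also pin down what the comment promises. The surrounding `init` body in the last hunk starts and ends outside the view.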
@ -1472,6 +1472,10 @@ certs-devices =
|
||||
.label = Security Devices…
|
||||
.accesskey = D
|
||||
|
||||
certs-thirdparty-toggle =
|
||||
.label = Allow { -brand-short-name } to automatically trust third-party root certificates you install
|
||||
.accesskey = t
|
||||
|
||||
space-alert-over-5gb-settings-button =
|
||||
.label = Open Settings
|
||||
.accesskey = O
|
||||
|
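Review bot: The `certs-thirdparty-toggle` label says "root certificates you install", but the pref's own comment elsewhere in this commit describes importing third-party roots "from the OS". That would presumably also cover roots added by other software or an administrator, not only ones the user installed. If so, wording that does not attribute them to the user would describe the trust decision more accurately, for example `.label = Allow { -brand-short-name } to automatically trust third-party root certificates installed on this device`. Confirm the actual import scope before changing the copy.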
@ -13907,7 +13907,7 @@
|
||||
# Whether or not to import and trust third party root certificates from the OS.
|
||||
- name: security.enterprise_roots.enabled
|
||||
type: RelaxedAtomicBool
|
||||
value: false
|
||||
value: true
|
||||
mirror: always
|
||||
|
||||
- name: security.intermediate_preloading_healer.enabled
|
||||
|
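Review bot: The comment above `security.enterprise_roots.enabled` is unchanged, although the default appears to flip from `false` to `true`, so OS-provided third-party roots are now trusted without an opt-in. Since this entry is where people auditing trust defaults will look, it should record that this is deliberate and how it is overridden. Something like `# Enabled by default; user-configurable in the privacy settings unless the Certificates.ImportEnterpriseRoots policy is set. Import is only implemented on Windows and macOS.` would cover it.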
@ -1156,8 +1156,7 @@ void nsNSSComponent::setValidationOptions(
|
||||
|
||||
void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
|
||||
MutexAutoLock lock(mMutex);
|
||||
MOZ_ASSERT(mDefaultCertVerifier);
|
||||
if (NS_WARN_IF(!mDefaultCertVerifier)) {
|
||||
if (!mDefaultCertVerifier) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
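Review bot: The null check on `mDefaultCertVerifier` in `UpdateCertVerifierWithEnterpriseRoots()` now returns silently, and nothing explains why a null verifier is an expected state. Going by the hunk counts, the `MOZ_ASSERT` and the `NS_WARN_IF` wrapper both appear to have been dropped. Presumably the default-on pref lets this run before the verifier is created, so a comment above the check should say so, for example `// Can be reached before the default verifier exists (pref is on by default); nothing to update yet.` Without it, a later reader could easily restore the assertion. The function body continues outside the hunk.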
@ -69,6 +69,7 @@ add_task(async function run_test() {
|
||||
Ci.nsIX509CertDB
|
||||
);
|
||||
nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
|
||||
await check_some_enterprise_roots_imported(nssComponent, certDB);
|
||||
Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
|
||||
await check_no_enterprise_roots_imported(nssComponent, certDB);
|
||||
Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
|
||||
|