Bug 1848815 - Add a user-facing setting to enable enterprise roots import, and enable it by default. r=keeler,settings-reviewers,fluent-reviewers,desktop-theme-reviewers,flod,Itiel,Gijs

Differential Revision: https://phabricator.services.mozilla.com/D186236
Molly Howell 2023-09-12 17:15:09 +00:00
parent af73f591a5
commit e48b3d224a
6 changed files with 35 additions and 3 deletions


@ -1179,6 +1179,18 @@
"/>
</vbox>
</hbox>
<hbox id="certEnableThirdPartyToggleBox" align="center">
<checkbox id="certEnableThirdPartyToggle"
data-l10n-id="certs-thirdparty-toggle"
preference="security.enterprise_roots.enabled"
class="tail-with-learn-more"
/>
<html:a is="moz-support-link"
class="learnMore"
support-page="automatically-trust-third-party-certificates"
/>
</hbox>
</groupbox>
<!-- HTTPS-ONLY Mode -->
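Review bot: The new `certEnableThirdPartyToggleBox` hbox is visible in markup and only hidden afterwards by script, so the control fails open: if the init code does not run or throws, the checkbox appears on platforms or policy-managed profiles where it should not be offered. Consider shipping it hidden and un-hiding it from script, e.g. `<hbox id="certEnableThirdPartyToggleBox" align="center" hidden="true">`. The script that sets `hidden` is in another file section of this commit, so the link is inferred from the matching id.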


@ -191,6 +191,8 @@ Preferences.addAll([
{ id: "security.OCSP.enabled", type: "int" },
{ id: "security.enterprise_roots.enabled", type: "bool" },
// Add-ons, malware, phishing
{ id: "xpinstall.whitelist.required", type: "bool" },
@ -450,6 +452,19 @@ var gPrivacyPane = {
showQuickActionsGroup();
},
_initThirdPartyCertsToggle() {
// Third-party certificate import is only implemented for Windows and Mac,
// and we should not expose this as a user-configurable setting if there's
// an enterprise policy controlling it (either to enable _or_ disable it).
let canConfigureThirdPartyCerts =
(AppConstants.platform == "win" || AppConstants.platform == "macosx") &&
typeof Services.policies.getActivePolicies()?.Certificates
?.ImportEnterpriseRoots == "undefined";
document.getElementById("certEnableThirdPartyToggleBox").hidden =
!canConfigureThirdPartyCerts;
},
syncFromHttpsOnlyPref() {
let httpsOnlyOnPref = Services.prefs.getBoolPref(
"dom.security.https_only_mode"
@ -886,6 +901,7 @@ var gPrivacyPane = {
this.fingerprintingProtectionReadPrefs();
this.networkCookieBehaviorReadPrefs();
this._initTrackingProtectionExtensionControl();
this._initThirdPartyCertsToggle();
Services.telemetry.setEventRecordingEnabled("privacy.ui.fpp", true);
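Review bot: In `_initThirdPartyCertsToggle`, hiding the box whenever `Certificates.ImportEnterpriseRoots` is set by policy removes the only in-pane indication of whether OS-installed roots are currently trusted, which is the state a user on a managed machine most needs to see. If the policy locks `security.enterprise_roots.enabled` (not visible here, to be confirmed), the bound checkbox could be shown read-only instead by reducing the condition to the platform check: `let canConfigureThirdPartyCerts = AppConstants.platform == "win" || AppConstants.platform == "macosx";`. If hiding is kept, the comment should say where the effective value can be inspected instead.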


@ -1472,6 +1472,10 @@ certs-devices =
.label = Security Devices…
.accesskey = D
certs-thirdparty-toggle =
.label = Allow { -brand-short-name } to automatically trust third-party root certificates you install
.accesskey = t
space-alert-over-5gb-settings-button =
.label = Open Settings
.accesskey = O


@ -13907,7 +13907,7 @@
# Whether or not to import and trust third party root certificates from the OS.
- name: security.enterprise_roots.enabled
type: RelaxedAtomicBool
value: false
value: true
mirror: always
- name: security.intermediate_preloading_healer.enabled
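Review bot: The comment above `security.enterprise_roots.enabled` still reads as a neutral description although the default becomes `true`, which means roots added to the OS trust store are accepted for certificate validation without the user opting in. The comment should record that trade-off, for example by adding `# Enabled by default; roots added to the OS store by an administrator or by local software are trusted.` below the existing line. The preferences script in this commit states that the import is only implemented for Windows and Mac, so the default should have no effect elsewhere if that holds. Which of the two `value:` lines is the new side is inferred from the commit title.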


@ -1156,8 +1156,7 @@ void nsNSSComponent::setValidationOptions(
void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
MutexAutoLock lock(mMutex);
MOZ_ASSERT(mDefaultCertVerifier);
if (NS_WARN_IF(!mDefaultCertVerifier)) {
if (!mDefaultCertVerifier) {
return;
}
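Review bot: The null check on `mDefaultCertVerifier` in `UpdateCertVerifierWithEnterpriseRoots` now returns without a warning, and nothing in the hunk says when the verifier may legitimately be absent. A one-line comment above the check would preserve that reasoning, e.g. `// The verifier may not exist yet if this is reached before initialization finishes; nothing to update.` (wording to be confirmed against the call sites). The rendering does not show whether the `MOZ_ASSERT(mDefaultCertVerifier)` line is kept; if it is, debug builds would still abort on the case the relaxed check is meant to tolerate. The function body continues outside the hunk.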


@ -69,6 +69,7 @@ add_task(async function run_test() {
Ci.nsIX509CertDB
);
nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
await check_some_enterprise_roots_imported(nssComponent, certDB);
Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
await check_no_enterprise_roots_imported(nssComponent, certDB);
Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
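Review bot: The `check_some_enterprise_roots_imported` call that precedes the first `setBoolPref` depends on the compiled-in default of `security.enterprise_roots.enabled`, and nothing in the test says so, so a harness or profile that overrides the default would make it fail for an unrelated reason. A comment such as `// The pref defaults to true, so roots must already be imported before any pref is set.` would make the intent explicit. That this is the added line is inferred from the hunk counts; `run_test` starts and ends outside the hunk.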