
commit a2b0be99c0b0fa271c4521dc2f136cdb1d397290
parent 3eedd1a0aa90942cbfc6d3ad54222b8b7be78d55
Author: John M. Schanck <jschanck@mozilla.com>
Date:   Wed,  1 Oct 2025 20:11:15 +0000

Bug 1988610 - add a nimbus feature for setting the CRLite channel on Android. r=keeler,geckoview-reviewers,android-reviewers,geckoview-api-reviewers,ohall,tcampbell

Differential Revision: https://phabricator.services.mozilla.com/D264867

Diffstat:
Mmobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngine.kt | 5+++++
Mmobile/android/android-components/components/concept/engine/src/main/java/mozilla/components/concept/engine/Settings.kt | 6++++++
Mmobile/android/fenix/app/nimbus.fml.yaml | 5+++++
Mmobile/android/fenix/app/src/main/java/org/mozilla/fenix/components/Core.kt | 1+
Mmobile/android/geckoview/api.txt | 2++
Mmobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/RuntimeSettingsTest.kt | 28++++++++++++++++++++++++++++
Mmobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntimeSettings.java | 23+++++++++++++++++++++++
Mmobile/android/geckoview/src/main/java/org/mozilla/geckoview/doc-files/CHANGELOG.md | 4+++-
8 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngine.kt b/mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngine.kt
@@ -1655,6 +1655,10 @@ class GeckoEngine(
 override var lnaBlockingEnabled: Boolean
 get() = runtime.settings.lnaBlockingEnabled
 set(value) { runtime.settings.setLnaBlockingEnabled(value) }
+
+ override var crliteChannel: String?
+ get() = runtime.settings.crliteChannel
+ set(value) { value?.let { runtime.settings.setCrliteChannel(value) } }
 }.apply {
 defaultSettings?.let {
 this.javascriptEnabled = it.javascriptEnabled
@@ -1702,6 +1706,7 @@ class GeckoEngine(
 this.dohAutoselectEnabled = it.dohAutoselectEnabled
 this.bannedPorts = it.bannedPorts
 this.lnaBlockingEnabled = it.lnaBlockingEnabled
+ this.crliteChannel = it.crliteChannel
 }
 }
diff --git a/mobile/android/android-components/components/concept/engine/src/main/java/mozilla/components/concept/engine/Settings.kt b/mobile/android/android-components/components/concept/engine/src/main/java/mozilla/components/concept/engine/Settings.kt
@@ -367,6 +367,11 @@ abstract class Settings {
 * Setting to control blocking of local network & local device (localhost) access
 */
 open var lnaBlockingEnabled: Boolean by UnsupportedSetting()
+
+ /**
+ * Setting to control the CRLite certificate blocklist channel
+ */
+ open var crliteChannel: String? by UnsupportedSetting()
 }
 /**
@@ -440,6 +445,7 @@ data class DefaultSettings(
 override var dohAutoselectEnabled: Boolean = false,
 override var bannedPorts: String = "",
 override var lnaBlockingEnabled: Boolean = false,
+ override var crliteChannel: String? = null,
 ) : Settings() {
 override val desktopModeEnabled: Boolean
 get() = getDesktopMode()
diff --git a/mobile/android/fenix/app/nimbus.fml.yaml b/mobile/android/fenix/app/nimbus.fml.yaml
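Review bot: The new `crliteChannel` setter in GeckoEngine.kt drops `null` silently (`set(value) { value?.let { runtime.settings.setCrliteChannel(value) } }`), so a channel that has been committed once cannot be cleared through this property. If the configured value later goes back to `null`, the previously selected channel presumably stays in effect while the caller may assume it was reset. Since `setCrliteChannel` only accepts a non-null string, I would at least document this on the property: `// null is ignored: a channel that was already set stays in effect`. Writing the body as `value?.let { runtime.settings.setCrliteChannel(it) }` would also be more idiomatic. The enclosing settings object starts outside the hunk.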
@@ -810,6 +810,11 @@ features:
 What mode Certificate Transparency is in (0=disable, 1=telemetry only, 2=enforce).
 type: Int
 default: 0
+ crliteChannel:
+ description: >
+ The channel from which CRLite filters will be installed.
+ type: Option<String>
+ default: null
 defaults:
 - channel: nightly
 value:
diff --git a/mobile/android/fenix/app/src/main/java/org/mozilla/fenix/components/Core.kt b/mobile/android/fenix/app/src/main/java/org/mozilla/fenix/components/Core.kt
@@ -196,6 +196,7 @@ class Core(
 dohAutoselectEnabled = FxNimbus.features.doh.value().autoselectEnabled,
 bannedPorts = FxNimbus.features.networkingBannedPorts.value().bannedPortList,
 lnaBlockingEnabled = context.settings().isLnaBlockingEnabled,
+ crliteChannel = FxNimbus.features.pki.value().crliteChannel,
 )
 // Apply fingerprinting protection overrides if the feature is enabled in Nimbus
diff --git a/mobile/android/geckoview/api.txt b/mobile/android/geckoview/api.txt
@@ -979,6 +979,7 @@ package org.mozilla.geckoview {
 method public boolean getCookieBehaviorOptInPartitioning();
 method public boolean getCookieBehaviorOptInPartitioningPBM();
 method @Nullable public Class<? extends android.app.Service> getCrashHandler();
+ method @NonNull public String getCrliteChannel();
 method @Nullable public String getDefaultRecursiveResolverUri();
 method @Nullable public Boolean getDisableShip();
 method @Nullable public Float getDisplayDensityOverride();
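Review bot: In Core.kt the Nimbus value is passed to the engine settings unchecked at `crliteChannel = FxNimbus.features.pki.value().crliteChannel,`, so any string the remote configuration carries ends up in `security.pki.crlite_channel`. Because this pref selects which certificate-revocation filters are installed, I would check it against the channel names the CRLite client supports and treat anything else as `null`, for example `crliteChannel = FxNimbus.features.pki.value().crliteChannel?.takeIf { it in SUPPORTED_CRLITE_CHANNELS },` (`SUPPORTED_CRLITE_CHANNELS` is a placeholder for a set you would define). What Gecko does with an unrecognised channel is not visible in this diff. The `description` in nimbus.fml.yaml could list the accepted values and say that `null` leaves the Gecko default untouched. The constructor call around this line starts outside the hunk.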
@@ -1041,6 +1042,7 @@ package org.mozilla.geckoview {
 method @NonNull public GeckoRuntimeSettings setConsoleOutputEnabled(boolean);
 method @NonNull public GeckoRuntimeSettings setCookieBehaviorOptInPartitioning(boolean);
 method @NonNull public GeckoRuntimeSettings setCookieBehaviorOptInPartitioningPBM(boolean);
+ method @NonNull public GeckoRuntimeSettings setCrliteChannel(@NonNull String);
 method @NonNull public GeckoRuntimeSettings setDefaultRecursiveResolverUri(@NonNull String);
 method @NonNull public GeckoRuntimeSettings setDohAutoselectEnabled(boolean);
 method @NonNull public GeckoRuntimeSettings setDoubleTapZoomingEnabled(boolean);
diff --git a/mobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/RuntimeSettingsTest.kt b/mobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/RuntimeSettingsTest.kt
@@ -1007,4 +1007,32 @@ class RuntimeSettingsTest : BaseSessionTest() {
 equalTo("12345,23456"),
 )
 }
+
+ @Test
+ fun switchCRLiteChannel() {
+ val geckoRuntimeSettings = sessionRule.runtime.settings
+ val crliteChannel = "test"
+
+ assertThat(
+ "CRLite channel should not be set",
+ geckoRuntimeSettings.crliteChannel,
+ equalTo(null),
+ )
+
+ geckoRuntimeSettings.setCrliteChannel(crliteChannel)
+
+ assertThat(
+ "Runtime settings crliteChannel should match the string passed above",
+ geckoRuntimeSettings.crliteChannel,
+ equalTo(crliteChannel),
+ )
+
+ val crlitePreference =
+ (sessionRule.getPrefs("security.pki.crlite_channel").get(0)) as String
+ assertThat(
+ "The security.pki.crlite_channel preference should be set to the correct string",
+ crlitePreference,
+ equalTo(crliteChannel),
+ )
+ }
 }
diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntimeSettings.java b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntimeSettings.java
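Review bot: `switchCRLiteChannel` commits `"test"` to `security.pki.crlite_channel` through `sessionRule.runtime.settings` and never restores the previous state, and its first assertion only holds if nothing set the channel earlier. If the runtime is shared between tests (not visible in this hunk), the outcome depends on test order and later tests run with that channel still selected. The API has no way to clear the value, so I would at least record that in the test: `// Leaves security.pki.crlite_channel set to "test"; GeckoRuntimeSettings offers no way to clear it`. The test also does not cover the null-ignoring setter added in GeckoEngine.kt.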
@@ -805,6 +805,8 @@ public final class GeckoRuntimeSettings extends RuntimeSettings {
 new Pref<String>("network.security.ports.banned", "");
 /* package */ final PrefWithoutDefault<Boolean> mRemoteSettingCrashPullNeverShowAgain =
 new PrefWithoutDefault<Boolean>("browser.crashReports.requestedNeverShowAgain");
+ /* package */ final PrefWithoutDefault<String> mCrliteChannel =
+ new PrefWithoutDefault<String>("security.pki.crlite_channel");
 /* package */ int mPreferredColorScheme = COLOR_SCHEME_SYSTEM;
@@ -2291,6 +2293,27 @@ public final class GeckoRuntimeSettings extends RuntimeSettings {
 return mBannedPorts.get();
 }
+ /**
+ * Set the preference that controls the channel from which CRLite certificate blocklists are
+ * downloaded.
+ *
+ * @param channel The name of the CRLite channel
+ * @return This GeckoRuntimeSettings instance
+ */
+ public @NonNull GeckoRuntimeSettings setCrliteChannel(final @NonNull String channel) {
+ mCrliteChannel.commit(channel);
+ return this;
+ }
+
+ /**
+ * Get the channel from which CRLite certificate blocklists are downloaded.
+ *
+ * @return a String containing the name of the CRLite channel
+ */
+ public @NonNull String getCrliteChannel() {
+ return mCrliteChannel.get();
+ }
+
 // For internal use only
 /* protected */ @NonNull
 GeckoRuntimeSettings setProcessCount(final int processCount) {
diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/doc-files/CHANGELOG.md b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/doc-files/CHANGELOG.md
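Review bot: `getCrliteChannel()` is annotated `@NonNull`, but `mCrliteChannel` is a `PrefWithoutDefault<String>` and the test added in this same commit asserts that the getter yields `null` before a channel is set. The declaration should read `public @Nullable String getCrliteChannel() {`, the `@return` line should say that `null` means no channel has been set, and the `api.txt` entry should change to match. As written, Java callers and static analysis that trust the annotation will skip the null check on a value that is null by default. `setCrliteChannel` also forwards the string to the pref without any validation, so the Javadoc could state which channel names are expected.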
@@ -17,10 +17,12 @@ exclude: true
 - Added [`WebNotification.show`][145.1]. Implementations of `WebNotificationDelegate.onShowNotification` should now call either `show` when the notification is successfully opened, or `dismiss` if it failed.
 - Added [`WebExtension.InvalidMetaDataException`][145.2]. ([bug 1981496]({{bugzilla}}1981496))
 - Added [`GeckoSession.PromptDelegate.RedirectPrompt`][145.3] to display a prompt when a third-party redirect is blocked.
+- Added support for controlling `security.pki.crlite_channel` via [`GeckoRuntimeSettings.setCrliteChannel`][145.4]
 [145.1]: {{javadoc_uri}}/WebNotification.html#show
 [145.2]: {{javadoc_uri}}/WebExtension.InvalidMetaDataException.html
 [145.3]: {{javadoc_uri}}/GeckoSession.PromptDelegate.RedirectPrompt.html
+[145.4]: {{javadoc_uri}}/GeckoRuntimeSettings.html#setCrliteChannel
 ## v144
 - Added [`GeckoSession.flushSessionState()`][144.1] to immediately notify the registered [`GeckoSession.ProgressDelegate`][144.2] and [`GeckoSession.HistoryDelegate`][144.3] of the current session state.
@@ -1840,4 +1842,4 @@ to allow adding gecko profiler markers.
 [65.24]: {{javadoc_uri}}/CrashReporter.html#sendCrashReport(android.content.Context,android.os.Bundle,java.lang.String)
 [65.25]: {{javadoc_uri}}/GeckoResult.html
-[api-version]: d618af14d4ebf592db8cfafdf5e89e2bf6616d7a
+[api-version]: a15af3b5439f5bed524e92e4c59c52d139d435a8