commit f8266ef232f7d811e1bf943a5d577a23de4667c6 parent 28366619263a7de7455047a64d58a982e340ff9b Author: Dana Keeler <dkeeler@mozilla.com> Date: Thu, 2 Oct 2025 19:43:25 +0000 Bug 1990316 - enforce certificate transparency on Firefox for Android r=jschanck,geckoview-reviewers,android-reviewers,nalexander,tcampbell Differential Revision: https://phabricator.services.mozilla.com/D265906 Diffstat:
6 files changed, 21 insertions(+), 27 deletions(-)
diff --git a/mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngine.kt b/mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngine.kt @@ -1636,9 +1636,9 @@ class GeckoEngine( get() = runtime.settings.cookieBehaviorOptInPartitioningPBM set(value) { runtime.settings.setCookieBehaviorOptInPartitioningPBM(value) } - override var certificateTransparencyMode: Int - get() = runtime.settings.certificateTransparencyMode - set(value) { runtime.settings.setCertificateTransparencyMode(value) } + override var certificateTransparencyMode: Int? + get() = runtime.settings.certificateTransparencyMode.or(2) + set(value) { value?.let { runtime.settings.setCertificateTransparencyMode(value) } } override var postQuantumKeyExchangeEnabled: Boolean? get() = runtime.settings.postQuantumKeyExchangeEnabled.or(false) diff --git a/mobile/android/android-components/components/concept/engine/src/main/java/mozilla/components/concept/engine/Settings.kt b/mobile/android/android-components/components/concept/engine/src/main/java/mozilla/components/concept/engine/Settings.kt @@ -345,7 +345,7 @@ abstract class Settings { /** * Setting to control how Certificate Transparency information is processed. */ - open var certificateTransparencyMode: Int by UnsupportedSetting() + open var certificateTransparencyMode: Int? by UnsupportedSetting() /** * Setting to control whether post-quantum key exchange mechanisms are used @@ -440,7 +440,7 @@ data class DefaultSettings( val getDesktopMode: () -> Boolean = { false }, override var cookieBehaviorOptInPartitioning: Boolean = false, override var cookieBehaviorOptInPartitioningPBM: Boolean = false, - override var certificateTransparencyMode: Int = 0, + override var certificateTransparencyMode: Int? = null, override var postQuantumKeyExchangeEnabled: Boolean? = null, override var dohAutoselectEnabled: Boolean = false, override var bannedPorts: String = "", diff --git a/mobile/android/fenix/app/nimbus.fml.yaml b/mobile/android/fenix/app/nimbus.fml.yaml @@ -808,23 +808,13 @@ features: certificateTransparencyMode: description: > What mode Certificate Transparency is in (0=disable, 1=telemetry only, 2=enforce). - type: Int - default: 0 + type: Option<Int> + default: null crliteChannel: description: > The channel from which CRLite filters will be installed. type: Option<String> default: null - defaults: - - channel: nightly - value: - certificateTransparencyMode: 2 - - channel: developer - value: - certificateTransparencyMode: 2 - - channel: beta - value: - certificateTransparencyMode: 2 pqcrypto: description: Control the use of post-quantum key exchange mechanisms in TLS and HTTP/3. diff --git a/mobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/RuntimeSettingsTest.kt b/mobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/RuntimeSettingsTest.kt @@ -718,26 +718,26 @@ class RuntimeSettingsTest : BaseSessionTest() { val geckoRuntimeSettings = sessionRule.runtime.settings assertThat( - "Certificate Transparency mode should default to 1", + "Certificate Transparency mode should default to 2", geckoRuntimeSettings.certificateTransparencyMode, - equalTo(1), + equalTo(2), ) - geckoRuntimeSettings.setCertificateTransparencyMode(2) + geckoRuntimeSettings.setCertificateTransparencyMode(0) assertThat( - "Certificate Transparency mode should be set to 2", + "Certificate Transparency mode should be set to 0", geckoRuntimeSettings.certificateTransparencyMode, - equalTo(2), + equalTo(0), ) val preference = (sessionRule.getPrefs("security.pki.certificate_transparency.mode").get(0)) as Int assertThat( - "Certificate Transparency mode pref should be set to 2", + "Certificate Transparency mode pref should be set to 0", preference, - equalTo(2), + equalTo(0), ) } diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntimeSettings.java b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntimeSettings.java @@ -788,8 +788,8 @@ public final class GeckoRuntimeSettings extends RuntimeSettings { new Pref<Boolean>("network.cookie.cookieBehavior.optInPartitioning", false); /* package */ final Pref<Boolean> mCookieBehaviorOptInPartitioningPBM = new Pref<Boolean>("network.cookie.cookieBehavior.optInPartitioning.pbmode", false); - /* package */ final Pref<Integer> mCertificateTransparencyMode = - new Pref<Integer>("security.pki.certificate_transparency.mode", 1); + /* package */ final PrefWithoutDefault<Integer> mCertificateTransparencyMode = + new PrefWithoutDefault<Integer>("security.pki.certificate_transparency.mode"); /* package */ final PrefWithoutDefault<Boolean> mPostQuantumKeyExchangeTLSEnabled = new PrefWithoutDefault<Boolean>("security.tls.enable_kyber"); /* package */ final PrefWithoutDefault<Boolean> mPostQuantumKeyExchangeHttp3Enabled = @@ -1237,7 +1237,9 @@ public final class GeckoRuntimeSettings extends RuntimeSettings { * @return What certificate transparency mode has been set. */ public @NonNull int getCertificateTransparencyMode() { - return mCertificateTransparencyMode.get(); + final Integer MODE_ENFORCE = 2; + final Integer certificateTransparencyMode = mCertificateTransparencyMode.get(); + return certificateTransparencyMode != null ? certificateTransparencyMode : MODE_ENFORCE; } /** diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/doc-files/CHANGELOG.md b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/doc-files/CHANGELOG.md @@ -18,11 +18,13 @@ exclude: true - Added [`WebExtension.InvalidMetaDataException`][145.2]. ([bug 1981496]({{bugzilla}}1981496)) - Added [`GeckoSession.PromptDelegate.RedirectPrompt`][145.3] to display a prompt when a third-party redirect is blocked. - Added support for controlling `security.pki.crlite_channel` via [`GeckoRuntimeSettings.setCrliteChannel`][145.4] +- Changed certificate transparency information in TLS connections to now be required by default. This can be controlled by the [`GeckoRuntimeSettings.setCertificateTransparencyMode`][145.5] API. [145.1]: {{javadoc_uri}}/WebNotification.html#show [145.2]: {{javadoc_uri}}/WebExtension.InvalidMetaDataException.html [145.3]: {{javadoc_uri}}/GeckoSession.PromptDelegate.RedirectPrompt.html [145.4]: {{javadoc_uri}}/GeckoRuntimeSettings.html#setCrliteChannel +[145.5]: {{javadoc_uri}}/GeckoRuntimeSettings.html#setCertificateTransparencyMode ## v144 - Added [`GeckoSession.flushSessionState()`][144.1] to immediately notify the registered [`GeckoSession.ProgressDelegate`][144.2] and [`GeckoSession.HistoryDelegate`][144.3] of the current session state.