Certificates.sys.mjs (3679B)
1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 3 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 5 import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs"; 6 7 const lazy = {}; 8 9 XPCOMUtils.defineLazyServiceGetter( 10 lazy, 11 "sss", 12 "@mozilla.org/ssservice;1", 13 Ci.nsISiteSecurityService 14 ); 15 16 XPCOMUtils.defineLazyServiceGetter( 17 lazy, 18 "certOverrideService", 19 "@mozilla.org/security/certoverride;1", 20 Ci.nsICertOverrideService 21 ); 22 23 const CERT_PINNING_ENFORCEMENT_PREF = "security.cert_pinning.enforcement_level"; 24 const HSTS_PRELOAD_LIST_PREF = "network.stricttransportsecurity.preloadlist"; 25 26 let requiredPreferencesSet = false; 27 28 /** @namespace */ 29 export const Certificates = {}; 30 31 /** 32 * Disable all security checks and allow all certs 33 * per user context or globally. 34 * 35 * @param {string=} userContextId 36 * Id of the user context to disable all security checks 37 * and allow all certs for it. If not provided, disable globally. 38 */ 39 Certificates.disableSecurityChecks = function (userContextId = null) { 40 if (!requiredPreferencesSet) { 41 requiredPreferencesSet = true; 42 43 // Make it possible to register certificate overrides for domains that use HSTS or HPKP. 44 // Disable HTTP Strict Transport Security (HSTS) preload list. 45 // That means that for the websites from HSTS preload list 46 // HTTPS is not going to be enforced until the website is visited. 47 Services.prefs.setBoolPref(HSTS_PRELOAD_LIST_PREF, false); 48 // Disable preloaded static public key pins. 49 // Which means that the public key hashes of certificates 50 // will not be validated against the list of static public key pins. 51 Services.prefs.setIntPref(CERT_PINNING_ENFORCEMENT_PREF, 0); 52 } 53 54 if (userContextId === null) { 55 lazy.certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData( 56 true 57 ); 58 } else { 59 lazy.certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyDataForUserContext( 60 userContextId, 61 true 62 ); 63 } 64 }; 65 66 /** 67 * Enable all security checks and allow all certs 68 * per user context or globally. 69 * 70 * @param {string=} userContextId 71 * Id of the user context to enable all security checks 72 * and allow all certs for it. If not provided, enable globally. 73 * Note: if the security checks are enabled for a user context but disabled globally 74 * we will still have HSTS preload list and preloaded static key pins disabled 75 * for this user context. 76 */ 77 Certificates.enableSecurityChecks = function (userContextId = null) { 78 if (userContextId === null) { 79 lazy.certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData( 80 false 81 ); 82 } else { 83 lazy.certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyDataForUserContext( 84 userContextId, 85 false 86 ); 87 } 88 89 // TODO Bug 1862018. Reconsider when supporting multiple sessions. 90 if (userContextId === null) { 91 Services.prefs.clearUserPref(HSTS_PRELOAD_LIST_PREF); 92 Services.prefs.clearUserPref(CERT_PINNING_ENFORCEMENT_PREF); 93 94 // clear collected HSTS and HPKP state 95 // through the site security service 96 lazy.sss.clearAll(); 97 98 requiredPreferencesSet = false; 99 } 100 }; 101 102 /** 103 * Reset security settings which were set for a user context. 104 * 105 * @param {string} userContextId 106 * Id of the user context to reset all security checks. 107 */ 108 Certificates.resetSecurityChecksForUserContext = function (userContextId) { 109 lazy.certOverrideService.resetDisableAllSecurityChecksAndLetAttackersInterceptMyDataForUserContext( 110 userContextId 111 ); 112 };