Add ability to disable HSTS

Author: K4sum1

browser/components/preferences/main.inc.xhtml

@@ -177,6 +177,13 @@
   </hbox>
   <description class="indent tip-caption" data-l10n-id="r3dfox-csp-desc"/>
 
+  <hbox align="center">
+    <checkbox id="r3dfoxhsts"
+              data-l10n-id="r3dfox-hsts"
+              preference="network.stricttransportsecurity.enabled"/>
+  </hbox>
+  <description class="indent tip-caption" data-l10n-id="r3dfox-hsts-desc"/>
+
   <hbox align="center">
     <checkbox id="r3dfoxe10s"
               data-l10n-id="r3dfox-e10s"

browser/components/preferences/main.js

@@ -82,6 +82,7 @@ Preferences.addAll([
   { id: "widget.windows-style.modern", type: "bool" },
   { id: "browser.e10s.disabled", type: "bool" },
   { id: "security.csp.enable", type: "bool",  inverted: true },
+  { id: "network.stricttransportsecurity.enabled", type: "bool",  inverted: true },
   { id: "accessibility.force_disabled", type: "int" },
 
   /* Tab preferences

browser/locales/en-US/browser/preferences/preferences.ftl

@@ -242,6 +242,11 @@ r3dfox-csp =
 
 r3dfox-csp-desc = CSP is a security feature, improperly designed websites may require disabling CSP.  Not recommended unless you know what you are doing.
 
+r3dfox-hsts =
+    .label = Disable HTTP Strict Transport Security (HSTS)
+
+r3dfox-hsts-desc = HSTS is a security feature, websites with missing, expired, or wrong certificates may require disabling HSTS to access.  Not recommended unless you know what you are doing.
+
 r3dfox-e10s =
     .label = Disable content multiprocess (e10s) (BETA)
 

modules/libpref/init/all.js

@@ -1637,6 +1637,8 @@ pref("network.proxy.autoconfig_retry_interval_min", 5);    // 5 seconds
 pref("network.proxy.autoconfig_retry_interval_max", 300);  // 5 minutes
 pref("network.proxy.enable_wpad_over_dhcp", true);
 
+// Master switch for HSTS usage (security <-> privacy tradeoff)
+pref("network.stricttransportsecurity.enabled", true);
 // Use the HSTS preload list by default
 pref("network.stricttransportsecurity.preloadlist", true);
 

security/manager/ssl/nsSiteSecurityService.cpp

@@ -168,7 +168,7 @@ void SiteHSTSState::ToString(nsCString& aString) {
 }
 
 nsSiteSecurityService::nsSiteSecurityService()
-    : mUsePreloadList(true), mPreloadListTimeOffset(0), mDafsa(kDafsa) {}
+    : mUsePreloadList(true), mPreloadListTimeOffset(0), mUseStsService(true), mDafsa(kDafsa) {}
 
 nsSiteSecurityService::~nsSiteSecurityService() = default;
 
@@ -185,6 +185,10 @@ nsresult nsSiteSecurityService::Init() {
       "network.stricttransportsecurity.preloadlist", true);
   mozilla::Preferences::AddStrongObserver(
       this, "network.stricttransportsecurity.preloadlist");
+  mUseStsService = mozilla::Preferences::GetBool(
+    "network.stricttransportsecurity.enabled", true);
+  mozilla::Preferences::AddStrongObserver(
+      this, "network.stricttransportsecurity.enabled");
   mPreloadListTimeOffset =
       mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
   mozilla::Preferences::AddStrongObserver(this,
@@ -315,6 +319,11 @@ nsresult nsSiteSecurityService::SetHSTSState(
   MOZ_ASSERT(aHSTSState == SecurityPropertySet,
              "HSTS State must be SecurityPropertySet");
 
+  // Exit early if STS not enabled
+  if (!mUseStsService) {
+    return NS_OK;
+  }
+
   int64_t expiretime = ExpireTimeFromMaxAge(maxage);
   SiteHSTSState siteState(hostname, aOriginAttributes, expiretime, aHSTSState,
                           includeSubdomains);
@@ -742,6 +751,13 @@ nsSiteSecurityService::IsSecureURI(nsIURI* aURI,
   nsAutoCString hostname;
   nsresult rv = GetHost(aURI, hostname);
   NS_ENSURE_SUCCESS(rv, rv);
+
+  // Exit early if STS not enabled
+  if (!mUseStsService) {
+    *aResult = false;
+    return NS_OK;
+  }
+
   /* An IP address never qualifies as a secure URI. */
   if (HostIsIPAddress(hostname)) {
     *aResult = false;
@@ -928,6 +944,11 @@ nsresult nsSiteSecurityService::IsSecureHost(
   NS_ENSURE_ARG(aResult);
   *aResult = false;
 
+  // Exit early if STS not enabled
+  if (!mUseStsService) {
+    return NS_OK;
+  }
+
   /* An IP address never qualifies as a secure URI. */
   const nsCString& flatHost = PromiseFlatCString(aHost);
   if (HostIsIPAddress(flatHost)) {
@@ -1008,6 +1029,8 @@ nsSiteSecurityService::Observe(nsISupports* /*subject*/, const char* topic,
   if (strcmp(topic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
     mUsePreloadList = mozilla::Preferences::GetBool(
         "network.stricttransportsecurity.preloadlist", true);
+    mUseStsService = mozilla::Preferences::GetBool(
+      "network.stricttransportsecurity.enabled", true);
     mPreloadListTimeOffset =
         mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
   }

security/manager/ssl/nsSiteSecurityService.h

@@ -150,6 +150,7 @@ class nsSiteSecurityService : public nsISiteSecurityService,
                                nsIDataStorage::DataType aDataStorageType);
 
   bool mUsePreloadList;
+  bool mUseStsService;
   int64_t mPreloadListTimeOffset;
   nsCOMPtr<nsIDataStorage> mSiteStateStorage;
   const mozilla::Dafsa mDafsa;