gecko-dev/testing/marionette/cert.js

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

"use strict";

const { Preferences } = ChromeUtils.import(
  "resource://gre/modules/Preferences.jsm"
);
const { XPCOMUtils } = ChromeUtils.import(
  "resource://gre/modules/XPCOMUtils.jsm"
);

this.EXPORTED_SYMBOLS = ["allowAllCerts"];

const sss = Cc["@mozilla.org/ssservice;1"].getService(
  Ci.nsISiteSecurityService
);

const certOverrideService = Cc[
  "@mozilla.org/security/certoverride;1"
].getService(Ci.nsICertOverrideService);

const CERT_PINNING_ENFORCEMENT_PREF = "security.cert_pinning.enforcement_level";
const HSTS_PRELOAD_LIST_PREF = "network.stricttransportsecurity.preloadlist";

/** @namespace */
this.allowAllCerts = {};

/**
 * Disable all security check and allow all certs.
 */
allowAllCerts.enable = function() {
  // make it possible to register certificate overrides for domains
  // that use HSTS or HPKP
  Preferences.set(HSTS_PRELOAD_LIST_PREF, false);
  Preferences.set(CERT_PINNING_ENFORCEMENT_PREF, 0);

  certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
    true
  );
};

/**
 * Enable all security check.
 */
allowAllCerts.disable = function() {
  certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
    false
  );

  Preferences.reset(HSTS_PRELOAD_LIST_PREF);
  Preferences.reset(CERT_PINNING_ENFORCEMENT_PREF);

  // clear collected HSTS and HPKP state
  // through the site security service
  sss.clearAll();
  sss.clearPreloads();
};
Bug 1103196 - Add ability to ignore invalid TLS certificates; r=automatedtester,keeler,mossop When the `acceptInsecureCerts` capability is set to true on creating a new Marionette session, a `nsICertOverrideService` override service is installed that causes all invalid TLS certificates to be ignored. This is in line with the expectations of the WebDriver specification. It is worth noting that this is a potential security risk and that this feature is only available in Gecko when the Marionette server is enabled. MozReview-Commit-ID: BXrQw17TgDy --HG-- extra : rebase_source : 023f18b07ffbb53c7dbc588a823c62830f032e3d 2016-11-06 21:03:31 +03:00			`/* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this file,`
			`* You can obtain one at http://mozilla.org/MPL/2.0/. */`

			`"use strict";`

Bug 1514594: Part 3 - Change ChromeUtils.import API. * Bug 1514594: Part 3a - Change ChromeUtils.import to return an exports object; not pollute global. r=mccr8 This changes the behavior of ChromeUtils.import() to return an exports object, rather than a module global, in all cases except when `null` is passed as a second argument, and changes the default behavior not to pollute the global scope with the module's exports. Thus, the following code written for the old model: ChromeUtils.import("resource://gre/modules/Services.jsm"); is approximately the same as the following, in the new model: var {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm"); Since the two behaviors are mutually incompatible, this patch will land with a scripted rewrite to update all existing callers to use the new model rather than the old. * Bug 1514594: Part 3b - Mass rewrite all JS code to use the new ChromeUtils.import API. rs=Gijs This was done using the followng script: https://bitbucket.org/kmaglione/m-c-rewrites/src/tip/processors/cu-import-exports.jsm * Bug 1514594: Part 3c - Update ESLint plugin for ChromeUtils.import API changes. r=Standard8 Differential Revision: https://phabricator.services.mozilla.com/D16747 * Bug 1514594: Part 3d - Remove/fix hundreds of duplicate imports from sync tests. r=Gijs Differential Revision: https://phabricator.services.mozilla.com/D16748 * Bug 1514594: Part 3e - Remove no-op ChromeUtils.import() calls. r=Gijs Differential Revision: https://phabricator.services.mozilla.com/D16749 * Bug 1514594: Part 3f.1 - Cleanup various test corner cases after mass rewrite. r=Gijs *** Bug 1514594: Part 3f.2 - Cleanup various non-test corner cases after mass rewrite. r=Gijs Differential Revision: https://phabricator.services.mozilla.com/D16750 --HG-- extra : rebase_source : 359574ee3064c90f33bf36c2ebe3159a24cc8895 extra : histedit_source : b93c8f42808b1599f9122d7842d2c0b3e656a594%2C64a3a4e3359dc889e2ab2b49461bab9e27fc10a7 2019-01-17 21:18:31 +03:00			`const { Preferences } = ChromeUtils.import(`
			`"resource://gre/modules/Preferences.jsm"`
			`);`
			`const { XPCOMUtils } = ChromeUtils.import(`
			`"resource://gre/modules/XPCOMUtils.jsm"`
			`);`
Bug 1103196 - Add ability to ignore invalid TLS certificates; r=automatedtester,keeler,mossop When the `acceptInsecureCerts` capability is set to true on creating a new Marionette session, a `nsICertOverrideService` override service is installed that causes all invalid TLS certificates to be ignored. This is in line with the expectations of the WebDriver specification. It is worth noting that this is a potential security risk and that this feature is only available in Gecko when the Marionette server is enabled. MozReview-Commit-ID: BXrQw17TgDy --HG-- extra : rebase_source : 023f18b07ffbb53c7dbc588a823c62830f032e3d 2016-11-06 21:03:31 +03:00
Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler,ato Differential Revision: https://phabricator.services.mozilla.com/D43931 --HG-- rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js extra : moz-landing-system : lando 2019-09-04 20:17:44 +03:00			`this.EXPORTED_SYMBOLS = ["allowAllCerts"];`
Bug 1103196 - Add ability to ignore invalid TLS certificates; r=automatedtester,keeler,mossop When the `acceptInsecureCerts` capability is set to true on creating a new Marionette session, a `nsICertOverrideService` override service is installed that causes all invalid TLS certificates to be ignored. This is in line with the expectations of the WebDriver specification. It is worth noting that this is a potential security risk and that this feature is only available in Gecko when the Marionette server is enabled. MozReview-Commit-ID: BXrQw17TgDy --HG-- extra : rebase_source : 023f18b07ffbb53c7dbc588a823c62830f032e3d 2016-11-06 21:03:31 +03:00
			`const sss = Cc["@mozilla.org/ssservice;1"].getService(`
			`Ci.nsISiteSecurityService`
			`);`

Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler,ato Differential Revision: https://phabricator.services.mozilla.com/D43931 --HG-- rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js extra : moz-landing-system : lando 2019-09-04 20:17:44 +03:00			`const certOverrideService = Cc[`
			`"@mozilla.org/security/certoverride;1"`
			`].getService(Ci.nsICertOverrideService);`

Bug 1456051 - Make cert an ES module. r=maja_zf In addition to the way symbols are exposed, this patch makes a few changes to what is exposed. Unexposing currentOverride and the error override bitmasks should not cause any problems. MozReview-Commit-ID: 9CWZHVyAKbg --HG-- extra : rebase_source : 6411f842c1eec26661cbe6f4d9e821904ffc4811 2018-04-23 12:01:40 +03:00			`const CERT_PINNING_ENFORCEMENT_PREF = "security.cert_pinning.enforcement_level";`
			`const HSTS_PRELOAD_LIST_PREF = "network.stricttransportsecurity.preloadlist";`
Bug 1103196 - Add ability to ignore invalid TLS certificates; r=automatedtester,keeler,mossop When the `acceptInsecureCerts` capability is set to true on creating a new Marionette session, a `nsICertOverrideService` override service is installed that causes all invalid TLS certificates to be ignored. This is in line with the expectations of the WebDriver specification. It is worth noting that this is a potential security risk and that this feature is only available in Gecko when the Marionette server is enabled. MozReview-Commit-ID: BXrQw17TgDy --HG-- extra : rebase_source : 023f18b07ffbb53c7dbc588a823c62830f032e3d 2016-11-06 21:03:31 +03:00
Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler,ato Differential Revision: https://phabricator.services.mozilla.com/D43931 --HG-- rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js extra : moz-landing-system : lando 2019-09-04 20:17:44 +03:00			`/** @namespace */`
			`this.allowAllCerts = {};`
Bug 1103196 - Add ability to ignore invalid TLS certificates; r=automatedtester,keeler,mossop When the `acceptInsecureCerts` capability is set to true on creating a new Marionette session, a `nsICertOverrideService` override service is installed that causes all invalid TLS certificates to be ignored. This is in line with the expectations of the WebDriver specification. It is worth noting that this is a potential security risk and that this feature is only available in Gecko when the Marionette server is enabled. MozReview-Commit-ID: BXrQw17TgDy --HG-- extra : rebase_source : 023f18b07ffbb53c7dbc588a823c62830f032e3d 2016-11-06 21:03:31 +03:00
Backed out changeset 2e0c2fea2799 (bug 1577428) linting doc failure on a CLOSED TREE --HG-- rename : security/manager/ssl/tests/unit/test_allow_all_cert_errors.js => security/manager/ssl/tests/unit/test_js_cert_override_service.js 2019-09-03 18:25:52 +03:00			`/**`
Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler,ato Differential Revision: https://phabricator.services.mozilla.com/D43931 --HG-- rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js extra : moz-landing-system : lando 2019-09-04 20:17:44 +03:00			`* Disable all security check and allow all certs.`
Backed out changeset 2e0c2fea2799 (bug 1577428) linting doc failure on a CLOSED TREE --HG-- rename : security/manager/ssl/tests/unit/test_allow_all_cert_errors.js => security/manager/ssl/tests/unit/test_js_cert_override_service.js 2019-09-03 18:25:52 +03:00			`*/`
Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler,ato Differential Revision: https://phabricator.services.mozilla.com/D43931 --HG-- rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js extra : moz-landing-system : lando 2019-09-04 20:17:44 +03:00			`allowAllCerts.enable = function() {`
			`// make it possible to register certificate overrides for domains`
			`// that use HSTS or HPKP`
			`Preferences.set(HSTS_PRELOAD_LIST_PREF, false);`
			`Preferences.set(CERT_PINNING_ENFORCEMENT_PREF, 0);`

			`certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(`
			`true`
			`);`
			`};`
Backed out changeset 2e0c2fea2799 (bug 1577428) linting doc failure on a CLOSED TREE --HG-- rename : security/manager/ssl/tests/unit/test_allow_all_cert_errors.js => security/manager/ssl/tests/unit/test_js_cert_override_service.js 2019-09-03 18:25:52 +03:00
Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler,ato Differential Revision: https://phabricator.services.mozilla.com/D43931 --HG-- rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js extra : moz-landing-system : lando 2019-09-04 20:17:44 +03:00			`/**`
			`* Enable all security check.`
			`*/`
			`allowAllCerts.disable = function() {`
			`certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(`
			`false`
			`);`

			`Preferences.reset(HSTS_PRELOAD_LIST_PREF);`
			`Preferences.reset(CERT_PINNING_ENFORCEMENT_PREF);`

			`// clear collected HSTS and HPKP state`
			`// through the site security service`
			`sss.clearAll();`
			`sss.clearPreloads();`
			`};`