Backed out changeset e2f01ea9db72 (bug 1848815) for bc failure on browser_aboutCertError_mitm.js

browser/components/preferences/privacy.inc.xhtml

@@ -1179,18 +1179,6 @@
               "/>
     </vbox>
   </hbox>
-
-  <hbox id="certEnableThirdPartyToggleBox" align="center">
-    <checkbox id="certEnableThirdPartyToggle"
-              data-l10n-id="certs-thirdparty-toggle"
-              preference="security.enterprise_roots.enabled"
-              class="tail-with-learn-more"
-    />
-    <html:a is="moz-support-link"
-            class="learnMore"
-            support-page="automatically-trust-third-party-certificates"
-    />
-  </hbox>
 </groupbox>
 
 <!-- HTTPS-ONLY Mode -->

browser/components/preferences/privacy.js

@@ -191,8 +191,6 @@ Preferences.addAll([
 
   { id: "security.OCSP.enabled", type: "int" },
 
-  { id: "security.enterprise_roots.enabled", type: "bool" },
-
   // Add-ons, malware, phishing
   { id: "xpinstall.whitelist.required", type: "bool" },
 
@@ -452,19 +450,6 @@ var gPrivacyPane = {
     showQuickActionsGroup();
   },
 
-  _initThirdPartyCertsToggle() {
-    // Third-party certificate import is only implemented for Windows and Mac,
-    // and we should not expose this as a user-configurable setting if there's
-    // an enterprise policy controlling it (either to enable _or_ disable it).
-    let canConfigureThirdPartyCerts =
-      (AppConstants.platform == "win" || AppConstants.platform == "macosx") &&
-      typeof Services.policies.getActivePolicies()?.Certificates
-        ?.ImportEnterpriseRoots == "undefined";
-
-    document.getElementById("certEnableThirdPartyToggleBox").hidden =
-      !canConfigureThirdPartyCerts;
-  },
-
   syncFromHttpsOnlyPref() {
     let httpsOnlyOnPref = Services.prefs.getBoolPref(
       "dom.security.https_only_mode"
@@ -901,7 +886,6 @@ var gPrivacyPane = {
     this.fingerprintingProtectionReadPrefs();
     this.networkCookieBehaviorReadPrefs();
     this._initTrackingProtectionExtensionControl();
-    this._initThirdPartyCertsToggle();
 
     Services.telemetry.setEventRecordingEnabled("privacy.ui.fpp", true);
 

browser/locales/en-US/browser/preferences/preferences.ftl

@@ -1472,10 +1472,6 @@ certs-devices =
     .label = Security Devices…
     .accesskey = D
 
-certs-thirdparty-toggle =
-    .label = Allow { -brand-short-name } to automatically trust third-party root certificates you install
-    .accesskey = t
-
 space-alert-over-5gb-settings-button =
     .label = Open Settings
     .accesskey = O

modules/libpref/init/StaticPrefList.yaml

@@ -13907,7 +13907,7 @@
 # Whether or not to import and trust third party root certificates from the OS.
 - name: security.enterprise_roots.enabled
   type: RelaxedAtomicBool
-  value: true
+  value: false
   mirror: always
 
 - name: security.intermediate_preloading_healer.enabled

security/manager/ssl/nsNSSComponent.cpp

@@ -1156,7 +1156,8 @@ void nsNSSComponent::setValidationOptions(
 
 void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
   MutexAutoLock lock(mMutex);
-  if (!mDefaultCertVerifier) {
+  MOZ_ASSERT(mDefaultCertVerifier);
+  if (NS_WARN_IF(!mDefaultCertVerifier)) {
     return;
   }
 

security/manager/ssl/tests/unit/test_enterprise_roots.js

@@ -69,7 +69,6 @@ add_task(async function run_test() {
     Ci.nsIX509CertDB
   );
   nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
-  await check_some_enterprise_roots_imported(nssComponent, certDB);
   Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
   await check_no_enterprise_roots_imported(nssComponent, certDB);
   Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);