Bug 1848815 - Add a user-facing setting to enable enterprise roots import, and enable it by default. r=keeler,settings-reviewers,fluent-reviewers,desktop-theme-reviewers,flod,Itiel,Gijs,valentin

Differential Revision: https://phabricator.services.mozilla.com/D186236

browser/base/content/test/about/browser_aboutCertError_mitm.js

@@ -18,6 +18,7 @@ add_task(async function checkMitmPriming() {
     set: [
       [PREF_MITM_PRIMING, true],
       [PREF_MITM_PRIMING_ENDPOINT, UNKNOWN_ISSUER],
+      [PREF_ENTERPRISE_ROOTS, false],
     ],
   });
 

browser/components/doh/DoHHeuristics.sys.mjs

@@ -27,7 +27,6 @@ XPCOMUtils.defineLazyServiceGetter(
 
 ChromeUtils.defineESModuleGetters(lazy, {
   DoHConfigController: "resource:///modules/DoHConfig.sys.mjs",
-  Preferences: "resource://gre/modules/Preferences.sys.mjs",
 });
 
 const GLOBAL_CANARY = "use-application-dns.net.";
@@ -53,7 +52,6 @@ export const Heuristics = {
       youtube: safeSearchChecks.youtube,
       zscalerCanary: zscaler,
       canary,
-      modifiedRoots: await modifiedRoots(),
       browserParent: await parentalControls(),
       thirdPartyRoots: await thirdPartyRoots(),
       policy: await enterprisePolicy(),
@@ -135,7 +133,6 @@ export const Heuristics = {
         "youtube",
         "zscalerCanary",
         "canary",
-        "modifiedRoots",
         "browserParent",
         "thirdPartyRoots",
         "policy",
@@ -253,20 +250,6 @@ async function globalCanary() {
   return "enable_doh";
 }
 
-async function modifiedRoots() {
-  // Check for presence of enterprise_roots cert pref. If enabled, disable DoH
-  let rootsEnabled = lazy.Preferences.get(
-    "security.enterprise_roots.enabled",
-    false
-  );
-
-  if (rootsEnabled) {
-    return "disable_doh";
-  }
-
-  return "enable_doh";
-}
-
 export async function parentalControls() {
   if (lazy.gParentalControlsService.parentalControlsEnabled) {
     return "disable_doh";

browser/components/doh/test/browser/browser_providerSteering.js

@@ -80,27 +80,6 @@ add_task(async function testProviderSteering() {
   gDNSOverride.setCnameOverride(TEST_DOMAIN, provider.canonicalName);
   await testNetChangeResult(provider.uri, "enable_doh", provider.id);
 
-  // Set enterprise roots enabled and ensure provider steering is disabled.
-  Preferences.set("security.enterprise_roots.enabled", true);
-  await testNetChangeResult(AUTO_TRR_URI, "disable_doh");
-  checkScalars(
-    [
-      [
-        "networking.doh_heuristics_result",
-        { value: Heuristics.Telemetry.modifiedRoots },
-      ],
-      [
-        "networking.doh_heuristic_ever_tripped",
-        { value: true, key: "modifiedRoots" },
-      ],
-      // All of the other heuristics must be false.
-    ].concat(falseExpectations(["modifiedRoots"]))
-  );
-  Preferences.reset("security.enterprise_roots.enabled");
-
-  // Check that provider steering is enabled again after we reset above.
-  await testNetChangeResult(provider.uri, "enable_doh", provider.id);
-
   // Trigger safesearch heuristics and ensure provider steering is disabled.
   let googleDomain = "google.com.";
   let googleIP = "1.1.1.1";
@@ -117,12 +96,8 @@ add_task(async function testProviderSteering() {
         { value: Heuristics.Telemetry.google },
       ],
       ["networking.doh_heuristic_ever_tripped", { value: true, key: "google" }],
-      [
-        "networking.doh_heuristic_ever_tripped",
-        { value: true, key: "modifiedRoots" },
-      ],
       // All of the other heuristics must be false.
-    ].concat(falseExpectations(["modifiedRoots", "google"]))
+    ].concat(falseExpectations(["google"]))
   );
 
   // Check that provider steering is enabled again after we reset above.
@@ -139,11 +114,7 @@ add_task(async function testProviderSteering() {
         { value: Heuristics.Telemetry.pass },
       ],
       ["networking.doh_heuristic_ever_tripped", { value: true, key: "google" }],
-      [
-        "networking.doh_heuristic_ever_tripped",
-        { value: true, key: "modifiedRoots" },
-      ],
       // All of the other heuristics must be false.
-    ].concat(falseExpectations(["modifiedRoots", "google"]))
+    ].concat(falseExpectations(["google"]))
   );
 });

browser/components/preferences/privacy.inc.xhtml

@@ -1193,6 +1193,18 @@
               "/>
     </vbox>
   </hbox>
+
+  <hbox id="certEnableThirdPartyToggleBox" align="center">
+    <checkbox id="certEnableThirdPartyToggle"
+              data-l10n-id="certs-thirdparty-toggle"
+              preference="security.enterprise_roots.enabled"
+              class="tail-with-learn-more"
+    />
+    <html:a is="moz-support-link"
+            class="learnMore"
+            support-page="automatically-trust-third-party-certificates"
+    />
+  </hbox>
 </groupbox>
 
 <!-- HTTPS-ONLY Mode -->

browser/components/preferences/privacy.js

@@ -195,6 +195,8 @@ Preferences.addAll([
 
   { id: "security.OCSP.enabled", type: "int" },
 
+  { id: "security.enterprise_roots.enabled", type: "bool" },
+
   // Add-ons, malware, phishing
   { id: "xpinstall.whitelist.required", type: "bool" },
 
@@ -458,6 +460,19 @@ var gPrivacyPane = {
     showQuickActionsGroup();
   },
 
+  _initThirdPartyCertsToggle() {
+    // Third-party certificate import is only implemented for Windows and Mac,
+    // and we should not expose this as a user-configurable setting if there's
+    // an enterprise policy controlling it (either to enable _or_ disable it).
+    let canConfigureThirdPartyCerts =
+      (AppConstants.platform == "win" || AppConstants.platform == "macosx") &&
+      typeof Services.policies.getActivePolicies()?.Certificates
+        ?.ImportEnterpriseRoots == "undefined";
+
+    document.getElementById("certEnableThirdPartyToggleBox").hidden =
+      !canConfigureThirdPartyCerts;
+  },
+
   syncFromHttpsOnlyPref() {
     let httpsOnlyOnPref = Services.prefs.getBoolPref(
       "dom.security.https_only_mode"
@@ -894,6 +909,7 @@ var gPrivacyPane = {
     this.fingerprintingProtectionReadPrefs();
     this.networkCookieBehaviorReadPrefs();
     this._initTrackingProtectionExtensionControl();
+    this._initThirdPartyCertsToggle();
 
     Services.telemetry.setEventRecordingEnabled("privacy.ui.fpp", true);
 

browser/locales/en-US/browser/preferences/preferences.ftl

@@ -1477,6 +1477,10 @@ certs-devices =
     .label = Security Devices…
     .accesskey = D
 
+certs-thirdparty-toggle =
+    .label = Allow { -brand-short-name } to automatically trust third-party root certificates you install
+    .accesskey = t
+
 space-alert-over-5gb-settings-button =
     .label = Open Settings
     .accesskey = O

modules/libpref/init/StaticPrefList.yaml

@@ -13812,7 +13812,7 @@
 # Whether or not to import and trust third party root certificates from the OS.
 - name: security.enterprise_roots.enabled
   type: RelaxedAtomicBool
-  value: false
+  value: true
   mirror: always
 
 - name: security.intermediate_preloading_healer.enabled

security/manager/ssl/nsNSSComponent.cpp

@@ -1156,8 +1156,7 @@ void nsNSSComponent::setValidationOptions(
 
 void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
   MutexAutoLock lock(mMutex);
-  MOZ_ASSERT(mDefaultCertVerifier);
-  if (NS_WARN_IF(!mDefaultCertVerifier)) {
+  if (!mDefaultCertVerifier) {
     return;
   }
 

security/manager/ssl/tests/unit/test_enterprise_roots.js

@@ -69,6 +69,7 @@ add_task(async function run_test() {
     Ci.nsIX509CertDB
   );
   nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
+  await check_some_enterprise_roots_imported(nssComponent, certDB);
   Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
   await check_no_enterprise_roots_imported(nssComponent, certDB);
   Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);