Fix sec pref locations and enable HPKP checking by default.

Some prefs were incorrectly in all.js (ocsp and hpkp)
author: wolfbeast <mcwerewolf@gmail.com> 2018-05-29 17:27:27 +0200
committer: wolfbeast <mcwerewolf@gmail.com> 2018-05-29 17:27:27 +0200
commit: f75e1a465d9cfc9abdd8cae6b0b7dc32c3865670 (patch)
tree: 2759cc40bdb00df877d25d3470fc1b074df73910 /netwerk/base
parent: cfc6dc3df142e8e0b34f17ee7aeed5b13a728cce (diff)
download: uxp-f75e1a465d9cfc9abdd8cae6b0b7dc32c3865670.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index 329a4c6b70..5351d7c04d 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -111,6 +111,17 @@ pref("security.ssl.errorReporting.enabled", true);
 pref("security.ssl.errorReporting.url", "https://incoming.telemetry.mozilla.org/submit/sslreports/");
 pref("security.ssl.errorReporting.automatic", false);
 
+// OCSP must-staple
+pref("security.ssl.enable_ocsp_must_staple", true);
+
+// HPKP settings
+
+// Enable pinning checks by default.
+pref("security.cert_pinning.enforcement_level", 2);
+// Do not process hpkp headers rooted by not built in roots by default.
+// This is to prevent accidental pinning from MITM devices and is used
+// for tests.
+pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
 // Impose a maximum age on HPKP headers, to avoid sites getting permanently
 // blacking themselves out by setting a bad pin.  (60 days by default)
 // https://tools.ietf.org/html/rfc7469#section-4.1
author	wolfbeast <mcwerewolf@gmail.com>	2018-05-29 17:27:27 +0200
committer	wolfbeast <mcwerewolf@gmail.com>	2018-05-29 17:27:27 +0200
commit	f75e1a465d9cfc9abdd8cae6b0b7dc32c3865670 (patch)
tree	2759cc40bdb00df877d25d3470fc1b074df73910 /netwerk/base
parent	cfc6dc3df142e8e0b34f17ee7aeed5b13a728cce (diff)
download	uxp-f75e1a465d9cfc9abdd8cae6b0b7dc32c3865670.tar.gz