Set ignoreHTTPSErrors per context

Author: yury-s

juggler/TargetRegistry.js

@@ -2,6 +2,7 @@ const {EventEmitter} = ChromeUtils.import('resource://gre/modules/EventEmitter.j
 const {Helper} = ChromeUtils.import('chrome://juggler/content/Helper.js');
 const {SimpleChannel} = ChromeUtils.import('chrome://juggler/content/SimpleChannel.js');
 const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const {Preferences} = ChromeUtils.import("resource://gre/modules/Preferences.jsm");
 const {ContextualIdentityService} = ChromeUtils.import("resource://gre/modules/ContextualIdentityService.jsm");
 const {NetUtil} = ChromeUtils.import('resource://gre/modules/NetUtil.jsm');
 const {PageHandler} = ChromeUtils.import("chrome://juggler/content/protocol/PageHandler.js");
@@ -325,6 +326,18 @@ class BrowserContext {
     this.options.scriptsToEvaluateOnNewDocument = [];
     this.options.bindings = [];
     this.pages = new Set();
+
+    if (this.options.ignoreHTTPSErrors) {
+      Preferences.set("network.stricttransportsecurity.preloadlist", false);
+      Preferences.set("security.cert_pinning.enforcement_level", 0);
+
+      const certOverrideService = Cc[
+        "@mozilla.org/security/certoverride;1"
+      ].getService(Ci.nsICertOverrideService);
+      certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+        true, this.userContextId
+      );
+    }
   }
 
   destroy() {

juggler/protocol/Protocol.js

@@ -210,6 +210,7 @@ const Browser = {
         removeOnDetach: t.Optional(t.Boolean),
         userAgent: t.Optional(t.String),
         bypassCSP: t.Optional(t.Boolean),
+        ignoreHTTPSErrors: t.Optional(t.Boolean),
         javaScriptDisabled: t.Optional(t.Boolean),
         viewport: t.Optional(pageTypes.Viewport),
         locale: t.Optional(t.String),

security/manager/ssl/SSLServerCertVerification.cpp

@@ -1296,8 +1296,8 @@ PRErrorCode AuthCertificateParseResults(
         return SEC_ERROR_NO_MEMORY;
       }
       nsresult rv = overrideService->HasMatchingOverride(
-          aHostName, aPort, nssCert, &overrideBits, &isTemporaryOverride,
-          &haveOverride);
+          aHostName, aPort, aOriginAttributes.mUserContextId, nssCert,
+          &overrideBits, &isTemporaryOverride, &haveOverride);
       if (NS_SUCCEEDED(rv) && haveOverride) {
         // remove the errors that are already overriden
         remainingDisplayErrors &= ~overrideBits;

security/manager/ssl/nsCertOverrideService.cpp

@@ -413,13 +413,20 @@ nsCertOverrideService::RememberTemporaryValidityOverrideUsingFingerprint(
 
 NS_IMETHODIMP
 nsCertOverrideService::HasMatchingOverride(const nsACString& aHostName,
-                                           int32_t aPort, nsIX509Cert* aCert,
+                                           int32_t aPort,
+                                           uint32_t aUserContextId,
+                                           nsIX509Cert* aCert,
                                            uint32_t* aOverrideBits,
                                            bool* aIsTemporary, bool* _retval) {
   bool disableAllSecurityCheck = false;
   {
     MutexAutoLock lock(mMutex);
-    disableAllSecurityCheck = mDisableAllSecurityCheck;
+    if (aUserContextId) {
+      disableAllSecurityCheck = mUserContextIdsWithDisabledSecurityChecks.has(
+          aUserContextId);
+    } else {
+      disableAllSecurityCheck = mDisableAllSecurityCheck;
+    }
   }
   if (disableAllSecurityCheck) {
     nsCertOverride::OverrideBits all = nsCertOverride::OverrideBits::Untrusted |
@@ -632,12 +639,21 @@ static bool IsDebugger() {
 
 NS_IMETHODIMP
 nsCertOverrideService::
-    SetDisableAllSecurityChecksAndLetAttackersInterceptMyData(bool aDisable) {
+    SetDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+      bool aDisable, uint32_t aUserContextId) {
   if (false /* juggler hacks */ && !(PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR") || IsDebugger())) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   MutexAutoLock lock(mMutex);
+  if (aUserContextId) {
+    if (aDisable) {
+      mozilla::Unused << mUserContextIdsWithDisabledSecurityChecks.put(aUserContextId);
+    } else {
+      mUserContextIdsWithDisabledSecurityChecks.remove(aUserContextId);
+    }
+    return NS_OK;
+  }
   mDisableAllSecurityCheck = aDisable;
   return NS_OK;
 }

security/manager/ssl/nsCertOverrideService.h

@@ -133,6 +133,7 @@ class nsCertOverrideService final : public nsICertOverrideService,
   ~nsCertOverrideService();
 
   bool mDisableAllSecurityCheck;
+  mozilla::HashSet<uint32_t> mUserContextIdsWithDisabledSecurityChecks;
   mozilla::Mutex mMutex;
   nsCOMPtr<nsIFile> mSettingsFile;
   nsTHashtable<nsCertOverrideEntry> mSettingsTable;

security/manager/ssl/nsICertOverrideService.idl

@@ -98,6 +98,7 @@ interface nsICertOverrideService : nsISupports {
   [must_use]
   boolean hasMatchingOverride(in AUTF8String aHostName,
                               in int32_t aPort,
+                              in uint32_t aUserContextId,
                               in nsIX509Cert aCert,
                               out uint32_t aOverrideBits,
                               out boolean aIsTemporary);
@@ -137,5 +138,7 @@ interface nsICertOverrideService : nsISupports {
    *  @param aDisable If true, disable all security check and make
    *                  hasMatchingOverride always return true.
    */
-  void setDisableAllSecurityChecksAndLetAttackersInterceptMyData(in boolean aDisable);
+  void setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+      in boolean aDisable,
+      [optional] in uint32_t aUserContextId);
 };