Bug 1335134 - pref security.mixed_content.send_hsts_priming to false r?mayhemer draft
authorKate McKinley <kmckinley@mozilla.com>
Mon, 30 Jan 2017 11:28:51 -0800
changeset 468148 54c5d4972cf40735198ce3a0b6f63feb2abdc03b
parent 468147 531b72b93b87a4852a4103088810e4043e49d71c
child 543860 f3ff04919bcde3cb1f6f24c83be6f20962a814c7
push id43366
push userbmo:kmckinley@mozilla.com
push dateMon, 30 Jan 2017 19:52:02 +0000
reviewersmayhemer
bugs1335134
milestone54.0a1
Bug 1335134 - pref security.mixed_content.send_hsts_priming to false r?mayhemer MozReview-Commit-ID: DKPmIrEhyo0
modules/libpref/init/all.js
netwerk/base/security-prefs.js
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -5538,24 +5538,25 @@ pref("media.block-autoplay-until-in-fore
 #ifdef MOZ_STYLO
 // Is the Servo-backed style system enabled?
 pref("layout.css.servo.enabled", true);
 #endif
 
 // HSTS Priming
 // If a request is mixed-content, send an HSTS priming request to attempt to
 // see if it is available over HTTPS.
-pref("security.mixed_content.send_hsts_priming", true);
 #ifdef RELEASE_OR_BETA
 // Don't change the order of evaluation of mixed-content and HSTS upgrades in
 // order to be most compatible with current standards
+pref("security.mixed_content.send_hsts_priming", false);
 pref("security.mixed_content.use_hsts", false);
 #else
 // Change the order of evaluation so HSTS upgrades happen before
 // mixed-content blocking
+pref("security.mixed_content.send_hsts_priming", true);
 pref("security.mixed_content.use_hsts", true);
 #endif
 // Approximately 1 week default cache for HSTS priming failures, in seconds
 pref ("security.mixed_content.hsts_priming_cache_timeout", 10080);
 // Force the channel to timeout in 3 seconds if we have not received
 // expects a time in milliseconds
 pref ("security.mixed_content.hsts_priming_request_timeout", 3000);
 
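Review bot: After this hunk `security.mixed_content.send_hsts_priming` (and, via the second hunk, the two `hsts_priming_*` timeout prefs) is defined with identical values in both modules/libpref/init/all.js and netwerk/base/security-prefs.js, so the copies have to be kept in sync by hand and whichever file libpref evaluates last silently decides the effective value. Consider keeping the definition in one file, or at least marking each copy with a pointer to the other, e.g. `// Keep in sync with netwerk/base/security-prefs.js`. The commit title says the pref is set to false, but the hunk only does so inside `#ifdef RELEASE_OR_BETA` while the `#else` branch keeps `true`, which the commit message should state explicitly.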
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -102,19 +102,27 @@ pref("security.ssl.errorReporting.enable
 pref("security.ssl.errorReporting.url", "https://incoming.telemetry.mozilla.org/submit/sslreports/");
 pref("security.ssl.errorReporting.automatic", false);
 
 // Impose a maximum age on HPKP headers, to avoid sites getting permanently
 // blacking themselves out by setting a bad pin.  (60 days by default)
 // https://tools.ietf.org/html/rfc7469#section-4.1
 pref("security.cert_pinning.max_max_age_seconds", 5184000);
 
+// HSTS Priming
 // If a request is mixed-content, send an HSTS priming request to attempt to
 // see if it is available over HTTPS.
-pref("security.mixed_content.send_hsts_priming", true);
 #ifdef RELEASE_OR_BETA
-// Don't change the order of evaluation of mixed-content and HSTS upgrades
+// Don't change the order of evaluation of mixed-content and HSTS upgrades in
+// order to be most compatible with current standards
+pref("security.mixed_content.send_hsts_priming", false);
 pref("security.mixed_content.use_hsts", false);
 #else
 // Change the order of evaluation so HSTS upgrades happen before
 // mixed-content blocking
+pref("security.mixed_content.send_hsts_priming", true);
 pref("security.mixed_content.use_hsts", true);
 #endif
+// Approximately 1 week default cache for HSTS priming failures, in seconds
+pref ("security.mixed_content.hsts_priming_cache_timeout", 10080);
+// Force the channel to timeout in 3 seconds if we have not received
+// expects a time in milliseconds
+pref ("security.mixed_content.hsts_priming_request_timeout", 3000);
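Review bot: The added comment for `hsts_priming_cache_timeout` says the value is in seconds, but 10080 is the number of minutes in a week (7 × 24 × 60); one week in seconds would be 604800. Which side is wrong depends on how the consumer of the pref interprets it — if it really reads seconds, priming failures are negatively cached for roughly 2.8 hours rather than a week — so please confirm against the code that reads the pref and correct either the comment or the value (the same comment and value appear as context in the all.js hunk). The request-timeout comment is also truncated; `// Force the channel to timeout in 3 seconds if we have not received` should finish the sentence, e.g. `// Force the channel to timeout in 3 seconds if we have not received a response;`. The two `pref (` calls have a space before the parenthesis, unlike every other `pref(` in the file.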