Bug 1335134 - pref security.mixed_content.send_hsts_priming to false r?mayhemer
MozReview-Commit-ID: DKPmIrEhyo0
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -5538,24 +5538,25 @@ pref("media.block-autoplay-until-in-fore
#ifdef MOZ_STYLO
// Is the Servo-backed style system enabled?
pref("layout.css.servo.enabled", true);
#endif
// HSTS Priming
// If a request is mixed-content, send an HSTS priming request to attempt to
// see if it is available over HTTPS.
-pref("security.mixed_content.send_hsts_priming", true);
#ifdef RELEASE_OR_BETA
// Don't change the order of evaluation of mixed-content and HSTS upgrades in
// order to be most compatible with current standards
+pref("security.mixed_content.send_hsts_priming", false);
pref("security.mixed_content.use_hsts", false);
#else
// Change the order of evaluation so HSTS upgrades happen before
// mixed-content blocking
+pref("security.mixed_content.send_hsts_priming", true);
pref("security.mixed_content.use_hsts", true);
#endif
// Approximately 1 week default cache for HSTS priming failures, in seconds
pref ("security.mixed_content.hsts_priming_cache_timeout", 10080);
// Force the channel to timeout in 3 seconds if we have not received
// expects a time in milliseconds
pref ("security.mixed_content.hsts_priming_request_timeout", 3000);
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -102,19 +102,27 @@ pref("security.ssl.errorReporting.enable
pref("security.ssl.errorReporting.url", "https://incoming.telemetry.mozilla.org/submit/sslreports/");
pref("security.ssl.errorReporting.automatic", false);
// Impose a maximum age on HPKP headers, to avoid sites getting permanently
// blacking themselves out by setting a bad pin. (60 days by default)
// https://tools.ietf.org/html/rfc7469#section-4.1
pref("security.cert_pinning.max_max_age_seconds", 5184000);
+// HSTS Priming
// If a request is mixed-content, send an HSTS priming request to attempt to
// see if it is available over HTTPS.
-pref("security.mixed_content.send_hsts_priming", true);
#ifdef RELEASE_OR_BETA
-// Don't change the order of evaluation of mixed-content and HSTS upgrades
+// Don't change the order of evaluation of mixed-content and HSTS upgrades in
+// order to be most compatible with current standards
+pref("security.mixed_content.send_hsts_priming", false);
pref("security.mixed_content.use_hsts", false);
#else
// Change the order of evaluation so HSTS upgrades happen before
// mixed-content blocking
+pref("security.mixed_content.send_hsts_priming", true);
pref("security.mixed_content.use_hsts", true);
#endif
+// Approximately 1 week default cache for HSTS priming failures, in seconds
+pref ("security.mixed_content.hsts_priming_cache_timeout", 10080);
+// Force the channel to timeout in 3 seconds if we have not received
+// expects a time in milliseconds
+pref ("security.mixed_content.hsts_priming_request_timeout", 3000);