| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/C/Firefox/browser/components/enterprisepolicies/ (Browser von der Mozilla Stiftung Version 136.0.1©) Datei vom 10.2.2025 mit Größe 93 kB |
|
Quelle Policies.sys.mjs Sprache: unbekannt |
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs"; import { AppConstants } from "resource://gre/modules/AppConstants.sys.mjs"; const lazy = {}; XPCOMUtils.defineLazyServiceGetters(lazy, { gCertDB: ["@mozilla.org/security/x509certdb;1", "nsIX509CertDB"], gExternalProtocolService: [ "@mozilla.org/uriloader/external-protocol-service;1", "nsIExternalProtocolService", ], gHandlerService: [ "@mozilla.org/uriloader/handler-service;1", "nsIHandlerService", ], gMIMEService: ["@mozilla.org/mime;1", "nsIMIMEService"], }); ChromeUtils.defineESModuleGetters(lazy, { AddonManager: "resource://gre/modules/AddonManager.sys.mjs", BookmarksPolicies: "resource:///modules/policies/BookmarksPolicies.sys.mjs", CustomizableUI: "resource:///modules/CustomizableUI.sys.mjs", FileUtils: "resource://gre/modules/FileUtils.sys.mjs", ProxyPolicies: "resource:///modules/policies/ProxyPolicies.sys.mjs", UrlbarPrefs: "resource:///modules/UrlbarPrefs.sys.mjs", WebsiteFilter: "resource:///modules/policies/WebsiteFilter.sys.mjs", }); const PREF_LOGLEVEL = "browser.policies.loglevel"; const BROWSER_DOCUMENT_URL = AppConstants.BROWSER_CHROME_URL; const ABOUT_CONTRACT = "@mozilla.org/network/protocol/about;1?what="; const isXpcshell = Services.env.exists("XPCSHELL_TEST_PROFILE_DIR"); ChromeUtils.defineLazyGetter(lazy, "log", () => { let { ConsoleAPI } = ChromeUtils.importESModule( "resource://gre/modules/Console.sys.mjs" ); return new ConsoleAPI({ prefix: "Policies", // tip: set maxLogLevel to "debug" and use log.debug() to create detailed // messages during development. See LOG_LEVELS in Console.sys.mjs for details. maxLogLevel: "error", maxLogLevelPref: PREF_LOGLEVEL, }); }); /* * ============================ * = POLICIES IMPLEMENTATIONS = * ============================ * * The Policies object below is where the implementation for each policy * happens. An object for each policy should be defined, containing * callback functions that will be called by the engine. * * See the _callbacks object in EnterprisePolicies.js for the list of * possible callbacks and an explanation of each. * * Each callback will be called with two parameters: * - manager * This is the EnterprisePoliciesManager singleton object from * EnterprisePolicies.js * * - param * The parameter defined for this policy in policies-schema.json. * It will be different for each policy. It could be a boolean, * a string, an array or a complex object. All parameters have * been validated according to the schema, and no unknown * properties will be present on them. * * The callbacks will be bound to their parent policy object. */ export var Policies = { // Used for cleaning up policies. // Use the same timing that you used for setting up the policy. _cleanup: { onBeforeAddons() { if (Cu.isInAutomation || isXpcshell) { console.log("_cleanup from onBeforeAddons"); clearBlockedAboutPages(); } }, onProfileAfterChange() { if (Cu.isInAutomation || isXpcshell) { console.log("_cleanup from onProfileAfterChange"); } }, onBeforeUIStartup() { if (Cu.isInAutomation || isXpcshell) { console.log("_cleanup from onBeforeUIStartup"); } }, onAllWindowsRestored() { if (Cu.isInAutomation || isXpcshell) { console.log("_cleanup from onAllWindowsRestored"); } }, }, "3rdparty": { onBeforeAddons(manager, param) { manager.setExtensionPolicies(param.Extensions); }, }, AllowedDomainsForApps: { onBeforeAddons(manager, param) { Services.obs.addObserver(function (subject) { let channel = subject.QueryInterface(Ci.nsIHttpChannel); if (channel.URI.host.endsWith(".google.com")) { channel.setRequestHeader("X-GoogApps-Allowed-Domains", param, true); } }, "http-on-modify-request"); }, }, AllowFileSelectionDialogs: { onBeforeUIStartup(manager, param) { if (!param) { setAndLockPref("widget.disable_file_pickers", true); setAndLockPref("browser.download.useDownloadDir", true); manager.disallowFeature("filepickers"); } }, }, AppAutoUpdate: { onBeforeUIStartup(manager, param) { // Logic feels a bit reversed here, but it's correct. If AppAutoUpdate is // true, we disallow turning off auto updating, and visa versa. if (param) { manager.disallowFeature("app-auto-updates-off"); } else { manager.disallowFeature("app-auto-updates-on"); } }, }, AppUpdatePin: { validate(param) { // This is the version when pinning was introduced. Attempting to set a // pin before this will not work, because Balrog's pinning table will // never have the necessary entry. const earliestPinMajorVersion = 102; const earliestPinMinorVersion = 0; let pinParts = param.split("."); if (pinParts.length < 2) { lazy.log.error("AppUpdatePin has too few dots."); return false; } if (pinParts.length > 3) { lazy.log.error("AppUpdatePin has too many dots."); return false; } const trailingPinPart = pinParts.pop(); if (trailingPinPart != "") { lazy.log.error("AppUpdatePin does not end with a trailing dot."); return false; } const pinMajorVersionStr = pinParts.shift(); if (!pinMajorVersionStr.length) { lazy.log.error("AppUpdatePin's major version is empty."); return false; } if (!/^\d+$/.test(pinMajorVersionStr)) { lazy.log.error( "AppUpdatePin's major version contains a non-numeric character." ); return false; } if (/^0/.test(pinMajorVersionStr)) { lazy.log.error("AppUpdatePin's major version contains a leading 0."); return false; } const pinMajorVersionInt = parseInt(pinMajorVersionStr, 10); if (isNaN(pinMajorVersionInt)) { lazy.log.error( "AppUpdatePin's major version could not be parsed to an integer." ); return false; } if (pinMajorVersionInt < earliestPinMajorVersion) { lazy.log.error( `AppUpdatePin must not be earlier than '${earliestPinMajorVersion}.${earliestPinMinorV ); return false; } if (pinParts.length) { const pinMinorVersionStr = pinParts.shift(); if (!pinMinorVersionStr.length) { lazy.log.error("AppUpdatePin's minor version is empty."); return false; } if (!/^\d+$/.test(pinMinorVersionStr)) { lazy.log.error( "AppUpdatePin's minor version contains a non-numeric character." ); return false; } if (/^0\d/.test(pinMinorVersionStr)) { lazy.log.error("AppUpdatePin's minor version contains a leading 0."); return false; } const pinMinorVersionInt = parseInt(pinMinorVersionStr, 10); if (isNaN(pinMinorVersionInt)) { lazy.log.error( "AppUpdatePin's minor version could not be parsed to an integer." ); return false; } if ( pinMajorVersionInt == earliestPinMajorVersion && pinMinorVersionInt < earliestPinMinorVersion ) { lazy.log.error( `AppUpdatePin must not be earlier than '${earliestPinMajorVersion}.${earliestPinMinorV ); return false; } } return true; }, // No additional implementation needed here. UpdateService.sys.mjs will check // for this policy directly when determining the update URL. }, AppUpdateURL: { // No implementation needed here. UpdateService.sys.mjs will check for this // policy directly when determining the update URL. }, Authentication: { onBeforeAddons(manager, param) { // When Authentication was originally implemented, it was always // locked, so it defaults to locked. let locked = true; if ("Locked" in param) { locked = param.Locked; } if ("SPNEGO" in param) { PoliciesUtils.setDefaultPref( "network.negotiate-auth.trusted-uris", param.SPNEGO.join(", "), locked ); } if ("Delegated" in param) { PoliciesUtils.setDefaultPref( "network.negotiate-auth.delegation-uris", param.Delegated.join(", "), locked ); } if ("NTLM" in param) { PoliciesUtils.setDefaultPref( "network.automatic-ntlm-auth.trusted-uris", param.NTLM.join(", "), locked ); } if ("AllowNonFQDN" in param) { if ("NTLM" in param.AllowNonFQDN) { PoliciesUtils.setDefaultPref( "network.automatic-ntlm-auth.allow-non-fqdn", param.AllowNonFQDN.NTLM, locked ); } if ("SPNEGO" in param.AllowNonFQDN) { PoliciesUtils.setDefaultPref( "network.negotiate-auth.allow-non-fqdn", param.AllowNonFQDN.SPNEGO, locked ); } } if ("AllowProxies" in param) { if ("NTLM" in param.AllowProxies) { PoliciesUtils.setDefaultPref( "network.automatic-ntlm-auth.allow-proxies", param.AllowProxies.NTLM, locked ); } if ("SPNEGO" in param.AllowProxies) { PoliciesUtils.setDefaultPref( "network.negotiate-auth.allow-proxies", param.AllowProxies.SPNEGO, locked ); } } if ("PrivateBrowsing" in param) { PoliciesUtils.setDefaultPref( "network.auth.private-browsing-sso", param.PrivateBrowsing, locked ); } }, }, AutofillAddressEnabled: { onBeforeAddons(manager, param) { setAndLockPref("extensions.formautofill.addresses.enabled", param); }, }, AutofillCreditCardEnabled: { onBeforeAddons(manager, param) { setAndLockPref("extensions.formautofill.creditCards.enabled", param); }, }, AutoLaunchProtocolsFromOrigins: { onBeforeAddons(manager, param) { for (let info of param) { addAllowDenyPermissions( `open-protocol-handler^${info.protocol}`, info.allowed_origins ); } }, }, BackgroundAppUpdate: { onBeforeAddons(manager, param) { if (param) { manager.disallowFeature("app-background-update-off"); } else { manager.disallowFeature("app-background-update-on"); } }, }, BlockAboutAddons: { onBeforeUIStartup(manager, param) { if (param) { blockAboutPage(manager, "about:addons", true); } }, }, BlockAboutConfig: { onBeforeUIStartup(manager, param) { if (param) { blockAboutPage(manager, "about:config"); setAndLockPref("devtools.chrome.enabled", false); } }, }, BlockAboutProfiles: { onBeforeUIStartup(manager, param) { if (param) { blockAboutPage(manager, "about:profiles"); } }, }, BlockAboutSupport: { onBeforeUIStartup(manager, param) { if (param) { blockAboutPage(manager, "about:support"); manager.disallowFeature("aboutSupport"); } }, }, Bookmarks: { onAllWindowsRestored(manager, param) { lazy.BookmarksPolicies.processBookmarks(param); }, }, CaptivePortal: { onBeforeAddons(manager, param) { setAndLockPref("network.captive-portal-service.enabled", param); }, }, Certificates: { onBeforeAddons(manager, param) { if ("ImportEnterpriseRoots" in param) { setAndLockPref( "security.enterprise_roots.enabled", param.ImportEnterpriseRoots ); } if ("Install" in param) { (async () => { let dirs = []; let platform = AppConstants.platform; if (platform == "win") { dirs = [ // Ugly, but there is no official way to get %USERNAME\AppData\Roaming\Mozilla. Services.dirsvc.get("XREUSysExt", Ci.nsIFile).parent, // Even more ugly, but there is no official way to get %USERNAME\AppData\Local\Mozilla. Services.dirsvc.get("DefProfLRt", Ci.nsIFile).parent.parent, ]; } else if (platform == "macosx" || platform == "linux") { dirs = [ // These two keys are named wrong. They return the Mozilla directory. Services.dirsvc.get("XREUserNativeManifests", Ci.nsIFile), Services.dirsvc.get("XRESysNativeManifests", Ci.nsIFile), ]; } dirs.unshift(Services.dirsvc.get("XREAppDist", Ci.nsIFile)); for (let certfilename of param.Install) { let certfile; try { certfile = Cc["@mozilla.org/file/local;1"].createInstance( Ci.nsIFile ); certfile.initWithPath(certfilename); } catch (e) { for (let dir of dirs) { certfile = dir.clone(); certfile.append( platform == "linux" ? "certificates" : "Certificates" ); certfile.append(certfilename); if (certfile.exists()) { break; } } } let file; try { file = await File.createFromNsIFile(certfile); } catch (e) { lazy.log.error(`Unable to find certificate - ${certfilename}`); continue; } let reader = new FileReader(); reader.onloadend = function () { if (reader.readyState != reader.DONE) { lazy.log.error(`Unable to read certificate - ${certfile.path}`); return; } let certFile = reader.result; let certFileArray = []; for (let i = 0; i < certFile.length; i++) { certFileArray.push(certFile.charCodeAt(i)); } let cert; try { cert = lazy.gCertDB.constructX509(certFileArray); } catch (e) { lazy.log.debug( `constructX509 failed with error '${e}' - trying constructX509FromBase64.` ); try { // It might be PEM instead of DER. cert = lazy.gCertDB.constructX509FromBase64( pemToBase64(certFile) ); } catch (ex) { lazy.log.error( `Unable to add certificate - ${certfile.path}`, ex ); } } if (cert) { if ( lazy.gCertDB.isCertTrusted( cert, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.TRUSTED_SSL ) ) { // Certificate is already installed. return; } try { lazy.gCertDB.addCert(certFile, "CT,CT,"); } catch (e) { // It might be PEM instead of DER. lazy.gCertDB.addCertFromBase64( pemToBase64(certFile), "CT,CT," ); } } }; reader.readAsBinaryString(file); } })(); } }, }, Containers: { // Queried directly by ContextualIdentityService.sys.mjs }, ContentAnalysis: { onBeforeAddons(manager, param) { if ("PipePathName" in param) { setAndLockPref( "browser.contentanalysis.pipe_path_name", param.PipePathName ); } if ("AgentTimeout" in param) { if (!Number.isInteger(param.AgentTimeout)) { lazy.log.error( `Non-integer value for AgentTimeout: ${param.AgentTimeout}` ); } else { setAndLockPref( "browser.contentanalysis.agent_timeout", param.AgentTimeout ); } } if ("AllowUrlRegexList" in param) { setAndLockPref( "browser.contentanalysis.allow_url_regex_list", param.AllowUrlRegexList ); } if ("DenyUrlRegexList" in param) { setAndLockPref( "browser.contentanalysis.deny_url_regex_list", param.DenyUrlRegexList ); } if ("AgentName" in param) { setAndLockPref("browser.contentanalysis.agent_name", param.AgentName); } if ("ClientSignature" in param) { setAndLockPref( "browser.contentanalysis.client_signature", param.ClientSignature ); } if ("DefaultResult" in param) { if ( !Number.isInteger(param.DefaultResult) || param.DefaultResult < 0 || param.DefaultResult > 2 ) { lazy.log.error( `Non-integer or out of range value for DefaultResult: ${param.DefaultResult}` ); } else { setAndLockPref( "browser.contentanalysis.default_result", param.DefaultResult ); } } let boolPrefs = [ ["IsPerUser", "is_per_user"], ["ShowBlockedResult", "show_blocked_result"], ["BypassForSameTabOperations", "bypass_for_same_tab_operations"], ]; for (let pref of boolPrefs) { if (pref[0] in param) { setAndLockPref( `browser.contentanalysis.${pref[1]}`, !!param[pref[0]] ); } } let interceptionPointPrefs = [ ["Clipboard", "clipboard"], ["DragAndDrop", "drag_and_drop"], ["FileUpload", "file_upload"], ["Print", "print"], ]; if ("InterceptionPoints" in param) { for (let pref of interceptionPointPrefs) { // Need to set and lock this value even if the enterprise // policy isn't set so users can't change it let value = true; if (pref[0] in param.InterceptionPoints) { if ("Enabled" in param.InterceptionPoints[pref[0]]) { value = !!param.InterceptionPoints[pref[0]].Enabled; } } setAndLockPref( `browser.contentanalysis.interception_point.${pref[1]}.enabled`, value ); } } if ("Enabled" in param) { let enabled = !!param.Enabled; setAndLockPref("browser.contentanalysis.enabled", enabled); let ca = Cc["@mozilla.org/contentanalysis;1"].getService( Ci.nsIContentAnalysis ); ca.isSetByEnterprisePolicy = true; } }, }, Cookies: { onBeforeUIStartup(manager, param) { addAllowDenyPermissions("cookie", param.Allow, param.Block); if (param.AllowSession) { for (let origin of param.AllowSession) { try { Services.perms.addFromPrincipal( Services.scriptSecurityManager.createContentPrincipalFromOrigin( origin ), "cookie", Ci.nsICookiePermission.ACCESS_SESSION, Ci.nsIPermissionManager.EXPIRE_POLICY ); } catch (ex) { lazy.log.error( `Unable to add cookie session permission - ${origin.href}` ); } } } if (param.Block) { const hosts = param.Block.map(url => url.hostname) .sort() .join("\n"); runOncePerModification("clearCookiesForBlockedHosts", hosts, () => { for (let blocked of param.Block) { Services.cookies.removeCookiesWithOriginAttributes( "{}", blocked.hostname ); } }); } if (param.ExpireAtSessionEnd != undefined) { lazy.log.error( "'ExpireAtSessionEnd' has been deprecated and it has no effect anymore." ); } // New Cookie Behavior option takes precendence let defaultPref = Services.prefs.getDefaultBranch(""); let newCookieBehavior = defaultPref.getIntPref( "network.cookie.cookieBehavior" ); let newCookieBehaviorPB = defaultPref.getIntPref( "network.cookie.cookieBehavior.pbmode" ); if ("Behavior" in param || "BehaviorPrivateBrowsing" in param) { let behaviors = { accept: Ci.nsICookieService.BEHAVIOR_ACCEPT, "reject-foreign": Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN, reject: Ci.nsICookieService.BEHAVIOR_REJECT, "limit-foreign": Ci.nsICookieService.BEHAVIOR_LIMIT_FOREIGN, "reject-tracker": Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER, "reject-tracker-and-partition-foreign": Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN, }; if ("Behavior" in param) { newCookieBehavior = behaviors[param.Behavior]; } if ("BehaviorPrivateBrowsing" in param) { newCookieBehaviorPB = behaviors[param.BehaviorPrivateBrowsing]; } } else { // Default, AcceptThirdParty, and RejectTracker are being // deprecated in favor of Behavior. They will continue // to be supported, though. if ( param.Default !== undefined || param.AcceptThirdParty !== undefined || param.RejectTracker !== undefined || param.Locked ) { newCookieBehavior = Ci.nsICookieService.BEHAVIOR_ACCEPT; if (param.Default !== undefined && !param.Default) { newCookieBehavior = Ci.nsICookieService.BEHAVIOR_REJECT; } else if (param.AcceptThirdParty) { if (param.AcceptThirdParty == "never") { newCookieBehavior = Ci.nsICookieService.BEHAVIOR_REJECT_FOREIGN; } else if (param.AcceptThirdParty == "from-visited") { newCookieBehavior = Ci.nsICookieService.BEHAVIOR_LIMIT_FOREIGN; } } else if (param.RejectTracker) { newCookieBehavior = Ci.nsICookieService.BEHAVIOR_REJECT_TRACKER; } } // With the old cookie policy, we made private browsing the same. newCookieBehaviorPB = newCookieBehavior; } // We set the values no matter what just in case the policy was only used to lock. PoliciesUtils.setDefaultPref( "network.cookie.cookieBehavior", newCookieBehavior, param.Locked ); PoliciesUtils.setDefaultPref( "network.cookie.cookieBehavior.pbmode", newCookieBehaviorPB, param.Locked ); }, }, DefaultDownloadDirectory: { onBeforeAddons(manager, param) { PoliciesUtils.setDefaultPref( "browser.download.dir", replacePathVariables(param) ); }, }, DisableAccounts: { onBeforeAddons(manager, param) { if (param) { setAndLockPref("identity.fxaccounts.enabled", false); setAndLockPref("browser.aboutwelcome.enabled", false); } }, }, DisableAppUpdate: { onBeforeAddons(manager, param) { if (param) { manager.disallowFeature("appUpdate"); } }, }, DisableBuiltinPDFViewer: { onBeforeAddons(manager, param) { if (param) { setAndLockPref("pdfjs.disabled", true); } }, }, DisabledCiphers: { onBeforeAddons(manager, param) { let cipherPrefs = { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: "security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: "security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: "security.ssl3.ecdhe_rsa_aes_256_gcm_sha384", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "security.ssl3.ecdhe_rsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: "security.ssl3.ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "security.ssl3.ecdhe_rsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: "security.ssl3.ecdhe_ecdsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA: "security.ssl3.dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA: "security.ssl3.dhe_rsa_aes_256_sha", TLS_RSA_WITH_AES_128_GCM_SHA256: "security.ssl3.rsa_aes_128_gcm_sha256", TLS_RSA_WITH_AES_256_GCM_SHA384: "security.ssl3.rsa_aes_256_gcm_sha384", TLS_RSA_WITH_AES_128_CBC_SHA: "security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_256_CBC_SHA: "security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA: "security.ssl3.deprecated.rsa_des_ede3_sha", }; for (let cipher in param) { setAndLockPref(cipherPrefs[cipher], !param[cipher]); } }, }, DisableDefaultBrowserAgent: { // The implementation of this policy is in the default browser agent itself // (/toolkit/mozapps/defaultagent); we need an entry for it here so that it // shows up in about:policies as a real policy and not as an error. }, DisableDeveloperTools: { onBeforeAddons(manager, param) { if (param) { setAndLockPref("devtools.policy.disabled", true); setAndLockPref("devtools.chrome.enabled", false); manager.disallowFeature("devtools"); blockAboutPage(manager, "about:debugging"); blockAboutPage(manager, "about:devtools-toolbox"); blockAboutPage(manager, "about:profiling"); } }, }, DisableEncryptedClientHello: { onBeforeAddons(manager, param) { if (param) { setAndLockPref("network.dns.echconfig.enabled", false); setAndLockPref("network.dns.http3_echconfig.enabled", false); } }, }, DisableFeedbackCommands: { onBeforeUIStartup(manager, param) { if (param) { manager.disallowFeature("feedbackCommands"); } }, }, DisableFirefoxAccounts: { onBeforeAddons(manager, param) { // If DisableAccounts is set, let it take precedence. if ("DisableAccounts" in manager.getActivePolicies()) { return; } if (param) { setAndLockPref("identity.fxaccounts.enabled", false); setAndLockPref("browser.aboutwelcome.enabled", false); } }, }, DisableFirefoxScreenshots: { onBeforeAddons(manager, param) { if (param) { setAndLockPref("extensions.screenshots.disabled", true); } }, }, DisableFirefoxStudies: { onBeforeAddons(manager, param) { if (param) { manager.disallowFeature("Shield"); setAndLockPref( "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false ); setAndLockPref( "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false ); } }, }, DisableForgetButton: { onProfileAfterChange(manager, param) { if (param) { setAndLockPref("privacy.panicButton.enabled", false); } }, }, DisableFormHistory: { onBeforeUIStartup(manager, param) { if (param) { setAndLockPref("browser.formfill.enable", false); } }, }, DisableMasterPasswordCreation: { onBeforeUIStartup(manager, param) { if (param) { manager.disallowFeature("createMasterPassword"); } }, }, DisablePasswordReveal: { onBeforeUIStartup(manager, param) { if (param) { manager.disallowFeature("passwordReveal"); } }, }, DisablePocket: { onBeforeAddons(manager, param) { if (param) { setAndLockPref("extensions.pocket.enabled", false); } }, }, DisablePrivateBrowsing: { onBeforeAddons(manager, param) { if (param) { manager.disallowFeature("privatebrowsing"); blockAboutPage(manager, "about:privatebrowsing", true); setAndLockPref("browser.privatebrowsing.autostart", false); } }, }, DisableProfileImport: { onBeforeUIStartup(manager, param) { if (param) { manager.disallowFeature("profileImport"); setAndLockPref( "browser.newtabpage.activity-stream.migrationExpired", true ); } }, }, DisableProfileRefresh: { onBeforeUIStartup(manager, param) { if (param) { manager.disallowFeature("profileRefresh"); setAndLockPref("browser.disableResetPrompt", true); } }, }, DisableSafeMode: { onBeforeUIStartup(manager, param) { if (param) { manager.disallowFeature("safeMode"); } }, }, DisableSecurityBypass: { onBeforeUIStartup(manager, param) { if ("InvalidCertificate" in param) { setAndLockPref( "security.certerror.hideAddException", param.InvalidCertificate ); } if ("SafeBrowsing" in param) { setAndLockPref( "browser.safebrowsing.allowOverride", !param.SafeBrowsing ); } }, }, DisableSetDesktopBackground: { onBeforeUIStartup(manager, param) { if (param) { manager.disallowFeature("setDesktopBackground"); } }, }, DisableSystemAddonUpdate: { onBeforeAddons(manager, param) { if (param) { manager.disallowFeature("SysAddonUpdate"); } }, }, DisableTelemetry: { onBeforeAddons(manager, param) { if (param) { setAndLockPref("datareporting.healthreport.uploadEnabled", false); setAndLockPref("datareporting.policy.dataSubmissionEnabled", false); setAndLockPref("toolkit.telemetry.archive.enabled", false); blockAboutPage(manager, "about:telemetry"); } }, }, DisableThirdPartyModuleBlocking: { onBeforeUIStartup(manager, param) { if (param) { manager.disallowFeature("thirdPartyModuleBlocking"); } }, }, DisplayBookmarksToolbar: { onBeforeUIStartup(manager, param) { let visibility; if (typeof param === "boolean") { visibility = param ? "always" : "newtab"; } else { visibility = param; } // This policy is meant to change the default behavior, not to force it. // If this policy was already applied and the user chose to re-hide the // bookmarks toolbar, do not show it again. runOncePerModification("displayBookmarksToolbar", visibility, () => { let visibilityPref = "browser.toolbars.bookmarks.visibility"; Services.prefs.setCharPref(visibilityPref, visibility); }); }, }, DisplayMenuBar: { onBeforeUIStartup(manager, param) { let value; if ( typeof param === "boolean" || param == "default-on" || param == "default-off" ) { switch (param) { case "default-on": value = "false"; break; case "default-off": value = "true"; break; default: value = (!param).toString(); break; } // This policy is meant to change the default behavior, not to force it. // If this policy was already applied and the user chose to re-hide the // menu bar, do not show it again. runOncePerModification("displayMenuBar", value, () => { Services.xulStore.setValue( BROWSER_DOCUMENT_URL, "toolbar-menubar", "autohide", value ); }); } else { switch (param) { case "always": value = "false"; break; case "never": // Make sure Alt key doesn't show the menubar setAndLockPref("ui.key.menuAccessKeyFocuses", false); value = "true"; break; } Services.xulStore.setValue( BROWSER_DOCUMENT_URL, "toolbar-menubar", "autohide", value ); manager.disallowFeature("hideShowMenuBar"); } }, }, DNSOverHTTPS: { onBeforeAddons(manager, param) { if ("Enabled" in param) { let mode = param.Enabled ? 2 : 5; // Fallback only matters if DOH is enabled. if (param.Fallback === false) { mode = 3; } PoliciesUtils.setDefaultPref("network.trr.mode", mode, param.Locked); } if ("ProviderURL" in param) { PoliciesUtils.setDefaultPref( "network.trr.uri", param.ProviderURL.href, param.Locked ); } if ("ExcludedDomains" in param) { PoliciesUtils.setDefaultPref( "network.trr.excluded-domains", param.ExcludedDomains.join(","), param.Locked ); } }, }, DontCheckDefaultBrowser: { onBeforeUIStartup(manager, param) { setAndLockPref("browser.shell.checkDefaultBrowser", !param); }, }, DownloadDirectory: { onBeforeAddons(manager, param) { setAndLockPref("browser.download.dir", replacePathVariables(param)); // If a custom download directory is being used, just lock folder list to 2. setAndLockPref("browser.download.folderList", 2); // Per Chrome spec, user can't choose to download every time // if this is set. setAndLockPref("browser.download.useDownloadDir", true); }, }, EnableTrackingProtection: { onBeforeUIStartup(manager, param) { if (param.Value) { PoliciesUtils.setDefaultPref( "privacy.trackingprotection.enabled", true, param.Locked ); PoliciesUtils.setDefaultPref( "privacy.trackingprotection.pbmode.enabled", true, param.Locked ); } else { setAndLockPref("privacy.trackingprotection.enabled", false); setAndLockPref("privacy.trackingprotection.pbmode.enabled", false); } if ("Cryptomining" in param) { PoliciesUtils.setDefaultPref( "privacy.trackingprotection.cryptomining.enabled", param.Cryptomining, param.Locked ); } if ("Fingerprinting" in param) { PoliciesUtils.setDefaultPref( "privacy.trackingprotection.fingerprinting.enabled", param.Fingerprinting, param.Locked ); } if ("EmailTracking" in param) { PoliciesUtils.setDefaultPref( "privacy.trackingprotection.emailtracking.enabled", param.EmailTracking, param.Locked ); PoliciesUtils.setDefaultPref( "privacy.trackingprotection.emailtracking.pbmode.enabled", param.EmailTracking, param.Locked ); } if ("Exceptions" in param) { addAllowDenyPermissions("trackingprotection", param.Exceptions); } }, }, EncryptedMediaExtensions: { onBeforeAddons(manager, param) { if ("Enabled" in param) { PoliciesUtils.setDefaultPref( "media.eme.enabled", param.Enabled, param.Locked ); } }, }, ExemptDomainFileTypePairsFromFileTypeDownloadWarnings: { // This policy is handled directly in EnterprisePoliciesParent.sys.mjs // and requires no validation (It's done by the schema). }, Extensions: { onBeforeUIStartup(manager, param) { let uninstallingPromise = Promise.resolve(); if ("Uninstall" in param) { uninstallingPromise = runOncePerModification( "extensionsUninstall", JSON.stringify(param.Uninstall), async () => { // If we're uninstalling add-ons, re-run the extensionsInstall runOnce even if it hasn't // changed, which will allow add-ons to be updated. Services.prefs.clearUserPref( "browser.policies.runOncePerModification.extensionsInstall" ); let addons = await lazy.AddonManager.getAddonsByIDs( param.Uninstall ); for (let addon of addons) { if (addon) { try { await addon.uninstall(); } catch (e) { // This can fail for add-ons that can't be uninstalled. lazy.log.debug( `Add-on ID (${addon.id}) couldn't be uninstalled.` ); } } } } ); } if ("Install" in param) { runOncePerModification( "extensionsInstall", JSON.stringify(param.Install), async () => { await uninstallingPromise; for (let location of param.Install) { let uri; try { // We need to try as a file first because // Windows paths are valid URIs. // This is done for legacy support (old API) let xpiFile = new lazy.FileUtils.File(location); uri = Services.io.newFileURI(xpiFile); } catch (e) { uri = Services.io.newURI(location); } installAddonFromURL(uri.spec); } } ); } if ("Locked" in param) { for (let ID of param.Locked) { manager.disallowFeature(`uninstall-extension:${ID}`); manager.disallowFeature(`disable-extension:${ID}`); } } }, }, ExtensionSettings: { onBeforeAddons(manager, param) { try { manager.setExtensionSettings(param); } catch (e) { lazy.log.error("Invalid ExtensionSettings"); } }, async onBeforeUIStartup(manager, param) { let extensionSettings = param; let blockAllExtensions = false; if ("*" in extensionSettings) { if ( "installation_mode" in extensionSettings["*"] && extensionSettings["*"].installation_mode == "blocked" ) { blockAllExtensions = true; // Turn off discovery pane in about:addons setAndLockPref("extensions.getAddons.showPane", false); // Turn off recommendations setAndLockPref( "extensions.htmlaboutaddons.recommendations.enable", false ); // Block about:debugging blockAboutPage(manager, "about:debugging"); } if ("restricted_domains" in extensionSettings["*"]) { let restrictedDomains = Services.prefs .getCharPref("extensions.webextensions.restrictedDomains") .split(","); setAndLockPref( "extensions.webextensions.restrictedDomains", restrictedDomains .concat(extensionSettings["*"].restricted_domains) .join(",") ); } } let addons = await lazy.AddonManager.getAllAddons(); let allowedExtensions = []; for (let extensionID in extensionSettings) { if (extensionID == "*") { // Ignore global settings continue; } if ("installation_mode" in extensionSettings[extensionID]) { if ( extensionSettings[extensionID].installation_mode == "force_installed" || extensionSettings[extensionID].installation_mode == "normal_installed" ) { if (!extensionSettings[extensionID].install_url) { throw new Error(`Missing install_url for ${extensionID}`); } installAddonFromURL( extensionSettings[extensionID].install_url, extensionID, addons.find(addon => addon.id == extensionID) ); manager.disallowFeature(`uninstall-extension:${extensionID}`); if ( extensionSettings[extensionID].installation_mode == "force_installed" ) { manager.disallowFeature(`disable-extension:${extensionID}`); } allowedExtensions.push(extensionID); } else if ( extensionSettings[extensionID].installation_mode == "allowed" ) { allowedExtensions.push(extensionID); } else if ( extensionSettings[extensionID].installation_mode == "blocked" ) { if (addons.find(addon => addon.id == extensionID)) { // Can't use the addon from getActiveAddons since it doesn't have uninstall. let addon = await lazy.AddonManager.getAddonByID(extensionID); try { await addon.uninstall(); } catch (e) { // This can fail for add-ons that can't be uninstalled. lazy.log.debug( `Add-on ID (${addon.id}) couldn't be uninstalled.` ); } } } } } if (blockAllExtensions) { for (let addon of addons) { if ( addon.isSystem || addon.isBuiltin || !(addon.scope & lazy.AddonManager.SCOPE_PROFILE) ) { continue; } if (!allowedExtensions.includes(addon.id)) { try { // Can't use the addon from getActiveAddons since it doesn't have uninstall. let addonToUninstall = await lazy.AddonManager.getAddonByID( addon.id ); await addonToUninstall.uninstall(); } catch (e) { // This can fail for add-ons that can't be uninstalled. lazy.log.debug( `Add-on ID (${addon.id}) couldn't be uninstalled.` ); } } } } }, }, ExtensionUpdate: { onBeforeAddons(manager, param) { if (!param) { setAndLockPref("extensions.update.enabled", param); } }, }, FirefoxHome: { onBeforeAddons(manager, param) { if ("Search" in param) { PoliciesUtils.setDefaultPref( "browser.newtabpage.activity-stream.showSearch", param.Search, param.Locked ); } if ("TopSites" in param) { PoliciesUtils.setDefaultPref( "browser.newtabpage.activity-stream.feeds.topsites", param.TopSites, param.Locked ); } if ("SponsoredTopSites" in param) { PoliciesUtils.setDefaultPref( "browser.newtabpage.activity-stream.showSponsoredTopSites", param.SponsoredTopSites, param.Locked ); } if ("Highlights" in param) { PoliciesUtils.setDefaultPref( "browser.newtabpage.activity-stream.feeds.section.highlights", param.Highlights, param.Locked ); } if ("Pocket" in param) { PoliciesUtils.setDefaultPref( "browser.newtabpage.activity-stream.feeds.system.topstories", param.Pocket, param.Locked ); PoliciesUtils.setDefaultPref( "browser.newtabpage.activity-stream.feeds.section.topstories", param.Pocket, param.Locked ); } if ("SponsoredPocket" in param) { PoliciesUtils.setDefaultPref( "browser.newtabpage.activity-stream.showSponsored", param.SponsoredPocket, param.Locked ); } }, }, FirefoxSuggest: { onBeforeAddons(manager, param) { (async () => { await lazy.UrlbarPrefs.firefoxSuggestScenarioStartupPromise; if ("WebSuggestions" in param) { PoliciesUtils.setDefaultPref( "browser.urlbar.suggest.quicksuggest.nonsponsored", param.WebSuggestions, param.Locked ); } if ("SponsoredSuggestions" in param) { PoliciesUtils.setDefaultPref( "browser.urlbar.suggest.quicksuggest.sponsored", param.SponsoredSuggestions, param.Locked ); } if ("ImproveSuggest" in param) { PoliciesUtils.setDefaultPref( "browser.urlbar.quicksuggest.dataCollection.enabled", param.ImproveSuggest, param.Locked ); } })(); }, }, GoToIntranetSiteForSingleWordEntryInAddressBar: { onBeforeAddons(manager, param) { setAndLockPref("browser.fixup.dns_first_for_single_words", param); }, }, Handlers: { onBeforeAddons(manager, param) { if ("mimeTypes" in param) { for (let mimeType in param.mimeTypes) { let mimeInfo = param.mimeTypes[mimeType]; let realMIMEInfo = lazy.gMIMEService.getFromTypeAndExtension( mimeType, "" ); processMIMEInfo(mimeInfo, realMIMEInfo); } } if ("extensions" in param) { for (let extension in param.extensions) { let mimeInfo = param.extensions[extension]; try { let realMIMEInfo = lazy.gMIMEService.getFromTypeAndExtension( "", extension ); processMIMEInfo(mimeInfo, realMIMEInfo); } catch (e) { lazy.log.error(`Invalid file extension (${extension})`); } } } if ("schemes" in param) { for (let scheme in param.schemes) { let handlerInfo = param.schemes[scheme]; let realHandlerInfo = lazy.gExternalProtocolService.getProtocolHandlerInfo(scheme); processMIMEInfo(handlerInfo, realHandlerInfo); } } }, }, HardwareAcceleration: { onBeforeAddons(manager, param) { if (!param) { setAndLockPref("layers.acceleration.disabled", true); } }, }, Homepage: { onBeforeUIStartup(manager, param) { if ("StartPage" in param && param.StartPage == "none") { // For blank startpage, we use about:blank rather // than messing with browser.startup.page param.URL = new URL("about:blank"); } // |homepages| will be a string containing a pipe-separated ('|') list of // URLs because that is what the "Home page" section of about:preferences // (and therefore what the pref |browser.startup.homepage|) accepts. if ("URL" in param) { let homepages = param.URL.href; if (param.Additional && param.Additional.length) { homepages += "|" + param.Additional.map(url => url.href).join("|"); } PoliciesUtils.setDefaultPref( "browser.startup.homepage", homepages, param.Locked ); if (param.Locked) { setAndLockPref( "pref.browser.homepage.disable_button.current_page", true ); setAndLockPref( "pref.browser.homepage.disable_button.bookmark_page", true ); setAndLockPref( "pref.browser.homepage.disable_button.restore_default", true ); } else { // Clear out old run once modification that is no longer used. clearRunOnceModification("setHomepage"); } // If a homepage has been set via policy, show the home button if (param.URL != "about:blank") { manager.disallowFeature("removeHomeButtonByDefault"); } } if (param.StartPage) { let prefValue; switch (param.StartPage) { case "homepage": case "homepage-locked": case "none": prefValue = 1; break; case "previous-session": prefValue = 3; break; } PoliciesUtils.setDefaultPref( "browser.startup.page", prefValue, param.StartPage == "homepage-locked" ); } }, }, HttpAllowlist: { onBeforeAddons(manager, param) { addAllowDenyPermissions("https-only-load-insecure", param); }, }, HttpsOnlyMode: { onBeforeAddons(manager, param) { switch (param) { case "disallowed": setAndLockPref("dom.security.https_only_mode", false); break; case "enabled": PoliciesUtils.setDefaultPref("dom.security.https_only_mode", true); break; case "force_enabled": setAndLockPref("dom.security.https_only_mode", true); break; case "allowed": // The default case. break; } }, }, InstallAddonsPermission: { onBeforeUIStartup(manager, param) { if ("Allow" in param) { addAllowDenyPermissions("install", param.Allow, null); } if ("Default" in param) { setAndLockPref("xpinstall.enabled", param.Default); if (!param.Default) { blockAboutPage(manager, "about:debugging"); setAndLockPref( "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false ); setAndLockPref( "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false ); manager.disallowFeature("xpinstall"); } } }, }, LegacyProfiles: { // Handled in nsToolkitProfileService.cpp (Windows only) }, LegacySameSiteCookieBehaviorEnabled: { onBeforeAddons(manager, param) { PoliciesUtils.setDefaultPref( "network.cookie.sameSite.laxByDefault", !param ); }, }, LegacySameSiteCookieBehaviorEnabledForDomainList: { onBeforeAddons(manager, param) { PoliciesUtils.setDefaultPref( "network.cookie.sameSite.laxByDefault.disabledHosts", param.join(",") ); }, }, LocalFileLinks: { onBeforeAddons(manager, param) { // If there are existing capabilities, lock them with the policy pref. let policyNames = Services.prefs .getCharPref("capability.policy.policynames", "") .split(" "); policyNames.push("localfilelinks_policy"); setAndLockPref("capability.policy.policynames", policyNames.join(" ")); setAndLockPref( "capability.policy.localfilelinks_policy.checkloaduri.enabled", "allAccess" ); setAndLockPref( "capability.policy.localfilelinks_policy.sites", param.join(" ") ); }, }, ManagedBookmarks: {}, ManualAppUpdateOnly: { onBeforeAddons(manager, param) { if (param) { manager.disallowFeature("autoAppUpdateChecking"); } }, }, MicrosoftEntraSSO: { onBeforeAddons(manager, param) { setAndLockPref("network.http.microsoft-entra-sso.enabled", param); }, }, NetworkPrediction: { onBeforeAddons(manager, param) { setAndLockPref("network.dns.disablePrefetch", !param); setAndLockPref("network.dns.disablePrefetchFromHTTPS", !param); }, }, NewTabPage: { onBeforeAddons(manager, param) { setAndLockPref("browser.newtabpage.enabled", param); }, }, NoDefaultBookmarks: { onProfileAfterChange(manager, param) { if (param) { manager.disallowFeature("defaultBookmarks"); } }, }, OfferToSaveLogins: { onBeforeUIStartup(manager, param) { setAndLockPref("signon.rememberSignons", param); setAndLockPref("services.passwordSavingEnabled", param); }, }, OfferToSaveLoginsDefault: { onBeforeUIStartup(manager, param) { let policies = Services.policies.getActivePolicies(); if ("OfferToSaveLogins" in policies) { lazy.log.error( `OfferToSaveLoginsDefault ignored because OfferToSaveLogins is present.` ); } else { PoliciesUtils.setDefaultPref("signon.rememberSignons", param); } }, }, OverrideFirstRunPage: { onProfileAfterChange(manager, param) { let url = param ? param : ""; setAndLockPref("startup.homepage_welcome_url", url); setAndLockPref("browser.aboutwelcome.enabled", false); }, }, OverridePostUpdatePage: { onProfileAfterChange(manager, param) { let url = param ? param.href : ""; setAndLockPref("startup.homepage_override_url", url); // The pref startup.homepage_override_url is only used // as a fallback when the update.xml file hasn't provided // a specific post-update URL. manager.disallowFeature("postUpdateCustomPage"); }, }, PasswordManagerEnabled: { onBeforeUIStartup(manager, param) { if (!param) { blockAboutPage(manager, "about:logins", true); setAndLockPref("pref.privacy.disable_button.view_passwords", true); } setAndLockPref("signon.rememberSignons", param); }, }, PasswordManagerExceptions: { onBeforeUIStartup(manager, param) { addAllowDenyPermissions("login-saving", null, param); }, }, PDFjs: { onBeforeAddons(manager, param) { if ("Enabled" in param) { setAndLockPref("pdfjs.disabled", !param.Enabled); } if ("EnablePermissions" in param) { setAndLockPref("pdfjs.enablePermissions", param.EnablePermissions); } }, }, Permissions: { onBeforeUIStartup(manager, param) { if (param.Camera) { addAllowDenyPermissions( "camera", param.Camera.Allow, param.Camera.Block ); setDefaultPermission("camera", param.Camera); } if (param.Microphone) { addAllowDenyPermissions( "microphone", param.Microphone.Allow, param.Microphone.Block ); setDefaultPermission("microphone", param.Microphone); } if (param.Autoplay) { addAllowDenyPermissions( "autoplay-media", param.Autoplay.Allow, param.Autoplay.Block ); if ("Default" in param.Autoplay) { let prefValue; switch (param.Autoplay.Default) { case "allow-audio-video": prefValue = 0; break; case "block-audio": prefValue = 1; break; case "block-audio-video": prefValue = 5; break; } PoliciesUtils.setDefaultPref( "media.autoplay.default", prefValue, param.Autoplay.Locked ); } } if (param.Location) { addAllowDenyPermissions( "geo", param.Location.Allow, param.Location.Block ); setDefaultPermission("geo", param.Location); } if (param.Notifications) { addAllowDenyPermissions( "desktop-notification", param.Notifications.Allow, param.Notifications.Block ); setDefaultPermission("desktop-notification", param.Notifications); } if ("VirtualReality" in param) { addAllowDenyPermissions( "xr", param.VirtualReality.Allow, param.VirtualReality.Block ); setDefaultPermission("xr", param.VirtualReality); } }, }, PictureInPicture: { onBeforeAddons(manager, param) { if ("Enabled" in param) { PoliciesUtils.setDefaultPref( "media.videocontrols.picture-in-picture.video-toggle.enabled", param.Enabled ); } if (param.Locked) { Services.prefs.lockPref( "media.videocontrols.picture-in-picture.video-toggle.enabled" ); } }, }, PopupBlocking: { onBeforeUIStartup(manager, param) { addAllowDenyPermissions("popup", param.Allow, null); if (param.Locked) { let blockValue = true; if (param.Default !== undefined && !param.Default) { blockValue = false; } setAndLockPref("dom.disable_open_during_load", blockValue); } else if (param.Default !== undefined) { PoliciesUtils.setDefaultPref( "dom.disable_open_during_load", !!param.Default ); } }, }, PostQuantumKeyAgreementEnabled: { onBeforeAddons(manager, param) { setAndLockPref("network.http.http3.enable_kyber", param); setAndLockPref("security.tls.enable_kyber", param); setAndLockPref("media.webrtc.enable_pq_dtls", param); }, }, Preferences: { onBeforeAddons(manager, param) { let allowedPrefixes = [ "accessibility.", "alerts.", "app.update.", "browser.", "datareporting.policy.", "dom.", "extensions.", "general.autoScroll", "general.smoothScroll", "geo.", "gfx.", "identity.fxaccounts.toolbar.", "intl.", "keyword.enabled", "layers.", "layout.", "media.", "network.", "pdfjs.", "places.", "pref.", "print.", "privacy.globalprivacycontrol.enabled", "privacy.userContext.enabled", "privacy.userContext.ui.enabled", "signon.", "spellchecker.", "toolkit.legacyUserProfileCustomizations.stylesheets", "ui.", "widget.", "xpinstall.whitelist.required", ]; if (!AppConstants.MOZ_REQUIRE_SIGNING) { allowedPrefixes.push("xpinstall.signatures.required"); } const allowedSecurityPrefs = [ "security.block_fileuri_script_with_wrong_mime", "security.default_personal_cert", "security.disable_button.openCertManager", "security.disable_button.openDeviceManager", "security.insecure_connection_text.enabled", "security.insecure_connection_text.pbmode.enabled", "security.mixed_content.block_active_content", "security.mixed_content.block_display_content", "security.mixed_content.upgrade_display_content", "security.osclientcerts.assume_rsa_pss_support", "security.osclientcerts.autoload", "security.OCSP.enabled", "security.OCSP.require", "security.pki.certificate_transparency.disable_for_hosts", "security.pki.certificate_transparency.disable_for_spki_hashes", "security.pki.certificate_transparency.mode", "security.ssl.enable_ocsp_stapling", "security.ssl.errorReporting.enabled", "security.ssl.require_safe_negotiation", "security.tls.enable_0rtt_data", "security.tls.hello_downgrade_check", "security.tls.version.enable-deprecated", "security.warn_submit_secure_to_insecure", ]; const blockedPrefs = [ "app.update.channel", "app.update.lastUpdateTime", "app.update.migrated", "browser.vpn_promo.disallowed_regions", ]; for (let preference in param) { if (blockedPrefs.includes(preference)) { lazy.log.error( `Unable to set preference ${preference}. Preference not allowed for security reasons.` ); continue; } if (preference.startsWith("security.")) { if (!allowedSecurityPrefs.includes(preference)) { lazy.log.error( `Unable to set preference ${preference}. Preference not allowed for security reasons.` ); continue; } } else if ( !allowedPrefixes.some(prefix => preference.startsWith(prefix)) ) { lazy.log.error( `Unable to set preference ${preference}. Preference not allowed for stability reasons.` ); continue; } if (typeof param[preference] != "object") { // Legacy policy preferences setAndLockPref(preference, param[preference]); } else { if (param[preference].Status == "clear") { Services.prefs.clearUserPref(preference); continue; } let prefBranch; if (param[preference].Status == "user") { prefBranch = Services.prefs; } else { prefBranch = Services.prefs.getDefaultBranch(""); } // Prefs that were previously locked should stay locked, // but policy can update the value. let prefWasLocked = Services.prefs.prefIsLocked(preference); if (prefWasLocked) { Services.prefs.unlockPref(preference); } try { let prefType = param[preference].Type || typeof param[preference].Value; switch (prefType) { case "boolean": prefBranch.setBoolPref(preference, param[preference].Value); break; case "number": if (!Number.isInteger(param[preference].Value)) { throw new Error(`Non-integer value for ${preference}`); } // This is ugly, but necessary. On Windows GPO and macOS // configs, booleans are converted to 0/1. In the previous // Preferences implementation, the schema took care of // automatically converting these values to booleans. // Since we allow arbitrary prefs now, we have to do // something different. See bug 1666836, 1668374, and 1872267. // We only set something as int if it was explicit in policy, // the same type as the default pref, or NOT 0/1. Otherwise // we set it as bool. if ( param[preference].Type == "number" || prefBranch.getPrefType(preference) == prefBranch.PREF_INT || ![0, 1].includes(param[preference].Value) ) { prefBranch.setIntPref(preference, param[preference].Value); } else { prefBranch.setBoolPref(preference, !!param[preference].Value); } break; case "string": prefBranch.setStringPref(preference, param[preference].Value); break; } } catch (e) { lazy.log.error( `Unable to set preference ${preference}. Probable type mismatch.` ); } if (param[preference].Status == "locked" || prefWasLocked) { Services.prefs.lockPref(preference); } } } }, }, PrimaryPassword: { onAllWindowsRestored(manager, param) { if (param) { manager.disallowFeature("removeMasterPassword"); } else { manager.disallowFeature("createMasterPassword"); } }, }, PrintingEnabled: { onBeforeUIStartup(manager, param) { setAndLockPref("print.enabled", param); }, }, PrivateBrowsingModeAvailability: { onBeforeAddons(manager, param) { switch (param) { // Private Browsing mode disabled case 1: manager.disallowFeature("privatebrowsing"); blockAboutPage(manager, "about:privatebrowsing", true); setAndLockPref("browser.privatebrowsing.autostart", false); break; // Private Browsing mode forced case 2: setAndLockPref("browser.privatebrowsing.autostart", true); break; // Private Browsing mode available case 0: break; } }, }, PromptForDownloadLocation: { onBeforeAddons(manager, param) { setAndLockPref("browser.download.useDownloadDir", !param); }, }, Proxy: { onBeforeAddons(manager, param) { if (param.Locked) { manager.disallowFeature("changeProxySettings"); } lazy.ProxyPolicies.configureProxySettings( param, PoliciesUtils.setDefaultPref ); }, }, RequestedLocales: { onBeforeAddons(manager, param) { let requestedLocales; if (Array.isArray(param)) { requestedLocales = param; } else if (param) { requestedLocales = param.split(","); } else { requestedLocales = []; } runOncePerModification( "requestedLocales", JSON.stringify(requestedLocales), () => { Services.locale.requestedLocales = requestedLocales; } ); }, }, SanitizeOnShutdown: { onBeforeUIStartup(manager, param) { if (typeof param === "boolean") { setAndLockPref("privacy.sanitize.sanitizeOnShutdown", param); setAndLockPref("privacy.clearOnShutdown.cache", param); setAndLockPref("privacy.clearOnShutdown.cookies", param); setAndLockPref("privacy.clearOnShutdown.downloads", param); --> -------------------- --> maximum size reached --> -------------------- [ Dauer der Verarbeitung: 0.66 Sekunden (vorverarbeitet) ] |
2026-04-02