Policies.jsm 38.3 KB
Newer Older
1
2
3
4
5
6
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

"use strict";

7
8
9
const {XPCOMUtils} = ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm");
const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
const {AppConstants} = ChromeUtils.import("resource://gre/modules/AppConstants.jsm");
10
11
12
13
14

XPCOMUtils.defineLazyServiceGetters(this, {
  gCertDB: ["@mozilla.org/security/x509certdb;1", "nsIX509CertDB"],
  gXulStore: ["@mozilla.org/xul/xulstore;1", "nsIXULStore"],
});
15

16
XPCOMUtils.defineLazyModuleGetters(this, {
17
  AddonManager: "resource://gre/modules/AddonManager.jsm",
18
  BookmarksPolicies: "resource:///modules/policies/BookmarksPolicies.jsm",
19
  CustomizableUI: "resource:///modules/CustomizableUI.jsm",
20
21
  ProxyPolicies: "resource:///modules/policies/ProxyPolicies.jsm",
  WebsiteFilter: "resource:///modules/policies/WebsiteFilter.jsm",
22
23
});

24
25
XPCOMUtils.defineLazyGlobalGetters(this, ["File", "FileReader"]);

26
const PREF_LOGLEVEL           = "browser.policies.loglevel";
27
const BROWSER_DOCUMENT_URL    = AppConstants.BROWSER_CHROME_URL;
28
29

XPCOMUtils.defineLazyGetter(this, "log", () => {
30
  let { ConsoleAPI } = ChromeUtils.import("resource://gre/modules/Console.jsm");
31
32
33
34
35
36
37
38
39
  return new ConsoleAPI({
    prefix: "Policies.jsm",
    // tip: set maxLogLevel to "debug" and use log.debug() to create detailed
    // messages during development. See LOG_LEVELS in Console.jsm for details.
    maxLogLevel: "error",
    maxLogLevelPref: PREF_LOGLEVEL,
  });
});

40
var EXPORTED_SYMBOLS = ["Policies"];
41

42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
/*
 * ============================
 * = POLICIES IMPLEMENTATIONS =
 * ============================
 *
 * The Policies object below is where the implementation for each policy
 * happens. An object for each policy should be defined, containing
 * callback functions that will be called by the engine.
 *
 * See the _callbacks object in EnterprisePolicies.js for the list of
 * possible callbacks and an explanation of each.
 *
 * Each callback will be called with two parameters:
 * - manager
 *   This is the EnterprisePoliciesManager singleton object from
 *   EnterprisePolicies.js
 *
 * - param
 *   The parameter defined for this policy in policies-schema.json.
 *   It will be different for each policy. It could be a boolean,
 *   a string, an array or a complex object. All parameters have
 *   been validated according to the schema, and no unknown
 *   properties will be present on them.
 *
 * The callbacks will be bound to their parent policy object.
 */
68
var Policies = {
69
70
71
72
73
74
  "3rdparty": {
    onBeforeAddons(manager, param) {
      manager.setExtensionPolicies(param.Extensions);
    },
  },

75
76
77
  "AppUpdateURL": {
    onBeforeAddons(manager, param) {
      setDefaultPref("app.update.url", param.href);
78
    },
79
80
  },

81
82
83
84
85
86
87
88
89
90
91
  "Authentication": {
    onBeforeAddons(manager, param) {
      if ("SPNEGO" in param) {
        setAndLockPref("network.negotiate-auth.trusted-uris", param.SPNEGO.join(", "));
      }
      if ("Delegated" in param) {
        setAndLockPref("network.negotiate-auth.delegation-uris", param.Delegated.join(", "));
      }
      if ("NTLM" in param) {
        setAndLockPref("network.automatic-ntlm-auth.trusted-uris", param.NTLM.join(", "));
      }
92
93
94
95
96
97
98
99
      if ("AllowNonFQDN" in param) {
        if (param.AllowNonFQDN.NTLM) {
          setAndLockPref("network.automatic-ntlm-auth.allow-non-fqdn", param.AllowNonFQDN.NTLM);
        }
        if (param.AllowNonFQDN.SPNEGO) {
          setAndLockPref("network.negotiate-auth.allow-non-fqdn", param.AllowNonFQDN.SPNEGO);
        }
      }
100
    },
101
102
  },

103
104
105
  "BlockAboutAddons": {
    onBeforeUIStartup(manager, param) {
      if (param) {
106
        blockAboutPage(manager, "about:addons", true);
107
      }
108
    },
109
110
  },

111
  "BlockAboutConfig": {
112
    onBeforeUIStartup(manager, param) {
113
      if (param) {
114
        blockAboutPage(manager, "about:config");
115
        setAndLockPref("devtools.chrome.enabled", false);
116
      }
117
    },
118
  },
119

120
121
122
  "BlockAboutProfiles": {
    onBeforeUIStartup(manager, param) {
      if (param) {
123
        blockAboutPage(manager, "about:profiles");
124
      }
125
    },
126
127
  },

128
129
130
  "BlockAboutSupport": {
    onBeforeUIStartup(manager, param) {
      if (param) {
131
        blockAboutPage(manager, "about:support");
132
      }
133
    },
134
135
  },

136
137
138
  "Bookmarks": {
    onAllWindowsRestored(manager, param) {
      BookmarksPolicies.processBookmarks(param);
139
    },
140
141
  },

142
143
144
145
146
147
  "CaptivePortal": {
    onBeforeAddons(manager, param) {
      setAndLockPref("network.captive-portal-service.enabled", param);
    },
  },

148
149
150
  "Certificates": {
    onBeforeAddons(manager, param) {
      if ("ImportEnterpriseRoots" in param) {
151
        setAndLockPref("security.enterprise_roots.enabled", param.ImportEnterpriseRoots);
152
      }
153
154
155
156
157
158
      if ("Install" in param) {
        (async () => {
          let dirs = [];
          let platform = AppConstants.platform;
          if (platform == "win") {
            dirs = [
159
              // Ugly, but there is no official way to get %USERNAME\AppData\Roaming\Mozilla.
160
              Services.dirsvc.get("XREUSysExt", Ci.nsIFile).parent,
161
162
              // Even more ugly, but there is no official way to get %USERNAME\AppData\Local\Mozilla.
              Services.dirsvc.get("DefProfLRt", Ci.nsIFile).parent.parent,
163
164
165
166
167
168
169
170
            ];
          } else if (platform == "macosx" || platform == "linux") {
            dirs = [
              // These two keys are named wrong. They return the Mozilla directory.
              Services.dirsvc.get("XREUserNativeManifests", Ci.nsIFile),
              Services.dirsvc.get("XRESysNativeManifests", Ci.nsIFile),
            ];
          }
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
          dirs.unshift(Services.dirsvc.get("XREAppDist", Ci.nsIFile));
          for (let certfilename of param.Install) {
            let certfile;
            try {
              certfile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
              certfile.initWithPath(certfilename);
            } catch (e) {
              for (let dir of dirs) {
                certfile = dir.clone();
                certfile.append(platform == "linux" ? "certificates" : "Certificates");
                certfile.append(certfilename);
                if (certfile.exists()) {
                  break;
                }
              }
            }
            let file;
            try {
              file = await File.createFromNsIFile(certfile);
            } catch (e) {
              log.error(`Unable to find certificate - ${certfilename}`);
              continue;
            }
            let reader = new FileReader();
            reader.onloadend = function() {
              if (reader.readyState != reader.DONE) {
                log.error(`Unable to read certificate - ${certfile.path}`);
                return;
              }
              let cert = reader.result;
201
              try {
202
203
204
205
206
                if (/-----BEGIN CERTIFICATE-----/.test(cert)) {
                  gCertDB.addCertFromBase64(pemToBase64(cert), "CTu,CTu,");
                } else {
                  gCertDB.addCert(cert, "CTu,CTu,");
                }
207
              } catch (e) {
208
                log.error(`Unable to add certificate - ${certfile.path}`);
209
              }
210
211
            };
            reader.readAsBinaryString(file);
212
213
214
          }
        })();
      }
215
    },
216
217
  },

218
  "Cookies": {
219
    onBeforeUIStartup(manager, param) {
220
      addAllowDenyPermissions("cookie", param.Allow, param.Block);
221
222

      if (param.Block) {
223
        const hosts = param.Block.map(url => url.hostname).sort().join("\n");
224
225
        runOncePerModification("clearCookiesForBlockedHosts", hosts, () => {
          for (let blocked of param.Block) {
226
            Services.cookies.removeCookiesWithOriginAttributes("{}", blocked.hostname);
227
228
229
          }
        });
      }
230
231
232

      if (param.Default !== undefined ||
          param.AcceptThirdParty !== undefined ||
233
          param.RejectTracker !== undefined ||
234
235
236
237
238
          param.Locked) {
        const ACCEPT_COOKIES = 0;
        const REJECT_THIRD_PARTY_COOKIES = 1;
        const REJECT_ALL_COOKIES = 2;
        const REJECT_UNVISITED_THIRD_PARTY = 3;
239
        const REJECT_TRACKER = 4;
240
241
242
243
244

        let newCookieBehavior = ACCEPT_COOKIES;
        if (param.Default !== undefined && !param.Default) {
          newCookieBehavior = REJECT_ALL_COOKIES;
        } else if (param.AcceptThirdParty) {
245
          if (param.AcceptThirdParty == "never") {
246
247
248
249
            newCookieBehavior = REJECT_THIRD_PARTY_COOKIES;
          } else if (param.AcceptThirdParty == "from-visited") {
            newCookieBehavior = REJECT_UNVISITED_THIRD_PARTY;
          }
250
251
        } else if (param.RejectTracker !== undefined && param.RejectTracker) {
          newCookieBehavior = REJECT_TRACKER;
252
253
        }

254
        setDefaultPref("network.cookie.cookieBehavior", newCookieBehavior, param.Locked);
255
256
257
258
259
260
261
262
263
264
265
      }

      const KEEP_COOKIES_UNTIL_EXPIRATION = 0;
      const KEEP_COOKIES_UNTIL_END_OF_SESSION = 2;

      if (param.ExpireAtSessionEnd !== undefined || param.Locked) {
        let newLifetimePolicy = KEEP_COOKIES_UNTIL_EXPIRATION;
        if (param.ExpireAtSessionEnd) {
          newLifetimePolicy = KEEP_COOKIES_UNTIL_END_OF_SESSION;
        }

266
        setDefaultPref("network.cookie.lifetimePolicy", newLifetimePolicy, param.Locked);
267
      }
268
    },
269
270
  },

271
272
273
274
  "DisableAppUpdate": {
    onBeforeAddons(manager, param) {
      if (param) {
        manager.disallowFeature("appUpdate");
275
      }
276
    },
277
278
  },

279
  "DisableBuiltinPDFViewer": {
280
    onBeforeAddons(manager, param) {
281
      if (param) {
282
        setAndLockPref("pdfjs.disabled", true);
283
      }
284
    },
285
286
  },

287
288
289
290
291
292
293
  "DisableDeveloperTools": {
    onBeforeAddons(manager, param) {
      if (param) {
        setAndLockPref("devtools.policy.disabled", true);
        setAndLockPref("devtools.chrome.enabled", false);

        manager.disallowFeature("devtools");
294
295
296
        blockAboutPage(manager, "about:devtools");
        blockAboutPage(manager, "about:debugging");
        blockAboutPage(manager, "about:devtools-toolbox");
297
      }
298
    },
299
300
  },

301
302
303
304
305
  "DisableFeedbackCommands": {
    onBeforeUIStartup(manager, param) {
      if (param) {
        manager.disallowFeature("feedbackCommands");
      }
306
    },
307
308
  },

309
310
311
312
313
  "DisableFirefoxAccounts": {
    onBeforeAddons(manager, param) {
      if (param) {
        setAndLockPref("identity.fxaccounts.enabled", false);
      }
314
    },
315
316
  },

317
318
  "DisableFirefoxScreenshots": {
    onBeforeAddons(manager, param) {
319
      if (param) {
320
321
        setAndLockPref("extensions.screenshots.disabled", true);
      }
322
    },
323
324
  },

325
326
  "DisableFirefoxStudies": {
    onBeforeAddons(manager, param) {
327
      if (param) {
328
        manager.disallowFeature("Shield");
329
330
        setAndLockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
        setAndLockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
331
      }
332
    },
333
334
  },

335
336
337
  "DisableForgetButton": {
    onProfileAfterChange(manager, param) {
      if (param) {
338
        setAndLockPref("privacy.panicButton.enabled", false);
339
      }
340
    },
341
342
  },

343
344
  "DisableFormHistory": {
    onBeforeUIStartup(manager, param) {
345
      if (param) {
346
347
        setAndLockPref("browser.formfill.enable", false);
      }
348
    },
349
350
  },

351
352
353
354
355
  "DisableMasterPasswordCreation": {
    onBeforeUIStartup(manager, param) {
      if (param) {
        manager.disallowFeature("createMasterPassword");
      }
356
    },
357
358
  },

359
360
361
362
363
  "DisablePocket": {
    onBeforeAddons(manager, param) {
      if (param) {
        setAndLockPref("extensions.pocket.enabled", false);
      }
364
    },
365
366
  },

367
368
369
370
  "DisablePrivateBrowsing": {
    onBeforeAddons(manager, param) {
      if (param) {
        manager.disallowFeature("privatebrowsing");
371
        blockAboutPage(manager, "about:privatebrowsing", true);
372
373
        setAndLockPref("browser.privatebrowsing.autostart", false);
      }
374
    },
375
376
  },

377
378
379
380
381
382
  "DisableProfileImport": {
    onBeforeUIStartup(manager, param) {
      if (param) {
        manager.disallowFeature("profileImport");
        setAndLockPref("browser.newtabpage.activity-stream.migrationExpired", true);
      }
383
    },
384
385
  },

386
387
388
389
390
391
  "DisableProfileRefresh": {
    onBeforeUIStartup(manager, param) {
      if (param) {
        manager.disallowFeature("profileRefresh");
        setAndLockPref("browser.disableResetPrompt", true);
      }
392
    },
393
394
  },

395
396
397
398
399
  "DisableSafeMode": {
    onBeforeUIStartup(manager, param) {
      if (param) {
        manager.disallowFeature("safeMode");
      }
400
    },
401
402
  },

403
404
  "DisableSecurityBypass": {
    onBeforeUIStartup(manager, param) {
405
406
407
408
      if ("InvalidCertificate" in param) {
        setAndLockPref("security.certerror.hideAddException", param.InvalidCertificate);
      }

409
410
411
      if ("SafeBrowsing" in param) {
        setAndLockPref("browser.safebrowsing.allowOverride", !param.SafeBrowsing);
      }
412
    },
413
414
  },

415
416
417
  "DisableSetDesktopBackground": {
    onBeforeUIStartup(manager, param) {
      if (param) {
418
        manager.disallowFeature("setDesktopBackground");
419
      }
420
    },
421
422
423
  },

  "DisableSystemAddonUpdate": {
424
425
426
427
    onBeforeAddons(manager, param) {
      if (param) {
        manager.disallowFeature("SysAddonUpdate");
      }
428
    },
429
430
  },

431
432
433
434
435
  "DisableTelemetry": {
    onBeforeAddons(manager, param) {
      if (param) {
        setAndLockPref("datareporting.healthreport.uploadEnabled", false);
        setAndLockPref("datareporting.policy.dataSubmissionEnabled", false);
436
        blockAboutPage(manager, "about:telemetry");
437
      }
438
    },
439
440
  },

441
  "DisplayBookmarksToolbar": {
442
    onBeforeUIStartup(manager, param) {
443
444
445
446
447
448
449
      let value = (!param).toString();
      // This policy is meant to change the default behavior, not to force it.
      // If this policy was alreay applied and the user chose to re-hide the
      // bookmarks toolbar, do not show it again.
      runOncePerModification("displayBookmarksToolbar", value, () => {
        gXulStore.setValue(BROWSER_DOCUMENT_URL, "PersonalToolbar", "collapsed", value);
      });
450
    },
451
452
  },

453
  "DisplayMenuBar": {
454
    onBeforeUIStartup(manager, param) {
455
      let value = (!param).toString();
456
457
458
        // This policy is meant to change the default behavior, not to force it.
        // If this policy was alreay applied and the user chose to re-hide the
        // menu bar, do not show it again.
459
460
461
      runOncePerModification("displayMenuBar", value, () => {
        gXulStore.setValue(BROWSER_DOCUMENT_URL, "toolbar-menubar", "autohide", value);
      });
462
    },
463
464
  },

465
466
467
468
  "DNSOverHTTPS": {
    onBeforeAddons(manager, param) {
      if ("Enabled" in param) {
        let mode = param.Enabled ? 2 : 5;
469
        setDefaultPref("network.trr.mode", mode, param.Locked);
470
471
      }
      if (param.ProviderURL) {
472
        setDefaultPref("network.trr.uri", param.ProviderURL.href, param.Locked);
473
474
475
476
      }
    },
  },

477
  "DontCheckDefaultBrowser": {
478
    onBeforeUIStartup(manager, param) {
479
      setAndLockPref("browser.shell.checkDefaultBrowser", !param);
480
    },
481
482
  },

483
484
  "EnableTrackingProtection": {
    onBeforeUIStartup(manager, param) {
485
      if (param.Value) {
486
487
        setDefaultPref("privacy.trackingprotection.enabled", true, param.Locked);
        setDefaultPref("privacy.trackingprotection.pbmode.enabled", true, param.Locked);
488
      } else {
489
490
        setAndLockPref("privacy.trackingprotection.enabled", false);
        setAndLockPref("privacy.trackingprotection.pbmode.enabled", false);
491
      }
492
    },
493
494
  },

495
496
  "Extensions": {
    onBeforeUIStartup(manager, param) {
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
      let uninstallingPromise = Promise.resolve();
      if ("Uninstall" in param) {
        uninstallingPromise = runOncePerModification("extensionsUninstall", JSON.stringify(param.Uninstall), async () => {
          // If we're uninstalling add-ons, re-run the extensionsInstall runOnce even if it hasn't
          // changed, which will allow add-ons to be updated.
          Services.prefs.clearUserPref("browser.policies.runOncePerModification.extensionsInstall");
          let addons = await AddonManager.getAddonsByIDs(param.Uninstall);
          for (let addon of addons) {
            if (addon) {
              try {
                await addon.uninstall();
              } catch (e) {
                // This can fail for add-ons that can't be uninstalled.
                // Just ignore.
              }
            }
          }
        });
      }
516
      if ("Install" in param) {
517
518
        runOncePerModification("extensionsInstall", JSON.stringify(param.Install), async () => {
          await uninstallingPromise;
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
          for (let location of param.Install) {
            let url;
            if (location.includes("://")) {
              // Assume location is an URI
              url = location;
            } else {
              // Assume location is a file path
              let xpiFile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
              try {
                xpiFile.initWithPath(location);
              } catch (e) {
                log.error(`Invalid extension path location - ${location}`);
                continue;
              }
              url = Services.io.newFileURI(xpiFile).spec;
            }
535
536
537
            AddonManager.getInstallForURL(url, {
              telemetryInfo: {source: "enterprise-policy"},
            }).then(install => {
538
539
540
541
542
              if (install.addon && install.addon.appDisabled) {
                log.error(`Incompatible add-on - ${location}`);
                install.cancel();
                return;
              }
543
              let listener = {
544
545
546
547
548
549
550
551
              /* eslint-disable-next-line no-shadow */
                onDownloadEnded: (install) => {
                  if (install.addon && install.addon.appDisabled) {
                    log.error(`Incompatible add-on - ${location}`);
                    install.removeListener(listener);
                    install.cancel();
                  }
                },
552
                onDownloadFailed: () => {
553
                  install.removeListener(listener);
554
                  log.error(`Download failed - ${location}`);
555
                  clearRunOnceModification("extensionsInstall");
556
557
                },
                onInstallFailed: () => {
558
                  install.removeListener(listener);
559
560
561
                  log.error(`Installation failed - ${location}`);
                },
                onInstallEnded: () => {
562
                  install.removeListener(listener);
563
                  log.debug(`Installation succeeded - ${location}`);
564
                },
565
566
567
              };
              install.addListener(listener);
              install.install();
568
            });
569
570
571
572
573
574
575
576
          }
        });
      }
      if ("Locked" in param) {
        for (let ID of param.Locked) {
          manager.disallowFeature(`modify-extension:${ID}`);
        }
      }
577
    },
578
579
  },

580
581
582
583
584
585
586
587
  "ExtensionUpdate": {
    onBeforeAddons(manager, param) {
      if (!param) {
        setAndLockPref("extensions.update.enabled", param);
      }
    },
  },

588
  "FlashPlugin": {
589
    onBeforeUIStartup(manager, param) {
590
      addAllowDenyPermissions("plugin:flash", param.Allow, param.Block);
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608

      const FLASH_NEVER_ACTIVATE = 0;
      const FLASH_ASK_TO_ACTIVATE = 1;
      const FLASH_ALWAYS_ACTIVATE = 2;

      let flashPrefVal;
      if (param.Default === undefined) {
        flashPrefVal = FLASH_ASK_TO_ACTIVATE;
      } else if (param.Default) {
        flashPrefVal = FLASH_ALWAYS_ACTIVATE;
      } else {
        flashPrefVal = FLASH_NEVER_ACTIVATE;
      }
      if (param.Locked) {
        setAndLockPref("plugin.state.flash", flashPrefVal);
      } else if (param.Default !== undefined) {
        setDefaultPref("plugin.state.flash", flashPrefVal);
      }
609
    },
610
611
  },

612
613
614
615
616
  "HardwareAcceleration": {
    onBeforeAddons(manager, param) {
      if (!param) {
        setAndLockPref("layers.acceleration.disabled", true);
      }
617
    },
618
619
  },

620
621
622
623
624
  "Homepage": {
    onBeforeUIStartup(manager, param) {
      // |homepages| will be a string containing a pipe-separated ('|') list of
      // URLs because that is what the "Home page" section of about:preferences
      // (and therefore what the pref |browser.startup.homepage|) accepts.
625
626
627
628
629
      if (param.URL) {
        let homepages = param.URL.href;
        if (param.Additional && param.Additional.length > 0) {
          homepages += "|" + param.Additional.map(url => url.href).join("|");
        }
630
        setDefaultPref("browser.startup.homepage", homepages, param.Locked);
631
632
633
634
635
636
637
638
639
        if (param.Locked) {
          setAndLockPref("pref.browser.homepage.disable_button.current_page", true);
          setAndLockPref("pref.browser.homepage.disable_button.bookmark_page", true);
          setAndLockPref("pref.browser.homepage.disable_button.restore_default", true);
        } else {
          runOncePerModification("setHomepage", homepages, () => {
            Services.prefs.clearUserPref("browser.startup.homepage");
          });
        }
640
      }
641
642
643
644
645
646
647
648
649
650
651
652
653
      if (param.StartPage) {
        let prefValue;
        switch (param.StartPage) {
          case "none":
            prefValue = 0;
            break;
          case "homepage":
            prefValue = 1;
            break;
          case "previous-session":
            prefValue = 3;
            break;
        }
654
        setDefaultPref("browser.startup.page", prefValue, param.Locked);
655
      }
656
    },
657
658
  },

659
  "InstallAddonsPermission": {
660
    onBeforeUIStartup(manager, param) {
661
662
663
664
665
      if ("Allow" in param) {
        addAllowDenyPermissions("install", param.Allow, null);
      }
      if ("Default" in param) {
        setAndLockPref("xpinstall.enabled", param.Default);
666
        if (!param.Default) {
667
          blockAboutPage(manager, "about:debugging");
668
669
          setAndLockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
          setAndLockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
670
          manager.disallowFeature("xpinstall");
671
        }
672
      }
673
    },
674
675
  },

676
677
678
679
680
681
682
  "NetworkPrediction": {
    onBeforeAddons(manager, param) {
      setAndLockPref("network.dns.disablePrefetch", !param);
      setAndLockPref("network.dns.disablePrefetchFromHTTPS", !param);
    },
  },

683
684
685
686
687
  "NoDefaultBookmarks": {
    onProfileAfterChange(manager, param) {
      if (param) {
        manager.disallowFeature("defaultBookmarks");
      }
688
    },
689
690
  },

691
692
693
  "OfferToSaveLogins": {
    onBeforeUIStartup(manager, param) {
      setAndLockPref("signon.rememberSignons", param);
694
    },
695
696
  },

697
698
  "OverrideFirstRunPage": {
    onProfileAfterChange(manager, param) {
699
      let url = param ? param.href : "";
700
      setAndLockPref("startup.homepage_welcome_url", url);
701
    },
702
703
  },

704
705
  "OverridePostUpdatePage": {
    onProfileAfterChange(manager, param) {
706
      let url = param ? param.href : "";
707
708
709
710
711
      setAndLockPref("startup.homepage_override_url", url);
      // The pref startup.homepage_override_url is only used
      // as a fallback when the update.xml file hasn't provided
      // a specific post-update URL.
      manager.disallowFeature("postUpdateCustomPage");
712
    },
713
714
  },

715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
  "Permissions": {
    onBeforeUIStartup(manager, param) {
      if (param.Camera) {
        addAllowDenyPermissions("camera", param.Camera.Allow, param.Camera.Block);
        setDefaultPermission("camera", param.Camera);
      }

      if (param.Microphone) {
        addAllowDenyPermissions("microphone", param.Microphone.Allow, param.Microphone.Block);
        setDefaultPermission("microphone", param.Microphone);
      }

      if (param.Location) {
        addAllowDenyPermissions("geo", param.Location.Allow, param.Location.Block);
        setDefaultPermission("geo", param.Location);
      }

      if (param.Notifications) {
        addAllowDenyPermissions("desktop-notification", param.Notifications.Allow, param.Notifications.Block);
        setDefaultPermission("desktop-notification", param.Notifications);
      }
736
    },
737
738
  },

739
  "PopupBlocking": {
740
    onBeforeUIStartup(manager, param) {
741
      addAllowDenyPermissions("popup", param.Allow, null);
742
743
744
745
746
747
748
749
750
751

      if (param.Locked) {
        let blockValue = true;
        if (param.Default !== undefined && !param.Default) {
          blockValue = false;
        }
        setAndLockPref("dom.disable_open_during_load", blockValue);
      } else if (param.Default !== undefined) {
        setDefaultPref("dom.disable_open_during_load", !!param.Default);
      }
752
    },
753
754
  },

755
756
757
758
759
760
761
762
  "Proxy": {
    onBeforeAddons(manager, param) {
      if (param.Locked) {
        manager.disallowFeature("changeProxySettings");
        ProxyPolicies.configureProxySettings(param, setAndLockPref);
      } else {
        ProxyPolicies.configureProxySettings(param, setDefaultPref);
      }
763
    },
764
  },
765

766
767
768
769
770
771
  "RequestedLocales": {
    onBeforeAddons(manager, param) {
      Services.locale.requestedLocales = param;
    },
  },

772
773
774
775
776
777
778
779
780
781
782
783
784
  "SanitizeOnShutdown": {
    onBeforeUIStartup(manager, param) {
      setAndLockPref("privacy.sanitize.sanitizeOnShutdown", param);
      if (param) {
        setAndLockPref("privacy.clearOnShutdown.cache", true);
        setAndLockPref("privacy.clearOnShutdown.cookies", true);
        setAndLockPref("privacy.clearOnShutdown.downloads", true);
        setAndLockPref("privacy.clearOnShutdown.formdata", true);
        setAndLockPref("privacy.clearOnShutdown.history", true);
        setAndLockPref("privacy.clearOnShutdown.sessions", true);
        setAndLockPref("privacy.clearOnShutdown.siteSettings", true);
        setAndLockPref("privacy.clearOnShutdown.offlineApps", true);
      }
785
    },
786
787
  },

788
789
790
791
792
793
794
795
796
797
798
799
800
  "SearchBar": {
    onAllWindowsRestored(manager, param) {
      // This policy is meant to change the default behavior, not to force it.
      // If this policy was already applied and the user chose move the search
      // bar, don't move it again.
      runOncePerModification("searchInNavBar", param, () => {
        if (param == "separate") {
          CustomizableUI.addWidgetToArea("search-container", CustomizableUI.AREA_NAVBAR,
          CustomizableUI.getPlacementOfWidget("urlbar-container").position + 1);
        } else if (param == "unified") {
          CustomizableUI.removeWidgetFromArea("search-container");
        }
      });
801
    },
802
803
  },

804
  "SearchEngines": {
805
806
807
808
809
    onBeforeUIStartup(manager, param) {
      if (param.PreventInstalls) {
        manager.disallowFeature("installSearchEngine", true);
      }
    },
810
    onAllWindowsRestored(manager, param) {
811
      Services.search.init().then(async () => {
812
813
        if (param.Remove) {
          // Only rerun if the list of engine names has changed.
814
815
816
          await runOncePerModification("removeSearchEngines",
                                       JSON.stringify(param.Remove),
                                       async function() {
817
818
819
820
            for (let engineName of param.Remove) {
              let engine = Services.search.getEngineByName(engineName);
              if (engine) {
                try {
821
                  await Services.search.removeEngine(engine);
822
823
824
825
826
827
828
                } catch (ex) {
                  log.error("Unable to remove the search engine", ex);
                }
              }
            }
          });
        }
829
830
831
        if (param.Add) {
          // Only rerun if the list of engine names has changed.
          let engineNameList = param.Add.map(engine => engine.Name);
832
833
834
          await runOncePerModification("addSearchEngines",
                                       JSON.stringify(engineNameList),
                                       async function() {
835
836
837
            for (let newEngine of param.Add) {
              let newEngineParameters = {
                template:    newEngine.URLTemplate,
838
                iconURL:     newEngine.IconURL ? newEngine.IconURL.href : null,
839
840
841
                alias:       newEngine.Alias,
                description: newEngine.Description,
                method:      newEngine.Method,
842
                postData:    newEngine.PostData,
843
                suggestURL:  newEngine.SuggestURLTemplate,
844
                extensionID: "set-via-policy",
845
                queryCharset: "UTF-8",
846
847
              };
              try {
848
849
                await Services.search.addEngineWithDetails(newEngine.Name,
                                                           newEngineParameters);
850
851
852
853
854
855
856
              } catch (ex) {
                log.error("Unable to add search engine", ex);
              }
            }
          });
        }
        if (param.Default) {
857
          await runOncePerModification("setDefaultSearchEngine", param.Default, async () => {
858
859
860
861
            let defaultEngine;
            try {
              defaultEngine = Services.search.getEngineByName(param.Default);
              if (!defaultEngine) {
862
                throw new Error("No engine by that name could be found");
863
864
865
866
867
868
869
870
              }
            } catch (ex) {
              log.error(`Search engine lookup failed when attempting to set ` +
                        `the default engine. Requested engine was ` +
                        `"${param.Default}".`, ex);
            }
            if (defaultEngine) {
              try {
871
                await Services.search.setDefault(defaultEngine);
872
873
874
875
876
877
878
              } catch (ex) {
                log.error("Unable to set the default search engine", ex);
              }
            }
          });
        }
      });
879
    },
880
881
  },

882
883
884
  "SecurityDevices": {
    onProfileAfterChange(manager, param) {
      let securityDevices = param;
885
886
887
888
889
890
891
892
      let pkcs11db = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(Ci.nsIPKCS11ModuleDB);
      let moduleList = pkcs11db.listModules();
      for (let deviceName in securityDevices) {
        let foundModule = false;
        for (let module of moduleList) {
          if (module && module.libName === securityDevices[deviceName]) {
            foundModule = true;
            break;
893
894
          }
        }
895
896
897
898
899
900
901
902
903
904
        if (foundModule) {
          continue;
        }
        try {
          pkcs11db.addModule(deviceName, securityDevices[deviceName], 0, 0);
        } catch (ex) {
          log.error(`Unable to add security device ${deviceName}`);
          log.debug(ex);
        }
      }
905
906
907
    },
  },

908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
  "SSLVersionMax": {
    onBeforeAddons(manager, param) {
      let tlsVersion;
      switch (param) {
        case "tls1":
          tlsVersion = 1;
          break;
        case "tls1.1":
          tlsVersion = 2;
          break;
        case "tls1.2":
          tlsVersion = 3;
          break;
        case "tls1.3":
          tlsVersion = 4;
          break;
      }
      setAndLockPref("security.tls.version.max", tlsVersion);
    },
  },

  "SSLVersionMin": {
    onBeforeAddons(manager, param) {
      let tlsVersion;
      switch (param) {
        case "tls1":
          tlsVersion = 1;
          break;
        case "tls1.1":
          tlsVersion = 2;
          break;
        case "tls1.2":
          tlsVersion = 3;
          break;
        case "tls1.3":
          tlsVersion = 4;
          break;
      }
      setAndLockPref("security.tls.version.min", tlsVersion);
    },
  },

950
951
952
953
954
955
  "SupportMenu": {
    onProfileAfterChange(manager, param) {
      manager.setSupportMenu(param);
    },
  },

956
957
958
  "WebsiteFilter": {
    onBeforeUIStartup(manager, param) {
      this.filter = new WebsiteFilter(param.Block || [], param.Exceptions || []);
959
    },
960
961
  },

962
};
963
964
965
966
967
968
969
970
971

/*
 * ====================
 * = HELPER FUNCTIONS =
 * ====================
 *
 * The functions below are helpers to be used by several policies.
 */

972
973
974
975
976
977
978
979
980
981
982
983
984
/**
 * setAndLockPref
 *
 * Sets the _default_ value of a pref, and locks it (meaning that
 * the default value will always be returned, independent from what
 * is stored as the user value).
 * The value is only changed in memory, and not stored to disk.
 *
 * @param {string} prefName
 *        The pref to be changed
 * @param {boolean,number,string} prefValue
 *        The value to set and lock
 */
985
function setAndLockPref(prefName, prefValue) {
986
  setDefaultPref(prefName, prefValue, true);
987
988
989
990
991
}

/**
 * setDefaultPref
 *
992
 * Sets the _default_ value of a pref and optionally locks it.
993
994
995
996
997
998
 * The value is only changed in memory, and not stored to disk.
 *
 * @param {string} prefName
 *        The pref to be changed
 * @param {boolean,number,string} prefValue
 *        The value to set
999
1000
 * @param {boolean} locked
 *        Optionally lock the pref
For faster browsing, not all history is shown. View entire blame