Trust user certificate authorities on API >= 24. https://redmine.stoutner.com/issues/636
[PrivacyBrowser.git] / app / src / main / res / xml / network_security_config.xml
index e499e37fb0b80292e6fe20312a9d3dff796ff247..63449cfe212a117f3112ae0d384ea550fece78ec 100644 (file)
   You should have received a copy of the GNU General Public License
   along with Privacy Browser.  If not, see <http://www.gnu.org/licenses/>. -->
 
-<!-- Allow HTTP traffic and disable HSTS, which has no benefit for Privacy Browser (because unspecified links default to HTTPS) but has negative fingerprinting implications. -->
-<network-security-config
-    xmlns:tools="http://schemas.android.com/tools">
-    <base-config cleartextTrafficPermitted="true" hstsEnforced="false" tools:ignore="InsecureBaseConfiguration" />
+<network-security-config xmlns:tools="http://schemas.android.com/tools">
+    <!-- Allow HTTP traffic and disable HSTS, which has no benefit for Privacy Browser (because unspecified links default to HTTPS) but has negative fingerprinting implications. -->
+    <base-config cleartextTrafficPermitted="true" hstsEnforced="false" tools:ignore="InsecureBaseConfiguration">
+        <trust-anchors>
+            <!-- Trust system certificate authorities. -->
+            <certificates src="system" />
+
+            <!-- Trust user certificate authorities. -->
+            <certificates src="user" tools:ignore="AcceptsUserCertificates" />
+        </trust-anchors>
+    </base-config>
 </network-security-config>
\ No newline at end of file