Open Bug 1618807 Opened 5 years ago Updated 2 years ago

Allow users to customize auto-importing root certificates more easily

Categories

(Firefox :: Security, enhancement, P3)


People

(Reporter: johannh, Unassigned)

References

(Blocks 1 open bug)

Details

With security.certerrors.mitm.auto_enable_enterprise_roots being set to true, we will automatically attempt to fix certificate errors by importing OS roots. While this is desirable for most of our users (given that they don't have an alternative to using the internet with these imported roots), there's evidently a group of more advanced users who would prefer to have better control of this feature.

Since the size of that group might change due to events like Lenovo Superfish and it might include technically less advanced users, it's probably a good idea to make it easier to configure the behavior.

At the very least we should probably expose this option in about:preferences. In addition, I could imagine an optional "middle-ground" setting, where Firefox would ask the user whether they want to keep the enterprise root pref enabled if it fixes the connection, potentially displaying the certificate chain that successfully established a connection.

Severity: normal → S3