summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorMatt A. Tobin <email@mattatobin.com>2019-11-14 21:08:43 -0500
committerMatt A. Tobin <email@mattatobin.com>2019-11-14 21:08:43 -0500
commit1d30f6fa8413746ddc408f93710d701493af273d (patch)
treeabe84e83d704e13c60c90db7ac4b9e363d8a81fc /security
parent9308ec68e863e4c6e650680370a5d7baa9f0d1f3 (diff)
parent00573571a226a0c59dd744da67483864a22911aa (diff)
downloadUXP-1d30f6fa8413746ddc408f93710d701493af273d.tar
UXP-1d30f6fa8413746ddc408f93710d701493af273d.tar.gz
UXP-1d30f6fa8413746ddc408f93710d701493af273d.tar.lz
UXP-1d30f6fa8413746ddc408f93710d701493af273d.tar.xz
UXP-1d30f6fa8413746ddc408f93710d701493af273d.zip
Merge branch 'master' into mailnews-work
Diffstat (limited to 'security')
-rw-r--r--security/manager/ssl/StaticHPKPins.errors28
-rw-r--r--security/manager/ssl/StaticHPKPins.h477
-rw-r--r--security/manager/ssl/nsSiteSecurityService.cpp40
-rw-r--r--security/manager/ssl/nsSiteSecurityService.h1
-rw-r--r--security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js22
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_must_staple.js2
-rw-r--r--security/manager/ssl/tests/unit/test_pinning.js3
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic.js1
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_header_parsing.js6
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate_garbage.js1
-rw-r--r--security/manager/ssl/tests/unit/test_sss_savestate.js1
11 files changed, 75 insertions, 507 deletions
diff --git a/security/manager/ssl/StaticHPKPins.errors b/security/manager/ssl/StaticHPKPins.errors
deleted file mode 100644
index f5b0a1ebb..000000000
--- a/security/manager/ssl/StaticHPKPins.errors
+++ /dev/null
@@ -1,28 +0,0 @@
-Can't find hash in builtin certs for Chrome nickname GoogleG2, inserting GOOGLE_PIN_GoogleG2
-Can't find hash in builtin certs for Chrome nickname RapidSSL, inserting GOOGLE_PIN_RapidSSL
-Can't find hash in builtin certs for Chrome nickname DigiCertSHA2HighAssuranceServerCA, inserting GOOGLE_PIN_DigiCertSHA2HighAssuranceServerCA
-Can't find hash in builtin certs for Chrome nickname VeriSignClass1, inserting GOOGLE_PIN_VeriSignClass1
-Can't find hash in builtin certs for Chrome nickname VeriSignClass4_G3, inserting GOOGLE_PIN_VeriSignClass4_G3
-Can't find hash in builtin certs for Chrome nickname VeriSignClass3_G2, inserting GOOGLE_PIN_VeriSignClass3_G2
-Can't find hash in builtin certs for Chrome nickname VeriSignClass2_G2, inserting GOOGLE_PIN_VeriSignClass2_G2
-Can't find hash in builtin certs for Chrome nickname Entrust_SSL, inserting GOOGLE_PIN_Entrust_SSL
-Can't find hash in builtin certs for Chrome nickname UTNDATACorpSGC, inserting GOOGLE_PIN_UTNDATACorpSGC
-Can't find hash in builtin certs for Chrome nickname GTECyberTrustGlobalRoot, inserting GOOGLE_PIN_GTECyberTrustGlobalRoot
-Can't find hash in builtin certs for Chrome nickname GoDaddySecure, inserting GOOGLE_PIN_GoDaddySecure
-Can't find hash in builtin certs for Chrome nickname SymantecClass3EVG3, inserting GOOGLE_PIN_SymantecClass3EVG3
-Can't find hash in builtin certs for Chrome nickname DigiCertECCSecureServerCA, inserting GOOGLE_PIN_DigiCertECCSecureServerCA
-Can't find hash in builtin certs for Chrome nickname LetsEncryptAuthorityPrimary_X1_X3, inserting GOOGLE_PIN_LetsEncryptAuthorityPrimary_X1_X3
-Can't find hash in builtin certs for Chrome nickname LetsEncryptAuthorityBackup_X2_X4, inserting GOOGLE_PIN_LetsEncryptAuthorityBackup_X2_X4
-Can't find hash in builtin certs for Chrome nickname COMODORSADomainValidationSecureServerCA, inserting GOOGLE_PIN_COMODORSADomainValidationSecureServerCA
-Writing pinset test
-Writing pinset google
-Writing pinset tor
-Writing pinset twitterCom
-Writing pinset twitterCDN
-Writing pinset dropbox
-Writing pinset facebook
-Writing pinset spideroak
-Writing pinset yahoo
-Writing pinset swehackCom
-Writing pinset ncsccs
-Writing pinset tumblr
diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h
index 323d8ec85..a2313ea72 100644
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@@ -700,486 +700,13 @@ struct TransportSecurityPreload {
/* Sort hostnames for binary search. */
static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
- { "0.me.uk", true, true, false, -1, &kPinset_ncsccs },
- { "2mdn.net", true, false, false, -1, &kPinset_google_root_pems },
- { "accounts.firefox.com", true, false, true, 4, &kPinset_mozilla_services },
- { "accounts.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla },
- { "addons.mozilla.org", true, false, true, 1, &kPinset_mozilla },
- { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "android.com", true, false, false, -1, &kPinset_google_root_pems },
- { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services },
- { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
- { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "apps.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla },
- { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla },
- { "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "blog.torproject.org", true, false, false, -1, &kPinset_tor },
- { "blogger.com", true, false, false, -1, &kPinset_google_root_pems },
- { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
- { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
- { "business.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom },
- { "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "cdn.mozilla.net", true, false, true, -1, &kPinset_mozilla },
- { "cdn.mozilla.org", true, false, true, -1, &kPinset_mozilla },
- { "cg.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "ch.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "chart.apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "check.torproject.org", true, false, false, -1, &kPinset_tor },
- { "checkout.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "chfr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "chit.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "chrome-devtools-frontend.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "chrome.com", true, false, false, -1, &kPinset_google_root_pems },
- { "chrome.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "chromiumbugs.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "chromiumcodereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "cl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "cloud.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "cn.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "co.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "code.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "code.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "codereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "codereview.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
- { "contributor.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "cr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "crbug.com", true, false, false, -1, &kPinset_google_root_pems },
- { "crosbug.com", true, false, false, -1, &kPinset_google_root_pems },
- { "crrev.com", true, false, false, -1, &kPinset_google_root_pems },
- { "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom },
- { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems },
- { "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "dist.torproject.org", true, false, false, -1, &kPinset_tor },
- { "dk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "dl.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "dns.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "do.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "docs.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "domains.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "doubleclick.net", true, false, false, -1, &kPinset_google_root_pems },
- { "drive.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "dropbox.com", true, false, false, -1, &kPinset_dropbox },
- { "dropboxstatic.com", false, true, false, -1, &kPinset_dropbox },
- { "dropboxusercontent.com", false, true, false, -1, &kPinset_dropbox },
- { "edit.yahoo.com", true, true, false, -1, &kPinset_yahoo },
- { "en-maktoob.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "encrypted.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "es.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "espanol.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "exclude-subdomains.pinning.example.com", false, false, false, 0, &kPinset_mozilla_test },
- { "facebook.com", false, false, false, -1, &kPinset_facebook },
- { "fi.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "fi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "firebaseio.com", true, false, false, -1, &kPinset_google_root_pems },
- { "fj.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "fr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "g.co", true, false, false, -1, &kPinset_google_root_pems },
- { "g4w.co", true, false, false, -1, &kPinset_google_root_pems },
- { "ggpht.com", true, false, false, -1, &kPinset_google_root_pems },
- { "gl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "glass.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "gm.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "gmail.com", false, false, false, -1, &kPinset_google_root_pems },
- { "goo.gl", true, false, false, -1, &kPinset_google_root_pems },
- { "google", true, false, false, -1, &kPinset_google_root_pems },
- { "google-analytics.com", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ac", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ad", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ae", true, false, false, -1, &kPinset_google_root_pems },
- { "google.af", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ag", true, false, false, -1, &kPinset_google_root_pems },
- { "google.am", true, false, false, -1, &kPinset_google_root_pems },
- { "google.as", true, false, false, -1, &kPinset_google_root_pems },
- { "google.at", true, false, false, -1, &kPinset_google_root_pems },
- { "google.az", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ba", true, false, false, -1, &kPinset_google_root_pems },
- { "google.be", true, false, false, -1, &kPinset_google_root_pems },
- { "google.bf", true, false, false, -1, &kPinset_google_root_pems },
- { "google.bg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.bi", true, false, false, -1, &kPinset_google_root_pems },
- { "google.bj", true, false, false, -1, &kPinset_google_root_pems },
- { "google.bs", true, false, false, -1, &kPinset_google_root_pems },
- { "google.by", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ca", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cat", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cc", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cd", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cf", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ch", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ci", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cl", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cm", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.ao", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.bw", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.ck", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.cr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.hu", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.id", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.il", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.im", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.in", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.je", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.jp", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.ke", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.kr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.ls", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.ma", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.mz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.nz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.th", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.tz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.ug", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.uk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.uz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.ve", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.vi", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.za", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.zm", true, false, false, -1, &kPinset_google_root_pems },
- { "google.co.zw", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.af", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ag", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ai", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ar", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.au", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.bd", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.bh", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.bn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.bo", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.br", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.by", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.bz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.cn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.co", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.cu", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.cy", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.do", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ec", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.eg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.et", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.fj", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ge", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.gh", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.gi", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.gr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.gt", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.hk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.iq", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.jm", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.jo", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.kh", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.kw", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.lb", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ly", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.mt", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.mx", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.my", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.na", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.nf", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ng", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ni", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.np", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.nr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.om", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.pa", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.pe", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ph", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.pk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.pl", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.pr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.py", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.qa", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ru", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.sa", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.sb", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.sg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.sl", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.sv", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.tj", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.tn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.tr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.tw", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ua", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.uy", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.vc", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.ve", true, false, false, -1, &kPinset_google_root_pems },
- { "google.com.vn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cv", true, false, false, -1, &kPinset_google_root_pems },
- { "google.cz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.de", true, false, false, -1, &kPinset_google_root_pems },
- { "google.dj", true, false, false, -1, &kPinset_google_root_pems },
- { "google.dk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.dm", true, false, false, -1, &kPinset_google_root_pems },
- { "google.dz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ee", true, false, false, -1, &kPinset_google_root_pems },
- { "google.es", true, false, false, -1, &kPinset_google_root_pems },
- { "google.fi", true, false, false, -1, &kPinset_google_root_pems },
- { "google.fm", true, false, false, -1, &kPinset_google_root_pems },
- { "google.fr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ga", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ge", true, false, false, -1, &kPinset_google_root_pems },
- { "google.gg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.gl", true, false, false, -1, &kPinset_google_root_pems },
- { "google.gm", true, false, false, -1, &kPinset_google_root_pems },
- { "google.gp", true, false, false, -1, &kPinset_google_root_pems },
- { "google.gr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.gy", true, false, false, -1, &kPinset_google_root_pems },
- { "google.hk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.hn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.hr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ht", true, false, false, -1, &kPinset_google_root_pems },
- { "google.hu", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ie", true, false, false, -1, &kPinset_google_root_pems },
- { "google.im", true, false, false, -1, &kPinset_google_root_pems },
- { "google.info", true, false, false, -1, &kPinset_google_root_pems },
- { "google.iq", true, false, false, -1, &kPinset_google_root_pems },
- { "google.is", true, false, false, -1, &kPinset_google_root_pems },
- { "google.it", true, false, false, -1, &kPinset_google_root_pems },
- { "google.it.ao", true, false, false, -1, &kPinset_google_root_pems },
- { "google.je", true, false, false, -1, &kPinset_google_root_pems },
- { "google.jo", true, false, false, -1, &kPinset_google_root_pems },
- { "google.jobs", true, false, false, -1, &kPinset_google_root_pems },
- { "google.jp", true, false, false, -1, &kPinset_google_root_pems },
- { "google.kg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ki", true, false, false, -1, &kPinset_google_root_pems },
- { "google.kz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.la", true, false, false, -1, &kPinset_google_root_pems },
- { "google.li", true, false, false, -1, &kPinset_google_root_pems },
- { "google.lk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.lt", true, false, false, -1, &kPinset_google_root_pems },
- { "google.lu", true, false, false, -1, &kPinset_google_root_pems },
- { "google.lv", true, false, false, -1, &kPinset_google_root_pems },
- { "google.md", true, false, false, -1, &kPinset_google_root_pems },
- { "google.me", true, false, false, -1, &kPinset_google_root_pems },
- { "google.mg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.mk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ml", true, false, false, -1, &kPinset_google_root_pems },
- { "google.mn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ms", true, false, false, -1, &kPinset_google_root_pems },
- { "google.mu", true, false, false, -1, &kPinset_google_root_pems },
- { "google.mv", true, false, false, -1, &kPinset_google_root_pems },
- { "google.mw", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ne", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ne.jp", true, false, false, -1, &kPinset_google_root_pems },
- { "google.net", true, false, false, -1, &kPinset_google_root_pems },
- { "google.nl", true, false, false, -1, &kPinset_google_root_pems },
- { "google.no", true, false, false, -1, &kPinset_google_root_pems },
- { "google.nr", true, false, false, -1, &kPinset_google_root_pems },
- { "google.nu", true, false, false, -1, &kPinset_google_root_pems },
- { "google.off.ai", true, false, false, -1, &kPinset_google_root_pems },
- { "google.pk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.pl", true, false, false, -1, &kPinset_google_root_pems },
- { "google.pn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ps", true, false, false, -1, &kPinset_google_root_pems },
- { "google.pt", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ro", true, false, false, -1, &kPinset_google_root_pems },
- { "google.rs", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ru", true, false, false, -1, &kPinset_google_root_pems },
- { "google.rw", true, false, false, -1, &kPinset_google_root_pems },
- { "google.sc", true, false, false, -1, &kPinset_google_root_pems },
- { "google.se", true, false, false, -1, &kPinset_google_root_pems },
- { "google.sh", true, false, false, -1, &kPinset_google_root_pems },
- { "google.si", true, false, false, -1, &kPinset_google_root_pems },
- { "google.sk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.sm", true, false, false, -1, &kPinset_google_root_pems },
- { "google.sn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.so", true, false, false, -1, &kPinset_google_root_pems },
- { "google.st", true, false, false, -1, &kPinset_google_root_pems },
- { "google.td", true, false, false, -1, &kPinset_google_root_pems },
- { "google.tg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.tk", true, false, false, -1, &kPinset_google_root_pems },
- { "google.tl", true, false, false, -1, &kPinset_google_root_pems },
- { "google.tm", true, false, false, -1, &kPinset_google_root_pems },
- { "google.tn", true, false, false, -1, &kPinset_google_root_pems },
- { "google.to", true, false, false, -1, &kPinset_google_root_pems },
- { "google.tt", true, false, false, -1, &kPinset_google_root_pems },
- { "google.us", true, false, false, -1, &kPinset_google_root_pems },
- { "google.uz", true, false, false, -1, &kPinset_google_root_pems },
- { "google.vg", true, false, false, -1, &kPinset_google_root_pems },
- { "google.vu", true, false, false, -1, &kPinset_google_root_pems },
- { "google.ws", true, false, false, -1, &kPinset_google_root_pems },
- { "googleadservices.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googlecode.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googlecommerce.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googlegroups.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
- { "googleplex.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googlesource.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googlesyndication.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googletagmanager.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googletagservices.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googleusercontent.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googlevideo.com", true, false, false, -1, &kPinset_google_root_pems },
- { "googleweblight.com", true, false, false, -1, &kPinset_google_root_pems },
- { "goto.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "gr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "groups.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "gstatic.com", true, false, false, -1, &kPinset_google_root_pems },
- { "gvt1.com", true, false, false, -1, &kPinset_google_root_pems },
- { "gvt2.com", true, false, false, -1, &kPinset_google_root_pems },
- { "gvt3.com", true, false, false, -1, &kPinset_google_root_pems },
- { "hangouts.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "history.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "hk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "hn.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "hostedtalkgadget.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "hu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "id.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "ie.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "in.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "inbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "include-subdomains.pinning.example.com", true, false, false, -1, &kPinset_mozilla_test },
- { "it.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "kr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "kz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "li.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "login.corp.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "login.yahoo.com", true, true, false, -1, &kPinset_yahoo },
- { "lt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "lu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "lv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "m.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "mail-settings.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "mail.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "mail.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "maktoob.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "malaysia.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "market.android.com", true, false, false, -1, &kPinset_google_root_pems },
- { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "messenger.com", false, false, false, -1, &kPinset_facebook },
- { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom },
- { "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "ncsccs.com", true, true, false, -1, &kPinset_ncsccs },
- { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom },
- { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test },
- { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
- { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
- { "play.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "pr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "profiles.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "py.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "qc.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "research.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "ro.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "ru.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "rw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "script.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "se.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "secure.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "security.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "services.mozilla.com", true, false, true, 6, &kPinset_mozilla_services },
- { "sg.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "sirburton.com", true, true, false, -1, &kPinset_ncsccs },
- { "sites.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "spideroak.com", true, false, false, -1, &kPinset_spideroak },
- { "spreadsheets.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "static.googleadsserving.cn", true, false, false, -1, &kPinset_google_root_pems },
- { "stats.g.doubleclick.net", true, false, false, -1, &kPinset_google_root_pems },
- { "sv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "swehack.org", true, true, false, -1, &kPinset_swehackCom },
- { "t.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "tablet.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "talk.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "talkgadget.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "test-mode.pinning.example.com", true, true, false, -1, &kPinset_mozilla_test },
- { "th.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "themathematician.uk", true, true, false, -1, &kPinset_ncsccs },
- { "torproject.org", false, false, false, -1, &kPinset_tor },
- { "touch.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "tr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "translate.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
- { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
- { "twitter.com", true, false, false, -1, &kPinset_twitterCDN },
- { "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "upload.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "urchin.com", true, false, false, -1, &kPinset_google_root_pems },
- { "uy.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "uz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "ve.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "vn.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "w-spotlight.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wallet.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "webfilings-eu-mirror.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "webfilings-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "webfilings-mirror-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "webfilings.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-bigsky-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-demo-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-demo-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-dogfood-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-pentest.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-staging-hr.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-training-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-training-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "wf-trial-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "withgoogle.com", true, false, false, -1, &kPinset_google_root_pems },
- { "withyoutube.com", true, false, false, -1, &kPinset_google_root_pems },
- { "www.dropbox.com", true, false, false, -1, &kPinset_dropbox },
- { "www.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "www.gmail.com", false, false, false, -1, &kPinset_google_root_pems },
- { "www.googlegroups.com", true, false, false, -1, &kPinset_google_root_pems },
- { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
- { "www.messenger.com", true, false, false, -1, &kPinset_facebook },
- { "www.torproject.org", true, false, false, -1, &kPinset_tor },
- { "www.tumblr.com", false, true, false, -1, &kPinset_tumblr },
- { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
- { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "youtu.be", true, false, false, -1, &kPinset_google_root_pems },
- { "youtube-nocookie.com", true, false, false, -1, &kPinset_google_root_pems },
- { "youtube.com", true, false, false, -1, &kPinset_google_root_pems },
- { "ytimg.com", true, false, false, -1, &kPinset_google_root_pems },
- { "za.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "zh.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
};
-// Pinning Preload List Length = 476;
+// Pinning Preload List Length = 3;
static const int32_t kUnknownId = -1;
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1524772960289000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1609459199000000);
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index 44ee7dcc0..1b7f06a47 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -212,6 +212,7 @@ nsSiteSecurityService::nsSiteSecurityService()
, mUsePreloadList(true)
, mUseStsService(true)
, mPreloadListTimeOffset(0)
+ , mHPKPEnabled(false)
{
}
@@ -240,6 +241,10 @@ nsSiteSecurityService::Init()
"network.stricttransportsecurity.preloadlist", true);
mozilla::Preferences::AddStrongObserver(this,
"network.stricttransportsecurity.preloadlist");
+ mHPKPEnabled = mozilla::Preferences::GetBool(
+ "security.cert_pinning.hpkp.enabled", false);
+ mozilla::Preferences::AddStrongObserver(this,
+ "security.cert_pinning.hpkp.enabled");
mUseStsService = mozilla::Preferences::GetBool(
"network.stricttransportsecurity.enabled", true);
mozilla::Preferences::AddStrongObserver(this,
@@ -687,6 +692,17 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
if (aFailureResult) {
*aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN;
}
+ if (!mHPKPEnabled) {
+ SSSLOG(("SSS: HPKP disabled: not processing header '%s'", aHeader));
+ if (aMaxAge) {
+ *aMaxAge = 0;
+ }
+ if (aIncludeSubdomains) {
+ *aIncludeSubdomains = false;
+ }
+ return NS_OK;
+ }
+
SSSLOG(("SSS: processing HPKP header '%s'", aHeader));
NS_ENSURE_ARG(aSSLStatus);
@@ -1185,17 +1201,24 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname,
mozilla::pkix::Time& aEvalTime,
/*out*/ nsTArray<nsCString>& pinArray,
/*out*/ bool* aIncludeSubdomains,
- /*out*/ bool* afound) {
+ /*out*/ bool* aFound) {
// Child processes are not allowed direct access to this.
if (!XRE_IsParentProcess()) {
MOZ_CRASH("Child process: no direct access to nsISiteSecurityService::GetKeyPinsForHostname");
}
- NS_ENSURE_ARG(afound);
+ NS_ENSURE_ARG(aFound);
NS_ENSURE_ARG(aHostname);
+ if (!mHPKPEnabled) {
+ SSSLOG(("HPKP disabled - returning 'pins not found' for %s",
+ aHostname));
+ *aFound = false;
+ return NS_OK;
+ }
+
SSSLOG(("Top of GetKeyPinsForHostname for %s", aHostname));
- *afound = false;
+ *aFound = false;
*aIncludeSubdomains = false;
pinArray.Clear();
@@ -1228,7 +1251,7 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname,
}
pinArray = foundEntry.mSHA256keys;
*aIncludeSubdomains = foundEntry.mIncludeSubdomains;
- *afound = true;
+ *aFound = true;
return NS_OK;
}
@@ -1248,6 +1271,13 @@ nsSiteSecurityService::SetKeyPins(const char* aHost, bool aIncludeSubdomains,
NS_ENSURE_ARG_POINTER(aResult);
NS_ENSURE_ARG_POINTER(aSha256Pins);
+
+ if (!mHPKPEnabled) {
+ SSSLOG(("SSS: HPKP disabled: not setting pins"));
+ *aResult = false;
+ return NS_OK;
+ }
+
SSSLOG(("Top of SetPins"));
nsTArray<nsCString> sha256keys;
@@ -1313,6 +1343,8 @@ nsSiteSecurityService::Observe(nsISupports *subject,
"network.stricttransportsecurity.enabled", true);
mPreloadListTimeOffset =
mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
+ mHPKPEnabled = mozilla::Preferences::GetBool(
+ "security.cert_pinning.hpkp.enabled", false);
mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool(
"security.cert_pinning.process_headers_from_non_builtin_roots", false);
mMaxMaxAge = mozilla::Preferences::GetInt(
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h
index 63afee377..c14543684 100644
--- a/security/manager/ssl/nsSiteSecurityService.h
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -152,6 +152,7 @@ private:
bool mUsePreloadList;
bool mUseStsService;
int64_t mPreloadListTimeOffset;
+ bool mHPKPEnabled;
bool mProcessPKPHeadersFromNonBuiltInRoots;
RefPtr<mozilla::DataStorage> mSiteStateStorage;
RefPtr<mozilla::DataStorage> mPreloadStateStorage;
diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
index 4db133e43..c075428ee 100644
--- a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
+++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
@@ -12,6 +12,7 @@
var { ForgetAboutSite } = Cu.import("resource://gre/modules/ForgetAboutSite.jsm", {});
do_register_cleanup(() => {
+ Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
Services.prefs.clearUserPref(
"security.cert_pinning.process_headers_from_non_builtin_roots");
@@ -26,6 +27,7 @@ const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
do_get_profile(); // must be done before instantiating nsIX509CertDB
+Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
Services.prefs.setBoolPref(
"security.cert_pinning.process_headers_from_non_builtin_roots", true);
@@ -44,6 +46,26 @@ var uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
var sslStatus = new FakeSSLStatus(constructCertFromFile(
"test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem"));
+ // Test that with HPKP disabled, processing HPKP headers results in no
+ // information being saved.
+ add_task(async function() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
+ sss.processHeader(
+ Ci.nsISiteSecurityService.HEADER_HPKP,
+ uri,
+ GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN,
+ secInfo,
+ 0,
+ Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
+ );
+
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
+ Assert.ok(
+ !sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
+ "a.pinning.example.com should not be HPKP"
+ );
+ });
+
// Test the normal case of processing HSTS and HPKP headers for
// a.pinning2.example.com, using "Forget About Site" on a.pinning2.example.com,
// and then checking that the platform doesn't consider a.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
index 24b32d6bc..ece1757ac 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
@@ -28,6 +28,7 @@ function add_tests() {
PRErrorCodeSuccess, true);
add_test(() => {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
let uri = Services.io.newURI("https://ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
@@ -45,6 +46,7 @@ function add_tests() {
// Clear accumulated state.
ssservice.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
+ Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
run_next_test();
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
index 4d3c2fac8..f18182002 100644
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@@ -246,6 +246,9 @@ function check_pinning_telemetry() {
}
function run_test() {
+ // Ensure that static pinning works when HPKP is disabled.
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
+
add_tls_server_setup("BadCertServer", "bad_certs");
// Add a user-specified trust anchor.
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic.js b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
index 2c314b53a..7333ad6b3 100644
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js
+++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
@@ -41,6 +41,7 @@ const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";
const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
let stateFile = profileDir.clone();
diff --git a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
index fb4b32353..0dcf6993b 100644
--- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
+++ b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
@@ -98,6 +98,7 @@ const REPORT_URI = "report-uri=\"https://www.example.com/report/\";";
const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;";
function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS);
Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
@@ -138,4 +139,9 @@ function run_test() {
checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS);
checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2);
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE);
+
+ Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
+ Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
+ Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
+ Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
index d4165f7f4..1ca277da4 100644
--- a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
@@ -31,6 +31,7 @@ function checkStateRead(aSubject, aTopic, aData) {
}
function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
let profileDir = do_get_profile();
let stateFile = profileDir.clone();
stateFile.append(SSS_STATE_FILE_NAME);
diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js
index a4d8b5297..fefa64ea6 100644
--- a/security/manager/ssl/tests/unit/test_sss_savestate.js
+++ b/security/manager/ssl/tests/unit/test_sss_savestate.js
@@ -96,6 +96,7 @@ function checkStateWritten(aSubject, aTopic, aData) {
}
function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100);
gProfileDir = do_get_profile();
let SSService = Cc["@mozilla.org/ssservice;1"]