summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2020-03-31 09:44:30 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2020-04-14 13:20:35 +0200
commit2407845ec187fc0bddcf061f41a5791c7041d9ff (patch)
treed367a246976a3f7e72842a4120b29d975d566b5d /security
parent3f09b298b0d3b737e88115c869af8393a75bfd31 (diff)
downloadUXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.tar
UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.tar.gz
UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.tar.lz
UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.tar.xz
UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.zip
Issue #1280 - Un-bust certerror pages and ForgetAboutSite
Diffstat (limited to 'security')
-rw-r--r--security/manager/ssl/SSLServerCertVerification.cpp23
1 files changed, 5 insertions, 18 deletions
diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp
index af985eb92..37a3b809f 100644
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -425,11 +425,9 @@ CertErrorRunnable::CheckCertOverrides()
uint32_t remaining_display_errors = mCollectedErrors;
- // If this is an HTTP Strict Transport Security host or a pinned host and the
- // certificate is bad, don't allow overrides (RFC 6797 section 12.1,
- // HPKP draft spec section 2.6).
+ // If this is an HTTP Strict Transport Security host, don't allow overrides
+ // RFC 6797 section 12.1.
bool strictTransportSecurityEnabled = false;
- bool hasPinningInformation = false;
nsCOMPtr<nsISiteSecurityService> sss(do_GetService(NS_SSSERVICE_CONTRACTID));
if (!sss) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
@@ -449,21 +447,10 @@ CertErrorRunnable::CheckCertOverrides()
return new SSLServerCertVerificationResult(mInfoObject,
mDefaultErrorCodeToReport);
}
- nsrv = sss->IsSecureHost(nsISiteSecurityService::HEADER_HPKP,
- mInfoObject->GetHostNameRaw(),
- mProviderFlags,
- nullptr,
- &hasPinningInformation);
- if (NS_FAILED(nsrv)) {
- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("[%p][%p] checking for HPKP failed\n", mFdForLogging, this));
- return new SSLServerCertVerificationResult(mInfoObject,
- mDefaultErrorCodeToReport);
- }
- if (!strictTransportSecurityEnabled && !hasPinningInformation) {
+ if (!strictTransportSecurityEnabled) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("[%p][%p] no HSTS or HPKP - overrides allowed\n",
+ ("[%p][%p] no HSTS - overrides allowed\n",
mFdForLogging, this));
nsCOMPtr<nsICertOverrideService> overrideService =
do_GetService(NS_CERTOVERRIDE_CONTRACTID);
@@ -497,7 +484,7 @@ CertErrorRunnable::CheckCertOverrides()
}
} else {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("[%p][%p] HSTS or HPKP - no overrides allowed\n",
+ ("[%p][%p] HSTS - no overrides allowed\n",
mFdForLogging, this));
}