summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsSiteSecurityService.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/nsSiteSecurityService.cpp')
-rw-r--r--security/manager/ssl/nsSiteSecurityService.cpp87
1 files changed, 8 insertions, 79 deletions
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index 1b7f06a47..359cf04b3 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -29,15 +29,6 @@
#include "ScopedNSSTypes.h"
#include "SharedCertVerifier.h"
-// A note about the preload list:
-// When a site specifically disables HSTS by sending a header with
-// 'max-age: 0', we keep a "knockout" value that means "we have no information
-// regarding the HSTS state of this host" (any ancestor of "this host" can still
-// influence its HSTS status via include subdomains, however).
-// This prevents the preload list from overriding the site's current
-// desired HSTS status.
-#include "nsSTSPreloadList.inc"
-
using namespace mozilla;
using namespace mozilla::psm;
@@ -393,23 +384,10 @@ nsSiteSecurityService::RemoveState(uint32_t aType, nsIURI* aURI,
mozilla::DataStorageType storageType = isPrivate
? mozilla::DataStorage_Private
: mozilla::DataStorage_Persistent;
- // If this host is in the preload list, we have to store a knockout entry
- // if it's explicitly forced to not be HSTS anymore
- if (force && GetPreloadListEntry(hostname.get())) {
- SSSLOG(("SSS: storing knockout entry for %s", hostname.get()));
- SiteHSTSState siteState(0, SecurityPropertyKnockout, false);
- nsAutoCString stateString;
- siteState.ToString(stateString);
- nsAutoCString storageKey;
- SetStorageKey(storageKey, hostname, aType);
- rv = mSiteStateStorage->Put(storageKey, stateString, storageType);
- NS_ENSURE_SUCCESS(rv, rv);
- } else {
- SSSLOG(("SSS: removing entry for %s", hostname.get()));
- nsAutoCString storageKey;
- SetStorageKey(storageKey, hostname, aType);
- mSiteStateStorage->Remove(storageKey, storageType);
- }
+ SSSLOG(("SSS: removing entry for %s", hostname.get()));
+ nsAutoCString storageKey;
+ SetStorageKey(storageKey, hostname, aType);
+ mSiteStateStorage->Remove(storageKey, storageType);
return NS_OK;
}
@@ -969,31 +947,6 @@ nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI,
return IsSecureHost(aType, hostname.get(), aFlags, aCached, aResult);
}
-int STSPreloadCompare(const void *key, const void *entry)
-{
- const char *keyStr = (const char *)key;
- const nsSTSPreload *preloadEntry = (const nsSTSPreload *)entry;
- return strcmp(keyStr, preloadEntry->mHost);
-}
-
-// Returns the preload list entry for the given host, if it exists.
-// Only does exact host matching - the user must decide how to use the returned
-// data. May return null.
-const nsSTSPreload *
-nsSiteSecurityService::GetPreloadListEntry(const char *aHost)
-{
- PRTime currentTime = PR_Now() + (mPreloadListTimeOffset * PR_USEC_PER_SEC);
- if (mUsePreloadList && currentTime < gPreloadListExpirationTime) {
- return (const nsSTSPreload *) bsearch(aHost,
- kSTSPreloadList,
- mozilla::ArrayLength(kSTSPreloadList),
- sizeof(nsSTSPreload),
- STSPreloadCompare);
- }
-
- return nullptr;
-}
-
NS_IMETHODIMP
nsSiteSecurityService::IsSecureHost(uint32_t aType, const char* aHost,
uint32_t aFlags, bool* aCached,
@@ -1053,8 +1006,6 @@ nsSiteSecurityService::IsSecureHost(uint32_t aType, const char* aHost,
return NS_OK;
}
- const nsSTSPreload *preload = nullptr;
-
// First check the exact host. This involves first checking for an entry in
// site security storage. If that entry exists, we don't want to check
// in the preload list. We only want to use the stored value if it is not a
@@ -1086,21 +1037,11 @@ nsSiteSecurityService::IsSecureHost(uint32_t aType, const char* aHost,
}
}
- // If the entry is expired and not in the preload list, we can remove it.
- if (expired && !GetPreloadListEntry(host.get())) {
+ // If the entry is expired we can remove it.
+ if (expired) {
mSiteStateStorage->Remove(storageKey, storageType);
}
}
- // Finally look in the preloaded list. This is the exact host,
- // so if an entry exists at all, this host is HSTS.
- else if (GetPreloadListEntry(host.get())) {
- SSSLOG(("%s is a preloaded STS host", host.get()));
- *aResult = true;
- if (aCached) {
- *aCached = true;
- }
- return NS_OK;
- }
SSSLOG(("no HSTS data for %s found, walking up domain", host.get()));
const char *subdomain;
@@ -1144,23 +1085,11 @@ nsSiteSecurityService::IsSecureHost(uint32_t aType, const char* aHost,
}
}
- // If the entry is expired and not in the preload list, we can remove it.
- if (expired && !GetPreloadListEntry(subdomain)) {
+ // If the entry is expired we can remove it.
+ if (expired) {
mSiteStateStorage->Remove(storageKey, storageType);
}
}
- // This is an ancestor, so if we get a match, we have to check if the
- // preloaded entry includes subdomains.
- else if ((preload = GetPreloadListEntry(subdomain)) != nullptr) {
- if (preload->mIncludeSubdomains) {
- SSSLOG(("%s is a preloaded STS host", subdomain));
- *aResult = true;
- if (aCached) {
- *aCached = true;
- }
- break;
- }
- }
SSSLOG(("no HSTS data for %s found, walking up domain", subdomain));
}