authortrav90 <travawine@palemoon.org>2018-06-05 22:23:30 -0500
committertrav90 <travawine@palemoon.org>2018-06-05 22:23:30 -0500
commita32e0cb8c787b42e78e6a2c977523eff866436ca (patch)
treed4810f290453669a4c702f9a276a1046b906c5bd
parenta421f38160599152cd409e4fabd434a224f78487 (diff)
Update HSTS preload list generation script
Previous behavior: if an entry was in the previously-used list and there was an error connecting to or processing the host, the entry was kept with its previous status and a new minimum required max age TTL. New behavior: if an entry is in the previously-used list and there is an error connecting to or processing the host, it is dropped from the preload list. The old behavior allowed entries to persist on the HSTS preload list after they dropped off the 'net. Given domain churn, a persisted HSTS entry preloaded in the browser would cause issues for a domain's new owners. Bonus: it keeps our HSTS preload list lean.
-rw-r--r--security/manager/tools/getHSTSPreloadList.js9
1 files changed, 4 insertions, 5 deletions
diff --git a/security/manager/tools/getHSTSPreloadList.js b/security/manager/tools/getHSTSPreloadList.js
index 5b950f938..26fad8a89 100644
--- a/security/manager/tools/getHSTSPreloadList.js
+++ b/security/manager/tools/getHSTSPreloadList.js
@@ -261,16 +261,15 @@ function output(sortedStatuses, currentList) {
for (let status in sortedStatuses) {
// If we've encountered an error for this entry (other than the site not
- // sending an HSTS header), be safe and don't remove it from the list
- // (given that it was already on the list).
+ // sending an HSTS header), be safe and remove it from the list
+ // (preventing stale entries from accumulating).
if (status.error != ERROR_NONE &&
status.error != ERROR_NO_HSTS_HEADER &&
status.error != ERROR_MAX_AGE_TOO_LOW &&
status.name in currentList) {
- dump("INFO: error connecting to or processing " + status.name + " - using previous status on list\n");
+ dump("INFO: error connecting to or processing " + status.name + " - dropping from list\n");
writeTo(status.name + ": " + errorToString(status) + "\n", eos);
- status.maxAge = MINIMUM_REQUIRED_MAX_AGE;
- status.includeSubdomains = currentList[status.name];
+ status.maxAge = 0;
}
}
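Review bot: The new `status.maxAge = 0;` only takes effect if this loop visits status objects, but the context line `for (let status in sortedStatuses) {` iterates keys rather than values. If sortedStatuses is an array (its construction is not visible here), `status.error` and `status.name` are undefined, the `status.name in currentList` test fails and the branch never runs; confirm this and use `for (let status of sortedStatuses) {` if so. Separately, one transient connection failure during a generation run now removes a host that may still be serving HSTS, which reopens the first-visit downgrade window for that site. Consider retrying before dropping, and extend the comment to say so, e.g. `// NOTE: a transient failure also drops the host; re-run before shipping the list.` The actual removal presumably relies on a later max-age filter outside this hunk, since output()'s body continues past the lines shown.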