authorwolfbeast <mcwerewolf@wolfbeast.com>2020-03-31 09:44:30 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2020-04-14 13:20:35 +0200
commit2407845ec187fc0bddcf061f41a5791c7041d9ff (patch)
treed367a246976a3f7e72842a4120b29d975d566b5d /docshell
parent3f09b298b0d3b737e88115c869af8393a75bfd31 (diff)
Issue #1280 - Un-bust certerror pages and ForgetAboutSite
Diffstat (limited to 'docshell')
-rw-r--r--docshell/base/nsDocShell.cpp17
1 files changed, 4 insertions, 13 deletions
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 6104ebfa7..f53d89e81 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -4943,13 +4943,11 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
if (errorClass == nsINSSErrorsService::ERROR_CLASS_BAD_CERT) {
error.AssignLiteral("nssBadCert");
- // If this is an HTTP Strict Transport Security host or a pinned host
- // and the certificate is bad, don't allow overrides (RFC 6797 section
- // 12.1, HPKP draft spec section 2.6).
+ // If this is an HTTP Strict Transport Security host, don't allow
+ // overrides (RFC 6797 section 12.1).
uint32_t flags =
UsePrivateBrowsing() ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
bool isStsHost = false;
- bool isPinnedHost = false;
if (XRE_IsParentProcess()) {
nsCOMPtr<nsISiteSecurityService> sss =
do_GetService(NS_SSSERVICE_CONTRACTID, &rv);
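Review bot: `isStsHost` is initialised to `false` and, with `isPinnedHost` gone, is now the only value that keeps the "Add Exception" override off, but the content-process branch (the hunk at -4967) calls `cc->SendIsSecureURI(...)` without checking its result. If that sync IPC call fails, the flag stays false and the error page falls through to the overridable class, whereas the parent-process branch bails out through `NS_ENSURE_SUCCESS(rv, rv)`. Failing closed would make the two branches agree, for example `if (!cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HSTS, uri, flags, &isStsHost)) { return NS_ERROR_FAILURE; }`. The rewritten comment could also say that the HSTS lookup is the sole gate and that an unanswered lookup must not be read as "not an STS host". The body of DisplayLoadError starts and ends outside this hunk, so callers' handling of an early return should be confirmed.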
@@ -4957,9 +4955,6 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, aURI,
flags, nullptr, &isStsHost);
NS_ENSURE_SUCCESS(rv, rv);
- rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HPKP, aURI,
- flags, nullptr, &isPinnedHost);
- NS_ENSURE_SUCCESS(rv, rv);
} else {
mozilla::dom::ContentChild* cc =
mozilla::dom::ContentChild::GetSingleton();
@@ -4967,8 +4962,6 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
SerializeURI(aURI, uri);
cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HSTS, uri, flags,
&isStsHost);
- cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HPKP, uri, flags,
- &isPinnedHost);
}
if (Preferences::GetBool(
@@ -4976,11 +4969,9 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
cssClass.AssignLiteral("expertBadCert");
}
- // HSTS/pinning takes precedence over the expert bad cert pref. We
+ // HSTS takes precedence over the expert bad cert pref. We
// never want to show the "Add Exception" button for these sites.
- // In the future we should differentiate between an HSTS host and a
- // pinned host and display a more informative message to the user.
- if (isStsHost || isPinnedHost) {
+ if (isStsHost) {
cssClass.AssignLiteral("badStsCert");
}