diff options
| author | wolfbeast <mcwerewolf@wolfbeast.com> | 2020-03-31 09:44:30 +0200 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2020-04-14 13:20:35 +0200 |
| commit | 2407845ec187fc0bddcf061f41a5791c7041d9ff (patch) | |
| tree | d367a246976a3f7e72842a4120b29d975d566b5d /security | |
| parent | 3f09b298b0d3b737e88115c869af8393a75bfd31 (diff) | |
| download | UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.tar UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.tar.gz UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.tar.lz UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.tar.xz UXP-2407845ec187fc0bddcf061f41a5791c7041d9ff.zip | |
Issue #1280 - Un-bust certerror pages and ForgetAboutSite
Diffstat (limited to 'security')
| -rw-r--r-- | security/manager/ssl/SSLServerCertVerification.cpp | 23 |
1 files changed, 5 insertions, 18 deletions
diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp index af985eb92..37a3b809f 100644 --- a/security/manager/ssl/SSLServerCertVerification.cpp +++ b/security/manager/ssl/SSLServerCertVerification.cpp @@ -425,11 +425,9 @@ CertErrorRunnable::CheckCertOverrides() uint32_t remaining_display_errors = mCollectedErrors; - // If this is an HTTP Strict Transport Security host or a pinned host and the - // certificate is bad, don't allow overrides (RFC 6797 section 12.1, - // HPKP draft spec section 2.6). + // If this is an HTTP Strict Transport Security host, don't allow overrides + // RFC 6797 section 12.1. bool strictTransportSecurityEnabled = false; - bool hasPinningInformation = false; nsCOMPtr<nsISiteSecurityService> sss(do_GetService(NS_SSSERVICE_CONTRACTID)); if (!sss) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, @@ -449,21 +447,10 @@ CertErrorRunnable::CheckCertOverrides() return new SSLServerCertVerificationResult(mInfoObject, mDefaultErrorCodeToReport); } - nsrv = sss->IsSecureHost(nsISiteSecurityService::HEADER_HPKP, - mInfoObject->GetHostNameRaw(), - mProviderFlags, - nullptr, - &hasPinningInformation); - if (NS_FAILED(nsrv)) { - MOZ_LOG(gPIPNSSLog, LogLevel::Debug, - ("[%p][%p] checking for HPKP failed\n", mFdForLogging, this)); - return new SSLServerCertVerificationResult(mInfoObject, - mDefaultErrorCodeToReport); - } - if (!strictTransportSecurityEnabled && !hasPinningInformation) { + if (!strictTransportSecurityEnabled) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, - ("[%p][%p] no HSTS or HPKP - overrides allowed\n", + ("[%p][%p] no HSTS - overrides allowed\n", mFdForLogging, this)); nsCOMPtr<nsICertOverrideService> overrideService = do_GetService(NS_CERTOVERRIDE_CONTRACTID); @@ -497,7 +484,7 @@ CertErrorRunnable::CheckCertOverrides() } } else { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, - ("[%p][%p] HSTS or HPKP - no overrides allowed\n", + ("[%p][%p] HSTS - no overrides allowed\n", mFdForLogging, this)); } |