summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2020-03-31 09:44:30 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2020-03-31 09:44:30 +0200
commita205ee7040b74ff67717ba44723abbdc0dab02e1 (patch)
tree72517c9cb8a2662bf61548cff52ff70ed0d20132 /security
parent3bc5d67c982cc4acdc4db2be1c1b517816401d54 (diff)
downloadUXP-a205ee7040b74ff67717ba44723abbdc0dab02e1.tar
UXP-a205ee7040b74ff67717ba44723abbdc0dab02e1.tar.gz
UXP-a205ee7040b74ff67717ba44723abbdc0dab02e1.tar.lz
UXP-a205ee7040b74ff67717ba44723abbdc0dab02e1.tar.xz
UXP-a205ee7040b74ff67717ba44723abbdc0dab02e1.zip
Issue #1280 - Un-bust certerror pages and ForgetAboutSite
Diffstat (limited to 'security')
-rw-r--r--security/manager/ssl/SSLServerCertVerification.cpp23
1 files changed, 5 insertions, 18 deletions
diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp
index af985eb92..37a3b809f 100644
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -425,11 +425,9 @@ CertErrorRunnable::CheckCertOverrides()
uint32_t remaining_display_errors = mCollectedErrors;
- // If this is an HTTP Strict Transport Security host or a pinned host and the
- // certificate is bad, don't allow overrides (RFC 6797 section 12.1,
- // HPKP draft spec section 2.6).
+ // If this is an HTTP Strict Transport Security host, don't allow overrides
+ // RFC 6797 section 12.1.
bool strictTransportSecurityEnabled = false;
- bool hasPinningInformation = false;
nsCOMPtr<nsISiteSecurityService> sss(do_GetService(NS_SSSERVICE_CONTRACTID));
if (!sss) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
@@ -449,21 +447,10 @@ CertErrorRunnable::CheckCertOverrides()
return new SSLServerCertVerificationResult(mInfoObject,
mDefaultErrorCodeToReport);
}
- nsrv = sss->IsSecureHost(nsISiteSecurityService::HEADER_HPKP,
- mInfoObject->GetHostNameRaw(),
- mProviderFlags,
- nullptr,
- &hasPinningInformation);
- if (NS_FAILED(nsrv)) {
- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("[%p][%p] checking for HPKP failed\n", mFdForLogging, this));
- return new SSLServerCertVerificationResult(mInfoObject,
- mDefaultErrorCodeToReport);
- }
- if (!strictTransportSecurityEnabled && !hasPinningInformation) {
+ if (!strictTransportSecurityEnabled) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("[%p][%p] no HSTS or HPKP - overrides allowed\n",
+ ("[%p][%p] no HSTS - overrides allowed\n",
mFdForLogging, this));
nsCOMPtr<nsICertOverrideService> overrideService =
do_GetService(NS_CERTOVERRIDE_CONTRACTID);
@@ -497,7 +484,7 @@ CertErrorRunnable::CheckCertOverrides()
}
} else {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("[%p][%p] HSTS or HPKP - no overrides allowed\n",
+ ("[%p][%p] HSTS - no overrides allowed\n",
mFdForLogging, this));
}