From 2407845ec187fc0bddcf061f41a5791c7041d9ff Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 31 Mar 2020 09:44:30 +0200 Subject: Issue #1280 - Un-bust certerror pages and ForgetAboutSite --- docshell/base/nsDocShell.cpp | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) (limited to 'docshell') diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp index 6104ebfa7..f53d89e81 100644 --- a/docshell/base/nsDocShell.cpp +++ b/docshell/base/nsDocShell.cpp @@ -4943,13 +4943,11 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI, if (errorClass == nsINSSErrorsService::ERROR_CLASS_BAD_CERT) { error.AssignLiteral("nssBadCert"); - // If this is an HTTP Strict Transport Security host or a pinned host - // and the certificate is bad, don't allow overrides (RFC 6797 section - // 12.1, HPKP draft spec section 2.6). + // If this is an HTTP Strict Transport Security host, don't allow + // overrides (RFC 6797 section 12.1). uint32_t flags = UsePrivateBrowsing() ? nsISocketProvider::NO_PERMANENT_STORAGE : 0; bool isStsHost = false; - bool isPinnedHost = false; if (XRE_IsParentProcess()) { nsCOMPtr sss = do_GetService(NS_SSSERVICE_CONTRACTID, &rv); @@ -4957,9 +4955,6 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI, rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, aURI, flags, nullptr, &isStsHost); NS_ENSURE_SUCCESS(rv, rv); - rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HPKP, aURI, - flags, nullptr, &isPinnedHost); - NS_ENSURE_SUCCESS(rv, rv); } else { mozilla::dom::ContentChild* cc = mozilla::dom::ContentChild::GetSingleton(); @@ -4967,8 +4962,6 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI, SerializeURI(aURI, uri); cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HSTS, uri, flags, &isStsHost); - cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HPKP, uri, flags, - &isPinnedHost); } if (Preferences::GetBool( 
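Review bot: In the content-process branch, the result of `cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HSTS, uri, flags, &isStsHost);` is not checked, so a failed IPC call leaves `isStsHost` at its initial `false`. The last hunk then skips `badStsCert` and keeps the class chosen earlier, which is `expertBadCert` when the pref is set, so the page would presumably show the override control for a host that may be an HSTS host. The parent-process branch fails closed through `NS_ENSURE_SUCCESS(rv, rv)`, and the child branch should match it. Assuming the IPDL-generated call returns `bool` as sync messages normally do, the fix is `if (!cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HSTS, uri, flags, &isStsHost)) { return NS_ERROR_FAILURE; }`. The body of `DisplayLoadError` starts and ends outside these hunks, so whether `cc` is null-checked before the call cannot be confirmed from here.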
@@ -4976,11 +4969,9 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI, cssClass.AssignLiteral("expertBadCert"); } - // HSTS/pinning takes precedence over the expert bad cert pref. We + // HSTS takes precedence over the expert bad cert pref. We // never want to show the "Add Exception" button for these sites. - // In the future we should differentiate between an HSTS host and a - // pinned host and display a more informative message to the user. - if (isStsHost || isPinnedHost) { + if (isStsHost) { cssClass.AssignLiteral("badStsCert"); } -- cgit v1.2.3