Backed out changesets fb903f13f215, 9c5c712698e4, and 36d257ead3da (bug 1092835) for causing test_csp_allow_https_schemes.html permafail on Android 2.3.

CLOSED TREE
2024-09-13 09:24:08 -07:00 · 2014-12-09 14:00:47 -05:00 · 2014-12-09 14:00:47 -05:00 · 05d42674b2
commit 05d42674b2
parent 607484112e
12 changed files with 59 additions and 128 deletions
--- a/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js
+++ b/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js
@ -2,87 +2,72 @@
 /* Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/publicdomain/zero/1.0/ */

-// Tests that the Web Console shows weak crypto warnings (SHA-1 Certificate, SSLv3, and RC4)
+// Tests that the Web Console shows SHA-1 Certificate warnings

-const TEST_URI_PATH = "/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
-let gWebconsoleTests = [
-  {url: "https://sha1ee.example.com" + TEST_URI_PATH,
-   name: "SHA1 warning displayed successfully",
-   warning: ["SHA-1"], nowarning: ["SSL 3.0", "RC4"]},
-  {url: "https://ssl3.example.com" + TEST_URI_PATH,
-   name: "SSL3 warning displayed successfully",
-   pref: [["security.tls.version.min", 0]],
-   warning: ["SSL 3.0"], nowarning: ["SHA-1", "RC4"]},
-  {url: "https://rc4.example.com" + TEST_URI_PATH,
-   name: "RC4 warning displayed successfully",
-   warning: ["RC4"], nowarning: ["SHA-1", "SSL 3.0"]},
-  {url: "https://ssl3rc4.example.com" + TEST_URI_PATH,
-   name: "SSL3 and RC4 warning displayed successfully",
-   pref: [["security.tls.version.min", 0]],
-   warning: ["SSL 3.0", "RC4"], nowarning: ["SHA-1"]},
-  {url: "https://sha256ee.example.com" + TEST_URI_PATH,
-   name: "SSL warnings appropriately not present",
-   warning: [], nowarning: ["SHA-1", "SSL 3.0", "RC4"]},
-];
+const TEST_BAD_URI = "https://sha1ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
+const TEST_GOOD_URI = "https://sha256ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
 const TRIGGER_MSG = "If you haven't seen ssl warnings yet, you won't";

 let gHud = undefined;
-let gCurrentTest;

 function test() {
  registerCleanupFunction(function () {
    gHud = null;
  });

-  addTab("data:text/html;charset=utf8,Web Console weak crypto warnings test");
+  addTab("data:text/html;charset=utf8,Web Console SHA-1 warning test");
  browser.addEventListener("load", function _onLoad() {
    browser.removeEventListener("load", _onLoad, true);
-    openConsole(null, runTestLoop);
+    openConsole(null, loadBadDocument);
  }, true);
 }

-function runTestLoop(theHud) {
-  gCurrentTest = gWebconsoleTests.shift();
-  if (!gCurrentTest) {
-    finishTest();
-  }
-  if (!gHud) {
-    gHud = theHud;
-  }
-  gHud.jsterm.clearOutput();
-  browser.addEventListener("load", onLoad, true);
-  if (gCurrentTest.pref) {
-    SpecialPowers.pushPrefEnv({"set": gCurrentTest.pref},
-      function() {
-        content.location = gCurrentTest.url;
-      });
-  } else {
-    content.location = gCurrentTest.url;
-  }
+function loadBadDocument(theHud) {
+  gHud = theHud;
+  browser.addEventListener("load", onBadLoad, true);
+  content.location = TEST_BAD_URI;
 }

-function onLoad(aEvent) {
-  browser.removeEventListener("load", onLoad, true);
+function onBadLoad(aEvent) {
+  browser.removeEventListener("load", onBadLoad, true);
+  testForWarningMessage();
+}
+
+function loadGoodDocument(theHud) {
+  gHud.jsterm.clearOutput()
+  browser.addEventListener("load", onGoodLoad, true);
+  content.location = TEST_GOOD_URI;
+}
+
+function onGoodLoad(aEvent) {
+  browser.removeEventListener("load", onGoodLoad, true);
+  testForNoWarning();
+}
+
+function testForWarningMessage() {
  let aOutputNode = gHud.outputNode;

  waitForSuccess({
-      name: gCurrentTest.name,
+      name: "SHA1 warning displayed successfully",
      validatorFn: function() {
-        if (gHud.outputNode.textContent.indexOf(TRIGGER_MSG) >= 0) {
-          for (let warning of gCurrentTest.warning) {
-            if (gHud.outputNode.textContent.indexOf(warning) < 0) {
-              return false;
-            }
-          }
-          for (let nowarning of gCurrentTest.nowarning) {
-            if (gHud.outputNode.textContent.indexOf(nowarning) >= 0) {
-              return false;
-            }
-          }
-          return true;
-        }
+        return gHud.outputNode.textContent.indexOf("SHA-1") > -1;
      },
-      successFn: runTestLoop,
+      successFn: loadGoodDocument,
+      failureFn: finishTest,
+    });
+}
+
+function testForNoWarning() {
+  let aOutputNode = gHud.outputNode;
+
+  waitForSuccess({
+      name: "SHA1 warning appropriately missed",
+      validatorFn: function() {
+        if (gHud.outputNode.textContent.indexOf(TRIGGER_MSG) > -1) {
+          return gHud.outputNode.textContent.indexOf("SHA-1") == -1;
+        }
+      },
+      successFn: finishTest,
      failureFn: finishTest,
    });
 }
--- a/build/pgo/certs/cert8.db
+++ b/build/pgo/certs/cert8.db
--- a/build/pgo/certs/key3.db
+++ b/build/pgo/certs/key3.db
--- a/build/pgo/server-locations.txt
+++ b/build/pgo/server-locations.txt
@ -233,8 +233,3 @@ https://include-subdomains.pinning.example.com:443                privileged,cer
 # Hosts for sha1 console warning tests
 https://sha1ee.example.com:443                                    privileged,cert=sha1_end_entity
 https://sha256ee.example.com:443                                  privileged,cert=sha256_end_entity
-
-# Hosts for ssl3/rc4 console warning tests
-https://ssl3.example.com:443        privileged,ssl3
-https://rc4.example.com:443         privileged,rc4
-https://ssl3rc4.example.com:443     privileged,ssl3,rc4
--- a/dom/locales/en-US/chrome/security/security.properties
+++ b/dom/locales/en-US/chrome/security/security.properties
@ -19,8 +19,3 @@ LoadingMixedActiveContent=Loading mixed (insecure) active content on a secure pa
 LoadingMixedDisplayContent=Loading mixed (insecure) display content on a secure page "%1$S"
 # LOCALIZATION NOTE: Do not translate "allow-scripts", "allow-same-origin", "sandbox" or "iframe"
 BothAllowScriptsAndSameOriginPresent=An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.
-
-# LOCALIZATION NOTE: Do not translate "SSL 3.0".
-WeakProtocolVersionWarning=This site uses the protocol SSL 3.0 for encryption, which is deprecated and insecure.
-# LOCALIZATION NOTE: Do not translate "RC4".
-WeakCipherSuiteWarning=This site uses the cipher RC4 for encryption, which is deprecated and insecure.
--- a/layout/printing/nsIPrintProgress.idl
+++ b/layout/printing/nsIPrintProgress.idl
@ -8,7 +8,7 @@ interface nsIDOMWindow;
 interface nsIObserver;
 interface nsIPrompt;

-[scriptable, uuid(10b6ec13-09ed-4f7d-9df9-962c0d18306f)]
+[scriptable, uuid(594fd36d-5b1b-412f-a74e-ab72099a5bb2)]
 interface nsIPrintProgress: nsIWebProgressListener {

  /* Open the progress dialog
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@ -48,8 +48,6 @@
 #include "nsIScriptSecurityManager.h"
 #include "nsISSLStatus.h"
 #include "nsISSLStatusProvider.h"
-#include "nsITransportSecurityInfo.h"
-#include "nsIWebProgressListener.h"
 #include "LoadContextInfo.h"
 #include "netCore.h"
 #include "nsHttpTransaction.h"
@ -1218,25 +1216,6 @@ nsHttpChannel::ProcessSSLInformation()
    if (!sslstat)
        return;

-    nsCOMPtr<nsITransportSecurityInfo> securityInfo =
-        do_QueryInterface(mSecurityInfo);
-    uint32_t state;
-    if (securityInfo &&
-        NS_SUCCEEDED(securityInfo->GetSecurityState(&state)) &&
-        (state & nsIWebProgressListener::STATE_IS_BROKEN)) {
-        // Send weak crypto warnings to the web console
-        if (state & nsIWebProgressListener::STATE_USES_SSL_3) {
-            nsString consoleErrorTag = NS_LITERAL_STRING("WeakProtocolVersionWarning");
-            nsString consoleErrorCategory = NS_LITERAL_STRING("SSL");
-            AddSecurityMessage(consoleErrorTag, consoleErrorCategory);
-        }
-        if (state & nsIWebProgressListener::STATE_USES_WEAK_CRYPTO) {
-            nsString consoleErrorTag = NS_LITERAL_STRING("WeakCipherSuiteWarning");
-            nsString consoleErrorCategory = NS_LITERAL_STRING("SSL");
-            AddSecurityMessage(consoleErrorTag, consoleErrorCategory);
-        }
-    }
-
    // Send (SHA-1) signature algorithm errors to the web console
    nsCOMPtr<nsIX509Cert> cert;
    sslstat->GetServerCert(getter_AddRefs(cert));
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@ -1172,8 +1172,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
                                           infoObject->GetPort(),
                                           versions.max);

-  bool usesWeakProtocol = false;
-  bool usesWeakCipher = false;
+  bool weakEncryption = false;
  SSLChannelInfo channelInfo;
  rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
  MOZ_ASSERT(rv == SECSuccess);
@ -1192,9 +1191,9 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
                                sizeof cipherInfo);
    MOZ_ASSERT(rv == SECSuccess);
    if (rv == SECSuccess) {
-      usesWeakProtocol =
-        channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0;
-      usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4;
+      weakEncryption =
+        (channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0) ||
+        (cipherInfo.symCipher == ssl_calg_rc4);

      // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
      Telemetry::Accumulate(
@ -1266,23 +1265,15 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
  if (rv != SECSuccess) {
    siteSupportsSafeRenego = false;
  }
-  bool renegotiationUnsafe = !siteSupportsSafeRenego &&
-                             ioLayerHelpers.treatUnsafeNegotiationAsBroken();

-  uint32_t state;
-  if (usesWeakProtocol || usesWeakCipher || renegotiationUnsafe) {
-    state = nsIWebProgressListener::STATE_IS_BROKEN;
-    if (usesWeakProtocol) {
-      state |= nsIWebProgressListener::STATE_USES_SSL_3;
-    }
-    if (usesWeakCipher) {
-      state |= nsIWebProgressListener::STATE_USES_WEAK_CRYPTO;
-    }
+  if (!weakEncryption &&
+      (siteSupportsSafeRenego ||
+       !ioLayerHelpers.treatUnsafeNegotiationAsBroken())) {
+    infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_SECURE |
+                                 nsIWebProgressListener::STATE_SECURE_HIGH);
  } else {
-    state = nsIWebProgressListener::STATE_IS_SECURE |
-            nsIWebProgressListener::STATE_SECURE_HIGH;
+    infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_BROKEN);
  }
-  infoObject->SetSecurityState(state);

  // XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead,
  // we should set a flag on the channel that higher (UI) level code can check
--- a/toolkit/components/downloads/nsIDownload.idl
+++ b/toolkit/components/downloads/nsIDownload.idl
@ -24,7 +24,7 @@ interface nsIMIMEInfo;
 *       nsIDownloadManager::DOWNLOAD_DIRTY 
 *       nsIDownloadManager::DOWNLOAD_BLOCKED_POLICY 
 */
-[scriptable, uuid(59f00997-c2ab-4a8b-901d-ccb761cadddd)]
+[scriptable, uuid(2258f465-656e-4566-87cb-f791dbaf0322)]
 interface nsIDownload : nsITransfer {
    
    /**
--- a/uriloader/base/nsITransfer.idl
+++ b/uriloader/base/nsITransfer.idl
@ -11,7 +11,7 @@ interface nsICancelable;
 interface nsIMIMEInfo;
 interface nsIFile;

-[scriptable, uuid(9b729b43-0d74-4762-bf11-8cb88a88ead3)]
+[scriptable, uuid(37ec75d3-97ad-4da8-afaa-eabe5b4afd73)]
 interface nsITransfer : nsIWebProgressListener2 {

    /**
--- a/uriloader/base/nsIWebProgressListener.idl
+++ b/uriloader/base/nsIWebProgressListener.idl
@ -17,7 +17,7 @@ interface nsIURI;
 * nsIWebProgress instances.  nsIWebProgress.idl describes the parent-child
 * relationship of nsIWebProgress instances.
 */
-[scriptable, uuid(90685740-e180-41f1-8394-441c470d5096)]
+[scriptable, uuid(a9df523b-efe2-421e-9d8e-3d7f807dda4c)]
 interface nsIWebProgressListener : nsISupports
 {
  /**
@ -252,20 +252,6 @@ interface nsIWebProgressListener : nsISupports

  const unsigned long STATE_IDENTITY_EV_TOPLEVEL    = 0x00100000;

-  /**
-    * Broken state flags
-    *
-    * These flags describe the reason of the broken state.
-    *
-    * STATE_USES_SSL_3
-    *   The topmost document uses SSL 3.0.
-    *
-    * STATE_USES_WEAK_CRYPTO
-    *   The topmost document uses a weak cipher suite such as RC4.
-    */
-  const unsigned long STATE_USES_SSL_3                = 0x01000000;
-  const unsigned long STATE_USES_WEAK_CRYPTO          = 0x02000000;
-
  /**
   * Notification indicating the state has changed for one of the requests
   * associated with aWebProgress.
--- a/uriloader/base/nsIWebProgressListener2.idl
+++ b/uriloader/base/nsIWebProgressListener2.idl
@ -7,7 +7,7 @@
 /**
 * An extended version of nsIWebProgressListener.
 */
-[scriptable, uuid(19e9d920-c67e-406c-aeea-77ac5a5c908d)]
+[scriptable, uuid(dde39de0-e4e0-11da-8ad9-0800200c9a66)]
 interface nsIWebProgressListener2 : nsIWebProgressListener {
  /**
   * Notification that the progress has changed for one of the requests