bug 1025332 - use nsIDocshell.failedChannel in certificate exception dialog instead of recent bad certs service r=jaws

browser/base/content/browser.js

@@ -2321,12 +2321,19 @@ let BrowserOnClick = {
     let secHistogram = Services.telemetry.getHistogramById("SECURITY_UI");
     let isTopFrame = (aOwnerDoc.defaultView.parent === aOwnerDoc.defaultView);
 
+    let docshell = aOwnerDoc.defaultView.QueryInterface(Ci.nsIInterfaceRequestor)
+                                        .getInterface(Ci.nsIWebNavigation)
+                                        .QueryInterface(Ci.nsIDocShell);
+    let securityInfo = docshell.failedChannel.securityInfo;
+    let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+
     switch (elmId) {
       case "exceptionDialogButton":
         if (isTopFrame) {
           secHistogram.add(Ci.nsISecurityUITelemetry.WARNING_BAD_CERT_TOP_CLICK_ADD_EXCEPTION);
         }
-        let params = { exceptionAdded : false };
+        let params = { exceptionAdded : false,
+                       sslStatus : sslStatus };
 
         try {
           switch (Services.prefs.getIntPref("browser.ssl_override_behavior")) {

security/manager/pki/resources/content/exceptionDialog.js

@@ -62,14 +62,18 @@ function initExceptionDialog() {
       document.getElementById("locationTextBox").value = args[0].location;
       document.getElementById('checkCertButton').disabled = false;
       
-      // We can optionally pre-fetch the certificate too.  Don't do this
-      // synchronously, since it would prevent the window from appearing
-      // until the fetch is completed, which could be multiple seconds.
-      // Instead, let's use a timer to spawn the actual fetch, but update
-      // the dialog to "checking..." state right away, so that the UI
-      // is appropriately responsive.  Bug 453855
-      if (args[0].prefetchCert) {
-
+      if (args[0].sslStatus) {
+        gSSLStatus = args[0].sslStatus;
+        gCert = gSSLStatus.serverCert;
+        gBroken = true;
+        updateCertStatus();
+      } else if (args[0].prefetchCert) {
+        // We can optionally pre-fetch the certificate too.  Don't do this
+        // synchronously, since it would prevent the window from appearing
+        // until the fetch is completed, which could be multiple seconds.
+        // Instead, let's use a timer to spawn the actual fetch, but update
+        // the dialog to "checking..." state right away, so that the UI
+        // is appropriately responsive.  Bug 453855
         document.getElementById("checkCertButton").disabled = true;
         gChecking = true;
         updateCertStatus();
@@ -83,35 +87,6 @@ function initExceptionDialog() {
   }
 }
 
-// returns true if found and global status could be set
-function findRecentBadCert(uri) {
-  try {
-    var certDB = Components.classes["@mozilla.org/security/x509certdb;1"]
-                           .getService(Components.interfaces.nsIX509CertDB);
-    if (!certDB)
-      return false;
-    var recentCertsSvc = certDB.getRecentBadCerts(inPrivateBrowsingMode());
-    if (!recentCertsSvc)
-      return false;
-
-    var hostWithPort = uri.host + ":" + uri.port;
-    gSSLStatus = recentCertsSvc.getRecentBadCert(hostWithPort);
-    if (!gSSLStatus)
-      return false;
-
-    gCert = gSSLStatus.QueryInterface(Components.interfaces.nsISSLStatus).serverCert;
-    if (!gCert)
-      return false;
-
-    gBroken = true;
-  }
-  catch (e) {
-    return false;
-  }
-  updateCertStatus();  
-  return true;
-}
-
 /**
  * Attempt to download the certificate for the location specified, and populate
  * the Certificate Status section with the result.
@@ -126,10 +101,6 @@ function checkCert() {
 
   var uri = getURI();
 
-  // Is the cert already known in the list of recently seen bad certs?
-  if (findRecentBadCert(uri) == true)
-    return;
-
   var req = new XMLHttpRequest();
   try {
     if(uri) {