wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Backed out changesets 5f8a88c6d0c8 and 97fcb5a154d8 (bug 887052) for OSX mochitest-other orange.

Browse Source 
--HG--
rename : netwerk/base/public/nsISiteSecurityService.idl => netwerk/base/public/nsIStrictTransportSecurityService.idl
rename : security/manager/boot/src/nsSiteSecurityService.cpp => security/manager/boot/src/nsStrictTransportSecurityService.cpp
rename : security/manager/boot/src/nsSiteSecurityService.h => security/manager/boot/src/nsStrictTransportSecurityService.h
This commit is contained in:
Ryan VanderMeulen 2013-08-05 16:18:06 -04:00
parent 283a063cb5
commit e91e143e66
19 changed files with 281 additions and 307 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content/base/test/test_websocket.html
View File

@ -1230,14 +1230,14 @@ function test41()
const Ci = Components.interfaces;
var ios = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
var thehost = ios.newURI("http://example.com", null, null);
var sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
var stss = Cc["@mozilla.org/stsservice;1"].getService(Ci.nsIStrictTransportSecurityService);
var loadContext = window.QueryInterface(Ci.nsIInterfaceRequestor)
.getInterface(Ci.nsIWebNavigation)
.QueryInterface(Ci.nsILoadContext);
var flags = 0;
if (loadContext.usePrivateBrowsing)
flags |= Ci.nsISocketProvider.NO_PERMANENT_STORAGE;
sss.removeState(Ci.nsISiteSecurityService.HEADER_HSTS, thehost, flags);
stss.removeStsState(thehost, flags);
doTest(42);
}
}

9
docshell/base/nsDocShell.cpp
View File

@ -135,7 +135,7 @@
#include "nsIDOMHTMLAnchorElement.h"
#include "nsIWebBrowserChrome3.h"
#include "nsITabChild.h"
#include "nsISiteSecurityService.h"
#include "nsIStrictTransportSecurityService.h"
#include "nsStructuredCloneContainer.h"
#include "nsIStructuredCloneContainer.h"
#ifdef MOZ_PLACES
@ -4266,15 +4266,14 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
// if this is a Strict-Transport-Security host and the cert
// is bad, don't allow overrides (STS Spec section 7.3).
nsCOMPtr<nsISiteSecurityService> sss =
do_GetService(NS_SSSERVICE_CONTRACTID, &rv);
nsCOMPtr<nsIStrictTransportSecurityService> stss =
do_GetService(NS_STSSERVICE_CONTRACTID, &rv);
NS_ENSURE_SUCCESS(rv, rv);
uint32_t flags =
mInPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
bool isStsHost = false;
rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS,
aURI, flags, &isStsHost);
rv = stss->IsStsURI(aURI, flags, &isStsHost);
NS_ENSURE_SUCCESS(rv, rv);
uint32_t bucketId;

2
netwerk/base/public/moz.build
View File

@ -85,7 +85,6 @@ XPIDL_SOURCES += [
'nsISerializationHelper.idl',
'nsIServerSocket.idl',
'nsISimpleStreamListener.idl',
'nsISiteSecurityService.idl',
'nsISocketTransport.idl',
'nsISocketTransportService.idl',
'nsISpeculativeConnect.idl',
@ -94,6 +93,7 @@ XPIDL_SOURCES += [
'nsIStreamListenerTee.idl',
'nsIStreamLoader.idl',
'nsIStreamTransportService.idl',
'nsIStrictTransportSecurityService.idl',
'nsISyncStreamListener.idl',
'nsISystemProxySettings.idl',
'nsIThreadRetargetableRequest.idl',

41
netwerk/base/public/nsISiteSecurityService.idl → netwerk/base/public/nsIStrictTransportSecurityService.idl
View File

@ -8,13 +8,9 @@ interface nsIURI;
interface nsIObserver;
interface nsIHttpChannel;
[scriptable, uuid(b20a9242-5732-45bc-9fa0-a178154f2721)]
interface nsISiteSecurityService : nsISupports
[scriptable, uuid(c6138514-f212-4747-98c2-7abfce3be293)]
interface nsIStrictTransportSecurityService : nsISupports
{
const uint32_t HEADER_HSTS = 0;
const uint32_t HEADER_HKPK = 1;
const uint32_t HEADER_OMS = 2;
/**
* Parses a given HTTP header and records the results internally.
* The format of the STS header is defined by the STS specification:
@ -33,12 +29,11 @@ interface nsISiteSecurityService : nsISupports
* NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA
* if there are unrecognized tokens in the header.
*/
void processHeader(in uint32_t aType,
in nsIURI aSourceURI,
in string aHeader,
in uint32_t aFlags,
[optional] out unsigned long long aMaxAge,
[optional] out boolean aIncludeSubdomains);
void processStsHeader(in nsIURI aSourceURI,
in string aHeader,
in uint32_t aFlags,
[optional] out unsigned long long aMaxAge,
[optional] out boolean aIncludeSubdomains);
/**
* Removes the STS state of a host, including the includeSubdomains state
@ -48,15 +43,25 @@ interface nsISiteSecurityService : nsISupports
* @param aFlags options for this request as defined in nsISocketProvider:
* NO_PERMANENT_STORAGE
*/
void removeState(in uint32_t aType,
in nsIURI aURI,
in uint32_t aFlags);
void removeStsState(in nsIURI aURI,
in uint32_t aFlags);
/**
* Checks if the given security info is for an STS host with a broken
* transport layer (certificate errors like invalid CN).
*/
boolean shouldIgnoreHeader(in nsISupports aSecurityInfo);
boolean shouldIgnoreStsHeader(in nsISupports aSecurityInfo);
/**
* Checks whether or not the given hostname has STS state set.
* The host is an STS host if either it has the STS permission, or one of
* its super-domains has an STS "includeSubdomains" permission set.
*
* @param aHost the hostname (punycode) to query for STS state.
* @param aFlags options for this request as defined in nsISocketProvider:
* NO_PERMANENT_STORAGE
*/
boolean isStsHost(in string aHost, in uint32_t aFlags);
/**
* Checks whether or not the URI's hostname has STS state set.
@ -70,12 +75,12 @@ interface nsISiteSecurityService : nsISupports
* @param aFlags options for this request as defined in nsISocketProvider:
* NO_PERMANENT_STORAGE
*/
boolean isSecureURI(in uint32_t aType, in nsIURI aURI, in uint32_t aFlags);
boolean isStsURI(in nsIURI aURI, in uint32_t aFlags);
};
%{C++
#define NS_SSSERVICE_CONTRACTID "@mozilla.org/ssservice;1"
#define NS_STSSERVICE_CONTRACTID "@mozilla.org/stsservice;1"
#define STS_PERMISSION "sts/use"
#define STS_SUBDOMAIN_PERMISSION "sts/subd"

23
netwerk/protocol/http/nsHttpChannel.cpp
View File

@ -378,18 +378,17 @@ nsHttpChannel::Connect()
if (!usingSSL) {
// enforce Strict-Transport-Security
nsISiteSecurityService* sss = gHttpHandler->GetSSService();
NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY);
nsIStrictTransportSecurityService* stss = gHttpHandler->GetSTSService();
NS_ENSURE_TRUE(stss, NS_ERROR_OUT_OF_MEMORY);
bool isStsHost = false;
uint32_t flags = mPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, mURI, flags,
&isStsHost);
rv = stss->IsStsURI(mURI, flags, &isStsHost);
// if SSS fails, there's no reason to cancel the load, but it's
// if STS fails, there's no reason to cancel the load, but it's
// worrisome.
NS_ASSERTION(NS_SUCCEEDED(rv),
"Something is wrong with SSS: IsSecureURI failed.");
"Something is wrong with STS: IsStsURI failed.");
if (NS_SUCCEEDED(rv) && isStsHost) {
LOG(("nsHttpChannel::Connect() STS permissions found\n"));
@ -1144,8 +1143,8 @@ nsHttpChannel::ProcessSTSHeader()
if (PR_SUCCESS == PR_StringToNetAddr(asciiHost.get(), &hostAddr))
return NS_OK;
nsISiteSecurityService* sss = gHttpHandler->GetSSService();
NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY);
nsIStrictTransportSecurityService* stss = gHttpHandler->GetSTSService();
NS_ENSURE_TRUE(stss, NS_ERROR_OUT_OF_MEMORY);
// mSecurityInfo may not always be present, and if it's not then it is okay
// to just disregard any STS headers since we know nothing about the
@ -1156,7 +1155,7 @@ nsHttpChannel::ProcessSTSHeader()
// If there are certificate errors, we still load the data, we just ignore
// any STS headers that are present.
bool tlsIsBroken = false;
rv = sss->ShouldIgnoreHeader(mSecurityInfo, &tlsIsBroken);
rv = stss->ShouldIgnoreStsHeader(mSecurityInfo, &tlsIsBroken);
NS_ENSURE_SUCCESS(rv, NS_OK);
// If this was already an STS host, the connection should have been aborted
@ -1167,8 +1166,7 @@ nsHttpChannel::ProcessSTSHeader()
bool wasAlreadySTSHost;
uint32_t flags =
NS_UsePrivateBrowsing(this) ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, mURI, flags,
&wasAlreadySTSHost);
rv = stss->IsStsURI(mURI, flags, &wasAlreadySTSHost);
// Failure here means STS is broken. Don't prevent the load, but this
// shouldn't fail.
NS_ENSURE_SUCCESS(rv, NS_OK);
@ -1196,8 +1194,7 @@ nsHttpChannel::ProcessSTSHeader()
// All other failures are fatal.
NS_ENSURE_SUCCESS(rv, rv);
rv = sss->ProcessHeader(nsISiteSecurityService::HEADER_HSTS, mURI,
stsHeader.get(), flags, NULL, NULL);
rv = stss->ProcessStsHeader(mURI, stsHeader.get(), flags, NULL, NULL);
if (NS_FAILED(rv)) {
AddSecurityMessage(NS_LITERAL_STRING("InvalidSTSHeaders"),
NS_LITERAL_STRING("Invalid HSTS Headers"));

17
netwerk/protocol/http/nsHttpHandler.cpp
View File

@ -475,12 +475,12 @@ nsHttpHandler::GetStreamConverterService(nsIStreamConverterService **result)
return NS_OK;
}
nsISiteSecurityService*
nsHttpHandler::GetSSService()
nsIStrictTransportSecurityService*
nsHttpHandler::GetSTSService()
{
if (!mSSService)
mSSService = do_GetService(NS_SSSERVICE_CONTRACTID);
return mSSService;
if (!mSTSService)
mSTSService = do_GetService(NS_STSSERVICE_CONTRACTID);
return mSTSService;
}
nsICookieService *
@ -1830,9 +1830,9 @@ NS_IMETHODIMP
nsHttpHandler::SpeculativeConnect(nsIURI *aURI,
nsIInterfaceRequestor *aCallbacks)
{
nsISiteSecurityService* sss = gHttpHandler->GetSSService();
nsIStrictTransportSecurityService* stss = gHttpHandler->GetSTSService();
bool isStsHost = false;
if (!sss)
if (!stss)
return NS_OK;
nsCOMPtr<nsILoadContext> loadContext = do_GetInterface(aCallbacks);
@ -1840,8 +1840,7 @@ nsHttpHandler::SpeculativeConnect(nsIURI *aURI,
if (loadContext && loadContext->UsePrivateBrowsing())
flags |= nsISocketProvider::NO_PERMANENT_STORAGE;
nsCOMPtr<nsIURI> clone;
if (NS_SUCCEEDED(sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS,
aURI, flags, &isStsHost)) && isStsHost) {
if (NS_SUCCEEDED(stss->IsStsURI(aURI, flags, &isStsHost)) && isStsHost) {
if (NS_SUCCEEDED(aURI->Clone(getter_AddRefs(clone)))) {
clone->SetScheme(NS_LITERAL_CSTRING("https"));
aURI = clone.get();

6
netwerk/protocol/http/nsHttpHandler.h
View File

@ -26,7 +26,7 @@
#include "nsICacheSession.h"
#include "nsICookieService.h"
#include "nsITimer.h"
#include "nsISiteSecurityService.h"
#include "nsIStrictTransportSecurityService.h"
#include "nsISpeculativeConnect.h"
class nsHttpConnectionInfo;
@ -196,7 +196,7 @@ public:
nsresult GetStreamConverterService(nsIStreamConverterService **);
nsresult GetIOService(nsIIOService** service);
nsICookieService * GetCookieService(); // not addrefed
nsISiteSecurityService * GetSSService();
nsIStrictTransportSecurityService * GetSTSService();
// callable from socket thread only
uint32_t Get32BitsOfPseudoRandom();
@ -308,7 +308,7 @@ private:
nsCOMPtr<nsIStreamConverterService> mStreamConvSvc;
nsCOMPtr<nsIObserverService> mObserverService;
nsCOMPtr<nsICookieService> mCookieService;
nsCOMPtr<nsISiteSecurityService> mSSService;
nsCOMPtr<nsIStrictTransportSecurityService> mSTSService;
// the authentication credentials cache
nsHttpAuthCache mAuthCache;

120
netwerk/test/TestSTSParser.cpp
View File

@ -9,7 +9,7 @@
#include "plstr.h"
#include "nsNetUtil.h"
#include "nsStringGlue.h"
#include "nsISiteSecurityService.h"
#include "nsIStrictTransportSecurityService.h"
#include "nsIPermissionManager.h"
#define EXPECT_SUCCESS(rv, ...) \
@ -40,7 +40,7 @@
bool
TestSuccess(const char* hdr, bool extraTokens,
uint64_t expectedMaxAge, bool expectedIncludeSubdomains,
nsISiteSecurityService* sss,
nsIStrictTransportSecurityService* stss,
nsIPermissionManager* pm)
{
nsCOMPtr<nsIURI> dummyUri;
@ -49,8 +49,7 @@ TestSuccess(const char* hdr, bool extraTokens,
uint64_t maxAge = 0;
bool includeSubdomains = false;
rv = sss->ProcessHeader(nsISiteSecurityService::HEADER_HSTS, dummyUri, hdr,
0, &maxAge, &includeSubdomains);
rv = stss->ProcessStsHeader(dummyUri, hdr, 0, &maxAge, &includeSubdomains);
EXPECT_SUCCESS(rv, "Failed to process valid header: %s", hdr);
REQUIRE_EQUAL(maxAge, expectedMaxAge, "Did not correctly parse maxAge");
@ -68,15 +67,14 @@ TestSuccess(const char* hdr, bool extraTokens,
}
bool TestFailure(const char* hdr,
nsISiteSecurityService* sss,
nsIPermissionManager* pm)
nsIStrictTransportSecurityService* stss,
nsIPermissionManager* pm)
{
nsCOMPtr<nsIURI> dummyUri;
nsresult rv = NS_NewURI(getter_AddRefs(dummyUri), "https://foo.com/bar.html");
EXPECT_SUCCESS(rv, "Failed to create URI");
rv = sss->ProcessHeader(nsISiteSecurityService::HEADER_HSTS, dummyUri, hdr,
0, NULL, NULL);
rv = stss->ProcessStsHeader(dummyUri, hdr, 0, NULL, NULL);
EXPECT_FAILURE(rv, "Parsed invalid header: %s", hdr);
passed(hdr);
return true;
@ -98,8 +96,8 @@ main(int32_t argc, char *argv[])
}
// grab handle to the service
nsCOMPtr<nsISiteSecurityService> sss;
sss = do_GetService("@mozilla.org/ssservice;1", &rv);
nsCOMPtr<nsIStrictTransportSecurityService> stss;
stss = do_GetService("@mozilla.org/stsservice;1", &rv);
NS_ENSURE_SUCCESS(rv, -1);
nsCOMPtr<nsIPermissionManager> pm;
@ -114,42 +112,42 @@ main(int32_t argc, char *argv[])
printf("*** Attempting to parse valid STS headers ...\n");
// SHOULD SUCCEED:
rvs.AppendElement(TestSuccess("max-age=100", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("max-age =100", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess(" max-age=100", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("max-age = 100 ", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("max-age = \"100\" ", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("max-age=\"100\"", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess(" max-age =\"100\" ", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("\tmax-age\t=\t\"100\"\t", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("max-age = 100 ", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("max-age=100", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("max-age =100", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess(" max-age=100", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("max-age = 100 ", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("max-age = \"100\" ", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("max-age=\"100\"", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess(" max-age =\"100\" ", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("\tmax-age\t=\t\"100\"\t", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("max-age = 100 ", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("maX-aGe=100", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("MAX-age =100", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("max-AGE=100", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("Max-Age = 100 ", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("MAX-AGE = 100 ", false, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("maX-aGe=100", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("MAX-age =100", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("max-AGE=100", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("Max-Age = 100 ", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("MAX-AGE = 100 ", false, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("max-age=100;includeSubdomains", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("max-age=100\t; includeSubdomains", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess(" max-age=100; includeSubdomains", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("max-age = 100 ; includeSubdomains", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("max-age = 100 ; includeSubdomains", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("max-age=100;includeSubdomains", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess("max-age=100\t; includeSubdomains", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess(" max-age=100; includeSubdomains", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess("max-age = 100 ; includeSubdomains", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess("max-age = 100 ; includeSubdomains", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess("maX-aGe=100; includeSUBDOMAINS", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("MAX-age =100; includeSubDomains", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("Max-Age = 100; includesubdomains ", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", false, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("maX-aGe=100; includeSUBDOMAINS", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess("MAX-age =100; includeSubDomains", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess("Max-Age = 100; includesubdomains ", false, 100, true, stss, pm));
rvs.AppendElement(TestSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", false, 100, true, stss, pm));
// Turns out, the actual directive is entirely optional (hence the
// trailing semicolon)
rvs.AppendElement(TestSuccess("max-age=100;includeSubdomains;", true, 100, true, sss, pm));
rvs.AppendElement(TestSuccess("max-age=100;includeSubdomains;", true, 100, true, stss, pm));
// these are weird tests, but are testing that some extended syntax is
// still allowed (but it is ignored)
rvs.AppendElement(TestSuccess("max-age=100 ; includesubdomainsSomeStuff", true, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("\r\n\t\t \tcompletelyUnrelated = foobar; max-age= 34520103 \t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t", true, 34520103, true, sss, pm));
rvs.AppendElement(TestSuccess("max-age=100; unrelated=\"quoted \\\"thingy\\\"\"", true, 100, false, sss, pm));
rvs.AppendElement(TestSuccess("max-age=100 ; includesubdomainsSomeStuff", true, 100, false, stss, pm));
rvs.AppendElement(TestSuccess("\r\n\t\t \tcompletelyUnrelated = foobar; max-age= 34520103 \t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t", true, 34520103, true, stss, pm));
rvs.AppendElement(TestSuccess("max-age=100; unrelated=\"quoted \\\"thingy\\\"\"", true, 100, false, stss, pm));
rv0 = rvs.Contains(false) ? 1 : 0;
if (rv0 == 0)
@ -160,37 +158,37 @@ main(int32_t argc, char *argv[])
// SHOULD FAIL:
printf("*** Attempting to parse invalid STS headers (should not parse)...\n");
// invalid max-ages
rvs.AppendElement(TestFailure("max-age", sss, pm));
rvs.AppendElement(TestFailure("max-age ", sss, pm));
rvs.AppendElement(TestFailure("max-age=p", sss, pm));
rvs.AppendElement(TestFailure("max-age=*1p2", sss, pm));
rvs.AppendElement(TestFailure("max-age=.20032", sss, pm));
rvs.AppendElement(TestFailure("max-age=!20032", sss, pm));
rvs.AppendElement(TestFailure("max-age==20032", sss, pm));
rvs.AppendElement(TestFailure("max-age", stss, pm));
rvs.AppendElement(TestFailure("max-age ", stss, pm));
rvs.AppendElement(TestFailure("max-age=p", stss, pm));
rvs.AppendElement(TestFailure("max-age=*1p2", stss, pm));
rvs.AppendElement(TestFailure("max-age=.20032", stss, pm));
rvs.AppendElement(TestFailure("max-age=!20032", stss, pm));
rvs.AppendElement(TestFailure("max-age==20032", stss, pm));
// invalid headers
rvs.AppendElement(TestFailure("foobar", sss, pm));
rvs.AppendElement(TestFailure("maxage=100", sss, pm));
rvs.AppendElement(TestFailure("maxa-ge=100", sss, pm));
rvs.AppendElement(TestFailure("max-ag=100", sss, pm));
rvs.AppendElement(TestFailure("includesubdomains", sss, pm));
rvs.AppendElement(TestFailure(";", sss, pm));
rvs.AppendElement(TestFailure("max-age=\"100", sss, pm));
rvs.AppendElement(TestFailure("foobar", stss, pm));
rvs.AppendElement(TestFailure("maxage=100", stss, pm));
rvs.AppendElement(TestFailure("maxa-ge=100", stss, pm));
rvs.AppendElement(TestFailure("max-ag=100", stss, pm));
rvs.AppendElement(TestFailure("includesubdomains", stss, pm));
rvs.AppendElement(TestFailure(";", stss, pm));
rvs.AppendElement(TestFailure("max-age=\"100", stss, pm));
// The max-age directive here doesn't conform to the spec, so it MUST
// be ignored. Consequently, the REQUIRED max-age directive is not
// present in this header, and so it is invalid.
rvs.AppendElement(TestFailure("max-age=100, max-age=200; includeSubdomains", sss, pm));
rvs.AppendElement(TestFailure("max-age=100 includesubdomains", sss, pm));
rvs.AppendElement(TestFailure("max-age=100 bar foo", sss, pm));
rvs.AppendElement(TestFailure("max-age=100randomstuffhere", sss, pm));
rvs.AppendElement(TestFailure("max-age=100, max-age=200; includeSubdomains", stss, pm));
rvs.AppendElement(TestFailure("max-age=100 includesubdomains", stss, pm));
rvs.AppendElement(TestFailure("max-age=100 bar foo", stss, pm));
rvs.AppendElement(TestFailure("max-age=100randomstuffhere", stss, pm));
// All directives MUST appear only once in an STS header field.
rvs.AppendElement(TestFailure("max-age=100; max-age=200", sss, pm));
rvs.AppendElement(TestFailure("includeSubdomains; max-age=200; includeSubdomains", sss, pm));
rvs.AppendElement(TestFailure("max-age=200; includeSubdomains; includeSubdomains", sss, pm));
rvs.AppendElement(TestFailure("max-age=100; max-age=200", stss, pm));
rvs.AppendElement(TestFailure("includeSubdomains; max-age=200; includeSubdomains", stss, pm));
rvs.AppendElement(TestFailure("max-age=200; includeSubdomains; includeSubdomains", stss, pm));
// The includeSubdomains directive is valueless.
rvs.AppendElement(TestFailure("max-age=100; includeSubdomains=unexpected", sss, pm));
rvs.AppendElement(TestFailure("max-age=100; includeSubdomains=unexpected", stss, pm));
// LWS must have at least one space or horizontal tab
rvs.AppendElement(TestFailure("\r\nmax-age=200", sss, pm));
rvs.AppendElement(TestFailure("\r\nmax-age=200", stss, pm));
rv1 = rvs.Contains(false) ? 1 : 0;
if (rv1 == 0)

2
security/manager/boot/src/moz.build
View File

@ -12,7 +12,7 @@ CPP_SOURCES += [
'nsSecureBrowserUIImpl.cpp',
'nsSecurityHeaderParser.cpp',
'nsSecurityWarningDialogs.cpp',
'nsSiteSecurityService.cpp',
'nsStrictTransportSecurityService.cpp',
]
LIBRARY_NAME = 'pipboot'

10
security/manager/boot/src/nsBOOTModule.cpp
View File

@ -8,23 +8,23 @@
#include "nsEntropyCollector.h"
#include "nsSecureBrowserUIImpl.h"
#include "nsSecurityWarningDialogs.h"
#include "nsSiteSecurityService.h"
#include "nsStrictTransportSecurityService.h"
NS_GENERIC_FACTORY_CONSTRUCTOR(nsEntropyCollector)
NS_GENERIC_FACTORY_CONSTRUCTOR(nsSecureBrowserUIImpl)
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsSecurityWarningDialogs, Init)
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsSiteSecurityService, Init)
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsStrictTransportSecurityService, Init)
NS_DEFINE_NAMED_CID(NS_ENTROPYCOLLECTOR_CID);
NS_DEFINE_NAMED_CID(NS_SECURITYWARNINGDIALOGS_CID);
NS_DEFINE_NAMED_CID(NS_SECURE_BROWSER_UI_CID);
NS_DEFINE_NAMED_CID(NS_SITE_SECURITY_SERVICE_CID);
NS_DEFINE_NAMED_CID(NS_STRICT_TRANSPORT_SECURITY_CID);
static const mozilla::Module::CIDEntry kBOOTCIDs[] = {
{ &kNS_ENTROPYCOLLECTOR_CID, false, nullptr, nsEntropyCollectorConstructor },
{ &kNS_SECURITYWARNINGDIALOGS_CID, false, nullptr, nsSecurityWarningDialogsConstructor },
{ &kNS_SECURE_BROWSER_UI_CID, false, nullptr, nsSecureBrowserUIImplConstructor },
{ &kNS_SITE_SECURITY_SERVICE_CID, false, nullptr, nsSiteSecurityServiceConstructor },
{ &kNS_STRICT_TRANSPORT_SECURITY_CID, false, nullptr, nsStrictTransportSecurityServiceConstructor },
{ nullptr }
};
@ -32,7 +32,7 @@ static const mozilla::Module::ContractIDEntry kBOOTContracts[] = {
{ NS_ENTROPYCOLLECTOR_CONTRACTID, &kNS_ENTROPYCOLLECTOR_CID },
{ NS_SECURITYWARNINGDIALOGS_CONTRACTID, &kNS_SECURITYWARNINGDIALOGS_CID },
{ NS_SECURE_BROWSER_UI_CONTRACTID, &kNS_SECURE_BROWSER_UI_CID },
{ NS_SSSERVICE_CONTRACTID, &kNS_SITE_SECURITY_SERVICE_CID },
{ NS_STSSERVICE_CONTRACTID, &kNS_STRICT_TRANSPORT_SECURITY_CID },
{ nullptr }
};

130
security/manager/boot/src/nsSiteSecurityService.cpp → security/manager/boot/src/nsStrictTransportSecurityService.cpp
View File

@ -9,7 +9,7 @@
#include "nsIPermissionManager.h"
#include "nsISSLStatus.h"
#include "nsISSLStatusProvider.h"
#include "nsSiteSecurityService.h"
#include "nsStrictTransportSecurityService.h"
#include "nsIURI.h"
#include "nsNetUtil.h"
#include "nsThreadUtils.h"
@ -49,7 +49,7 @@ GetSTSLog()
////////////////////////////////////////////////////////////////////////////////
nsSSSHostEntry::nsSSSHostEntry(const char* aHost)
nsSTSHostEntry::nsSTSHostEntry(const char* aHost)
: mHost(aHost)
, mExpireTime(0)
, mStsPermission(STS_UNSET)
@ -58,7 +58,7 @@ nsSSSHostEntry::nsSSSHostEntry(const char* aHost)
{
}
nsSSSHostEntry::nsSSSHostEntry(const nsSSSHostEntry& toCopy)
nsSTSHostEntry::nsSTSHostEntry(const nsSTSHostEntry& toCopy)
: mHost(toCopy.mHost)
, mExpireTime(toCopy.mExpireTime)
, mStsPermission(toCopy.mStsPermission)
@ -70,21 +70,21 @@ nsSSSHostEntry::nsSSSHostEntry(const nsSSSHostEntry& toCopy)
////////////////////////////////////////////////////////////////////////////////
nsSiteSecurityService::nsSiteSecurityService()
nsStrictTransportSecurityService::nsStrictTransportSecurityService()
: mUsePreloadList(true)
{
}
nsSiteSecurityService::~nsSiteSecurityService()
nsStrictTransportSecurityService::~nsStrictTransportSecurityService()
{
}
NS_IMPL_ISUPPORTS2(nsSiteSecurityService,
NS_IMPL_ISUPPORTS2(nsStrictTransportSecurityService,
nsIObserver,
nsISiteSecurityService)
nsIStrictTransportSecurityService)
nsresult
nsSiteSecurityService::Init()
nsStrictTransportSecurityService::Init()
{
nsresult rv;
@ -103,7 +103,7 @@ nsSiteSecurityService::Init()
}
nsresult
nsSiteSecurityService::GetHost(nsIURI *aURI, nsACString &aResult)
nsStrictTransportSecurityService::GetHost(nsIURI *aURI, nsACString &aResult)
{
nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(aURI);
if (!innerURI) return NS_ERROR_FAILURE;
@ -117,8 +117,8 @@ nsSiteSecurityService::GetHost(nsIURI *aURI, nsACString &aResult)
}
nsresult
nsSiteSecurityService::GetPrincipalForURI(nsIURI* aURI,
nsIPrincipal** aPrincipal)
nsStrictTransportSecurityService::GetPrincipalForURI(nsIURI* aURI,
nsIPrincipal** aPrincipal)
{
nsresult rv;
nsCOMPtr<nsIScriptSecurityManager> securityManager =
@ -140,16 +140,15 @@ nsSiteSecurityService::GetPrincipalForURI(nsIURI* aURI,
}
nsresult
nsSiteSecurityService::SetState(uint32_t aType,
nsIURI* aSourceURI,
int64_t maxage,
bool includeSubdomains,
uint32_t flags)
nsStrictTransportSecurityService::SetStsState(nsIURI* aSourceURI,
int64_t maxage,
bool includeSubdomains,
uint32_t flags)
{
// If max-age is zero, that's an indication to immediately remove the
// permissions, so here's a shortcut.
if (!maxage) {
return RemoveState(aType, aSourceURI, flags);
return RemoveStsState(aSourceURI, flags);
}
// Expire time is millis from now. Since STS max-age is in seconds, and
@ -192,14 +191,11 @@ nsSiteSecurityService::SetState(uint32_t aType,
}
NS_IMETHODIMP
nsSiteSecurityService::RemoveState(uint32_t aType, nsIURI* aURI, uint32_t aFlags)
nsStrictTransportSecurityService::RemoveStsState(nsIURI* aURI, uint32_t aFlags)
{
// Should be called on the main thread (or via proxy) since the permission
// manager is used and it's not threadsafe.
NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_UNEXPECTED);
// Only HSTS is supported at the moment.
NS_ENSURE_TRUE(aType == nsISiteSecurityService::HEADER_HSTS,
NS_ERROR_NOT_IMPLEMENTED);
nsAutoCString hostname;
nsresult rv = GetHost(aURI, hostname);
@ -219,19 +215,15 @@ nsSiteSecurityService::RemoveState(uint32_t aType, nsIURI* aURI, uint32_t aFlags
}
NS_IMETHODIMP
nsSiteSecurityService::ProcessHeader(uint32_t aType,
nsIURI* aSourceURI,
const char* aHeader,
uint32_t aFlags,
uint64_t *aMaxAge,
bool *aIncludeSubdomains)
nsStrictTransportSecurityService::ProcessStsHeader(nsIURI* aSourceURI,
const char* aHeader,
uint32_t aFlags,
uint64_t *aMaxAge,
bool *aIncludeSubdomains)
{
// Should be called on the main thread (or via proxy) since the permission
// manager is used and it's not threadsafe.
NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_UNEXPECTED);
// Only HSTS is supported at the moment.
NS_ENSURE_TRUE(aType == nsISiteSecurityService::HEADER_HSTS,
NS_ERROR_NOT_IMPLEMENTED);
if (aMaxAge != nullptr) {
*aMaxAge = 0;
@ -243,19 +235,18 @@ nsSiteSecurityService::ProcessHeader(uint32_t aType,
char * header = NS_strdup(aHeader);
if (!header) return NS_ERROR_OUT_OF_MEMORY;
nsresult rv = ProcessHeaderMutating(aType, aSourceURI, header, aFlags,
aMaxAge, aIncludeSubdomains);
nsresult rv = ProcessStsHeaderMutating(aSourceURI, header, aFlags,
aMaxAge, aIncludeSubdomains);
NS_Free(header);
return rv;
}
nsresult
nsSiteSecurityService::ProcessHeaderMutating(uint32_t aType,
nsIURI* aSourceURI,
char* aHeader,
uint32_t aFlags,
uint64_t *aMaxAge,
bool *aIncludeSubdomains)
nsStrictTransportSecurityService::ProcessStsHeaderMutating(nsIURI* aSourceURI,
char* aHeader,
uint32_t aFlags,
uint64_t *aMaxAge,
bool *aIncludeSubdomains)
{
STSLOG(("STS: processing header '%s'", aHeader));
@ -351,7 +342,7 @@ nsSiteSecurityService::ProcessHeaderMutating(uint32_t aType,
}
// record the successfully parsed header data.
SetState(aType, aSourceURI, maxAge, foundIncludeSubdomains, aFlags);
SetStsState(aSourceURI, maxAge, foundIncludeSubdomains, aFlags);
if (aMaxAge != nullptr) {
*aMaxAge = (uint64_t)maxAge;
@ -366,6 +357,21 @@ nsSiteSecurityService::ProcessHeaderMutating(uint32_t aType,
NS_OK;
}
NS_IMETHODIMP
nsStrictTransportSecurityService::IsStsHost(const char* aHost, uint32_t aFlags, bool* aResult)
{
// Should be called on the main thread (or via proxy) since the permission
// manager is used and it's not threadsafe.
NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_UNEXPECTED);
nsCOMPtr<nsIURI> uri;
nsDependentCString hostString(aHost);
nsresult rv = NS_NewURI(getter_AddRefs(uri),
NS_LITERAL_CSTRING("https://") + hostString);
NS_ENSURE_SUCCESS(rv, rv);
return IsStsURI(uri, aFlags, aResult);
}
int STSPreloadCompare(const void *key, const void *entry)
{
const char *keyStr = (const char *)key;
@ -377,7 +383,7 @@ int STSPreloadCompare(const void *key, const void *entry)
// Only does exact host matching - the user must decide how to use the returned
// data. May return null.
const nsSTSPreload *
nsSiteSecurityService::GetPreloadListEntry(const char *aHost)
nsStrictTransportSecurityService::GetPreloadListEntry(const char *aHost)
{
PRTime currentTime = PR_Now();
int32_t timeOffset = 0;
@ -399,15 +405,11 @@ nsSiteSecurityService::GetPreloadListEntry(const char *aHost)
}
NS_IMETHODIMP
nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI,
uint32_t aFlags, bool* aResult)
nsStrictTransportSecurityService::IsStsURI(nsIURI* aURI, uint32_t aFlags, bool* aResult)
{
// Should be called on the main thread (or via proxy) since the permission
// manager is used and it's not threadsafe.
NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_UNEXPECTED);
// Only HSTS is supported at the moment.
NS_ENSURE_TRUE(aType == nsISiteSecurityService::HEADER_HSTS,
NS_ERROR_NOT_IMPLEMENTED);
// set default in case if we can't find any STS information
*aResult = false;
@ -417,7 +419,7 @@ nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI,
NS_ENSURE_SUCCESS(rv, rv);
const nsSTSPreload *preload = nullptr;
nsSSSHostEntry *pbEntry = nullptr;
nsSTSHostEntry *pbEntry = nullptr;
bool isPrivate = aFlags & nsISocketProvider::NO_PERMANENT_STORAGE;
if (isPrivate) {
@ -544,8 +546,8 @@ nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI,
// Verify the trustworthiness of the security info (are there any cert errors?)
NS_IMETHODIMP
nsSiteSecurityService::ShouldIgnoreHeader(nsISupports* aSecurityInfo,
bool* aResult)
nsStrictTransportSecurityService::ShouldIgnoreStsHeader(nsISupports* aSecurityInfo,
bool* aResult)
{
nsresult rv;
bool tlsIsBroken = false;
@ -575,13 +577,13 @@ nsSiteSecurityService::ShouldIgnoreHeader(nsISupports* aSecurityInfo,
}
//------------------------------------------------------------
// nsSiteSecurityService::nsIObserver
// nsStrictTransportSecurityService::nsIObserver
//------------------------------------------------------------
NS_IMETHODIMP
nsSiteSecurityService::Observe(nsISupports *subject,
const char *topic,
const PRUnichar *data)
nsStrictTransportSecurityService::Observe(nsISupports *subject,
const char *topic,
const PRUnichar *data)
{
if (strcmp(topic, "last-pb-context-exited") == 0) {
mPrivateModeHostTable.Clear();
@ -598,12 +600,12 @@ nsSiteSecurityService::Observe(nsISupports *subject,
// we're in private browsing mode.
//------------------------------------------------------------
nsresult
nsSiteSecurityService::AddPermission(nsIURI *aURI,
const char *aType,
uint32_t aPermission,
uint32_t aExpireType,
int64_t aExpireTime,
bool aIsPrivate)
nsStrictTransportSecurityService::AddPermission(nsIURI *aURI,
const char *aType,
uint32_t aPermission,
uint32_t aExpireType,
int64_t aExpireTime,
bool aIsPrivate)
{
// Private mode doesn't address user-set (EXPIRE_NEVER) permissions: let
// those be stored persistently.
@ -634,7 +636,7 @@ nsSiteSecurityService::AddPermission(nsIURI *aURI,
// PutEntry returns an existing entry if there already is one, or it
// creates a new one if there isn't.
nsSSSHostEntry* entry = mPrivateModeHostTable.PutEntry(host.get());
nsSTSHostEntry* entry = mPrivateModeHostTable.PutEntry(host.get());
if (!entry) {
return NS_ERROR_OUT_OF_MEMORY;
}
@ -644,7 +646,7 @@ nsSiteSecurityService::AddPermission(nsIURI *aURI,
// includeSubdomains (first for the main permission and second for the
// subdomains permission). If AddPermission() gets called a second time
// with the STS_SUBDOMAIN_PERMISSION, we just have to flip that bit in
// the nsSSSHostEntry.
// the nsSTSHostEntry.
if (strcmp(aType, STS_SUBDOMAIN_PERMISSION) == 0) {
entry->mIncludeSubdomains = true;
}
@ -658,9 +660,9 @@ nsSiteSecurityService::AddPermission(nsIURI *aURI,
}
nsresult
nsSiteSecurityService::RemovePermission(const nsCString &aHost,
const char *aType,
bool aIsPrivate)
nsStrictTransportSecurityService::RemovePermission(const nsCString &aHost,
const char *aType,
bool aIsPrivate)
{
// Build up a principal for use with the permission manager.
// normalize all URIs with https://
@ -684,7 +686,7 @@ nsSiteSecurityService::RemovePermission(const nsCString &aHost,
// Make changes in mPrivateModeHostTable only, so any changes will be
// rolled back when exiting private mode.
nsSSSHostEntry* entry = mPrivateModeHostTable.GetEntry(aHost.get());
nsSTSHostEntry* entry = mPrivateModeHostTable.GetEntry(aHost.get());
if (!entry) {
entry = mPrivateModeHostTable.PutEntry(aHost.get());

44
security/manager/boot/src/nsSiteSecurityService.h → security/manager/boot/src/nsStrictTransportSecurityService.h
View File

@ -6,10 +6,10 @@
* This wraps nsSimpleURI so that all calls to it are done on the main thread.
*/
#ifndef __nsSiteSecurityService_h__
#define __nsSiteSecurityService_h__
#ifndef __nsStrictTransportSecurityService_h__
#define __nsStrictTransportSecurityService_h__
#include "nsISiteSecurityService.h"
#include "nsIStrictTransportSecurityService.h"
#include "nsIObserver.h"
#include "nsIObserverService.h"
#include "nsIPermissionManager.h"
@ -20,16 +20,16 @@
#include "prtime.h"
// {16955eee-6c48-4152-9309-c42a465138a1}
#define NS_SITE_SECURITY_SERVICE_CID \
#define NS_STRICT_TRANSPORT_SECURITY_CID \
{0x16955eee, 0x6c48, 0x4152, \
{0x93, 0x09, 0xc4, 0x2a, 0x46, 0x51, 0x38, 0xa1} }
////////////////////////////////////////////////////////////////////////////////
// nsSSSHostEntry - similar to the nsHostEntry class in
// nsSTSHostEntry - similar to the nsHostEntry class in
// nsPermissionManager.cpp, but specific to private-mode caching of STS
// permissions.
//
// Each nsSSSHostEntry contains:
// Each nsSTSHostEntry contains:
// - Expiry time (PRTime, milliseconds)
// - Expired flag (bool, default false)
// - STS permission (uint32_t, default STS_UNSET)
@ -37,7 +37,7 @@
//
// Note: the subdomains flag has no meaning if the STS permission is STS_UNSET.
//
// The existence of the nsSSSHostEntry implies STS state is set for the given
// The existence of the nsSTSHostEntry implies STS state is set for the given
// host -- unless the expired flag is set, in which case not only is the STS
// state not set for the host, but any permission actually present in the
// permission manager should be ignored.
@ -45,7 +45,7 @@
// Note: Only one expiry time is stored since the subdomains and STS
// permissions are both encountered at the same time in the HTTP header; if the
// includeSubdomains directive isn't present in the header, it means to delete
// the permission, so the subdomains flag in the nsSSSHostEntry means both that
// the permission, so the subdomains flag in the nsSTSHostEntry means both that
// the permission doesn't exist and any permission in the real permission
// manager should be ignored since newer information about it has been
// encountered in private browsing mode.
@ -55,11 +55,11 @@
// encountered. Furthermore, any user-set permissions are stored persistently
// and can't be shadowed.
class nsSSSHostEntry : public PLDHashEntryHdr
class nsSTSHostEntry : public PLDHashEntryHdr
{
public:
explicit nsSSSHostEntry(const char* aHost);
explicit nsSSSHostEntry(const nsSSSHostEntry& toCopy);
explicit nsSTSHostEntry(const char* aHost);
explicit nsSTSHostEntry(const nsSTSHostEntry& toCopy);
nsCString mHost;
PRTime mExpireTime;
@ -121,26 +121,24 @@ class nsSSSHostEntry : public PLDHashEntryHdr
class nsSTSPreload;
class nsSiteSecurityService : public nsISiteSecurityService
, public nsIObserver
class nsStrictTransportSecurityService : public nsIStrictTransportSecurityService
, public nsIObserver
{
public:
NS_DECL_THREADSAFE_ISUPPORTS
NS_DECL_NSIOBSERVER
NS_DECL_NSISITESECURITYSERVICE
NS_DECL_NSISTRICTTRANSPORTSECURITYSERVICE
nsSiteSecurityService();
nsStrictTransportSecurityService();
nsresult Init();
virtual ~nsSiteSecurityService();
virtual ~nsStrictTransportSecurityService();
private:
nsresult GetHost(nsIURI *aURI, nsACString &aResult);
nsresult GetPrincipalForURI(nsIURI *aURI, nsIPrincipal **aPrincipal);
nsresult SetState(uint32_t aType, nsIURI* aSourceURI, int64_t maxage,
bool includeSubdomains, uint32_t flags);
nsresult ProcessHeaderMutating(uint32_t aType, nsIURI* aSourceURI,
char* aHeader, uint32_t flags,
uint64_t *aMaxAge, bool *aIncludeSubdomains);
nsresult SetStsState(nsIURI* aSourceURI, int64_t maxage, bool includeSubdomains, uint32_t flags);
nsresult ProcessStsHeaderMutating(nsIURI* aSourceURI, char* aHeader, uint32_t flags,
uint64_t *aMaxAge, bool *aIncludeSubdomains);
const nsSTSPreload *GetPreloadListEntry(const char *aHost);
// private-mode-preserving permission manager overlay functions
@ -158,8 +156,8 @@ private:
nsCOMPtr<nsIPermissionManager> mPermMgr;
nsCOMPtr<nsIObserverService> mObserverService;
nsTHashtable<nsSSSHostEntry> mPrivateModeHostTable;
nsTHashtable<nsSTSHostEntry> mPrivateModeHostTable;
bool mUsePreloadList;
};
#endif // __nsSiteSecurityService_h__
#endif // __nsStrictTransportSecurityService_h__

20
security/manager/ssl/src/SSLServerCertVerification.cpp
View File

@ -98,7 +98,7 @@
#include "CertVerifier.h"
#include "nsIBadCertListener2.h"
#include "nsICertOverrideService.h"
#include "nsISiteSecurityService.h"
#include "nsIStrictTransportSecurityService.h"
#include "nsNSSComponent.h"
#include "nsNSSCleaner.h"
#include "nsRecentBadCerts.h"
@ -310,26 +310,19 @@ CertErrorRunnable::CheckCertOverrides()
uint32_t remaining_display_errors = mCollectedErrors;
nsresult nsrv;
nsCString hostString(mInfoObject->GetHostName());
// Enforce Strict-Transport-Security for hosts that are "STS" hosts:
// connections must be dropped when there are any certificate errors
// (STS Spec section 7.3).
bool strictTransportSecurityEnabled = false;
nsCOMPtr<nsISiteSecurityService> sss
= do_GetService(NS_SSSERVICE_CONTRACTID, &nsrv);
nsCOMPtr<nsIStrictTransportSecurityService> stss
= do_GetService(NS_STSSERVICE_CONTRACTID, &nsrv);
if (NS_SUCCEEDED(nsrv)) {
nsCOMPtr<nsISSLSocketControl> sslSocketControl = do_QueryInterface(
NS_ISUPPORTS_CAST(nsITransportSecurityInfo*, mInfoObject));
nsCOMPtr<nsIURI> uri;
nsrv = NS_NewURI(getter_AddRefs(uri),
NS_LITERAL_CSTRING("https://") + hostString);
if (NS_SUCCEEDED(nsrv)) {
nsrv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS,
uri,
mProviderFlags,
&strictTransportSecurityEnabled);
}
nsrv = stss->IsStsHost(mInfoObject->GetHostName(),
mProviderFlags,
&strictTransportSecurityEnabled);
}
if (NS_FAILED(nsrv)) {
return new SSLServerCertVerificationResult(mInfoObject,
@ -347,6 +340,7 @@ CertErrorRunnable::CheckCertOverrides()
{
bool haveOverride;
bool isTemporaryOverride; // we don't care
nsCString hostString(mInfoObject->GetHostName());
nsrv = overrideService->HasMatchingOverride(hostString, port,
mCert,
&overrideBits,

12
security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js
View File

@ -10,8 +10,8 @@ function test() {
let windowsToClose = [];
let testURI = "about:blank";
let uri;
let gSSService = Cc["@mozilla.org/ssservice;1"].
getService(Ci.nsISiteSecurityService);
let gSTSService = Cc["@mozilla.org/stsservice;1"].
getService(Ci.nsIStrictTransportSecurityService);
function privacyFlags(aIsPrivateMode) {
return aIsPrivateMode ? Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0;
@ -22,9 +22,8 @@ function test() {
aWindow.gBrowser.selectedBrowser.removeEventListener("load", onLoad, true);
uri = aWindow.Services.io.newURI("https://localhost/img.png", null, null);
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTA, uri,
"max-age=1000", privacyFlags(aIsPrivateMode));
ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, privacyFlags(aIsPrivateMode)), "checking sts host");
gSTSService.processStsHeader(uri, "max-age=1000", privacyFlags(aIsPrivateMode));
ok(gSTSService.isStsHost("localhost", privacyFlags(aIsPrivateMode)), "checking sts host");
aCallback();
}, true);
@ -48,8 +47,7 @@ function test() {
aWin.close();
});
uri = Services.io.newURI("http://localhost", null, null);
gSSService.removeState(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
privacyFlags(true));
gSTSService.removeStsState(uri, privacyFlags(true));
});
// test first when on private mode

4
security/manager/ssl/tests/mochitest/stricttransportsecurity/test_stricttransportsecurity.html
View File

@ -53,8 +53,8 @@
var ios = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
var thehost = ios.newURI("http://example.com", null, null);
var sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
sss.removeState(Ci.nsISiteSecurityService.HEADER_HSTS, thehost, 0);
var stss = Cc["@mozilla.org/stsservice;1"].getService(Ci.nsIStrictTransportSecurityService);
stss.removeStsState(thehost, 0);
}
function loadVerifyFrames(round) {

17
security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing_perwindowpb.html
View File

@ -187,21 +187,20 @@
var ios =
Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
var thehost = ios.newURI("http://example.com", null, null);
var sss =
Cc["@mozilla.org/ssservice;1"].
getService(Ci.nsISiteSecurityService);
var stss =
Cc["@mozilla.org/stsservice;1"].
getService(Ci.nsIStrictTransportSecurityService);
var flags = isPrivate ? Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0
sss.removeState(Ci.nsISiteSecurityService.HEADER_HSTS, thehost, flags);
stss.removeStsState(thehost, flags);
dump_STSState(isPrivate);
}
function dump_STSState(isPrivate) {
var sss =
Cc["@mozilla.org/ssservice;1"].
getService(Ci.nsISiteSecurityService);
var stss =
Cc["@mozilla.org/stsservice;1"].
getService(Ci.nsIStrictTransportSecurityService);
var flags = isPrivate ? Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0
var uri = SpecialPowers.Services.io.newURI("https://example.com", null, null);
SimpleTest.info("State of example.com: " + sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, flags));
SimpleTest.info("State of example.com: " + stss.isStsHost("example.com", flags));
}
// These are executed in the order presented.

108
security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
View File

@ -4,8 +4,8 @@
// invested in HSTS. Additionally, www.torproject.org was deemed likely to
// continue to use HSTS.
var gSSService = Cc["@mozilla.org/ssservice;1"]
.getService(Ci.nsISiteSecurityService);
var gSTSService = Cc["@mozilla.org/stsservice;1"]
.getService(Ci.nsIStrictTransportSecurityService);
function Observer() {}
Observer.prototype = {
@ -17,7 +17,7 @@ Observer.prototype = {
var gObserver = new Observer();
// nsISiteSecurityService.removeStsState removes a given domain's
// nsIStrictTransportSecurityService.removeStsState removes a given domain's
// HSTS status. This means that a domain on the preload list will be
// considered not HSTS if this is called. So, to reset everything to its
// original state, we have to reach into the permission manager and clear
@ -25,7 +25,7 @@ var gObserver = new Observer();
function clearStsState() {
var permissionManager = Cc["@mozilla.org/permissionmanager;1"]
.getService(Ci.nsIPermissionManager);
// This is a list of every host we call processHeader with
// This is a list of every host we call processStsHeader with
// (so we can remove any state added to the sts service)
var hosts = ["bugzilla.mozilla.org", "login.persona.org",
"subdomain.www.torproject.org",
@ -52,63 +52,54 @@ function run_test() {
run_next_test();
}
function is_sts_host(aHost, aFlags) {
var uri = Services.io.newURI("http://" + aHost, null, null);
return gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, aFlags);
}
function test_part1() {
// check that a host not in the list is not identified as an sts host
do_check_false(is_sts_host("nonexistent.mozilla.com", 0));
do_check_false(gSTSService.isStsHost("nonexistent.mozilla.com", 0));
// check that an ancestor domain is not identified as an sts host
do_check_false(is_sts_host("com", 0));
do_check_false(gSTSService.isStsHost("com", 0));
// check that the pref to toggle using the preload list works
Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", false);
do_check_false(is_sts_host("bugzilla.mozilla.org", 0));
do_check_false(gSTSService.isStsHost("bugzilla.mozilla.org", 0));
Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", true);
do_check_true(is_sts_host("bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("bugzilla.mozilla.org", 0));
// check that a subdomain is an sts host (includeSubdomains is set)
do_check_true(is_sts_host("subdomain.bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("subdomain.bugzilla.mozilla.org", 0));
// check that another subdomain is an sts host (includeSubdomains is set)
do_check_true(is_sts_host("a.b.c.def.bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("a.b.c.def.bugzilla.mozilla.org", 0));
// check that a subdomain is not an sts host (includeSubdomains is not set)
do_check_false(is_sts_host("subdomain.www.torproject.org", 0));
do_check_false(gSTSService.isStsHost("subdomain.www.torproject.org", 0));
// check that a host with a dot on the end won't break anything
do_check_false(is_sts_host("notsts.nonexistent.mozilla.com.", 0));
do_check_false(gSTSService.isStsHost("notsts.nonexistent.mozilla.com.", 0));
// check that processing a header with max-age: 0 will remove a preloaded
// site from the list
var uri = Services.io.newURI("http://bugzilla.mozilla.org", null, null);
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=0", 0);
do_check_false(is_sts_host("bugzilla.mozilla.org", 0));
do_check_false(is_sts_host("subdomain.bugzilla.mozilla.org", 0));
gSTSService.processStsHeader(uri, "max-age=0", 0);
do_check_false(gSTSService.isStsHost("bugzilla.mozilla.org", 0));
do_check_false(gSTSService.isStsHost("subdomain.bugzilla.mozilla.org", 0));
// check that processing another header (with max-age non-zero) will
// re-enable a site's sts status
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=1000", 0);
do_check_true(is_sts_host("bugzilla.mozilla.org", 0));
gSTSService.processStsHeader(uri, "max-age=1000", 0);
do_check_true(gSTSService.isStsHost("bugzilla.mozilla.org", 0));
// but this time include subdomains was not set, so test for that
do_check_false(is_sts_host("subdomain.bugzilla.mozilla.org", 0));
do_check_false(gSTSService.isStsHost("subdomain.bugzilla.mozilla.org", 0));
clearStsState();
// check that processing a header with max-age: 0 from a subdomain of a site
// will not remove that (ancestor) site from the list
var uri = Services.io.newURI("http://subdomain.www.torproject.org", null, null);
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=0", 0);
do_check_true(is_sts_host("www.torproject.org", 0));
do_check_false(is_sts_host("subdomain.www.torproject.org", 0));
gSTSService.processStsHeader(uri, "max-age=0", 0);
do_check_true(gSTSService.isStsHost("www.torproject.org", 0));
do_check_false(gSTSService.isStsHost("subdomain.www.torproject.org", 0));
var uri = Services.io.newURI("http://subdomain.bugzilla.mozilla.org", null, null);
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=0", 0);
gSTSService.processStsHeader(uri, "max-age=0", 0);
// we received a header with "max-age=0", so we have "no information"
// regarding the sts state of subdomain.bugzilla.mozilla.org specifically,
// but it is actually still an STS host, because of the preloaded
@ -118,21 +109,20 @@ function test_part1() {
// |-- subdomain.bugzilla.mozilla.org IS sts host
// | `-- another.subdomain.bugzilla.mozilla.org IS sts host
// `-- sibling.bugzilla.mozilla.org IS sts host
do_check_true(is_sts_host("bugzilla.mozilla.org", 0));
do_check_true(is_sts_host("subdomain.bugzilla.mozilla.org", 0));
do_check_true(is_sts_host("sibling.bugzilla.mozilla.org", 0));
do_check_true(is_sts_host("another.subdomain.bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("subdomain.bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("sibling.bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("another.subdomain.bugzilla.mozilla.org", 0));
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=1000", 0);
gSTSService.processStsHeader(uri, "max-age=1000", 0);
// Here's what we have now:
// |-- bugzilla.mozilla.org (in preload list, includes subdomains) IS sts host
// |-- subdomain.bugzilla.mozilla.org (include subdomains is false) IS sts host
// | `-- another.subdomain.bugzilla.mozilla.org IS NOT sts host
// `-- sibling.bugzilla.mozilla.org IS sts host
do_check_true(is_sts_host("subdomain.bugzilla.mozilla.org", 0));
do_check_true(is_sts_host("sibling.bugzilla.mozilla.org", 0));
do_check_false(is_sts_host("another.subdomain.bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("subdomain.bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("sibling.bugzilla.mozilla.org", 0));
do_check_false(gSTSService.isStsHost("another.subdomain.bugzilla.mozilla.org", 0));
// Simulate leaving private browsing mode
Services.obs.notifyObservers(null, "last-pb-context-exited", null);
@ -143,27 +133,24 @@ const IS_PRIVATE = Ci.nsISocketProvider.NO_PERMANENT_STORAGE;
function test_private_browsing1() {
clearStsState();
// sanity - bugzilla.mozilla.org is preloaded, includeSubdomains set
do_check_true(is_sts_host("bugzilla.mozilla.org", IS_PRIVATE));
do_check_true(is_sts_host("a.b.c.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
do_check_true(gSTSService.isStsHost("bugzilla.mozilla.org", IS_PRIVATE));
do_check_true(gSTSService.isStsHost("a.b.c.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
var uri = Services.io.newURI("http://bugzilla.mozilla.org", null, null);
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=0", IS_PRIVATE);
do_check_false(is_sts_host("bugzilla.mozilla.org", IS_PRIVATE));
do_check_false(is_sts_host("a.b.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
gSTSService.processStsHeader(uri, "max-age=0", IS_PRIVATE);
do_check_false(gSTSService.isStsHost("bugzilla.mozilla.org", IS_PRIVATE));
do_check_false(gSTSService.isStsHost("a.b.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
// check adding it back in
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=1000", IS_PRIVATE);
do_check_true(is_sts_host("bugzilla.mozilla.org", IS_PRIVATE));
gSTSService.processStsHeader(uri, "max-age=1000", IS_PRIVATE);
do_check_true(gSTSService.isStsHost("bugzilla.mozilla.org", IS_PRIVATE));
// but no includeSubdomains this time
do_check_false(is_sts_host("b.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
do_check_false(gSTSService.isStsHost("b.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
// do the hokey-pokey...
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=0", IS_PRIVATE);
do_check_false(is_sts_host("bugzilla.mozilla.org", IS_PRIVATE));
do_check_false(is_sts_host("subdomain.bugzilla.mozilla.org", IS_PRIVATE));
gSTSService.processStsHeader(uri, "max-age=0", IS_PRIVATE);
do_check_false(gSTSService.isStsHost("bugzilla.mozilla.org", IS_PRIVATE));
do_check_false(gSTSService.isStsHost("subdomain.bugzilla.mozilla.org", IS_PRIVATE));
// TODO unfortunately we don't have a good way to know when an entry
// has expired in the permission manager, so we can't yet extend this test
@ -174,12 +161,11 @@ function test_private_browsing1() {
// a site on the preload list, and that header later expires. We need to
// then treat that host as no longer an sts host.)
// (sanity check first - this should be in the preload list)
do_check_true(is_sts_host("login.persona.org", IS_PRIVATE));
do_check_true(gSTSService.isStsHost("login.persona.org", IS_PRIVATE));
var uri = Services.io.newURI("http://login.persona.org", null, null);
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=1", IS_PRIVATE);
gSTSService.processStsHeader(uri, "max-age=1", IS_PRIVATE);
do_timeout(1250, function() {
do_check_false(is_sts_host("login.persona.org", IS_PRIVATE));
do_check_false(gSTSService.isStsHost("login.persona.org", IS_PRIVATE));
// Simulate leaving private browsing mode
Services.obs.notifyObservers(null, "last-pb-context-exited", null);
});
@ -187,13 +173,13 @@ function test_private_browsing1() {
function test_private_browsing2() {
// if this test gets this far, it means there's a private browsing service
do_check_true(is_sts_host("bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("bugzilla.mozilla.org", 0));
// the bugzilla.mozilla.org entry has includeSubdomains set
do_check_true(is_sts_host("subdomain.bugzilla.mozilla.org", 0));
do_check_true(gSTSService.isStsHost("subdomain.bugzilla.mozilla.org", 0));
// Now that we're out of private browsing mode, we need to make sure
// we've "forgotten" that we "forgot" this site's sts status.
do_check_true(is_sts_host("login.persona.org", 0));
do_check_true(gSTSService.isStsHost("login.persona.org", 0));
run_next_test();
}

11
security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
View File

@ -2,21 +2,20 @@
// on the preload list for a long time.
function run_test() {
let SSService = Cc["@mozilla.org/ssservice;1"]
.getService(Ci.nsISiteSecurityService);
let STSService = Cc["@mozilla.org/stsservice;1"]
.getService(Ci.nsIStrictTransportSecurityService);
let uri = Services.io.newURI("https://bugzilla.mozilla.org", null, null);
// check that a host on the preload list is identified as an sts host
do_check_true(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
do_check_true(STSService.isStsHost("bugzilla.mozilla.org", 0));
// now simulate that it's 19 weeks later than it actually is
let offsetSeconds = 19 * 7 * 24 * 60 * 60;
Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
// check that the preloaded host is no longer considered sts
do_check_false(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
do_check_false(STSService.isStsHost("bugzilla.mozilla.org", 0));
// just make sure we can get everything back to normal
Services.prefs.clearUserPref("test.currentTimeOffsetSeconds");
do_check_true(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
do_check_true(STSService.isStsHost("bugzilla.mozilla.org", 0));
}

8
security/manager/tools/getHSTSPreloadList.js
View File

@ -47,7 +47,7 @@ const HEADER = "/* This Source Code Form is subject to the terms of the Mozilla
"\n" +
"/*****************************************************************************/\n" +
"/* This is an automatically generated file. If you're not */\n" +
"/* nsSiteSecurityService.cpp, you shouldn't be #including it. */\n" +
"/* nsStrictTransportSecurityService.cpp, you shouldn't be #including it. */\n" +
"/*****************************************************************************/\n" +
"\n" +
"#include <stdint.h>\n";
@ -110,8 +110,8 @@ function getHosts(rawdata) {
return hosts;
}
var gSSService = Cc["@mozilla.org/ssservice;1"]
.getService(Ci.nsISiteSecurityService);
var gSTSService = Cc["@mozilla.org/stsservice;1"]
.getService(Ci.nsIStrictTransportSecurityService);
function processStsHeader(host, header, status) {
var maxAge = { value: 0 };
@ -120,7 +120,7 @@ function processStsHeader(host, header, status) {
if (header != null) {
try {
var uri = Services.io.newURI("https://" + host.name, null, null);
gSSService.processStsHeader(uri, header, 0, maxAge, includeSubdomains);
gSTSService.processStsHeader(uri, header, 0, maxAge, includeSubdomains);
}
catch (e) {
dump("ERROR: could not process header '" + header + "' from " +