Bug 1501680 - Don't send credentials in ssl error reports. r=Gijs

Differential Revision: https://phabricator.services.mozilla.com/D10594 --HG-- extra : moz-landing-system : lando
2018-11-01 18:49:11 +00:00 · 2018-11-01 18:49:11 +00:00 · 1c2de6c900
--- a/security/manager/ssl/tests/unit/test_toolkit_securityreporter.js
+++ b/security/manager/ssl/tests/unit/test_toolkit_securityreporter.js
@ -44,6 +44,7 @@ function getReportCheck(expectReport, expectedError) {
                              function(request, response) {
      if (expectReport) {
        let report = JSON.parse(readDataFromRequest(request));
+        Assert.equal(request.getHeader("Cookie"), "", "No cookie sent.");
        Assert.equal(report.errorCode, expectedError);
        response.setStatusLine(null, 201, "Created");
        response.write("Created");
@ -87,6 +88,15 @@ function run_test() {
  // set strict-mode pinning enforcement so we can cause connection failures.
  Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);

+  // Add a cookie so that we can assert it's not sent along with the report.
+  Services.cookies.add("localhost", "/", "foo", "bar",
+                       false, false, false, Date.now() + 24000 * 60 * 60, {},
+                       Ci.nsICookie2.SAMESITE_UNSET);
+
+  registerCleanupFunction(() => {
+    Services.cookies.removeAll();
+  });
+
  // start a TLS server
  add_tls_server_setup("BadCertServer", "bad_certs");

--- a/toolkit/components/securityreporter/SecurityReporter.js
+++ b/toolkit/components/securityreporter/SecurityReporter.js
@ -83,6 +83,7 @@ SecurityReporter.prototype = {
    fetch(endpoint, {
      method: "POST",
      body: JSON.stringify(report),
+      credentials: "omit",
      headers: {
        "Content-Type": "application/json",
      },