Bug 1313596 - Increase HSTS Priming default cache timeout. r=mayhemer

MozReview-Commit-ID: 6sHuB4wIEu4

--HG--
extra : rebase_source : 9672c18384efe24f6cb5e1aa455217e37a97db90

dom/security/nsMixedContentBlocker.cpp

@@ -58,6 +58,8 @@ bool nsMixedContentBlocker::sBlockMixedDisplay = false;
 bool nsMixedContentBlocker::sUseHSTS = false;
 // Do we send an HSTS priming request
 bool nsMixedContentBlocker::sSendHSTSPriming = false;
+// Default HSTS Priming failure timeout to 7 days, in seconds
+uint32_t nsMixedContentBlocker::sHSTSPrimingCacheTimeout = (60 * 24 * 7);
 
 // Fired at the document that attempted to load mixed content.  The UI could
 // handle this event, for example, by displaying an info bar that offers the
@@ -208,6 +210,10 @@ nsMixedContentBlocker::nsMixedContentBlocker()
   // Cache the pref for sending HSTS priming
   Preferences::AddBoolVarCache(&sSendHSTSPriming,
                                "security.mixed_content.send_hsts_priming");
+
+  // Cache the pref for HSTS priming failure cache time
+  Preferences::AddUintVarCache(&sHSTSPrimingCacheTimeout,
+                               "security.mixed_content.hsts_priming_cache_timeout");
 }
 
 nsMixedContentBlocker::~nsMixedContentBlocker()

dom/security/nsMixedContentBlocker.h

@@ -94,8 +94,12 @@ public:
 
   static bool sBlockMixedScript;
   static bool sBlockMixedDisplay;
+  // Do we move HSTS before mixed-content
   static bool sUseHSTS;
+  // Do we send an HSTS priming request
   static bool sSendHSTSPriming;
+  // Default HSTS Priming failure timeout in seconds
+  static uint32_t sHSTSPrimingCacheTimeout;
 };
 
 #endif /* nsMixedContentBlocker_h___ */

dom/security/test/hsts/browser.ini

@@ -16,3 +16,4 @@ support-files =
 [browser_hsts-priming_block_active_css.js]
 [browser_hsts-priming_block_active_with_redir_same.js]
 [browser_hsts-priming_no-duplicates.js]
+[browser_hsts-priming_cache-timeout.js]

dom/security/test/hsts/browser_hsts-priming_cache-timeout.js

@@ -0,0 +1,36 @@
+/*
+ * Description of the test:
+ * Test that the network.hsts_priming.cache_timeout preferene causes the cache
+ * to timeout
+ */
+'use strict';
+
+//jscs:disable
+add_task(function*() {
+  //jscs:enable
+  Observer.add_observers(Services);
+  registerCleanupFunction(do_cleanup);
+
+  let which = "block_display";
+
+  SetupPrefTestEnvironment(which, [["security.mixed_content.hsts_priming_cache_timeout", 1]]);
+
+  yield execute_test("no-ssl", test_settings[which].mimetype);
+
+  let pre_promise = performance.now();
+
+  while ((performance.now() - pre_promise) < 2000) {
+    yield new Promise(function (resolve) {
+      setTimeout(resolve, 2000);
+    });
+  }
+
+  // clear the fact that we saw a priming request
+  test_settings[which].priming = {};
+
+  yield execute_test("no-ssl", test_settings[which].mimetype);
+  is(test_settings[which].priming["no-ssl"], true,
+    "Correctly send a priming request after expiration.");
+
+  SpecialPowers.popPrefEnv();
+});

dom/security/test/hsts/browser_hsts-priming_no-duplicates.js

@@ -19,6 +19,8 @@ add_task(function*() {
     yield execute_test(server, test_settings[which].mimetype);
   }
 
+  test_settings[which].priming = {};
+
   // run the tests twice to validate the cache is being used
   for (let server of Object.keys(test_servers)) {
     yield execute_test(server, test_settings[which].mimetype);

dom/security/test/hsts/head.js

@@ -255,7 +255,7 @@ function do_cleanup() {
   Services.obs.removeObserver(Observer, "http-on-examine-response");
 }
 
-function SetupPrefTestEnvironment(which) {
+function SetupPrefTestEnvironment(which, additional_prefs) {
   which_test = which;
   clear_sts_data();
 
@@ -265,14 +265,24 @@ function SetupPrefTestEnvironment(which) {
   // priming counts how many tests were finished
   settings.finished= {};
 
-  SpecialPowers.pushPrefEnv({'set': [["security.mixed_content.block_active_content",
-                                      settings.block_active],
-                                     ["security.mixed_content.block_display_content",
-                                      settings.block_display],
-                                     ["security.mixed_content.use_hsts",
-                                      settings.use_hsts],
-                                     ["security.mixed_content.send_hsts_priming",
-                                      settings.send_hsts_priming]]});
+  var prefs = [["security.mixed_content.block_active_content",
+                settings.block_active],
+               ["security.mixed_content.block_display_content",
+                settings.block_display],
+               ["security.mixed_content.use_hsts",
+                settings.use_hsts],
+               ["security.mixed_content.send_hsts_priming",
+                settings.send_hsts_priming]];
+
+  if (additional_prefs) {
+    for (let idx in additional_prefs) {
+      prefs.push(additional_prefs[idx]);
+    }
+  }
+
+  console.log("prefs=%s", prefs);
+
+  SpecialPowers.pushPrefEnv({'set': prefs});
 }
 
 // make the top-level test uri

modules/libpref/init/all.js

@@ -5517,6 +5517,8 @@ pref("security.mixed_content.use_hsts", false);
 // mixed-content blocking
 pref("security.mixed_content.use_hsts", true);
 #endif
+// Approximately 1 week default cache for HSTS priming failures
+pref ("security.mixed_content.hsts_priming_cache_timeout", 10080);
 
 // Disable Storage api in release builds.
 #ifdef NIGHTLY_BUILD

netwerk/protocol/http/nsHttpChannel.cpp

@@ -8002,10 +8002,12 @@ nsHttpChannel::OnHSTSPrimingFailed(nsresult aError, bool aCached)
                                 HSTSPrimingResult::eHSTS_PRIMING_FAILED_ACCEPT);
     }
 
-    // Don't visit again for at least one day
+    // Don't visit again for at least
+    // security.mixed_content.hsts_priming_cache_timeout seconds.
     nsISiteSecurityService* sss = gHttpHandler->GetSSService();
     NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY);
-    nsresult rv = sss->CacheNegativeHSTSResult(mURI, 24 * 60 * 60);
+    nsresult rv = sss->CacheNegativeHSTSResult(mURI,
+            nsMixedContentBlocker::sHSTSPrimingCacheTimeout);
     if (NS_FAILED(rv)) {
         NS_ERROR("nsISiteSecurityService::CacheNegativeHSTSResult failed");
     }