Bug 1492498 - Make certificate exceptions on the new cert error pages permanent by default. r=nhnt11,keeler

This includes a new test for the feature and a bit of test cleanup to factor out all exception related tests into their own test file. Differential Revision: https://phabricator.services.mozilla.com/D17109 --HG-- rename : browser/base/content/test/about/browser_aboutCertError.js => browser/base/content/test/about/browser_aboutCertError_exception.js extra : moz-landing-system : lando
2019-01-23 16:59:12 +00:00 · 2019-01-23 16:59:12 +00:00 · ad87a838f7
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -969,6 +969,7 @@ pref("browser.security.newcerterrorpage.mitm.enabled", false);
 #endif
 pref("security.certerrors.recordEventTelemetry", true);
 pref("security.certerrors.permanentOverride", true);
 // Whether to start the private browsing mode at application startup
 pref("browser.privatebrowsing.autostart", false);
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@ -2958,12 +2958,14 @@ var BrowserOnClick = {
            flags |= overrideService.ERROR_TIME;
          }
          let uri = Services.uriFixup.createFixupURI(location, 0);
          let permanentOverride =
            Services.prefs.getBoolPref("security.certerrors.permanentOverride");
          cert = securityInfo.serverCert;
          overrideService.rememberValidityOverride(
            uri.asciiHost, uri.port,
            cert,
            flags,
-            true);
+            !permanentOverride);
          browser.reload();
          return;
        }
--- a/browser/base/content/test/about/browser.ini
+++ b/browser/base/content/test/about/browser.ini
@ -11,6 +11,7 @@ prefs =
 [browser_aboutCertError.js]
 [browser_aboutCertError_clockSkew.js]
 [browser_aboutCertError_exception.js]
 [browser_aboutCertError_telemetry.js]
 [browser_aboutHome_search_POST.js]
 [browser_aboutHome_search_composing.js]
--- a/browser/base/content/test/about/browser_aboutCertError.js
+++ b/browser/base/content/test/about/browser_aboutCertError.js
@ -52,34 +52,6 @@ add_task(async function checkReturnToAboutHome() {
  }
 });
 add_task(async function checkExceptionDialogButton() {
  Services.prefs.setBoolPref(PREF_NEW_CERT_ERRORS, true);
  info("Loading a bad cert page and making sure the exceptionDialogButton directly adds an exception");
  let tab = await openErrorPage(BAD_CERT);
  let browser = tab.linkedBrowser;
  let loaded = BrowserTestUtils.browserLoaded(browser, false, BAD_CERT);
  info("Clicking the exceptionDialogButton in advanced panel");
  await ContentTask.spawn(browser, null, async function() {
    let doc = content.document;
    let exceptionButton = doc.getElementById("exceptionDialogButton");
    exceptionButton.click();
  });
  info("Loading the url after adding exception");
  await loaded;
  await ContentTask.spawn(browser, null, async function() {
    let doc = content.document;
    ok(!doc.documentURI.startsWith("about:certerror"), "Exception has been added");
  });
  let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
                              .getService(Ci.nsICertOverrideService);
  certOverrideService.clearValidityOverride("expired.example.com", -1);
  BrowserTestUtils.removeTab(gBrowser.selectedTab);
  Services.prefs.clearUserPref(PREF_NEW_CERT_ERRORS);
 });
 add_task(async function checkReturnToPreviousPage() {
  info("Loading a bad cert page and making sure 'return to previous page' goes back");
  for (let useFrame of [false, true]) {
@ -128,43 +100,6 @@ add_task(async function checkReturnToPreviousPage() {
  }
 });
 add_task(async function checkBadStsCert() {
  info("Loading a badStsCert and making sure exception button doesn't show up");
  for (let useFrame of [false, true]) {
    let tab = await openErrorPage(BAD_STS_CERT, useFrame);
    let browser = tab.linkedBrowser;
    await ContentTask.spawn(browser, {frame: useFrame}, async function({frame}) {
      let doc = frame ? content.document.querySelector("iframe").contentDocument : content.document;
      let exceptionButton = doc.getElementById("exceptionDialogButton");
      ok(ContentTaskUtils.is_hidden(exceptionButton), "Exception button is hidden.");
    });
    let message = await ContentTask.spawn(browser, {frame: useFrame}, async function({frame}) {
      let doc = frame ? content.document.querySelector("iframe").contentDocument : content.document;
      let advancedButton = doc.getElementById("advancedButton");
      advancedButton.click();
      return doc.getElementById("badCertTechnicalInfo").textContent;
    });
    if (Services.prefs.getBoolPref(PREF_NEW_CERT_ERRORS)) {
      ok(message.includes("SSL_ERROR_BAD_CERT_DOMAIN"), "Didn't find SSL_ERROR_BAD_CERT_DOMAIN.");
      ok(message.includes("The certificate is only valid for"), "Didn't find error message.");
      ok(message.includes("a certificate that is not valid for"), "Didn't find error message.");
      ok(message.includes("badchain.include-subdomains.pinning.example.com"), "Didn't find domain in error message.");
      BrowserTestUtils.removeTab(gBrowser.selectedTab);
      return;
    }
    ok(message.includes("SSL_ERROR_BAD_CERT_DOMAIN"), "Didn't find SSL_ERROR_BAD_CERT_DOMAIN.");
    ok(message.includes("The certificate is only valid for"), "Didn't find error message.");
    ok(message.includes("uses an invalid security certificate"), "Didn't find error message.");
    ok(message.includes("badchain.include-subdomains.pinning.example.com"), "Didn't find domain in error message.");
    BrowserTestUtils.removeTab(gBrowser.selectedTab);
  }
 });
 // This checks that the appinfo.appBuildID starts with a date string,
 // which is required for the misconfigured system time check.
 add_task(async function checkAppBuildIDIsDate() {
@ -240,41 +175,6 @@ add_task(async function checkAdvancedDetails() {
  }
 });
 add_task(async function checkhideAddExceptionButtonViaPref() {
  info("Loading a bad cert page and verifying the pref security.certerror.hideAddException");
  Services.prefs.setBoolPref("security.certerror.hideAddException", true);
  for (let useFrame of [false, true]) {
    let tab = await openErrorPage(BAD_CERT, useFrame);
    let browser = tab.linkedBrowser;
    await ContentTask.spawn(browser, {frame: useFrame}, async function({frame}) {
      let doc = frame ? content.document.querySelector("iframe").contentDocument : content.document;
      let exceptionButton = doc.querySelector(".exceptionDialogButtonContainer");
      ok(ContentTaskUtils.is_hidden(exceptionButton), "Exception button is hidden.");
    });
    BrowserTestUtils.removeTab(gBrowser.selectedTab);
  }
  Services.prefs.clearUserPref("security.certerror.hideAddException");
 });
 add_task(async function checkhideAddExceptionButtonInFrames() {
  info("Loading a bad cert page in a frame and verifying it's hidden.");
  let tab = await openErrorPage(BAD_CERT, true);
  let browser = tab.linkedBrowser;
  await ContentTask.spawn(browser, null, async function() {
    let doc = content.document.querySelector("iframe").contentDocument;
    let exceptionButton = doc.getElementById("exceptionDialogButton");
    ok(ContentTaskUtils.is_hidden(exceptionButton), "Exception button is hidden.");
  });
  BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
 add_task(async function checkAdvancedDetailsForHSTS() {
  info("Loading a bad STS cert page and verifying the advanced details section");
  for (let useFrame of [false, true]) {
@ -412,35 +312,3 @@ add_task(async function checkViewCertificate() {
  }
  Services.prefs.clearUserPref(PREF_NEW_CERT_ERRORS);
 });
 function getCertChain(securityInfoAsString) {
  let certChain = "";
  const serhelper = Cc["@mozilla.org/network/serialization-helper;1"]
                       .getService(Ci.nsISerializationHelper);
  let securityInfo = serhelper.deserializeObject(securityInfoAsString);
  securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
  for (let cert of securityInfo.failedCertChain.getEnumerator()) {
    certChain += getPEMString(cert);
  }
  return certChain;
 }
 function getDERString(cert) {
  var length = {};
  var derArray = cert.getRawDER(length);
  var derString = "";
  for (var i = 0; i < derArray.length; i++) {
    derString += String.fromCharCode(derArray[i]);
  }
  return derString;
 }
 function getPEMString(cert) {
  var derb64 = btoa(getDERString(cert));
  // Wrap the Base64 string into lines of 64 characters,
  // with CRLF line breaks (as specified in RFC 1421).
  var wrapped = derb64.replace(/(\S{64}(?!$))/g, "$1\r\n");
  return "-----BEGIN CERTIFICATE-----\r\n"
         + wrapped
         + "\r\n-----END CERTIFICATE-----\r\n";
 }
--- a/browser/base/content/test/about/browser_aboutCertError_exception.js
+++ b/browser/base/content/test/about/browser_aboutCertError_exception.js
@ -0,0 +1,159 @@
 /* Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/publicdomain/zero/1.0/ */
 "use strict";
 const BAD_CERT = "https://expired.example.com/";
 const BAD_STS_CERT = "https://badchain.include-subdomains.pinning.example.com:443";
 const PREF_NEW_CERT_ERRORS = "browser.security.newcerterrorpage.enabled";
 const PREF_PERMANENT_OVERRIDE = "security.certerrors.permanentOverride";
 add_task(async function checkExceptionDialogButton() {
  Services.prefs.setBoolPref(PREF_NEW_CERT_ERRORS, true);
  info("Loading a bad cert page and making sure the exceptionDialogButton directly adds an exception");
  let tab = await openErrorPage(BAD_CERT);
  let browser = tab.linkedBrowser;
  let loaded = BrowserTestUtils.browserLoaded(browser, false, BAD_CERT);
  info("Clicking the exceptionDialogButton in advanced panel");
  await ContentTask.spawn(browser, null, async function() {
    let doc = content.document;
    let exceptionButton = doc.getElementById("exceptionDialogButton");
    exceptionButton.click();
  });
  info("Loading the url after adding exception");
  await loaded;
  await ContentTask.spawn(browser, null, async function() {
    let doc = content.document;
    ok(!doc.documentURI.startsWith("about:certerror"), "Exception has been added");
  });
  let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
                              .getService(Ci.nsICertOverrideService);
  certOverrideService.clearValidityOverride("expired.example.com", -1);
  BrowserTestUtils.removeTab(gBrowser.selectedTab);
  Services.prefs.clearUserPref(PREF_NEW_CERT_ERRORS);
 });
 add_task(async function checkPermanentExceptionPref() {
  Services.prefs.setBoolPref(PREF_NEW_CERT_ERRORS, true);
  info("Loading a bad cert page and making sure the permanent state of exceptions can be controlled via pref");
  for (let permanentOverride of [false, true]) {
    Services.prefs.setBoolPref(PREF_PERMANENT_OVERRIDE, permanentOverride);
    let tab = await openErrorPage(BAD_CERT);
    let browser = tab.linkedBrowser;
    let loaded = BrowserTestUtils.browserLoaded(browser, false, BAD_CERT);
    info("Clicking the exceptionDialogButton in advanced panel");
    let securityInfoAsString = await ContentTask.spawn(browser, null, async function() {
      let doc = content.document;
      let exceptionButton = doc.getElementById("exceptionDialogButton");
      exceptionButton.click();
      let serhelper = Cc["@mozilla.org/network/serialization-helper;1"]
                       .getService(Ci.nsISerializationHelper);
      let serializable =  content.docShell.failedChannel.securityInfo
                                 .QueryInterface(Ci.nsITransportSecurityInfo)
                                 .QueryInterface(Ci.nsISerializable);
      return serhelper.serializeToString(serializable);
    });
    info("Loading the url after adding exception");
    await loaded;
    await ContentTask.spawn(browser, null, async function() {
      let doc = content.document;
      ok(!doc.documentURI.startsWith("about:certerror"), "Exception has been added");
    });
    let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
                                .getService(Ci.nsICertOverrideService);
    let isTemporary = {};
    let cert = getSecurityInfo(securityInfoAsString).serverCert;
    let hasException =
      certOverrideService.hasMatchingOverride("expired.example.com", -1, cert, {}, isTemporary);
    ok(hasException, "Has stored an exception for the page.");
    is(isTemporary.value, !permanentOverride,
      `Has stored a ${permanentOverride ? "permanent" : "temporary"} exception for the page.`);
    certOverrideService.clearValidityOverride("expired.example.com", -1);
    BrowserTestUtils.removeTab(gBrowser.selectedTab);
  }
  Services.prefs.clearUserPref(PREF_PERMANENT_OVERRIDE);
  Services.prefs.clearUserPref(PREF_NEW_CERT_ERRORS);
 });
 add_task(async function checkBadStsCert() {
  info("Loading a badStsCert and making sure exception button doesn't show up");
  for (let useFrame of [false, true]) {
    let tab = await openErrorPage(BAD_STS_CERT, useFrame);
    let browser = tab.linkedBrowser;
    await ContentTask.spawn(browser, {frame: useFrame}, async function({frame}) {
      let doc = frame ? content.document.querySelector("iframe").contentDocument : content.document;
      let exceptionButton = doc.getElementById("exceptionDialogButton");
      ok(ContentTaskUtils.is_hidden(exceptionButton), "Exception button is hidden.");
    });
    let message = await ContentTask.spawn(browser, {frame: useFrame}, async function({frame}) {
      let doc = frame ? content.document.querySelector("iframe").contentDocument : content.document;
      let advancedButton = doc.getElementById("advancedButton");
      advancedButton.click();
      return doc.getElementById("badCertTechnicalInfo").textContent;
    });
    if (Services.prefs.getBoolPref(PREF_NEW_CERT_ERRORS)) {
      ok(message.includes("SSL_ERROR_BAD_CERT_DOMAIN"), "Didn't find SSL_ERROR_BAD_CERT_DOMAIN.");
      ok(message.includes("The certificate is only valid for"), "Didn't find error message.");
      ok(message.includes("a certificate that is not valid for"), "Didn't find error message.");
      ok(message.includes("badchain.include-subdomains.pinning.example.com"), "Didn't find domain in error message.");
      BrowserTestUtils.removeTab(gBrowser.selectedTab);
      return;
    }
    ok(message.includes("SSL_ERROR_BAD_CERT_DOMAIN"), "Didn't find SSL_ERROR_BAD_CERT_DOMAIN.");
    ok(message.includes("The certificate is only valid for"), "Didn't find error message.");
    ok(message.includes("uses an invalid security certificate"), "Didn't find error message.");
    ok(message.includes("badchain.include-subdomains.pinning.example.com"), "Didn't find domain in error message.");
    BrowserTestUtils.removeTab(gBrowser.selectedTab);
  }
 });
 add_task(async function checkhideAddExceptionButtonViaPref() {
  info("Loading a bad cert page and verifying the pref security.certerror.hideAddException");
  Services.prefs.setBoolPref("security.certerror.hideAddException", true);
  for (let useFrame of [false, true]) {
    let tab = await openErrorPage(BAD_CERT, useFrame);
    let browser = tab.linkedBrowser;
    await ContentTask.spawn(browser, {frame: useFrame}, async function({frame}) {
      let doc = frame ? content.document.querySelector("iframe").contentDocument : content.document;
      let exceptionButton = doc.querySelector(".exceptionDialogButtonContainer");
      ok(ContentTaskUtils.is_hidden(exceptionButton), "Exception button is hidden.");
    });
    BrowserTestUtils.removeTab(gBrowser.selectedTab);
  }
  Services.prefs.clearUserPref("security.certerror.hideAddException");
 });
 add_task(async function checkhideAddExceptionButtonInFrames() {
  info("Loading a bad cert page in a frame and verifying it's hidden.");
  let tab = await openErrorPage(BAD_CERT, true);
  let browser = tab.linkedBrowser;
  await ContentTask.spawn(browser, null, async function() {
    let doc = content.document.querySelector("iframe").contentDocument;
    let exceptionButton = doc.getElementById("exceptionDialogButton");
    ok(ContentTaskUtils.is_hidden(exceptionButton), "Exception button is hidden.");
  });
  BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
--- a/browser/base/content/test/about/head.js
+++ b/browser/base/content/test/about/head.js
@ -4,6 +4,43 @@ XPCOMUtils.defineLazyModuleGetters(this, {
  FormHistory: "resource://gre/modules/FormHistory.jsm",
 });
 function getSecurityInfo(securityInfoAsString) {
  const serhelper = Cc["@mozilla.org/network/serialization-helper;1"]
                       .getService(Ci.nsISerializationHelper);
  let securityInfo = serhelper.deserializeObject(securityInfoAsString);
  securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
  return securityInfo;
 }
 function getCertChain(securityInfoAsString) {
  let certChain = "";
  let securityInfo = getSecurityInfo(securityInfoAsString);
  for (let cert of securityInfo.failedCertChain.getEnumerator()) {
    certChain += getPEMString(cert);
  }
  return certChain;
 }
 function getDERString(cert) {
  var length = {};
  var derArray = cert.getRawDER(length);
  var derString = "";
  for (var i = 0; i < derArray.length; i++) {
    derString += String.fromCharCode(derArray[i]);
  }
  return derString;
 }
 function getPEMString(cert) {
  var derb64 = btoa(getDERString(cert));
  // Wrap the Base64 string into lines of 64 characters,
  // with CRLF line breaks (as specified in RFC 1421).
  var wrapped = derb64.replace(/(\S{64}(?!$))/g, "$1\r\n");
  return "-----BEGIN CERTIFICATE-----\r\n"
         + wrapped
         + "\r\n-----END CERTIFICATE-----\r\n";
 }
 function injectErrorPageFrame(tab, src) {
  return ContentTask.spawn(tab.linkedBrowser, {frameSrc: src}, async function({frameSrc}) {
    let loaded = ContentTaskUtils.waitForEvent(content.wrappedJSObject, "DOMFrameContentLoaded");