mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Backed out 2 changesets (bug 1529643) for eslint failure at NetErrorChild.jsm on a CLOSED TREE. 

Backed out changeset 000dfd4caca0 (bug 1529643)
Backed out changeset e4718a35d70b (bug 1529643)
This commit is contained in:
Gurzau Raul 2019-03-14 01:09:43 +02:00
Родитель fc5efa3bc0
Коммит c747f02899
11 изменённых файлов: 0 добавлений и 277 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

20
browser/actors/NetErrorChild.jsm
Просмотреть файл

@ -28,8 +28,6 @@ XPCOMUtils.defineLazyPreferenceGetter(this, "newErrorPagesEnabled",
"browser.security.newcerterrorpage.enabled");
XPCOMUtils.defineLazyPreferenceGetter(this, "mitmErrorPageEnabled",
"browser.security.newcerterrorpage.mitm.enabled");
XPCOMUtils.defineLazyPreferenceGetter(this, "mitmPrimingEnabled",
"security.certerrors.mitm.priming.enabled");
XPCOMUtils.defineLazyGetter(this, "gNSSErrorsBundle", function() {
return Services.strings.createBundle("chrome://pipnss/locale/nsserrors.properties");
});
@ -380,16 +378,6 @@ class NetErrorChild extends ActorChild {
}
}
// Check if the connection is being man-in-the-middled. When the parent
// detects an intercepted connection, the page may be reloaded with a new
// error code (MOZILLA_PKIX_ERROR_MITM_DETECTED).
if (newErrorPagesEnabled && mitmPrimingEnabled &&
msg.data.code == SEC_ERROR_UNKNOWN_ISSUER &&
// Only do this check for top-level failures.
doc.ownerGlobal.top === doc.ownerGlobal) {
this.mm.sendAsyncMessage("Browser:PrimeMitm");
}
let div = doc.getElementById("certificateErrorText");
div.textContent = msg.data.info;
this._setTechDetails(msg, doc);
@ -465,14 +453,6 @@ class NetErrorChild extends ActorChild {
break;
case MOZILLA_PKIX_ERROR_MITM_DETECTED:
if (newErrorPagesEnabled && mitmErrorPageEnabled) {
let autoEnabledEnterpriseRoots =
Services.prefs.getBoolPref("security.enterprise_roots.auto-enabled", false);
if (mitmPrimingEnabled && autoEnabledEnterpriseRoots) {
// If we automatically tried to import enterprise root certs but it didn't
// fix the MITM, reset the pref.
this.mm.sendAsyncMessage("Browser:ResetEnterpriseRootsPref");
}
// We don't actually know what the MitM is called (since we don't
// maintain a list), so we'll try and display the common name of the
// root issuer to the user. In the worst case they are as clueless as

3
browser/app/profile/firefox.js
Просмотреть файл

@ -971,9 +971,6 @@ pref("browser.security.newcerterrorpage.enabled", true);
pref("browser.security.newcerterrorpage.mitm.enabled", true);
pref("security.certerrors.recordEventTelemetry", true);
pref("security.certerrors.permanentOverride", true);
pref("security.certerrors.mitm.priming.enabled", true);
pref("security.certerrors.mitm.priming.endpoint", "https://mitmdetection.services.mozilla.com/");
pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
// Whether to start the private browsing mode at application startup
pref("browser.privatebrowsing.autostart", false);

74
browser/base/content/browser.js
Просмотреть файл

@ -2935,9 +2935,6 @@ function PageProxyClickHandler(aEvent) {
const TLS_ERROR_REPORT_TELEMETRY_AUTO_CHECKED = 2;
const TLS_ERROR_REPORT_TELEMETRY_AUTO_UNCHECKED = 3;
const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
const PREF_SSL_IMPACT_ROOTS = ["security.tls.version.", "security.ssl3."];
/**
@ -2956,8 +2953,6 @@ var BrowserOnClick = {
mm.addMessageListener("Browser:ResetSSLPreferences", this);
mm.addMessageListener("Browser:SSLErrorReportTelemetry", this);
mm.addMessageListener("Browser:SSLErrorGoBack", this);
mm.addMessageListener("Browser:PrimeMitm", this);
mm.addMessageListener("Browser:ResetEnterpriseRootsPref", this);
Services.obs.addObserver(this, "captive-portal-login-abort");
Services.obs.addObserver(this, "captive-portal-login-success");
@ -2972,8 +2967,6 @@ var BrowserOnClick = {
mm.removeMessageListener("Browser:ResetSSLPreferences", this);
mm.removeMessageListener("Browser:SSLErrorReportTelemetry", this);
mm.removeMessageListener("Browser:SSLErrorGoBack", this);
mm.removeMessageListener("Browser:PrimeMitm", this);
mm.removeMessageListener("Browser:ResetEnterpriseRootsPref", this);
Services.obs.removeObserver(this, "captive-portal-login-abort");
Services.obs.removeObserver(this, "captive-portal-login-success");
@ -3038,76 +3031,9 @@ var BrowserOnClick = {
case "Browser:SSLErrorGoBack":
goBackFromErrorPage();
break;
case "Browser:PrimeMitm":
this.primeMitm(msg.target);
break;
case "Browser:ResetEnterpriseRootsPref":
Services.prefs.clearUserPref("security.enterprise_roots.enabled");
Services.prefs.clearUserPref("security.enterprise_roots.auto-enabled");
break;
}
},
/**
* This function does a canary request to a reliable, maintained endpoint, in
* order to help network code detect a system-wide man-in-the-middle.
*/
primeMitm(browser) {
// If we already have a mitm canary issuer stored, then don't bother with the
// extra request. This will be cleared on every update ping.
if (Services.prefs.getStringPref("security.pki.mitm_canary_issuer", null)) {
return;
}
let url = Services.prefs.getStringPref("security.certerrors.mitm.priming.endpoint");
let request = new XMLHttpRequest({mozAnon: true});
request.open("HEAD", url);
request.channel.loadFlags |= Ci.nsIRequest.LOAD_BYPASS_CACHE;
request.channel.loadFlags |= Ci.nsIRequest.INHIBIT_CACHING;
request.addEventListener("error", event => {
// Make sure the user is still on the cert error page.
if (!browser.documentURI.spec.startsWith("about:certerror")) {
return;
}
let secInfo = request.channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
if (secInfo.errorCode != SEC_ERROR_UNKNOWN_ISSUER) {
return;
}
// When we get to this point there's already something deeply wrong, it's very likely
// that there is indeed a system-wide MitM.
if (secInfo.serverCert && secInfo.serverCert.issuerName) {
// Grab the issuer of the certificate used in the exchange and store it so that our
// network-level MitM detection code has a comparison baseline.
Services.prefs.setStringPref("security.pki.mitm_canary_issuer", secInfo.serverCert.issuerName);
// MitM issues are sometimes caused by software not registering their root certs in the
// Firefox root store. We might opt for using third party roots from the system root store.
if (Services.prefs.getBoolPref("security.certerrors.mitm.auto_enable_enterprise_roots")) {
if (!Services.prefs.getBoolPref("security.enterprise_roots.enabled")) {
// Loading enterprise roots happens on a background thread, so wait for import to finish.
BrowserUtils.promiseObserved("psm:enterprise-certs-imported").then(() => {
if (browser.documentURI.spec.startsWith("about:certerror")) {
browser.reload();
}
});
Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
// Record that this pref was automatically set.
Services.prefs.setBoolPref("security.enterprise_roots.auto-enabled", true);
}
} else {
// Need to reload the page to make sure network code picks up the canary issuer pref.
browser.reload();
}
}
});
request.send(null);
},
onCertError(browser, elementId, isTopFrame, location, securityInfoAsString, frameId) {
let securityInfo;
let cert;

1
browser/base/content/test/about/browser.ini
Просмотреть файл

@ -12,7 +12,6 @@ prefs =
[browser_aboutCertError.js]
[browser_aboutCertError_clockSkew.js]
[browser_aboutCertError_exception.js]
[browser_aboutCertError_mitm.js]
[browser_aboutCertError_telemetry.js]
[browser_aboutHome_search_POST.js]
[browser_aboutHome_search_composing.js]

97
browser/base/content/test/about/browser_aboutCertError_mitm.js
Просмотреть файл

@ -1,97 +0,0 @@
/* Any copyright is dedicated to the Public Domain.
* http://creativecommons.org/publicdomain/zero/1.0/ */
"use strict";
const PREF_NEW_CERT_ERRORS = "browser.security.newcerterrorpage.enabled";
const PREF_MITM_PRIMING = "security.certerrors.mitm.priming.enabled";
const PREF_MITM_PRIMING_ENDPOINT = "security.certerrors.mitm.priming.endpoint";
const PREF_MITM_CANARY_ISSUER = "security.pki.mitm_canary_issuer";
const PREF_MITM_AUTO_ENABLE_ENTERPRISE_ROOTS = "security.certerrors.mitm.auto_enable_enterprise_roots";
const PREF_ENTERPRISE_ROOTS = "security.enterprise_roots.enabled";
const UNKNOWN_ISSUER = "https://untrusted.example.com";
// Check that basic MitM priming works and the MitM error page is displayed successfully.
add_task(async function checkMitmPriming() {
await SpecialPowers.pushPrefEnv({"set": [
[PREF_NEW_CERT_ERRORS, true],
[PREF_MITM_PRIMING, true],
[PREF_MITM_PRIMING_ENDPOINT, UNKNOWN_ISSUER],
]});
let browser;
let certErrorLoaded;
await BrowserTestUtils.openNewForegroundTab(gBrowser, () => {
gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, UNKNOWN_ISSUER);
browser = gBrowser.selectedBrowser;
certErrorLoaded = BrowserTestUtils.waitForErrorPage(browser);
}, false);
await certErrorLoaded;
// The page will reload after the initial canary request, so we'll just
// wait until we're seeing the dedicated MitM page.
await TestUtils.waitForCondition(function() {
return ContentTask.spawn(browser, {}, () => {
return content.document.body.getAttribute("code") == "MOZILLA_PKIX_ERROR_MITM_DETECTED";
});
}, "Loads the MitM error page.");
ok(true, "Successfully loaded the MitM error page.");
is(Services.prefs.getStringPref(PREF_MITM_CANARY_ISSUER), "CN=Unknown CA", "Stored the correct issuer");
await ContentTask.spawn(browser, {}, () => {
let mitmName1 = content.document.querySelector("#errorShortDescText .mitm-name");
ok(ContentTaskUtils.is_visible(mitmName1), "Potential man in the middle is displayed");
is(mitmName1.textContent, "Unknown CA", "Shows the name of the issuer.");
let mitmName2 = content.document.querySelector("#errorWhatToDoText .mitm-name");
ok(ContentTaskUtils.is_visible(mitmName2), "Potential man in the middle is displayed");
is(mitmName2.textContent, "Unknown CA", "Shows the name of the issuer.");
});
BrowserTestUtils.removeTab(gBrowser.selectedTab);
Services.prefs.clearUserPref(PREF_MITM_CANARY_ISSUER);
});
// Check that we set the enterprise roots pref correctly on MitM
add_task(async function checkMitmAutoEnableEnterpriseRoots() {
await SpecialPowers.pushPrefEnv({"set": [
[PREF_NEW_CERT_ERRORS, true],
[PREF_MITM_PRIMING, true],
[PREF_MITM_PRIMING_ENDPOINT, UNKNOWN_ISSUER],
[PREF_MITM_AUTO_ENABLE_ENTERPRISE_ROOTS, true],
]});
let browser;
let certErrorLoaded;
let prefChanged = TestUtils.waitForPrefChange(PREF_ENTERPRISE_ROOTS, value => value === true);
await BrowserTestUtils.openNewForegroundTab(gBrowser, () => {
gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, UNKNOWN_ISSUER);
browser = gBrowser.selectedBrowser;
certErrorLoaded = BrowserTestUtils.waitForErrorPage(browser);
}, false);
await certErrorLoaded;
await prefChanged;
// The page will reload after the initial canary request, so we'll just
// wait until we're seeing the dedicated MitM page.
await TestUtils.waitForCondition(function() {
return ContentTask.spawn(browser, {}, () => {
return content.document.body.getAttribute("code") == "MOZILLA_PKIX_ERROR_MITM_DETECTED";
});
}, "Loads the MitM error page.");
ok(true, "Successfully loaded the MitM error page.");
ok(!Services.prefs.prefHasUserValue(PREF_ENTERPRISE_ROOTS), "Flipped the enterprise roots pref back");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
Services.prefs.clearUserPref(PREF_MITM_CANARY_ISSUER);
});

3
testing/geckodriver/src/prefs.rs
Просмотреть файл

@ -141,9 +141,6 @@ lazy_static! {
// c.f. https://github.com/mozilla/geckodriver/issues/225.
("plugin.state.flash", Pref::new(0)),
// Don't do network connections for mitm priming
("security.certerrors.mitm.priming.enabled", Pref::new(false)),
// Ensure blocklist updates don't hit the network
("services.settings.server", Pref::new("http://%(server)s/dummy/blocklist/")),

3
testing/marionette/client/marionette_driver/geckoinstance.py
Просмотреть файл

@ -116,9 +116,6 @@ class GeckoInstance(object):
# Make sure SNTP requests don't hit the network
"network.sntp.pools": "%(server)s",
# Don't do network connections for mitm priming
"security.certerrors.mitm.priming.enabled": False,
# Tests don't wait for the notification button security delay
"security.notification_enable_delay": 0,

3
testing/marionette/components/marionette.js
Просмотреть файл

@ -241,9 +241,6 @@ const RECOMMENDED_PREFS = new Map([
// Make sure SNTP requests do not hit the network
["network.sntp.pools", "%(server)s"],
// Don't do network connections for mitm priming
["security.certerrors.mitm.priming.enabled", false],
// Local documents have access to all other local documents,
// including directory listings
["security.fileuri.strict_origin_policy", false],

47
testing/modules/TestUtils.jsm
Просмотреть файл

@ -69,53 +69,6 @@ var TestUtils = {
});
},
/**
* Waits for the specified preference to be change.
*
* @param {string} prefName
* The pref to observe.
* @param {function} checkFn [optional]
* Called with the new preference value as argument, should return true if the
* notification is the expected one, or false if it should be ignored
* and listening should continue. If not specified, the first
* notification for the specified topic resolves the returned promise.
*
* @note Because this function is intended for testing, any error in checkFn
* will cause the returned promise to be rejected instead of waiting for
* the next notification, since this is probably a bug in the test.
*
* @return {Promise}
* @resolves The value of the preference.
*/
waitForPrefChange(prefName, checkFn) {
return new Promise((resolve, reject) => {
Services.prefs.addObserver(prefName, function observer(subject, topic, data) {
try {
let prefValue = null;
switch (Services.prefs.getPrefType(prefName)) {
case Services.prefs.PREF_STRING:
prefValue = Services.prefs.getStringPref(prefName);
break;
case Services.prefs.PREF_INT:
prefValue = Services.prefs.getIntPref(prefName);
break;
case Services.prefs.PREF_BOOL:
prefValue = Services.prefs.getBoolPref(prefName);
break;
}
if (checkFn && !checkFn(prefValue)) {
return;
}
Services.prefs.removeObserver(prefName, observer);
resolve(prefValue);
} catch (ex) {
Services.prefs.removeObserver(prefName, observer);
reject(ex);
}
});
});
},
/**
* Takes a screenshot of an area and returns it as a data URL.
*

2
testing/profiles/common/user.js
Просмотреть файл

@ -43,8 +43,6 @@ user_pref("general.useragent.updates.enabled", false);
user_pref("gfx.webrender.all.qualified", false);
user_pref("hangmonitor.timeout", 0); // no hang monitor
user_pref("media.gmp-manager.updateEnabled", false);
// Don't do network connections for mitm priming
user_pref("security.certerrors.mitm.priming.enabled", false);
// Make enablePrivilege continue to work for test code. :-(
user_pref("security.turn_off_all_security_so_that_viruses_can_take_over_this_computer", true);
user_pref("xpinstall.signatures.required", false);

24
toolkit/modules/BrowserUtils.jsm
Просмотреть файл

@ -687,28 +687,4 @@ var BrowserUtils = {
}
return fragment;
},
/**
* Returns a Promise which resolves when the given observer topic has been
* observed.
*
* @param {string} topic
* The topic to observe.
* @param {function(nsISupports, string)} [test]
* An optional test function which, when called with the
* observer's subject and data, should return true if this is the
* expected notification, false otherwise.
* @returns {Promise<object>}
*/
promiseObserved(topic, test = () => true) {
return new Promise(resolve => {
let observer = (subject, topic, data) => {
if (test(subject, data)) {
Services.obs.removeObserver(observer, topic);
resolve({subject, data});
}
};
Services.obs.addObserver(observer, topic);
});
},
};