From d0f6470c17965fc76f512040a9ff7d1fe4df8c51 Mon Sep 17 00:00:00 2001 From: Andreea Pavel Date: Wed, 25 Jul 2018 19:34:58 +0300 Subject: [PATCH] Backed out changeset c235d6f86c22 (bug 1475647) for breaking firefox ui at testing/firefox-ui/tests/puppeteer/test_tabbar.py on a CLOSED TREE --- browser/base/content/browser-siteIdentity.js | 8 +++-- browser/base/content/browser.js | 6 ++-- browser/base/content/pageinfo/security.js | 5 +++- devtools/shared/security/auth.js | 2 +- devtools/shared/security/socket.js | 2 +- devtools/shared/webconsole/network-helper.js | 1 + .../test/unit/test_security-info-parser.js | 3 +- .../test/unit/test_security-info-state.js | 3 +- .../unit/test_security-info-static-hpkp.js | 3 +- dom/ipc/TabParent.cpp | 10 ------- mobile/android/chrome/content/browser.js | 5 ++-- mobile/android/chrome/content/content.js | 3 +- .../modules/geckoview/GeckoViewProgress.jsm | 3 +- netwerk/base/nsISecureBrowserUI.idl | 2 -- netwerk/protocol/http/AlternateServices.cpp | 2 ++ netwerk/protocol/http/Http2Session.cpp | 2 ++ netwerk/protocol/http/nsHttpChannel.cpp | 17 ++++++----- netwerk/protocol/http/nsHttpNTLMAuth.cpp | 8 ++--- netwerk/socket/nsITransportSecurityInfo.idl | 3 -- .../pki/resources/content/exceptionDialog.js | 30 +++++++------------ .../manager/ssl/TransportSecurityInfo.cpp | 3 +- security/manager/ssl/TransportSecurityInfo.h | 3 ++ security/manager/ssl/moz.build | 1 + security/manager/ssl/nsISSLStatusProvider.idl | 13 ++++++++ .../manager/ssl/nsSecureBrowserUIImpl.cpp | 20 ++++++++----- security/manager/ssl/nsSecureBrowserUIImpl.h | 9 ++++-- security/manager/ssl/tests/unit/head_psm.js | 9 ++++-- .../unit/test_cert_overrides_read_only.js | 3 +- security/manager/ssl/tests/unit/test_ct.js | 3 +- .../ssl/tests/unit/test_session_resumption.js | 12 ++++++-- .../manager/ssl/tests/unit/test_ssl_status.js | 8 ++--- security/manager/tools/getHSTSPreloadList.js | 4 +-- .../firefox/firefox_puppeteer/api/security.py | 3 +- toolkit/content/browser-child.js | 18 +++++------ toolkit/modules/CertUtils.jsm | 2 +- toolkit/modules/RemoteSecurityUI.jsm | 12 ++++---- toolkit/modules/RemoteWebProgress.jsm | 12 ++++---- toolkit/modules/addons/SecurityInfo.jsm | 1 + .../tests/chrome/test_bug544442_checkCert.xul | 2 +- toolkit/mozapps/update/nsUpdateService.js | 2 +- 40 files changed, 147 insertions(+), 111 deletions(-) create mode 100644 security/manager/ssl/nsISSLStatusProvider.idl diff --git a/browser/base/content/browser-siteIdentity.js b/browser/base/content/browser-siteIdentity.js index ca529b5ac125..f21fb38f65b3 100644 --- a/browser/base/content/browser-siteIdentity.js +++ b/browser/base/content/browser-siteIdentity.js @@ -347,8 +347,12 @@ var gIdentityHandler = { // Firstly, populate the state properties required to display the UI. See // the documentation of the individual properties for details. this.setURI(uri); - this._sslStatus = gBrowser.securityUI.secInfo && - gBrowser.securityUI.secInfo.SSLStatus; + this._sslStatus = gBrowser.securityUI + .QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; + if (this._sslStatus) { + this._sslStatus.QueryInterface(Ci.nsISSLStatus); + } // Then, update the user interface with the available data. this.refreshIdentityBlock(); diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js index 1afdc14b027c..5f590fd63460 100644 --- a/browser/base/content/browser.js +++ b/browser/base/content/browser.js @@ -2994,7 +2994,8 @@ var BrowserOnClick = { } securityInfo = getSecurityInfo(securityInfoAsString); - sslStatus = securityInfo.SSLStatus; + sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; let params = { exceptionAdded: false, sslStatus }; @@ -3035,7 +3036,8 @@ var BrowserOnClick = { } securityInfo = getSecurityInfo(securityInfoAsString); - sslStatus = securityInfo.SSLStatus; + sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; let errorInfo = getDetailedCertErrorInfo(location, securityInfo); let validityInfo = { diff --git a/browser/base/content/pageinfo/security.js b/browser/base/content/pageinfo/security.js index 2ab144818ecd..a57560e794e7 100644 --- a/browser/base/content/pageinfo/security.js +++ b/browser/base/content/pageinfo/security.js @@ -27,6 +27,7 @@ var security = { }, _getSecurityInfo() { + const nsISSLStatusProvider = Ci.nsISSLStatusProvider; const nsISSLStatus = Ci.nsISSLStatus; // We don't have separate info for a frame, return null until further notice @@ -49,9 +50,11 @@ var security = { (ui.state & Ci.nsIWebProgressListener.STATE_IS_INSECURE); var isEV = (ui.state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL); - var status = ui.secInfo && ui.secInfo.SSLStatus; + ui.QueryInterface(nsISSLStatusProvider); + var status = ui.SSLStatus; if (!isInsecure && status) { + status.QueryInterface(nsISSLStatus); var cert = status.serverCert; var issuerName = cert.issuerOrganization || cert.issuerName; diff --git a/devtools/shared/security/auth.js b/devtools/shared/security/auth.js index 86b304c59432..98c325186513 100644 --- a/devtools/shared/security/auth.js +++ b/devtools/shared/security/auth.js @@ -300,7 +300,7 @@ OOBCert.Client.prototype = { // Client verifies that Server's cert matches hash(ServerCert) from the // advertisement dumpv("Validate server cert hash"); - const serverCert = socket.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo) + const serverCert = socket.securityInfo.QueryInterface(Ci.nsISSLStatusProvider) .SSLStatus.serverCert; const advertisedCert = cert; if (serverCert.sha256Fingerprint != advertisedCert.sha256) { diff --git a/devtools/shared/security/socket.js b/devtools/shared/security/socket.js index 98fe37ea38b0..55d70ac598fe 100644 --- a/devtools/shared/security/socket.js +++ b/devtools/shared/security/socket.js @@ -353,7 +353,7 @@ function _isInputAlive(input) { */ function _storeCertOverride(s, host, port) { // eslint-disable-next-line no-shadow - const cert = s.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo) + const cert = s.securityInfo.QueryInterface(Ci.nsISSLStatusProvider) .SSLStatus.serverCert; const overrideBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_MISMATCH; diff --git a/devtools/shared/webconsole/network-helper.js b/devtools/shared/webconsole/network-helper.js index 9c590335f075..663d70f43213 100644 --- a/devtools/shared/webconsole/network-helper.js +++ b/devtools/shared/webconsole/network-helper.js @@ -600,6 +600,7 @@ var NetworkHelper = { */ securityInfo.QueryInterface(Ci.nsITransportSecurityInfo); + securityInfo.QueryInterface(Ci.nsISSLStatusProvider); const wpl = Ci.nsIWebProgressListener; const NSSErrorsService = Cc["@mozilla.org/nss_errors_service;1"] diff --git a/devtools/shared/webconsole/test/unit/test_security-info-parser.js b/devtools/shared/webconsole/test/unit/test_security-info-parser.js index fcf05f7d8065..3edddcd97196 100644 --- a/devtools/shared/webconsole/test/unit/test_security-info-parser.js +++ b/devtools/shared/webconsole/test/unit/test_security-info-parser.js @@ -33,7 +33,8 @@ const MockCertificate = { }; const MockSecurityInfo = { - QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]), + QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo, + Ci.nsISSLStatusProvider]), securityState: wpl.STATE_IS_SECURE, errorCode: 0, SSLStatus: { diff --git a/devtools/shared/webconsole/test/unit/test_security-info-state.js b/devtools/shared/webconsole/test/unit/test_security-info-state.js index 8e269c4fe1d5..3d458ef09a21 100644 --- a/devtools/shared/webconsole/test/unit/test_security-info-state.js +++ b/devtools/shared/webconsole/test/unit/test_security-info-state.js @@ -19,7 +19,8 @@ Object.defineProperty(this, "NetworkHelper", { const wpl = Ci.nsIWebProgressListener; const MockSecurityInfo = { - QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]), + QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo, + Ci.nsISSLStatusProvider]), securityState: wpl.STATE_IS_BROKEN, errorCode: 0, SSLStatus: { diff --git a/devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js b/devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js index e97d43a9c6d9..e710d758f9af 100644 --- a/devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js +++ b/devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js @@ -20,7 +20,8 @@ Object.defineProperty(this, "NetworkHelper", { const wpl = Ci.nsIWebProgressListener; const MockSecurityInfo = { - QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]), + QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo, + Ci.nsISSLStatusProvider]), securityState: wpl.STATE_IS_SECURE, errorCode: 0, SSLStatus: { diff --git a/dom/ipc/TabParent.cpp b/dom/ipc/TabParent.cpp index c2bc70e3e36d..cda79a7fb5d8 100644 --- a/dom/ipc/TabParent.cpp +++ b/dom/ipc/TabParent.cpp @@ -59,7 +59,6 @@ #include "nsIInterfaceRequestorUtils.h" #include "nsILoadInfo.h" #include "nsIPromptFactory.h" -#include "nsITransportSecurityInfo.h" #include "nsIURI.h" #include "nsIWindowWatcher.h" #include "nsIWebBrowserChrome.h" @@ -894,15 +893,6 @@ TabParent::GetState(uint32_t *aState) return NS_OK; } -NS_IMETHODIMP -TabParent::GetSecInfo(nsITransportSecurityInfo** _result) -{ - NS_ENSURE_ARG_POINTER(_result); - NS_WARNING("TransportSecurityInfo not valid here"); - *_result = nullptr; - return NS_OK; -} - NS_IMETHODIMP TabParent::SetDocShell(nsIDocShell *aDocShell) { diff --git a/mobile/android/chrome/content/browser.js b/mobile/android/chrome/content/browser.js index 8097f2b1d5ce..001dc8a4b6be 100644 --- a/mobile/android/chrome/content/browser.js +++ b/mobile/android/chrome/content/browser.js @@ -5687,8 +5687,9 @@ var IdentityHandler = { * (if available). Return the data needed to update the UI. */ checkIdentity: function checkIdentity(aState, aBrowser) { - this._lastStatus = aBrowser.securityUI.secInfo && - aBrowser.securityUI.secInfo.SSLStatus; + this._lastStatus = aBrowser.securityUI + .QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; // Don't pass in the actual location object, since it can cause us to // hold on to the window object too long. Just pass in the fields we diff --git a/mobile/android/chrome/content/content.js b/mobile/android/chrome/content/content.js index dd5de8941d56..f7ea084b5e9a 100644 --- a/mobile/android/chrome/content/content.js +++ b/mobile/android/chrome/content/content.js @@ -360,7 +360,8 @@ var AboutCertErrorListener = { let securityInfo = docShell.failedChannel && docShell.failedChannel.securityInfo; securityInfo.QueryInterface(Ci.nsITransportSecurityInfo) .QueryInterface(Ci.nsISerializable); - let sslStatus = securityInfo.SSLStatus; + let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; this._setTechDetails(sslStatus, securityInfo, ownerDoc.location.href); }, }; diff --git a/mobile/android/modules/geckoview/GeckoViewProgress.jsm b/mobile/android/modules/geckoview/GeckoViewProgress.jsm index 2ed06f85f3cd..c2f9db5facda 100644 --- a/mobile/android/modules/geckoview/GeckoViewProgress.jsm +++ b/mobile/android/modules/geckoview/GeckoViewProgress.jsm @@ -159,7 +159,8 @@ var IdentityHandler = { result.host = uri.host; } - let status = aBrowser.securityUI.secInfo.SSLStatus; + let status = aBrowser.securityUI.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus.QueryInterface(Ci.nsISSLStatus); let cert = status.serverCert; result.organization = cert.organization; diff --git a/netwerk/base/nsISecureBrowserUI.idl b/netwerk/base/nsISecureBrowserUI.idl index 3f12d7bd3871..a2782d79b142 100644 --- a/netwerk/base/nsISecureBrowserUI.idl +++ b/netwerk/base/nsISecureBrowserUI.idl @@ -8,7 +8,6 @@ interface mozIDOMWindowProxy; interface nsIDocShell; -interface nsITransportSecurityInfo; [scriptable, uuid(718c662a-f810-4a80-a6c9-0b1810ecade2)] interface nsISecureBrowserUI : nsISupports @@ -17,7 +16,6 @@ interface nsISecureBrowserUI : nsISupports void setDocShell(in nsIDocShell docShell); readonly attribute unsigned long state; - readonly attribute nsITransportSecurityInfo secInfo; }; %{C++ diff --git a/netwerk/protocol/http/AlternateServices.cpp b/netwerk/protocol/http/AlternateServices.cpp index 90e714efa3fa..4600d138863a 100644 --- a/netwerk/protocol/http/AlternateServices.cpp +++ b/netwerk/protocol/http/AlternateServices.cpp @@ -15,6 +15,8 @@ #include "nsThreadUtils.h" #include "nsHttpTransaction.h" #include "NullHttpTransaction.h" +#include "nsISSLStatusProvider.h" +#include "nsISSLStatus.h" #include "nsISSLSocketControl.h" #include "nsIWellKnownOpportunisticUtils.h" diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp index 2ad359c11a9a..e3417e0ffcba 100644 --- a/netwerk/protocol/http/Http2Session.cpp +++ b/netwerk/protocol/http/Http2Session.cpp @@ -27,6 +27,8 @@ #include "nsHttpConnection.h" #include "nsIRequestContext.h" #include "nsISSLSocketControl.h" +#include "nsISSLStatus.h" +#include "nsISSLStatusProvider.h" #include "nsISupportsPriority.h" #include "nsStandardURL.h" #include "nsURLHelper.h" diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp index b9c70e93a756..83cbed9fffd3 100644 --- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -69,6 +69,7 @@ #include "nsIScriptError.h" #include "nsIScriptSecurityManager.h" #include "nsISSLStatus.h" +#include "nsISSLStatusProvider.h" #include "nsITransportSecurityInfo.h" #include "nsIWebProgressListener.h" #include "LoadContextInfo.h" @@ -1895,11 +1896,11 @@ nsHttpChannel::ProcessSecurityHeaders() uint32_t flags = NS_UsePrivateBrowsing(this) ? nsISocketProvider::NO_PERMANENT_STORAGE : 0; - // Get the TransportSecurityInfo - nsCOMPtr transSecInfo = do_QueryInterface(mSecurityInfo); - NS_ENSURE_TRUE(transSecInfo, NS_ERROR_FAILURE); + // Get the SSLStatus + nsCOMPtr sslprov = do_QueryInterface(mSecurityInfo); + NS_ENSURE_TRUE(sslprov, NS_ERROR_FAILURE); nsCOMPtr sslStatus; - rv = transSecInfo->GetSSLStatus(getter_AddRefs(sslStatus)); + rv = sslprov->GetSSLStatus(getter_AddRefs(sslStatus)); NS_ENSURE_SUCCESS(rv, rv); NS_ENSURE_TRUE(sslStatus, NS_ERROR_FAILURE); @@ -2030,15 +2031,17 @@ nsHttpChannel::ProcessSSLInformation() !IsHTTPS() || mPrivateBrowsing) return; - nsCOMPtr securityInfo = + nsCOMPtr statusProvider = do_QueryInterface(mSecurityInfo); - if (!securityInfo) + if (!statusProvider) return; nsCOMPtr sslstat; - securityInfo->GetSSLStatus(getter_AddRefs(sslstat)); + statusProvider->GetSSLStatus(getter_AddRefs(sslstat)); if (!sslstat) return; + nsCOMPtr securityInfo = + do_QueryInterface(mSecurityInfo); uint32_t state; if (securityInfo && NS_SUCCEEDED(securityInfo->GetSecurityState(&state)) && diff --git a/netwerk/protocol/http/nsHttpNTLMAuth.cpp b/netwerk/protocol/http/nsHttpNTLMAuth.cpp index dc21f0fb5c0a..718197060c09 100644 --- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp +++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp @@ -24,7 +24,7 @@ #include "nsIChannel.h" #include "nsIX509Cert.h" #include "nsISSLStatus.h" -#include "nsITransportSecurityInfo.h" +#include "nsISSLStatusProvider.h" #endif #include "mozilla/Attributes.h" #include "mozilla/Base64.h" @@ -335,12 +335,12 @@ nsHttpNTLMAuth::GenerateCredentials(nsIHttpAuthenticableChannel *authChannel, if (NS_FAILED(rv)) return rv; - nsCOMPtr secInfo = + nsCOMPtr statusProvider = do_QueryInterface(security); - if (mUseNative && secInfo) { + if (mUseNative && statusProvider) { nsCOMPtr status; - rv = secInfo->GetSSLStatus(getter_AddRefs(status)); + rv = statusProvider->GetSSLStatus(getter_AddRefs(status)); if (NS_FAILED(rv)) return rv; diff --git a/netwerk/socket/nsITransportSecurityInfo.idl b/netwerk/socket/nsITransportSecurityInfo.idl index 9ed3d2fdd4c6..a0a165038cc9 100644 --- a/netwerk/socket/nsITransportSecurityInfo.idl +++ b/netwerk/socket/nsITransportSecurityInfo.idl @@ -6,7 +6,6 @@ #include "nsISupports.idl" -interface nsISSLStatus; interface nsIX509CertList; [builtinclass, scriptable, uuid(216112d3-28bc-4671-b057-f98cc09ba1ea)] @@ -22,7 +21,5 @@ interface nsITransportSecurityInfo : nsISupports { * If verification succeeded, this will be null. */ readonly attribute nsIX509CertList failedCertChain; - - readonly attribute nsISSLStatus SSLStatus; }; diff --git a/security/manager/pki/resources/content/exceptionDialog.js b/security/manager/pki/resources/content/exceptionDialog.js index 3629028c5e4c..72c7d455e958 100644 --- a/security/manager/pki/resources/content/exceptionDialog.js +++ b/security/manager/pki/resources/content/exceptionDialog.js @@ -26,9 +26,7 @@ function initExceptionDialog() { gNsISecTel = Ci.nsISecurityUITelemetry; var brandName = gBundleBrand.getString("brandShortName"); - setText("warningText", - gPKIBundle.getFormattedString("addExceptionBrandedWarning2", - [brandName])); + setText("warningText", gPKIBundle.getFormattedString("addExceptionBrandedWarning2", [brandName])); gDialog.getButton("extra1").disabled = true; var args = window.arguments; @@ -77,7 +75,7 @@ function initExceptionDialog() { function grabCert(req, evt) { if (req.channel && req.channel.securityInfo) { gSSLStatus = req.channel.securityInfo - .QueryInterface(Ci.nsITransportSecurityInfo).SSLStatus; + .QueryInterface(Ci.nsISSLStatusProvider).SSLStatus; gCert = gSSLStatus ? gSSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert : null; } @@ -161,8 +159,7 @@ function resetDialog() { */ function handleTextChange() { var checkCertButton = document.getElementById("checkCertButton"); - checkCertButton.disabled = - !(document.getElementById("locationTextBox").value); + checkCertButton.disabled = !(document.getElementById("locationTextBox").value); if (gNeedReset) { gNeedReset = false; resetDialog(); @@ -204,8 +201,7 @@ function updateCertStatus() { } } if (gSSLStatus.isUntrusted) { - bucketId += - gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_UNTRUSTED; + bucketId += gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_UNTRUSTED; if (!use1) { use1 = true; shortDesc = uts; @@ -233,8 +229,7 @@ function updateCertStatus() { pe.disabled = inPrivateBrowsing; pe.checked = !inPrivateBrowsing; - setText("headerDescription", - gPKIBundle.getString("addExceptionInvalidHeader")); + setText("headerDescription", gPKIBundle.getString("addExceptionInvalidHeader")); } else { shortDesc = "addExceptionValidShort"; longDesc = "addExceptionValidLong"; @@ -306,27 +301,22 @@ function addException() { var overrideService = Cc["@mozilla.org/security/certoverride;1"] .getService(Ci.nsICertOverrideService); var flags = 0; - let confirmBucketId = - gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_BASE; + let confirmBucketId = gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_BASE; if (gSSLStatus.isUntrusted) { flags |= overrideService.ERROR_UNTRUSTED; - confirmBucketId += - gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_UNTRUSTED; + confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_UNTRUSTED; } if (gSSLStatus.isDomainMismatch) { flags |= overrideService.ERROR_MISMATCH; - confirmBucketId += - gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_DOMAIN; + confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_DOMAIN; } if (gSSLStatus.isNotValidAtThisTime) { flags |= overrideService.ERROR_TIME; - confirmBucketId += - gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_TIME; + confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_TIME; } var permanentCheckbox = document.getElementById("permanent"); - var shouldStorePermanently = permanentCheckbox.checked && - !inPrivateBrowsingMode(); + var shouldStorePermanently = permanentCheckbox.checked && !inPrivateBrowsingMode(); if (!permanentCheckbox.checked) { gSecHistogram.add(gNsISecTel.WARNING_BAD_CERT_TOP_DONT_REMEMBER_EXCEPTION); } diff --git a/security/manager/ssl/TransportSecurityInfo.cpp b/security/manager/ssl/TransportSecurityInfo.cpp index 287ba44e6c92..b39949b6c487 100644 --- a/security/manager/ssl/TransportSecurityInfo.cpp +++ b/security/manager/ssl/TransportSecurityInfo.cpp @@ -51,6 +51,7 @@ TransportSecurityInfo::TransportSecurityInfo() NS_IMPL_ISUPPORTS(TransportSecurityInfo, nsITransportSecurityInfo, nsIInterfaceRequestor, + nsISSLStatusProvider, nsIAssociatedContentSecurity, nsISerializable, nsIClassInfo) @@ -364,7 +365,7 @@ TransportSecurityInfo::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc) return NS_OK; } -NS_IMETHODIMP +nsresult TransportSecurityInfo::GetSSLStatus(nsISSLStatus** _result) { NS_ENSURE_ARG_POINTER(_result); diff --git a/security/manager/ssl/TransportSecurityInfo.h b/security/manager/ssl/TransportSecurityInfo.h index 4361d8249d87..86974e641ac5 100644 --- a/security/manager/ssl/TransportSecurityInfo.h +++ b/security/manager/ssl/TransportSecurityInfo.h @@ -16,6 +16,7 @@ #include "nsDataHashtable.h" #include "nsIAssociatedContentSecurity.h" #include "nsIInterfaceRequestor.h" +#include "nsISSLStatusProvider.h" #include "nsITransportSecurityInfo.h" #include "nsSSLStatus.h" #include "nsString.h" @@ -25,6 +26,7 @@ namespace mozilla { namespace psm { class TransportSecurityInfo : public nsITransportSecurityInfo , public nsIInterfaceRequestor + , public nsISSLStatusProvider , public nsIAssociatedContentSecurity , public nsISerializable , public nsIClassInfo @@ -37,6 +39,7 @@ public: NS_DECL_THREADSAFE_ISUPPORTS NS_DECL_NSITRANSPORTSECURITYINFO NS_DECL_NSIINTERFACEREQUESTOR + NS_DECL_NSISSLSTATUSPROVIDER NS_DECL_NSIASSOCIATEDCONTENTSECURITY NS_DECL_NSISERIALIZABLE NS_DECL_NSICLASSINFO diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build index d8d7512967c6..d4092d2773cc 100644 --- a/security/manager/ssl/moz.build +++ b/security/manager/ssl/moz.build @@ -36,6 +36,7 @@ XPIDL_SOURCES += [ 'nsISecurityUITelemetry.idl', 'nsISiteSecurityService.idl', 'nsISSLStatus.idl', + 'nsISSLStatusProvider.idl', 'nsITokenDialogs.idl', 'nsITokenPasswordDialogs.idl', 'nsIX509Cert.idl', diff --git a/security/manager/ssl/nsISSLStatusProvider.idl b/security/manager/ssl/nsISSLStatusProvider.idl new file mode 100644 index 000000000000..83048f179436 --- /dev/null +++ b/security/manager/ssl/nsISSLStatusProvider.idl @@ -0,0 +1,13 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsISSLStatus; + +[scriptable, uuid(179b1ab1-0950-4427-9556-6f496dc4a27f)] +interface nsISSLStatusProvider : nsISupports { + readonly attribute nsISSLStatus SSLStatus; +}; diff --git a/security/manager/ssl/nsSecureBrowserUIImpl.cpp b/security/manager/ssl/nsSecureBrowserUIImpl.cpp index 48cf86723d15..a2f24df7c4af 100644 --- a/security/manager/ssl/nsSecureBrowserUIImpl.cpp +++ b/security/manager/ssl/nsSecureBrowserUIImpl.cpp @@ -89,7 +89,8 @@ nsSecureBrowserUIImpl::nsSecureBrowserUIImpl() NS_IMPL_ISUPPORTS(nsSecureBrowserUIImpl, nsISecureBrowserUI, nsIWebProgressListener, - nsISupportsWeakReference) + nsISupportsWeakReference, + nsISSLStatusProvider) NS_IMETHODIMP nsSecureBrowserUIImpl::Init(mozIDOMWindowProxy* aWindow) @@ -373,21 +374,23 @@ nsSecureBrowserUIImpl::EvaluateAndUpdateSecurityState(nsIRequest* aRequest, ("SecureUI:%p: OnStateChange: remember mNewToplevelSecurityState => %x\n", this, mNewToplevelSecurityState)); - nsCOMPtr psmInfo(do_QueryInterface(info)); - if (psmInfo) { + nsCOMPtr sp(do_QueryInterface(info)); + if (sp) { // Ignore result updateStatus = true; - (void) psmInfo->GetSSLStatus(getter_AddRefs(temp_SSLStatus)); + (void) sp->GetSSLStatus(getter_AddRefs(temp_SSLStatus)); if (temp_SSLStatus) { bool aTemp; if (NS_SUCCEEDED(temp_SSLStatus->GetIsExtendedValidation(&aTemp))) { mNewToplevelIsEV = aTemp; } } - mSecInfo = psmInfo; } mNewToplevelSecurityStateKnown = true; + if (updateStatus) { + mSSLStatus = temp_SSLStatus; + } MOZ_LOG(gSecureDocLog, LogLevel::Debug, ("SecureUI:%p: remember securityInfo %p\n", this, info)); @@ -1011,7 +1014,7 @@ nsSecureBrowserUIImpl::UpdateSecurityState(nsIRequest* aRequest, // If we have no security, we also shouldn't have any SSL status. if (newSecurityState == lis_no_security) { - mSecInfo = nullptr; + mSSLStatus = nullptr; } } @@ -1163,8 +1166,9 @@ nsSecureBrowserUIImpl::OnSecurityChange(nsIWebProgress* aWebProgress, return NS_OK; } +// nsISSLStatusProvider methods NS_IMETHODIMP -nsSecureBrowserUIImpl::GetSecInfo(nsITransportSecurityInfo** _result) +nsSecureBrowserUIImpl::GetSSLStatus(nsISSLStatus** _result) { NS_ENSURE_ARG_POINTER(_result); MOZ_ASSERT(NS_IsMainThread()); @@ -1183,7 +1187,7 @@ nsSecureBrowserUIImpl::GetSecInfo(nsITransportSecurityInfo** _result) return NS_OK; } - *_result = mSecInfo; + *_result = mSSLStatus; NS_IF_ADDREF(*_result); return NS_OK; diff --git a/security/manager/ssl/nsSecureBrowserUIImpl.h b/security/manager/ssl/nsSecureBrowserUIImpl.h index d8c3b0f9a7cf..0c8fae120e6d 100644 --- a/security/manager/ssl/nsSecureBrowserUIImpl.h +++ b/security/manager/ssl/nsSecureBrowserUIImpl.h @@ -10,13 +10,14 @@ #include "mozilla/ReentrancyGuard.h" #include "nsCOMPtr.h" #include "nsINetUtil.h" +#include "nsISSLStatusProvider.h" #include "nsISecureBrowserUI.h" #include "nsISecurityEventSink.h" #include "nsIURI.h" #include "nsIWebProgressListener.h" #include "nsWeakReference.h" -class nsITransportSecurityInfo; +class nsISSLStatus; class nsIChannel; #define NS_SECURE_BROWSER_UI_CID \ @@ -25,7 +26,8 @@ class nsIChannel; class nsSecureBrowserUIImpl : public nsISecureBrowserUI, public nsIWebProgressListener, - public nsSupportsWeakReference + public nsSupportsWeakReference, + public nsISSLStatusProvider { friend class mozilla::ReentrancyGuard; @@ -35,6 +37,7 @@ public: NS_DECL_ISUPPORTS NS_DECL_NSIWEBPROGRESSLISTENER NS_DECL_NSISECUREBROWSERUI + NS_DECL_NSISSLSTATUSPROVIDER protected: virtual ~nsSecureBrowserUIImpl() {}; @@ -84,7 +87,7 @@ protected: void ObtainEventSink(nsIChannel *channel, nsCOMPtr &sink); - nsCOMPtr mSecInfo; + nsCOMPtr mSSLStatus; nsCOMPtr mCurrentToplevelSecurityInfo; PLDHashTable mTransferringRequests; diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js index 5429475586d1..5a292a36c42d 100644 --- a/security/manager/ssl/tests/unit/head_psm.js +++ b/security/manager/ssl/tests/unit/head_psm.js @@ -720,7 +720,8 @@ FakeSSLStatus.prototype = { // Helper function for add_cert_override_test. Probably doesn't need to be // called directly. function add_cert_override(aHost, aExpectedBits, aSecurityInfo) { - let sslstatus = aSecurityInfo.SSLStatus; + let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; let bits = (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) | (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) | @@ -748,7 +749,8 @@ function add_cert_override_test(aHost, aExpectedBits, aExpectedError, Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, "Cert override flag should be set on the security state"); if (aExpectedSSLStatus) { - let sslstatus = aSecurityInfo.SSLStatus; + let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; if (aExpectedSSLStatus.failedCertChain) { ok(aExpectedSSLStatus.failedCertChain.equals(sslstatus.failedCertChain)); } @@ -761,7 +763,8 @@ function add_cert_override_test(aHost, aExpectedBits, aExpectedError, // SSLStatus set on it. In this case, the error was not overridable anyway, so // we consider it a success. function attempt_adding_cert_override(aHost, aExpectedBits, aSecurityInfo) { - let sslstatus = aSecurityInfo.SSLStatus; + let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; if (sslstatus) { let bits = (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) | diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js index 9910827cfba8..3bdc0c1077be 100644 --- a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js +++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js @@ -10,7 +10,8 @@ // Helper function for add_read_only_cert_override_test. Probably doesn't need // to be called directly. function add_read_only_cert_override(aHost, aExpectedBits, aSecurityInfo) { - let sslstatus = aSecurityInfo.SSLStatus; + let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; let bits = (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) | (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) | diff --git a/security/manager/ssl/tests/unit/test_ct.js b/security/manager/ssl/tests/unit/test_ct.js index 57dd2c032ed5..08eb74298bab 100644 --- a/security/manager/ssl/tests/unit/test_ct.js +++ b/security/manager/ssl/tests/unit/test_ct.js @@ -11,7 +11,8 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"] function expectCT(value) { return (securityInfo) => { - let sslStatus = securityInfo.SSLStatus; + let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; Assert.equal(sslStatus.certificateTransparencyStatus, value, "actual and expected CT status should match"); }; diff --git a/security/manager/ssl/tests/unit/test_session_resumption.js b/security/manager/ssl/tests/unit/test_session_resumption.js index 4923e14f1b68..58303b3e9a20 100644 --- a/security/manager/ssl/tests/unit/test_session_resumption.js +++ b/security/manager/ssl/tests/unit/test_session_resumption.js @@ -41,7 +41,9 @@ function add_resume_non_ev_with_override_test() { ok(transportSecurityInfo.securityState & Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag"); - let sslStatus = transportSecurityInfo.SSLStatus; + let sslStatus = transportSecurityInfo + .QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; ok(!sslStatus.succeededCertChain, "ev-test.example.com should not have succeededCertChain set"); ok(!sslStatus.isDomainMismatch, @@ -66,7 +68,9 @@ function add_one_ev_test() { ok(!(transportSecurityInfo.securityState & Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN), "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag"); - let sslStatus = transportSecurityInfo.SSLStatus; + let sslStatus = transportSecurityInfo + .QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; ok(sslStatus.succeededCertChain, "ev-test.example.com should have succeededCertChain set"); ok(!sslStatus.isDomainMismatch, @@ -126,7 +130,9 @@ function add_one_non_ev_test() { ok(!(transportSecurityInfo.securityState & Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN), `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`); - let sslStatus = transportSecurityInfo.SSLStatus; + let sslStatus = transportSecurityInfo + .QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; ok(sslStatus.succeededCertChain, `${GOOD_DOMAIN} should have succeededCertChain set`); ok(!sslStatus.isDomainMismatch, diff --git a/security/manager/ssl/tests/unit/test_ssl_status.js b/security/manager/ssl/tests/unit/test_ssl_status.js index e652e78ca421..2352e584eedb 100644 --- a/security/manager/ssl/tests/unit/test_ssl_status.js +++ b/security/manager/ssl/tests/unit/test_ssl_status.js @@ -20,8 +20,8 @@ function run_test() { // succeededCertChain should be set as expected) add_connection_test( "good.include-subdomains.pinning.example.com", PRErrorCodeSuccess, null, - function withSecurityInfo(aSecInfo) { - let sslstatus = aSecInfo.SSLStatus; + function withSecurityInfo(aSSLStatus) { + let sslstatus = aSSLStatus.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus; equal(sslstatus.failedCertChain, null, "failedCertChain for a successful connection should be null"); ok(sslstatus.succeededCertChain.equals(build_cert_chain(["default-ee", "test-ca"])), @@ -33,8 +33,8 @@ function run_test() { // succeededCertChain should be null) add_connection_test( "expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE, null, - function withSecurityInfo(aSecInfo) { - let sslstatus = aSecInfo.SSLStatus; + function withSecurityInfo(aSSLStatus) { + let sslstatus = aSSLStatus.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus; equal(sslstatus.succeededCertChain, null, "succeededCertChain for a failed connection should be null"); ok(sslstatus.failedCertChain.equals(build_cert_chain(["expired-ee", "test-ca"])), diff --git a/security/manager/tools/getHSTSPreloadList.js b/security/manager/tools/getHSTSPreloadList.js index 5e10239a1c81..2a0a0efafb53 100644 --- a/security/manager/tools/getHSTSPreloadList.js +++ b/security/manager/tools/getHSTSPreloadList.js @@ -111,8 +111,8 @@ function processStsHeader(host, header, status, securityInfo) { if (header != null && securityInfo != null) { try { let uri = Services.io.newURI("https://" + host.name); - let sslStatus = securityInfo. - QueryInterface(Ci.nsITransportSecurityInfo).SSLStatus; + let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, header, sslStatus, 0, Ci.nsISiteSecurityService.SOURCE_PRELOAD_LIST, diff --git a/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py b/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py index 8a5c692ecc65..63297adb94d8 100644 --- a/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py +++ b/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py @@ -40,7 +40,8 @@ class Security(BaseLib): """ cert = self.marionette.execute_script(""" var securityUI = arguments[0].linkedBrowser.securityUI; - var status = securityUI.secInfo.SSLStatus; + var status = securityUI.QueryInterface(Components.interfaces.nsISSLStatusProvider) + .SSLStatus; return status ? status.serverCert : null; """, script_args=[tab_element]) diff --git a/toolkit/content/browser-child.js b/toolkit/content/browser-child.js index 31a5fa50d7bf..a378eb63ec26 100644 --- a/toolkit/content/browser-child.js +++ b/toolkit/content/browser-child.js @@ -215,7 +215,7 @@ var WebProgressListener = { let objects = this._setupObjects(aWebProgress, aRequest); json.state = aState; - json.secInfo = SecurityUI.getSecInfoAsString(); + json.status = SecurityUI.getSSLStatusAsString(); json.matchedList = null; if (aRequest && aRequest instanceof Ci.nsIClassifiedChannel) { @@ -374,17 +374,15 @@ var WebNavigation = { WebNavigation.init(); var SecurityUI = { - getSecInfoAsString() { - let secInfo = docShell.securityUI.secInfo; + getSSLStatusAsString() { + let status = docShell.securityUI.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus; - if (secInfo) { - if (secInfo) { - let helper = Cc["@mozilla.org/network/serialization-helper;1"] - .getService(Ci.nsISerializationHelper); + if (status) { + let helper = Cc["@mozilla.org/network/serialization-helper;1"] + .getService(Ci.nsISerializationHelper); - secInfo.QueryInterface(Ci.nsISerializable); - return helper.serializeToString(secInfo); - } + status.QueryInterface(Ci.nsISerializable); + return helper.serializeToString(status); } return null; diff --git a/toolkit/modules/CertUtils.jsm b/toolkit/modules/CertUtils.jsm index 252b319b43fc..ab35d04291e5 100644 --- a/toolkit/modules/CertUtils.jsm +++ b/toolkit/modules/CertUtils.jsm @@ -143,7 +143,7 @@ function checkCert(aChannel, aAllowNonBuiltInCerts, aCerts) { return; } - let sslStatus = aChannel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo) + let sslStatus = aChannel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider) .SSLStatus; let cert = sslStatus.serverCert; diff --git a/toolkit/modules/RemoteSecurityUI.jsm b/toolkit/modules/RemoteSecurityUI.jsm index 10ee842fcf61..47fd63b63bcf 100644 --- a/toolkit/modules/RemoteSecurityUI.jsm +++ b/toolkit/modules/RemoteSecurityUI.jsm @@ -8,20 +8,22 @@ var EXPORTED_SYMBOLS = ["RemoteSecurityUI"]; ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm"); function RemoteSecurityUI() { - this._secInfo = null; + this._SSLStatus = null; this._state = 0; } RemoteSecurityUI.prototype = { - QueryInterface: ChromeUtils.generateQI([Ci.nsISecureBrowserUI]), + QueryInterface: ChromeUtils.generateQI([Ci.nsISSLStatusProvider, Ci.nsISecureBrowserUI]), + + // nsISSLStatusProvider + get SSLStatus() { return this._SSLStatus; }, // nsISecureBrowserUI get state() { return this._state; }, get tooltipText() { return ""; }, - get secInfo() { return this._secInfo; }, - _update(aSecInfo, aState) { - this._secInfo = aSecInfo; + _update(aStatus, aState) { + this._SSLStatus = aStatus; this._state = aState; } }; diff --git a/toolkit/modules/RemoteWebProgress.jsm b/toolkit/modules/RemoteWebProgress.jsm index c384e053e545..bcdb4979e266 100644 --- a/toolkit/modules/RemoteWebProgress.jsm +++ b/toolkit/modules/RemoteWebProgress.jsm @@ -110,14 +110,14 @@ RemoteWebProgressManager.prototype = { this._progressListeners.filter(l => l.listener != aListener); }, - _fixSecInfoAndState(aSecInfo, aState) { + _fixSSLStatusAndState(aStatus, aState) { let deserialized = null; - if (aSecInfo) { + if (aStatus) { let helper = Cc["@mozilla.org/network/serialization-helper;1"] .getService(Ci.nsISerializationHelper); - deserialized = helper.deserializeObject(aSecInfo); - deserialized.QueryInterface(Ci.nsITransportSecurityInfo); + deserialized = helper.deserializeObject(aStatus); + deserialized.QueryInterface(Ci.nsISSLStatus); } return [deserialized, aState]; @@ -241,14 +241,14 @@ RemoteWebProgressManager.prototype = { break; case "Content:SecurityChange": - let [secInfo, state] = this._fixSecInfoAndState(json.secInfo, json.state); + let [status, state] = this._fixSSLStatusAndState(json.status, json.state); if (isTopLevel) { // Invoking this getter triggers the generation of the underlying object, // which we need to access with ._securityUI, because .securityUI returns // a wrapper that makes _update inaccessible. void this._browser.securityUI; - this._browser._securityUI._update(secInfo, state); + this._browser._securityUI._update(status, state); } this._callProgressListeners( diff --git a/toolkit/modules/addons/SecurityInfo.jsm b/toolkit/modules/addons/SecurityInfo.jsm index 44cbe1c33492..de0084398aa6 100644 --- a/toolkit/modules/addons/SecurityInfo.jsm +++ b/toolkit/modules/addons/SecurityInfo.jsm @@ -94,6 +94,7 @@ const SecurityInfo = { } securityInfo.QueryInterface(Ci.nsITransportSecurityInfo); + securityInfo.QueryInterface(Ci.nsISSLStatusProvider); const SSLStatus = securityInfo.SSLStatus; if (NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) { diff --git a/toolkit/modules/tests/chrome/test_bug544442_checkCert.xul b/toolkit/modules/tests/chrome/test_bug544442_checkCert.xul index e4c96f22ed08..213c18de3d7a 100644 --- a/toolkit/modules/tests/chrome/test_bug544442_checkCert.xul +++ b/toolkit/modules/tests/chrome/test_bug544442_checkCert.xul @@ -87,7 +87,7 @@ function testXHRLoad(aEvent) { "attributes array passed to checkCert has an element that has an " + "issuerName that is not the same as the certificate's"); - var cert = channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo). + var cert = channel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider). SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert; certs = [ { issuerName: cert.issuerName, diff --git a/toolkit/mozapps/update/nsUpdateService.js b/toolkit/mozapps/update/nsUpdateService.js index 110674f3a8fa..cc591421495e 100644 --- a/toolkit/mozapps/update/nsUpdateService.js +++ b/toolkit/mozapps/update/nsUpdateService.js @@ -3116,7 +3116,7 @@ Checker.prototype = { // Set MitM pref. try { var sslStatus = request.channel.QueryInterface(Ci.nsIRequest) - .securityInfo.QueryInterface(Ci.nsITransportSecurityInfo) + .securityInfo.QueryInterface(Ci.nsISSLStatusProvider) .SSLStatus.QueryInterface(Ci.nsISSLStatus); if (sslStatus && sslStatus.serverCert && sslStatus.serverCert.issuerName) { Services.prefs.setStringPref("security.pki.mitm_canary_issuer",