Adds secureonly.example.com:443 to server-locations.txt - this host is only available on HTTPS.
Regenerates certs using `./mach python build/pgo/genpgocert.py` command.
Sets network.dns.native-is-localhost pref in test so we don't trigger assertion.
Differential Revision: https://phabricator.services.mozilla.com/D94005
This removes processing of HTTP Public Key Pinning headers, remotely modifying
pinning information, and using cached pinning information, all of which was
already disabled in bug 1412438. Static pins that ship with the browser are
still enforced.
Differential Revision: https://phabricator.services.mozilla.com/D73352
WebAuthn needs to write a test to confirm it's prohibited when accessed via
an IP address. This adds the capability to get a SecureContext for an IP host.
It uses 127.0.0.2 so as to bypass restrictions on 127.0.0.1, and the use of .1
as a special-market in ssltunnel.
Differential Revision: https://phabricator.services.mozilla.com/D63570
--HG--
extra : moz-landing-system : lando
The incorrect LEGACY_BUILD_ID will be fixed in a subsequent changeset.
We must add https://www.mozilla.org/ to server-locations.txt and regenerate the mochitest certificates [1] because the new navigator.buildID test pretends to load content from https://www.mozilla.org/.
[1] https://searchfox.org/mozilla-central/source/build/pgo/certs/README
Differential Revision: https://phabricator.services.mozilla.com/D7982
--HG--
rename : dom/tests/mochitest/bugs/test_bug351601.html => dom/tests/mochitest/bugs/test_navigator_buildID.html
extra : rebase_source : 1deb142930f1a7a570cf719c4cb2bed8adfeabe2
extra : source : 408bff32f9623513a271cdf043d11ba6d1318e03
(This also fixes Bug 879740 and Bug 1204543.)
build/pgo/certs contains an NSS database set that has a bunch of hand-generated
certificates, and many of these hand-generated certificates are specifically
depended upon for a variety of unit tests. This patch changes all of these to
use the "pycert.py" and "pykey.py" utilities that produce deterministic keys
and certificates.
The naming convention here is new, and defined in the README. It is based on
the mochitest runtest.py naming convention that imports .ca and .client
PEM-encoded certificates.
Unfortunately, the updates to build/pgo/genpgocert.py to generate these files
depends on OpenSSL in order to produce PKCS12 archives for pk11tool to import
into NSS. This could be done with pure-NSS tooling, but it'd require some new
command line functionality, which is out-of-scope for this change.
Note that build/pgo/genpgocert.py no longer takes arguments when run. It's not
run automatically anywhere that I can see, but could (reasonably) be, now.
Differential Revision: https://phabricator.services.mozilla.com/D971
--HG--
extra : amend_source : bc389b9b0a807a4889feb14db439daa28635dfe9
This patch does a few things:
1) It removes the symantecRoot and symantec_affected certs from build/pgo/certs'
DB.
2) It upgrades that DB from the old format to SQLite (and this 8/3 to 9/4).
3) It adds a new cert "imminently_distrusted" to that DB for the bc test.
4) It changes the Subject of the immient distrust test to only have the CN
field: this is because certutil reorders C to come after CN, and just like
with the real Symantec certs, I had put C first. So rather than deal with
importing the end entity for the pgo tests, I decided to just make things
simple and change the tested subject.
5) Finally, it re-enables the test that was disabled in Bug 1434300.
MozReview-Commit-ID: Bt2RKyInJje
--HG--
rename : build/pgo/certs/cert8.db => build/pgo/certs/cert9.db
rename : build/pgo/certs/key3.db => build/pgo/certs/key4.db
extra : rebase_source : efceb67ae16f0af617bbd8bec201d52eee0f467d
There are xpcshell tests to verify that the appropriate distrust flag is set
upon reaching an affected end entity certificate; this test checks that the
distrust flag prints a warning to console.
MozReview-Commit-ID: OMG246WOOT
--HG--
rename : devtools/client/webconsole/test/browser_webconsole_certificate_messages.js => devtools/client/webconsole/test/browser_console_certificate_imminent_distrust.js
extra : rebase_source : a5fed5457e7789e742ee461b988463b81cd2c214
The previous implementation regarding to the Flash Blocking Subdocument list blocked all subdocuments that matched the list. This patch changes that so that subdocuments are only blocked if they are on the Subdocument Block List and also are loaded in a Third-Party context.
The changes to cert8.db and key3.db add the https certificate for subdocument.example.com so that testing can verify that a scheme mismatch between the document and its parent results in a third-party classification.
MozReview-Commit-ID: IXnA4iPzB4y
--HG--
extra : rebase_source : 103c1e184d4219e6db9d00da1ea54674a0e216dd
Valentin Gosu
Moritz Birghan
Butkovits Atila
prathiksha
Dorel Luca
Dana Keeler
Arthur Iakab
Lupita Arroyo
J.C. Jones
Nihanth Subramanya
Kevin Jacobs
Ehsan Akhgari
Oana Pop Rus
Carolina Jimenez Gomez
Johann Hofmann
Wes Kocher
Cosmin Sabou
Gurzau Raul
Chris Peterson
Tim Taubert
Kirk Steuber
Jonathan Kingston
Paolo Amadini
Cykesiopka
Masatoshi Kimura
Ryan VanderMeulen
Mark Goodwin
Carsten "Tomcat" Book
Camilo Viecco
Marco Castelluccio