Issue #1280 - Un-bust certerror pages and ForgetAboutSite

author: wolfbeast <mcwerewolf@wolfbeast.com> 2020-03-31 09:44:30 +0200
committer: wolfbeast <mcwerewolf@wolfbeast.com> 2020-03-31 09:44:30 +0200
commit: a205ee7040b74ff67717ba44723abbdc0dab02e1 (patch)
tree: 72517c9cb8a2662bf61548cff52ff70ed0d20132 /docshell
parent: 3bc5d67c982cc4acdc4db2be1c1b517816401d54 (diff)
download: uxp-a205ee7040b74ff67717ba44723abbdc0dab02e1.tar.gz
1 files changed, 4 insertions, 13 deletions
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 6104ebfa71..f53d89e819 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -4943,13 +4943,11 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
       if (errorClass == nsINSSErrorsService::ERROR_CLASS_BAD_CERT) {
         error.AssignLiteral("nssBadCert");
 
-        // If this is an HTTP Strict Transport Security host or a pinned host
-        // and the certificate is bad, don't allow overrides (RFC 6797 section
-        // 12.1, HPKP draft spec section 2.6).
+        // If this is an HTTP Strict Transport Security host, don't allow
+        // overrides (RFC 6797 section 12.1).
         uint32_t flags =
           UsePrivateBrowsing() ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
         bool isStsHost = false;
-        bool isPinnedHost = false;
         if (XRE_IsParentProcess()) {
           nsCOMPtr<nsISiteSecurityService> sss =
             do_GetService(NS_SSSERVICE_CONTRACTID, &rv);
@@ -4957,9 +4955,6 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
           rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, aURI,
                                 flags, nullptr, &isStsHost);
           NS_ENSURE_SUCCESS(rv, rv);
-          rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HPKP, aURI,
-                                flags, nullptr, &isPinnedHost);
-          NS_ENSURE_SUCCESS(rv, rv);
         } else {
           mozilla::dom::ContentChild* cc =
             mozilla::dom::ContentChild::GetSingleton();
@@ -4967,8 +4962,6 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
           SerializeURI(aURI, uri);
           cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HSTS, uri, flags,
                               &isStsHost);
-          cc->SendIsSecureURI(nsISiteSecurityService::HEADER_HPKP, uri, flags,
-                              &isPinnedHost);
         }
 
         if (Preferences::GetBool(
@@ -4976,11 +4969,9 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
           cssClass.AssignLiteral("expertBadCert");
         }
 
-        // HSTS/pinning takes precedence over the expert bad cert pref. We
+        // HSTS takes precedence over the expert bad cert pref. We
         // never want to show the "Add Exception" button for these sites.
-        // In the future we should differentiate between an HSTS host and a
-        // pinned host and display a more informative message to the user.
-        if (isStsHost || isPinnedHost) {
+        if (isStsHost) {
           cssClass.AssignLiteral("badStsCert");
         }
author	wolfbeast <mcwerewolf@wolfbeast.com>	2020-03-31 09:44:30 +0200
committer	wolfbeast <mcwerewolf@wolfbeast.com>	2020-03-31 09:44:30 +0200
commit	a205ee7040b74ff67717ba44723abbdc0dab02e1 (patch)
tree	72517c9cb8a2662bf61548cff52ff70ed0d20132 /docshell
parent	3bc5d67c982cc4acdc4db2be1c1b517816401d54 (diff)
download	uxp-a205ee7040b74ff67717ba44723abbdc0dab02e1.tar.gz