Completely remove verifyChannelSecurity and related pref. default tip
authorEdward Lee <edilee@mozilla.com>
Tue, 19 Nov 2013 15:12:00 -0800
changeset 718 c003747a44beb6822d5c247a674c955253aecc9a
parent 717 a96171a106dabecba49b67ba72eddde36f527384
push id567
push useredward.lee@engineering.uiuc.edu
push dateTue, 19 Nov 2013 23:12:02 +0000
Completely remove verifyChannelSecurity and related pref.
extension/modules/remote-experiment-loader.js
--- a/extension/modules/remote-experiment-loader.js
+++ b/extension/modules/remote-experiment-loader.js
@@ -1,95 +1,20 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 const BASE_URL_PREF = "extensions.testpilot.indexBaseURL";
-const SSL_DOWNLOAD_REQUIRED_PREF = "extensions.testpilot.ssldownloadrequired";
 
 var Cuddlefish = require("cuddlefish");
 var resolveUrl = require("url").resolve;
 var SecurableModule = require("securable-module");
 let JarStore = require("jar-code-store").JarStore;
 let prefs = require("preferences-service");
 
-/* Security info should look like this:
- * Security Info:
-	Security state: secure
-	Security description: Authenticated by Equifax
-	Security error message: null
-
-Certificate Status:
-	Verification: OK
-	Common name (CN) = *.mozillalabs.com
-	Organisation = Mozilla Corporation
-	Issuer = Equifax
-	SHA1 fingerprint = E5:CD:91:97:08:E6:88:F2:A2:AE:31:3C:F9:91:8D:14:33:07:C4:EE
-	Valid from 8/12/09 14:04:39
-	Valid until 8/14/11 3:27:26
- */
-
-function verifyChannelSecurity(channel) {
-  // http://mdn.beonex.com/En/How_to_check_the_security_state_of_an_XMLHTTPRequest_over_SSL
-  // Expect channel to have security state = secure, CN = *.mozillalabs.com,
-  // Organization = "Mozilla Corporation", verification = OK.
-  console.info("Verifying SSL channel security info before download...");
-
-  try {
-    if (! channel instanceof  Ci.nsIChannel) {
-      console.warn("Not a channel.  This should never happen.");
-      return false;
-    }
-    let secInfo = channel.securityInfo;
-
-    if (secInfo instanceof Ci.nsITransportSecurityInfo) {
-      secInfo.QueryInterface(Ci.nsITransportSecurityInfo);
-      let secState = secInfo.securityState & Ci.nsIWebProgressListener.STATE_IS_SECURE;
-      if (secState != Ci.nsIWebProgressListener.STATE_IS_SECURE) {
-        console.warn("Failing security check: Security state is not secure.");
-        return false;
-      }
-    } else {
-      console.warn("Failing secuity check: No TransportSecurityInfo.");
-      return false;
-    }
-
-    // check SSL certificate details
-    if (secInfo instanceof Ci.nsISSLStatusProvider) {
-      let cert = secInfo.QueryInterface(Ci.nsISSLStatusProvider).
-	SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert;
-
-      let verificationResult = cert.verifyForUsage(
-        Ci.nsIX509Cert.CERT_USAGE_SSLServer);
-      if (verificationResult != Ci.nsIX509Cert.VERIFIED_OK) {
-        console.warn("Failing security check: Cert not verified OK.");
-        return false;
-      }
-      if (cert.commonName != "*.mozillalabs.com") {
-        console.warn("Failing security check: Cert not for *.mozillalabs.com");
-        return false;
-      }
-      if (cert.organization != "Mozilla Corporation") {
-        console.warn("Failing security check: Cert not for Mozilla corporation.");
-        return false;
-      }
-    } else {
-      console.warn("Failing security check: No SSL cert info.");
-      return false;
-    }
-
-    // Passed everything
-    console.info("Channel passed SSL security check.");
-    return true;
-  } catch(err) {
-    console.warn("Failing security check:  Error: " + err);
-    return false;
-  }
-}
-
 function downloadFile(url, cb, lastModified) {
   // lastModified is a timestamp (ms since epoch); if provided, then the file
   // will not be downloaded unless it is newer than this.
   var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
               .createInstance( Ci.nsIXMLHttpRequest );
   req.open('GET', url, true);
   if (lastModified != undefined) {
     let d = new Date();
@@ -101,23 +26,17 @@ function downloadFile(url, cb, lastModif
   //Use binary mode to download jars TODO find a better switch
   if (url.indexOf(".jar") == url.length - 4) {
     console.info("Using binary mode to download jar file.");
     req.overrideMimeType('text/plain; charset=x-user-defined');
   }
   req.onreadystatechange = function(aEvt) {
     if (req.readyState == 4) {
       if (req.status == 200) {
-        // check security channel (for Fx23-), if the user is requesting that.
-        let ssldownloadrequired = prefs.get(SSL_DOWNLOAD_REQUIRED_PREF, false);
-        if (!ssldownloadrequired || verifyChannelSecurity(req.channel)) {
-          cb(req.responseText);
-        } else {
-          cb(null);
-        }
+        cb(req.responseText);
       } else if (req.status == 304) {
         // 304 is "Not Modified", which we can get because we send an
         // If-Modified-Since header.
         console.info("File " + url + " not modified; using cached version.");
         cb(null);
         // calling back with null lets the RemoteExperimentLoader know it should
         // keep using the old cached version of the code.
       } else {
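Review bot: The new `cb(req.responseText);` in the `req.status == 200` branch passes the downloaded body to the caller with no remaining check on how it was fetched, and the comments in this hunk indicate the body is a jar or experiment code that RemoteExperimentLoader caches and uses. The removed check was opt-in (the pref defaulted to false), so default behaviour is unchanged, but integrity now rests entirely on `url` being https and on the platform's own certificate validation. If the URL is built from the `extensions.testpilot.indexBaseURL` pref, as the constant kept at the top of the file suggests, a non-https value would presumably be accepted silently. Consider a minimal guard before the callback, such as `if (!req.channel.URI.schemeIs("https")) { cb(null); return; }`, or add a comment above the call stating why platform TLS validation alone is considered sufficient. The `onreadystatechange` handler and `downloadFile` both continue past the end of this hunk, so any later handling is not visible here.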