bug 1499882 - remove HSTS holepunch for chart.apis.google.com because it now has a valid certificate r=franziskus
authorDana Keeler <dkeeler@mozilla.com>
Tue, 13 Nov 2018 08:14:06 +0000
changeset 446101 7918775acbec8eb792edde32c817db9d193ea6d0
parent 446100 b0298991e6d3f430a6d30bc32e8cf404f87f8f5a
child 446102 ab7f980fd569ddb74134d5b5b22af9d71906fa0b
push id35034
push userccoroiu@mozilla.com
push dateWed, 14 Nov 2018 09:49:38 +0000
treeherdermozilla-central@d8a262837cd3 [default view] [failures only]
reviewersfranziskus
bugs1499882
milestone65.0a1
bug 1499882 - remove HSTS holepunch for chart.apis.google.com because it now has a valid certificate r=franziskus Differential Revision: https://phabricator.services.mozilla.com/D11695
security/manager/ssl/nsSiteSecurityService.cpp
security/manager/ssl/tests/unit/test_sts_holepunch.js
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -1589,29 +1589,18 @@ nsSiteSecurityService::IsSecureHost(uint
     bool enforceTestMode = certVerifier->mPinningMode ==
                            CertVerifier::PinningMode::pinningEnforceTestMode;
     return PublicKeyPinningService::HostHasPins(flatHost.get(),
                                                 mozilla::pkix::Now(),
                                                 enforceTestMode, aOriginAttributes,
                                                 *aResult);
   }
 
-  // Holepunch chart.apis.google.com and subdomains.
   nsAutoCString host(
     PublicKeyPinningService::CanonicalizeHostname(flatHost.get()));
-  if (host.EqualsLiteral("chart.apis.google.com") ||
-      StringEndsWith(host, NS_LITERAL_CSTRING(".chart.apis.google.com"))) {
-    if (aCached) {
-      *aCached = true;
-    }
-    if (aSource) {
-      *aSource = SourcePreload;
-    }
-    return NS_OK;
-  }
 
   // First check the exact host.
   if (HostHasHSTSEntry(host, false, aFlags, aOriginAttributes, aResult,
                        aCached, aSource)) {
     return NS_OK;
   }
 
 
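Review bot: Nothing in this commit checks the behaviour that replaces the holepunch in IsSecureHost. With the early return gone, chart.apis.google.com and its subdomains go through the ordinary `HostHasHSTSEntry` lookup, but test_sts_holepunch.js is deleted rather than updated. Keeping the test with its first four assertions flipped, e.g. `ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, Services.io.newURI("https://chart.apis.google.com"), 0));`, would pin that the host is now upgraded to HTTPS and would catch an accidental reintroduction of the exemption. This presumes the host is covered by the same preload entry that makes example.apis.google.com HSTS in the old test, which should be confirmed against the preload list. IsSecureHost starts and ends outside this hunk.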
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_sts_holepunch.js
+++ /dev/null
@@ -1,37 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-"use strict";
-
-// bug 961528: chart.apis.google.com doesn't handle https. Check that
-// it isn't considered HSTS (other example.apis.google.com hosts should be
-// HSTS as long as they're on the preload list, however).
-function run_test() {
-  let SSService = Cc["@mozilla.org/ssservice;1"]
-                    .getService(Ci.nsISiteSecurityService);
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://chart.apis.google.com"),
-                            0));
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://CHART.APIS.GOOGLE.COM"),
-                            0));
-  ok(!SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.chart.apis.google.com"), 0));
-  ok(!SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://SUB.CHART.APIS.GOOGLE.COM"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://example.apis.google.com"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://EXAMPLE.APIS.GOOGLE.COM"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.example.apis.google.com"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://SUB.EXAMPLE.APIS.GOOGLE.COM"), 0));
-}
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -176,17 +176,16 @@ support-files = sss_readstate_child_work
 # bug 1124289 - run_test_in_child violates the sandbox on android
 skip-if = toolkit == 'android'
 [test_sss_readstate_empty.js]
 [test_sss_readstate_garbage.js]
 [test_sss_readstate_huge.js]
 [test_sss_savestate.js]
 [test_startcom_wosign.js]
 [test_sts_fqdn.js]
-[test_sts_holepunch.js]
 [test_sts_ipv4_ipv6.js]
 [test_sts_parser.js]
 [test_sts_preload_dynamic.js]
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
 [test_symantec_apple_google.js]
 run-sequentially = hardcoded ports
 [test_validity.js]