Bug 926102 - Firefox for Android offers cert error overrides for HSTS sites, even though the override will never be honored r=margaret
authorMark Finkle <mfinkle@mozilla.com>
Thu, 24 Oct 2013 05:50:59 -0400
changeset 165749 88a17d5958447fb3942d26bfc9428bc2823eb9b3
parent 165748 27d18354871e047846d1a18f55dabc9df681686a
child 165750 2734d5adbf357ac6ff3e812b49feb764d43dad38
push id3066
push userakeybl@mozilla.com
push dateMon, 09 Dec 2013 19:58:46 +0000
reviewersmargaret
bugs926102
milestone27.0a1
Bug 926102 - Firefox for Android offers cert error overrides for HSTS sites, even though the override will never be honored r=margaret
mobile/android/chrome/content/aboutCertError.xhtml
mobile/android/themes/core/netError.css
--- a/mobile/android/chrome/content/aboutCertError.xhtml
+++ b/mobile/android/chrome/content/aboutCertError.xhtml
@@ -80,16 +80,22 @@
         };
         replaceWithHost(intro);
 
         if (getCSSClass() == "expertBadCert") {
           toggle('technicalContent');
           toggle('expertContent');
         }
 
+        // Disallow overrides if this is a Strict-Transport-Security
+        // host and the cert is bad (STS Spec section 7.3) or if the
+        // certerror is in a frame (bug 633691).
+        if (getCSSClass() == "badStsCert" || window != top)
+          document.getElementById("expertContent").setAttribute("hidden", "true");
+
         var tech = document.getElementById("technicalContentText");
         if (tech)
           tech.textContent = getDescription();
 
         addDomainErrorLink();
       }
 
       /* In the case of SSL error pages about domain mismatch, see if
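Review bot: The added check suppresses the override only by setting `hidden` on `expertContent`, so the control is purely presentational: the buttons stay in the DOM, and whether they are actually unreachable depends on the stylesheet rules for `[hidden]`. The code that handles the exception buttons is outside this hunk, so it is not visible whether it independently refuses an override for a `badStsCert` page or for an error page loaded in a frame. If it does not, it should, so that UI state is not the only thing standing between the user and an override that the comment's "STS Spec section 7.3" forbids. Within the hunk I would also read the class once and brace the body, e.g. `var cssClass = getCSSClass();` then `if (cssClass == "badStsCert" || window != top) { … }`, since `getCSSClass()` is now called twice in a row. The enclosing function starts above the hunk.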
--- a/mobile/android/themes/core/netError.css
+++ b/mobile/android/themes/core/netError.css
@@ -125,17 +125,18 @@ button + button {
 
 div[collapsed="true"] > .expander {
   background-image: url("chrome://browser/skin/images/dropmarker-right.svg");
   /* dropmarker.svg is 7x10. Ensure that its centered in the middle of an 18x18 box */
   background-size: 7px 10px;
   background-position: 5.5px 4px;
 }
 
-/* Hide the first element after the expander */
+div[hidden] > .expander,
+div[hidden] > .expander + *,
 div[collapsed="true"] > .expander + * {
   display: none;
 }
 
 .blockedsite h1 {
   border-bottom-color: #9b2e2e;
 }
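Review bot: The two new selectors hide only `.expander` and the element immediately after it inside a `div[hidden]`, so any further children of the hidden container are hidden only if the default `[hidden]` styling applies to the container itself. The markup of `expertContent` is not visible here, so this may be fine today, but it is fragile for a rule that keeps the certificate-override buttons off screen. Hiding the container directly, `div[hidden] { display: none; }`, would cover every child regardless of order. The hunk also drops the old comment without replacing it; something like `/* Hide the expander and its content when the section is hidden (no override allowed) or collapsed */` would record why `hidden` is styled here.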