bug 961528 - holepunch chart.apis.google.com from the HSTS preload list r=briansmith a=sylvestre
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 11 Feb 2014 10:21:57 -0800
changeset 182796 c4f4eed7a86e490f00c4779637ce8177f0e6204e
parent 182795 6646af3b090ea58e4e4dbdf2af92a93ea1ef957d
child 182797 d79fa91dfabe307abdaf71be62b8b6a60978dcd9
push id3343
push userffxbld
push dateMon, 17 Mar 2014 21:55:32 +0000
treeherdermozilla-beta@2f7d3415f79f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbriansmith, sylvestre
bugs961528
milestone29.0a2
bug 961528 - holepunch chart.apis.google.com from the HSTS preload list r=briansmith a=sylvestre
security/manager/boot/src/nsSiteSecurityService.cpp
security/manager/ssl/tests/unit/test_sts_holepunch.js
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/manager/boot/src/nsSiteSecurityService.cpp
+++ b/security/manager/boot/src/nsSiteSecurityService.cpp
@@ -455,16 +455,22 @@ nsSiteSecurityService::IsSecureURI(uint3
   nsresult rv = GetHost(aURI, host);
   NS_ENSURE_SUCCESS(rv, rv);
 
   /* An IP address never qualifies as a secure URI. */
   if (HostIsIPAddress(host.BeginReading())) {
     return NS_OK;
   }
 
+  // Holepunch chart.apis.google.com and subdomains.
+  if (host.Equals(NS_LITERAL_CSTRING("chart.apis.google.com")) ||
+      StringEndsWith(host, NS_LITERAL_CSTRING(".chart.apis.google.com"))) {
+    return NS_OK;
+  }
+
   const nsSTSPreload *preload = nullptr;
   nsSSSHostEntry *pbEntry = nullptr;
 
   bool isPrivate = aFlags & nsISocketProvider::NO_PERMANENT_STORAGE;
   if (isPrivate) {
     pbEntry = mPrivateModeHostTable.GetEntry(host.get());
   }
 
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_holepunch.js
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+"use strict";
+
+// bug 961528: chart.apis.google.com doesn't handle https. Check that
+// it isn't considered HSTS (other example.apis.google.com hosts should be
+// HSTS as long as they're on the preload list, however).
+function run_test() {
+  let SSService = Cc["@mozilla.org/ssservice;1"]
+                    .getService(Ci.nsISiteSecurityService);
+  do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                        "chart.apis.google.com", 0));
+  do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                        "CHART.APIS.GOOGLE.COM", 0));
+  do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                        "sub.chart.apis.google.com", 0));
+  do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                        "SUB.CHART.APIS.GOOGLE.COM", 0));
+  do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       "example.apis.google.com", 0));
+  do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       "EXAMPLE.APIS.GOOGLE.COM", 0));
+  do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       "sub.example.apis.google.com", 0));
+  do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       "SUB.EXAMPLE.APIS.GOOGLE.COM", 0));
+  // also check isSecureURI
+  let chartURI = Services.io.newURI("http://chart.apis.google.com", null, null);
+  do_check_false(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       chartURI, 0));
+  let otherURI = Services.io.newURI("http://other.apis.google.com", null, null);
+  do_check_true(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                      otherURI, 0));
+}
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -24,16 +24,17 @@ skip-if = os == "android"
 [test_hash_algorithms.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_hmac.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
+[test_sts_holepunch.js]
 [test_ocsp_stapling.js]
 run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_ocsp_stapling_expired.js]
 run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"