Bug 926102 - Firefox for Android offers cert error overrides for HSTS sites, even though the override will never be honored r=margaret
authorMark Finkle <mfinkle@mozilla.com>
Thu, 24 Oct 2013 05:50:59 -0400
changeset 166701 88a17d5958447fb3942d26bfc9428bc2823eb9b3
parent 166700 27d18354871e047846d1a18f55dabc9df681686a
child 166702 2734d5adbf357ac6ff3e812b49feb764d43dad38
push id428
push userbbajaj@mozilla.com
push dateTue, 28 Jan 2014 00:16:25 +0000
reviewersmargaret
bugs926102
milestone27.0a1
Bug 926102 - Firefox for Android offers cert error overrides for HSTS sites, even though the override will never be honored r=margaret
mobile/android/chrome/content/aboutCertError.xhtml
mobile/android/themes/core/netError.css
--- a/mobile/android/chrome/content/aboutCertError.xhtml
+++ b/mobile/android/chrome/content/aboutCertError.xhtml
@@ -80,16 +80,22 @@
         };
         replaceWithHost(intro);
 
         if (getCSSClass() == "expertBadCert") {
           toggle('technicalContent');
           toggle('expertContent');
         }
 
+        // Disallow overrides if this is a Strict-Transport-Security
+        // host and the cert is bad (STS Spec section 7.3) or if the
+        // certerror is in a frame (bug 633691).
+        if (getCSSClass() == "badStsCert" || window != top)
+          document.getElementById("expertContent").setAttribute("hidden", "true");
+
         var tech = document.getElementById("technicalContentText");
         if (tech)
           tech.textContent = getDescription();
 
         addDomainErrorLink();
       }
 
       /* In the case of SSL error pages about domain mismatch, see if
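Review bot: The new guard calls `document.getElementById("expertContent").setAttribute(...)` without a null check, while the `technicalContentText` lookup right below it is guarded with `if (tech)`. If the element were ever missing, the exception would abort the rest of this function, including `addDomainErrorLink()`. The override section is also only hidden, not removed, so in the framed case (`window != top`) the protection depends on the stylesheet; whether the override handler rechecks framing is not visible in this hunk. Consider removing the node instead, provided nothing later expects it to exist: `var ec = document.getElementById("expertContent"); if (ec) ec.parentNode.removeChild(ec);`. The enclosing function starts above the hunk.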
--- a/mobile/android/themes/core/netError.css
+++ b/mobile/android/themes/core/netError.css
@@ -125,17 +125,18 @@ button + button {
 
 div[collapsed="true"] > .expander {
   background-image: url("chrome://browser/skin/images/dropmarker-right.svg");
   /* dropmarker.svg is 7x10. Ensure that its centered in the middle of an 18x18 box */
   background-size: 7px 10px;
   background-position: 5.5px 4px;
 }
 
-/* Hide the first element after the expander */
+div[hidden] > .expander,
+div[hidden] > .expander + *,
 div[collapsed="true"] > .expander + * {
   display: none;
 }
 
 .blockedsite h1 {
   border-bottom-color: #9b2e2e;
 }
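Review bot: The added selectors hide only `.expander` and the single element after it, so any further child of a `div[hidden]` stays visible unless something else hides the div itself. Because this rule is what keeps the certificate-override controls off screen for HSTS and framed errors, hiding the container is more robust: `div[hidden] { display: none; }`. The hunk also drops the `/* Hide the first element after the expander */` comment without a replacement; something like `/* Hide the content of collapsed sections, and all of a hidden section (cert override not allowed) */` would record why `[hidden]` is handled here. Whether `expertContent` has more than two children is not visible in this diff.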