Bug 1252068 - Adding in reset prefs button on SSLNetError page. r=gijs

MozReview-Commit-ID: BJQ0cYlrS6O --HG-- extra : transplant_source : %C7%FA%195%1C%87%1BDp%04%1CZI%A3N%94%F5%1Ch%3B
2024-10-08 10:44:56 +00:00 · 2016-05-04 17:10:45 +01:00 · 2016-05-04 17:10:45 +01:00 · 11a106fd9b
commit 11a106fd9b
parent 6a2b0ea6d0
12 changed files with 165 additions and 8 deletions
--- a/browser/base/content/aboutNetError.xhtml
+++ b/browser/base/content/aboutNetError.xhtml
@ -102,16 +102,25 @@

      function toggleDisplay(node) {
        toggle = {
-          '': 'block',
-          'none': 'block',
-          'block': 'none'
+          "": "block",
+          "none": "block",
+          "block": "none"
        };
        return (node.style.display = toggle[node.style.display]);
      }

      function showCertificateErrorReporting() {
        // Display error reporting UI
-        document.getElementById('certificateErrorReporting').style.display = 'block';
+        document.getElementById("certificateErrorReporting").style.display = "block";
+      }
+
+      function showPrefChangeContainer() {
+        const panel = document.getElementById("prefChangeContainer");
+        panel.style.display = "block";
+        document.getElementById("prefResetButton").addEventListener("click", function resetPreferences(e) {
+          const event = new CustomEvent("AboutNetErrorResetPreferences", {bubbles:true});
+          document.dispatchEvent(event);
+        });
      }

      function showAdvancedButton(allowOverride) {
@ -307,19 +316,30 @@

            var options = JSON.parse(evt.detail);
            if (options && options.enabled) {
-              var checkbox = document.getElementById('automaticallyReportInFuture');
+              var checkbox = document.getElementById("automaticallyReportInFuture");
              showCertificateErrorReporting();
              if (options.automatic) {
                // set the checkbox
                checkbox.checked = true;
              }

-              checkbox.addEventListener('change', function(evt) {
+              checkbox.addEventListener("change", function(evt) {
                  var event = new CustomEvent("AboutNetErrorSetAutomatic",
                    {bubbles:true, detail:evt.target.checked});
                  document.dispatchEvent(event);
                }, false);
            }
+            const hasPrefStyleError = [
+              "interrupted", // This happens with subresources that are above the max tls
+              "SSL_ERROR_PROTOCOL_VERSION_ALERT",
+              "SSL_ERROR_UNSUPPORTED_VERSION",
+              "SSL_ERROR_NO_CYPHER_OVERLAP",
+              "SSL_ERROR_NO_CIPHERS_SUPPORTED"
+            ].some((substring) => getDescription().includes(substring));
+            // If it looks like an error that is user config based
+            if (getErrorCode() == "nssFailure2" && hasPrefStyleError && options && options.changedCertPrefs) {
+              showPrefChangeContainer();
+            }
          }
          if (getErrorCode() == "weakCryptoUsed" || getErrorCode() == "sslv3Used") {
            showAdvancedButton(getErrorCode() == "weakCryptoUsed");
@ -409,7 +429,7 @@
        }

        // Initialize the cert domain link.
-        var link = document.getElementById('cert_domain_link');
+        var link = document.getElementById("cert_domain_link");
        if (!link)
          return;

@ -561,6 +581,11 @@
        <!-- Long Description (Note: See netError.dtd for used XHTML tags) -->
        <div id="errorLongDesc" />

+        <div id="prefChangeContainer">
+          <p>&prefReset.longDesc;</p>
+          <button id="prefResetButton" autocomplete="off">&prefReset.label;</button>
+        </div>
+
        <div id="learnMoreContainer">
          <p><a href="https://support.mozilla.org/kb/what-does-your-connection-is-not-secure-mean" id="learnMoreLink" target="new">&errorReporting.learnMore;</a></p>
        </div>
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@ -2656,6 +2656,12 @@ const TLS_ERROR_REPORT_TELEMETRY_AUTO_UNCHECKED = 3;
 const TLS_ERROR_REPORT_TELEMETRY_MANUAL_SEND    = 4;
 const TLS_ERROR_REPORT_TELEMETRY_AUTO_SEND      = 5;

+const PREF_SSL_IMPACT_ROOTS = ["security.tls.version.min", "security.tls.version.max", "security.ssl3."];
+
+const PREF_SSL_IMPACT = PREF_SSL_IMPACT_ROOTS.reduce((prefs, root) => {
+  return prefs.concat(Services.prefs.getChildList(root));
+}, []);
+
 /**
 * Handle command events bubbling up from error page content
 * or from about:newtab or from remote error pages that invoke
@ -2669,6 +2675,7 @@ var BrowserOnClick = {
    mm.addMessageListener("Browser:EnableOnlineMode", this);
    mm.addMessageListener("Browser:SendSSLErrorReport", this);
    mm.addMessageListener("Browser:SetSSLErrorReportAuto", this);
+    mm.addMessageListener("Browser:ResetSSLPreferences", this);
    mm.addMessageListener("Browser:SSLErrorReportTelemetry", this);
    mm.addMessageListener("Browser:OverrideWeakCrypto", this);
    mm.addMessageListener("Browser:SSLErrorGoBack", this);
@ -2681,6 +2688,7 @@ var BrowserOnClick = {
    mm.removeMessageListener("Browser:EnableOnlineMode", this);
    mm.removeMessageListener("Browser:SendSSLErrorReport", this);
    mm.removeMessageListener("Browser:SetSSLErrorReportAuto", this);
+    mm.removeMessageListener("Browser:ResetSSLPreferences", this);
    mm.removeMessageListener("Browser:SSLErrorReportTelemetry", this);
    mm.removeMessageListener("Browser:OverrideWeakCrypto", this);
    mm.removeMessageListener("Browser:SSLErrorGoBack", this);
@ -2727,6 +2735,12 @@ var BrowserOnClick = {
                              msg.data.uri,
                              msg.data.securityInfo);
      break;
+      case "Browser:ResetSSLPreferences":
+        for (let prefName of PREF_SSL_IMPACT) {
+          Services.prefs.clearUserPref(prefName);
+        }
+        msg.target.reload();
+      break;
      case "Browser:SetSSLErrorReportAuto":
        Services.prefs.setBoolPref("security.ssl.errorReporting.automatic", msg.json.automatic);
        let bin = TLS_ERROR_REPORT_TELEMETRY_AUTO_UNCHECKED;
--- a/browser/base/content/content.js
+++ b/browser/base/content/content.js
@ -233,12 +233,20 @@ const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 5

 const PREF_KINTO_CLOCK_SKEW_SECONDS = "services.kinto.clock_skew_seconds";

+const PREF_SSL_IMPACT_ROOTS = ["security.tls.version.min", "security.tls.version.max", "security.ssl3."];
+
+const PREF_SSL_IMPACT = PREF_SSL_IMPACT_ROOTS.reduce((prefs, root) => {
+  return prefs.concat(Services.prefs.getChildList(root));
+}, []);
+
+
 var AboutNetAndCertErrorListener = {
  init: function(chromeGlobal) {
    addMessageListener("CertErrorDetails", this);
    chromeGlobal.addEventListener('AboutNetErrorLoad', this, false, true);
    chromeGlobal.addEventListener('AboutNetErrorSetAutomatic', this, false, true);
    chromeGlobal.addEventListener('AboutNetErrorOverride', this, false, true);
+    chromeGlobal.addEventListener('AboutNetErrorResetPreferences', this, false, true);
  },

  get isAboutNetError() {
@ -323,9 +331,22 @@ var AboutNetAndCertErrorListener = {
    case "AboutNetErrorOverride":
      this.onOverride(aEvent);
      break;
+    case "AboutNetErrorResetPreferences":
+      this.onResetPreferences(aEvent);
+      break;
    }
  },

+  changedCertPrefs: function () {
+    for (let prefName of PREF_SSL_IMPACT) {
+      if (Services.prefs.prefHasUserValue(prefName)) {
+        return true;
+      }
+    }
+
+    return false;
+  },
+
  onPageLoad: function(evt) {
    if (this.isAboutCertError) {
      let originalTarget = evt.originalTarget;
@ -337,6 +358,7 @@ var AboutNetAndCertErrorListener = {
    content.dispatchEvent(new content.CustomEvent("AboutNetErrorOptions", {
      detail: JSON.stringify({
        enabled: Services.prefs.getBoolPref("security.ssl.errorReporting.enabled"),
+        changedCertPrefs: this.changedCertPrefs(),
        automatic: automatic
      })
    }));
@ -345,6 +367,11 @@ var AboutNetAndCertErrorListener = {
                     {reportStatus: TLS_ERROR_REPORT_TELEMETRY_UI_SHOWN});
  },

+
+  onResetPreferences: function(evt) {
+    sendAsyncMessage("Browser:ResetSSLPreferences");
+  },
+
  onSetAutomatic: function(evt) {
    sendAsyncMessage("Browser:SetSSLErrorReportAuto", {
      automatic: evt.detail
--- a/browser/base/content/test/general/browser.ini
+++ b/browser/base/content/test/general/browser.ini
@ -140,6 +140,7 @@ skip-if = os == "linux" # Bug 958026
 support-files =
  content_aboutAccounts.js
 [browser_aboutCertError.js]
+[browser_aboutNetError.js]
 [browser_aboutSupport_newtab_security_state.js]
 [browser_aboutHealthReport.js]
 skip-if = os == "linux" # Bug 924307
--- a/browser/base/content/test/general/browser_aboutNetError.js
+++ b/browser/base/content/test/general/browser_aboutNetError.js
@ -0,0 +1,42 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Set ourselves up for TLS error
+Services.prefs.setIntPref("security.tls.version.max", 3);
+Services.prefs.setIntPref("security.tls.version.min", 3);
+
+const LOW_TLS_VERSION = "https://tls1.example.com/";
+const {TabStateFlusher} = Cu.import("resource:///modules/sessionstore/TabStateFlusher.jsm", {});
+const ss = Cc["@mozilla.org/browser/sessionstore;1"].getService(Ci.nsISessionStore);
+
+add_task(function* checkReturnToPreviousPage() {
+  info("Loading a TLS page that isn't supported, ensure we have a fix button and clicking it then loads the page");
+  let browser;
+  let pageLoaded;
+  let tab = yield BrowserTestUtils.openNewForegroundTab(gBrowser, () => {
+    gBrowser.selectedTab = gBrowser.addTab(LOW_TLS_VERSION);
+    browser = gBrowser.selectedBrowser;
+    pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
+  }, false);
+
+  info("Loading and waiting for the net error");
+  yield pageLoaded;
+
+  Assert.ok(content.document.getElementById("prefResetButton").getBoundingClientRect().left >= 0,
+    "Should have a visible button");
+
+  Assert.ok(content.document.documentURI.startsWith("about:neterror"), "Should be showing error page");
+
+  let pageshowPromise = promiseWaitForEvent(browser, "pageshow");
+  yield ContentTask.spawn(browser, null, function* () {
+    content.document.getElementById("prefResetButton").click();
+  });
+  yield pageshowPromise;
+
+  Assert.equal(content.document.documentURI, LOW_TLS_VERSION, "Should not be showing page");
+
+  yield BrowserTestUtils.removeTab(gBrowser.selectedTab);
+});
+
--- a/browser/locales/en-US/chrome/overrides/netError.dtd
+++ b/browser/locales/en-US/chrome/overrides/netError.dtd
@ -205,3 +205,6 @@ certificate.">
 <!-- LOCALIZATION NOTE (inadequateSecurityError.longDesc) - Do not translate
     "NS_ERROR_NET_INADEQUATE_SECURITY". -->
 <!ENTITY inadequateSecurityError.longDesc "<p><span class='hostname'></span> uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.</p><p>Error code: NS_ERROR_NET_INADEQUATE_SECURITY</p>">
+
+<!ENTITY prefReset.longDesc "It looks like your network security settings might be causing this. Do you want the default settings to be restored?">
+<!ENTITY prefReset.label "Restore default settings">
--- a/browser/themes/shared/aboutNetError.css
+++ b/browser/themes/shared/aboutNetError.css
@ -31,6 +31,10 @@ button:disabled {
  cursor: pointer;
 }

+#prefChangeContainer {
+  display: none;
+}
+
 #learnMoreContainer {
  display: none;
 }
--- a/build/pgo/certs/cert8.db
+++ b/build/pgo/certs/cert8.db
--- a/build/pgo/certs/key3.db
+++ b/build/pgo/certs/key3.db
--- a/build/pgo/server-locations.txt
+++ b/build/pgo/server-locations.txt
@ -260,6 +260,7 @@ https://sha256ee.example.com:443                                  privileged,cer
 https://ssl3.example.com:443        privileged,ssl3
 https://rc4.example.com:443         privileged,rc4
 https://ssl3rc4.example.com:443     privileged,ssl3,rc4
+https://tls1.example.com:443        privileged,tls1

 # Hosts for youtube rewrite tests
 https://mochitest.youtube.com:443
--- a/testing/mochitest/runtests.py
+++ b/testing/mochitest/runtests.py
@ -1329,6 +1329,7 @@ class SSLTunnel:
                             (loc.host, loc.port, self.sslPort, redirhost))

            if self.useSSLTunnelExts and option in (
+                    'tls1',
                    'ssl3',
                    'rc4',
                    'failHandshake'):
--- a/testing/mochitest/ssltunnel/ssltunnel.cpp
+++ b/testing/mochitest/ssltunnel/ssltunnel.cpp
@ -155,6 +155,7 @@ typedef struct {
  PLHashTable* host_clientauth_table;
  PLHashTable* host_redir_table;
  PLHashTable* host_ssl3_table;
+  PLHashTable* host_tls1_table;
  PLHashTable* host_rc4_table;
  PLHashTable* host_failhandshake_table;
 } server_info_t;
@ -265,7 +266,8 @@ void SignalShutdown()
 enum {
  USE_SSL3 = 1 << 0,
  USE_RC4 = 1 << 1,
-  FAIL_HANDSHAKE = 1 << 2
+  FAIL_HANDSHAKE = 1 << 2,
+  USE_TLS1 = 1 << 4
 };

 bool ReadConnectRequest(server_info_t* server_info, 
@ -328,6 +330,10 @@ bool ReadConnectRequest(server_info_t* server_info,
    *flags |= USE_RC4;
  }

+  if (PL_HashTableLookup(server_info->host_tls1_table, token)) {
+    *flags |= USE_TLS1;
+  }
+
  if (PL_HashTableLookup(server_info->host_failhandshake_table, token)) {
    *flags |= FAIL_HANDSHAKE;
  }
@ -395,6 +401,12 @@ bool ConfigureSSLServerSocket(PRFileDesc* socket, server_info_t* si, const strin
    SSL_VersionRangeSet(ssl_socket, &range);
  }

+  if (flags & USE_TLS1) {
+    SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
+                              SSL_LIBRARY_VERSION_TLS_1_0 };
+    SSL_VersionRangeSet(ssl_socket, &range);
+  }
+
  if (flags & USE_RC4) {
    for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
      uint16_t cipher_id = SSL_ImplementedCiphers[i];
@ -756,6 +768,9 @@ void HandleConnection(void* data)
                PL_HashTableEnumerateEntries(ci->server_info->host_ssl3_table, 
                                             match_hostname, 
                                             &match);
+                PL_HashTableEnumerateEntries(ci->server_info->host_tls1_table,
+                                             match_hostname,
+                                             &match);
                PL_HashTableEnumerateEntries(ci->server_info->host_rc4_table, 
                                             match_hostname, 
                                             &match);
@ -1027,6 +1042,11 @@ PLHashTable* get_ssl3_table(server_info_t* server)
  return server->host_ssl3_table;
 }

+PLHashTable* get_tls1_table(server_info_t* server)
+{
+  return server->host_tls1_table;
+}
+
 PLHashTable* get_rc4_table(server_info_t* server)
 {
  return server->host_rc4_table;
@ -1204,6 +1224,14 @@ int processConfigLine(char* configLine)
        return 1;
      }

+      server.host_tls1_table = PL_NewHashTable(0, PL_HashString, PL_CompareStrings,
+                                               PL_CompareStrings, nullptr, nullptr);;
+      if (!server.host_tls1_table)
+      {
+        LOG_ERROR(("Internal, could not create hash table\n"));
+        return 1;
+      }
+
      server.host_rc4_table = PL_NewHashTable(0, PL_HashString, PL_CompareStrings,
                                              PL_CompareStrings, nullptr, nullptr);;
      if (!server.host_rc4_table)
@ -1339,6 +1367,9 @@ int processConfigLine(char* configLine)
  if (!strcmp(keyword, "ssl3")) {
    return parseWeakCryptoConfig(keyword, _caret, get_ssl3_table);
  }
+  if (!strcmp(keyword, "tls1")) {
+    return parseWeakCryptoConfig(keyword, _caret, get_tls1_table);
+  }

  if (!strcmp(keyword, "rc4")) {
    return parseWeakCryptoConfig(keyword, _caret, get_rc4_table);
@ -1438,6 +1469,12 @@ int freeSSL3HashItems(PLHashEntry *he, int i, void *arg)
  return HT_ENUMERATE_REMOVE;
 }

+int freeTLS1HashItems(PLHashEntry *he, int i, void *arg)
+{
+  delete [] (char*)he->key;
+  return HT_ENUMERATE_REMOVE;
+}
+
 int freeRC4HashItems(PLHashEntry *he, int i, void *arg)
 {
  delete [] (char*)he->key;
@ -1577,12 +1614,14 @@ int main(int argc, char** argv)
    PL_HashTableEnumerateEntries(it->host_clientauth_table, freeClientAuthHashItems, nullptr);
    PL_HashTableEnumerateEntries(it->host_redir_table, freeHostRedirHashItems, nullptr);
    PL_HashTableEnumerateEntries(it->host_ssl3_table, freeSSL3HashItems, nullptr);
+    PL_HashTableEnumerateEntries(it->host_tls1_table, freeTLS1HashItems, nullptr);
    PL_HashTableEnumerateEntries(it->host_rc4_table, freeRC4HashItems, nullptr);
    PL_HashTableEnumerateEntries(it->host_failhandshake_table, freeRC4HashItems, nullptr);
    PL_HashTableDestroy(it->host_cert_table);
    PL_HashTableDestroy(it->host_clientauth_table);
    PL_HashTableDestroy(it->host_redir_table);
    PL_HashTableDestroy(it->host_ssl3_table);
+    PL_HashTableDestroy(it->host_tls1_table);
    PL_HashTableDestroy(it->host_rc4_table);
    PL_HashTableDestroy(it->host_failhandshake_table);
  }