mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-24 05:11:16 +00:00
Backed out changesets fb903f13f215, 9c5c712698e4, and 36d257ead3da (bug 1092835) for causing test_csp_allow_https_schemes.html permafail on Android 2.3.
CLOSED TREE
parent
131c9d3d17
commit
1bdab6fe7b
@ -2,87 +2,72 @@
|
||||
/* Any copyright is dedicated to the Public Domain.
|
||||
* http://creativecommons.org/publicdomain/zero/1.0/ */
|
||||
|
||||
// Tests that the Web Console shows weak crypto warnings (SHA-1 Certificate, SSLv3, and RC4)
|
||||
// Tests that the Web Console shows SHA-1 Certificate warnings
|
||||
|
||||
const TEST_URI_PATH = "/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
|
||||
let gWebconsoleTests = [
|
||||
{url: "https://sha1ee.example.com" + TEST_URI_PATH,
|
||||
name: "SHA1 warning displayed successfully",
|
||||
warning: ["SHA-1"], nowarning: ["SSL 3.0", "RC4"]},
|
||||
{url: "https://ssl3.example.com" + TEST_URI_PATH,
|
||||
name: "SSL3 warning displayed successfully",
|
||||
pref: [["security.tls.version.min", 0]],
|
||||
warning: ["SSL 3.0"], nowarning: ["SHA-1", "RC4"]},
|
||||
{url: "https://rc4.example.com" + TEST_URI_PATH,
|
||||
name: "RC4 warning displayed successfully",
|
||||
warning: ["RC4"], nowarning: ["SHA-1", "SSL 3.0"]},
|
||||
{url: "https://ssl3rc4.example.com" + TEST_URI_PATH,
|
||||
name: "SSL3 and RC4 warning displayed successfully",
|
||||
pref: [["security.tls.version.min", 0]],
|
||||
warning: ["SSL 3.0", "RC4"], nowarning: ["SHA-1"]},
|
||||
{url: "https://sha256ee.example.com" + TEST_URI_PATH,
|
||||
name: "SSL warnings appropriately not present",
|
||||
warning: [], nowarning: ["SHA-1", "SSL 3.0", "RC4"]},
|
||||
];
|
||||
const TEST_BAD_URI = "https://sha1ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
|
||||
const TEST_GOOD_URI = "https://sha256ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
|
||||
const TRIGGER_MSG = "If you haven't seen ssl warnings yet, you won't";
|
||||
|
||||
let gHud = undefined;
|
||||
let gCurrentTest;
|
||||
|
||||
function test() {
|
||||
registerCleanupFunction(function () {
|
||||
gHud = null;
|
||||
});
|
||||
|
||||
addTab("data:text/html;charset=utf8,Web Console weak crypto warnings test");
|
||||
addTab("data:text/html;charset=utf8,Web Console SHA-1 warning test");
|
||||
browser.addEventListener("load", function _onLoad() {
|
||||
browser.removeEventListener("load", _onLoad, true);
|
||||
openConsole(null, runTestLoop);
|
||||
openConsole(null, loadBadDocument);
|
||||
}, true);
|
||||
}
|
||||
|
||||
function runTestLoop(theHud) {
|
||||
gCurrentTest = gWebconsoleTests.shift();
|
||||
if (!gCurrentTest) {
|
||||
finishTest();
|
||||
}
|
||||
if (!gHud) {
|
||||
gHud = theHud;
|
||||
}
|
||||
gHud.jsterm.clearOutput();
|
||||
browser.addEventListener("load", onLoad, true);
|
||||
if (gCurrentTest.pref) {
|
||||
SpecialPowers.pushPrefEnv({"set": gCurrentTest.pref},
|
||||
function() {
|
||||
content.location = gCurrentTest.url;
|
||||
});
|
||||
} else {
|
||||
content.location = gCurrentTest.url;
|
||||
}
|
||||
function loadBadDocument(theHud) {
|
||||
gHud = theHud;
|
||||
browser.addEventListener("load", onBadLoad, true);
|
||||
content.location = TEST_BAD_URI;
|
||||
}
|
||||
|
||||
function onLoad(aEvent) {
|
||||
browser.removeEventListener("load", onLoad, true);
|
||||
function onBadLoad(aEvent) {
|
||||
browser.removeEventListener("load", onBadLoad, true);
|
||||
testForWarningMessage();
|
||||
}
|
||||
|
||||
function loadGoodDocument(theHud) {
|
||||
gHud.jsterm.clearOutput()
|
||||
browser.addEventListener("load", onGoodLoad, true);
|
||||
content.location = TEST_GOOD_URI;
|
||||
}
|
||||
|
||||
function onGoodLoad(aEvent) {
|
||||
browser.removeEventListener("load", onGoodLoad, true);
|
||||
testForNoWarning();
|
||||
}
|
||||
|
||||
function testForWarningMessage() {
|
||||
let aOutputNode = gHud.outputNode;
|
||||
|
||||
waitForSuccess({
|
||||
name: gCurrentTest.name,
|
||||
name: "SHA1 warning displayed successfully",
|
||||
validatorFn: function() {
|
||||
if (gHud.outputNode.textContent.indexOf(TRIGGER_MSG) >= 0) {
|
||||
for (let warning of gCurrentTest.warning) {
|
||||
if (gHud.outputNode.textContent.indexOf(warning) < 0) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
for (let nowarning of gCurrentTest.nowarning) {
|
||||
if (gHud.outputNode.textContent.indexOf(nowarning) >= 0) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
return gHud.outputNode.textContent.indexOf("SHA-1") > -1;
|
||||
},
|
||||
successFn: runTestLoop,
|
||||
successFn: loadGoodDocument,
|
||||
failureFn: finishTest,
|
||||
});
|
||||
}
|
||||
|
||||
function testForNoWarning() {
|
||||
let aOutputNode = gHud.outputNode;
|
||||
|
||||
waitForSuccess({
|
||||
name: "SHA1 warning appropriately missed",
|
||||
validatorFn: function() {
|
||||
if (gHud.outputNode.textContent.indexOf(TRIGGER_MSG) > -1) {
|
||||
return gHud.outputNode.textContent.indexOf("SHA-1") == -1;
|
||||
}
|
||||
},
|
||||
successFn: finishTest,
|
||||
failureFn: finishTest,
|
||||
});
|
||||
}
|
||||
|
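Review bot: The validator in `testForNoWarning`, which looks like the restored side of this backout, falls off the end and returns `undefined` until the trigger message appears, so the "keep waiting" case is implicit. A single boolean expression states both conditions: `let text = gHud.outputNode.textContent; return text.indexOf(TRIGGER_MSG) > -1 && text.indexOf("SHA-1") == -1;`. The `aOutputNode` local in `testForWarningMessage` and `testForNoWarning` is never read, and `loadGoodDocument` ignores its `theHud` parameter, so both can be dropped. A comment on `TRIGGER_MSG` would also help, along the lines of `// Sentinel expected in the console once the page has run; the "no warning" check is only meaningful after it appears.` That the test page logs this string is inferred from the check, as the page itself is not shown here.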
Binary file not shown.
Binary file not shown.
@ -233,8 +233,3 @@ https://include-subdomains.pinning.example.com:443 privileged,cer
|
||||
# Hosts for sha1 console warning tests
|
||||
https://sha1ee.example.com:443 privileged,cert=sha1_end_entity
|
||||
https://sha256ee.example.com:443 privileged,cert=sha256_end_entity
|
||||
|
||||
# Hosts for ssl3/rc4 console warning tests
|
||||
https://ssl3.example.com:443 privileged,ssl3
|
||||
https://rc4.example.com:443 privileged,rc4
|
||||
https://ssl3rc4.example.com:443 privileged,ssl3,rc4
|
||||
|
@ -19,8 +19,3 @@ LoadingMixedActiveContent=Loading mixed (insecure) active content on a secure pa
|
||||
LoadingMixedDisplayContent=Loading mixed (insecure) display content on a secure page "%1$S"
|
||||
# LOCALIZATION NOTE: Do not translate "allow-scripts", "allow-same-origin", "sandbox" or "iframe"
|
||||
BothAllowScriptsAndSameOriginPresent=An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.
|
||||
|
||||
# LOCALIZATION NOTE: Do not translate "SSL 3.0".
|
||||
WeakProtocolVersionWarning=This site uses the protocol SSL 3.0 for encryption, which is deprecated and insecure.
|
||||
# LOCALIZATION NOTE: Do not translate "RC4".
|
||||
WeakCipherSuiteWarning=This site uses the cipher RC4 for encryption, which is deprecated and insecure.
|
||||
|
@ -8,7 +8,7 @@ interface nsIDOMWindow;
|
||||
interface nsIObserver;
|
||||
interface nsIPrompt;
|
||||
|
||||
[scriptable, uuid(10b6ec13-09ed-4f7d-9df9-962c0d18306f)]
|
||||
[scriptable, uuid(594fd36d-5b1b-412f-a74e-ab72099a5bb2)]
|
||||
interface nsIPrintProgress: nsIWebProgressListener {
|
||||
|
||||
/* Open the progress dialog
|
||||
|
@ -48,8 +48,6 @@
|
||||
#include "nsIScriptSecurityManager.h"
|
||||
#include "nsISSLStatus.h"
|
||||
#include "nsISSLStatusProvider.h"
|
||||
#include "nsITransportSecurityInfo.h"
|
||||
#include "nsIWebProgressListener.h"
|
||||
#include "LoadContextInfo.h"
|
||||
#include "netCore.h"
|
||||
#include "nsHttpTransaction.h"
|
||||
@ -1218,25 +1216,6 @@ nsHttpChannel::ProcessSSLInformation()
|
||||
if (!sslstat)
|
||||
return;
|
||||
|
||||
nsCOMPtr<nsITransportSecurityInfo> securityInfo =
|
||||
do_QueryInterface(mSecurityInfo);
|
||||
uint32_t state;
|
||||
if (securityInfo &&
|
||||
NS_SUCCEEDED(securityInfo->GetSecurityState(&state)) &&
|
||||
(state & nsIWebProgressListener::STATE_IS_BROKEN)) {
|
||||
// Send weak crypto warnings to the web console
|
||||
if (state & nsIWebProgressListener::STATE_USES_SSL_3) {
|
||||
nsString consoleErrorTag = NS_LITERAL_STRING("WeakProtocolVersionWarning");
|
||||
nsString consoleErrorCategory = NS_LITERAL_STRING("SSL");
|
||||
AddSecurityMessage(consoleErrorTag, consoleErrorCategory);
|
||||
}
|
||||
if (state & nsIWebProgressListener::STATE_USES_WEAK_CRYPTO) {
|
||||
nsString consoleErrorTag = NS_LITERAL_STRING("WeakCipherSuiteWarning");
|
||||
nsString consoleErrorCategory = NS_LITERAL_STRING("SSL");
|
||||
AddSecurityMessage(consoleErrorTag, consoleErrorCategory);
|
||||
}
|
||||
}
|
||||
|
||||
// Send (SHA-1) signature algorithm errors to the web console
|
||||
nsCOMPtr<nsIX509Cert> cert;
|
||||
sslstat->GetServerCert(getter_AddRefs(cert));
|
||||
|
@ -1172,8 +1172,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
||||
infoObject->GetPort(),
|
||||
versions.max);
|
||||
|
||||
bool usesWeakProtocol = false;
|
||||
bool usesWeakCipher = false;
|
||||
bool weakEncryption = false;
|
||||
SSLChannelInfo channelInfo;
|
||||
rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
|
||||
MOZ_ASSERT(rv == SECSuccess);
|
||||
@ -1192,9 +1191,9 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
||||
sizeof cipherInfo);
|
||||
MOZ_ASSERT(rv == SECSuccess);
|
||||
if (rv == SECSuccess) {
|
||||
usesWeakProtocol =
|
||||
channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0;
|
||||
usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4;
|
||||
weakEncryption =
|
||||
(channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0) ||
|
||||
(cipherInfo.symCipher == ssl_calg_rc4);
|
||||
|
||||
// keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
|
||||
Telemetry::Accumulate(
|
||||
@ -1266,23 +1265,15 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
||||
if (rv != SECSuccess) {
|
||||
siteSupportsSafeRenego = false;
|
||||
}
|
||||
bool renegotiationUnsafe = !siteSupportsSafeRenego &&
|
||||
ioLayerHelpers.treatUnsafeNegotiationAsBroken();
|
||||
|
||||
uint32_t state;
|
||||
if (usesWeakProtocol || usesWeakCipher || renegotiationUnsafe) {
|
||||
state = nsIWebProgressListener::STATE_IS_BROKEN;
|
||||
if (usesWeakProtocol) {
|
||||
state |= nsIWebProgressListener::STATE_USES_SSL_3;
|
||||
}
|
||||
if (usesWeakCipher) {
|
||||
state |= nsIWebProgressListener::STATE_USES_WEAK_CRYPTO;
|
||||
}
|
||||
if (!weakEncryption &&
|
||||
(siteSupportsSafeRenego ||
|
||||
!ioLayerHelpers.treatUnsafeNegotiationAsBroken())) {
|
||||
infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_SECURE |
|
||||
nsIWebProgressListener::STATE_SECURE_HIGH);
|
||||
} else {
|
||||
state = nsIWebProgressListener::STATE_IS_SECURE |
|
||||
nsIWebProgressListener::STATE_SECURE_HIGH;
|
||||
infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_BROKEN);
|
||||
}
|
||||
infoObject->SetSecurityState(state);
|
||||
|
||||
// XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead,
|
||||
// we should set a flag on the channel that higher (UI) level code can check
|
||||
|
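Review bot: `weakEncryption` starts as `false` and is assigned only inside `if (rv == SECSuccess)`, so a failed channel or cipher-suite query can still reach `STATE_IS_SECURE | STATE_SECURE_HIGH` in `HandshakeCallback` whenever the `MOZ_ASSERT(rv == SECSuccess)` checks compile out. Failing closed is safer for a security indicator: declare it as `bool weakEncryption = true;` so that only a successful query can clear it, and the existing `else` branch then reports `STATE_IS_BROKEN` on failure. The code between the three hunks of this section is not visible, so confirm there is no earlier return on failure before changing the default. A short comment above the final `if`, stating that a connection counts as secure only when the protocol and cipher were successfully inspected and renegotiation is acceptable, would document the intent.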
@ -24,7 +24,7 @@ interface nsIMIMEInfo;
|
||||
* nsIDownloadManager::DOWNLOAD_DIRTY
|
||||
* nsIDownloadManager::DOWNLOAD_BLOCKED_POLICY
|
||||
*/
|
||||
[scriptable, uuid(59f00997-c2ab-4a8b-901d-ccb761cadddd)]
|
||||
[scriptable, uuid(2258f465-656e-4566-87cb-f791dbaf0322)]
|
||||
interface nsIDownload : nsITransfer {
|
||||
|
||||
/**
|
||||
|
@ -11,7 +11,7 @@ interface nsICancelable;
|
||||
interface nsIMIMEInfo;
|
||||
interface nsIFile;
|
||||
|
||||
[scriptable, uuid(9b729b43-0d74-4762-bf11-8cb88a88ead3)]
|
||||
[scriptable, uuid(37ec75d3-97ad-4da8-afaa-eabe5b4afd73)]
|
||||
interface nsITransfer : nsIWebProgressListener2 {
|
||||
|
||||
/**
|
||||
|
@ -17,7 +17,7 @@ interface nsIURI;
|
||||
* nsIWebProgress instances. nsIWebProgress.idl describes the parent-child
|
||||
* relationship of nsIWebProgress instances.
|
||||
*/
|
||||
[scriptable, uuid(90685740-e180-41f1-8394-441c470d5096)]
|
||||
[scriptable, uuid(a9df523b-efe2-421e-9d8e-3d7f807dda4c)]
|
||||
interface nsIWebProgressListener : nsISupports
|
||||
{
|
||||
/**
|
||||
@ -252,20 +252,6 @@ interface nsIWebProgressListener : nsISupports
|
||||
|
||||
const unsigned long STATE_IDENTITY_EV_TOPLEVEL = 0x00100000;
|
||||
|
||||
/**
|
||||
* Broken state flags
|
||||
*
|
||||
* These flags describe the reason of the broken state.
|
||||
*
|
||||
* STATE_USES_SSL_3
|
||||
* The topmost document uses SSL 3.0.
|
||||
*
|
||||
* STATE_USES_WEAK_CRYPTO
|
||||
* The topmost document uses a weak cipher suite such as RC4.
|
||||
*/
|
||||
const unsigned long STATE_USES_SSL_3 = 0x01000000;
|
||||
const unsigned long STATE_USES_WEAK_CRYPTO = 0x02000000;
|
||||
|
||||
/**
|
||||
* Notification indicating the state has changed for one of the requests
|
||||
* associated with aWebProgress.
|
||||
|
@ -7,7 +7,7 @@
|
||||
/**
|
||||
* An extended version of nsIWebProgressListener.
|
||||
*/
|
||||
[scriptable, uuid(19e9d920-c67e-406c-aeea-77ac5a5c908d)]
|
||||
[scriptable, uuid(dde39de0-e4e0-11da-8ad9-0800200c9a66)]
|
||||
interface nsIWebProgressListener2 : nsIWebProgressListener {
|
||||
/**
|
||||
* Notification that the progress has changed for one of the requests
|
||||
|