bug 800444 - disable HSTS preload list if firefox has not updated in 18 weeks r=bsmith, mayhemer

security/manager/boot/src/Makefile.in

@@ -26,6 +26,7 @@ CPPSRCS = \
 	nsStrictTransportSecurityService.cpp \
 	$(NULL)
 
+DEFINES += -D__STDC_CONSTANT_MACROS
 
 include $(topsrcdir)/config/rules.mk
 

security/manager/boot/src/nsSTSPreloadList.errors

@@ -41,16 +41,16 @@ ledgerscope.net: max-age too low: 86400
 linx.net: could not connect to host
 lists.mayfirst.org: did not receive HSTS header
 login.persona.org: max-age too low: 2592000
-lookout.com: did not receive HSTS header
 mail.google.com: did not receive HSTS header
 market.android.com: did not receive HSTS header
 mydigipass.com: did not receive HSTS header
-mylookout.com: did not receive HSTS header
 neonisi.com: could not connect to host
+openshift.redhat.com: did not receive HSTS header
 ottospora.nl: could not connect to host
 packagist.org: max-age too low: 2592000
 plus.google.com: did not receive HSTS header
 profiles.google.com: did not receive HSTS header
+rhcloud.com: could not connect to host
 romab.com: max-age too low: 2628000
 script.google.com: did not receive HSTS header
 shops.neonisi.com: could not connect to host
@@ -67,6 +67,7 @@ torproject.org: did not receive HSTS header
 uprotect.it: could not connect to host
 www.developer.mydigipass.com: did not receive HSTS header
 www.dropcam.com: max-age too low: 2592000
+www.elanex.biz: did not receive HSTS header
 www.entropia.de: max-age too low: 2678402
 www.gmail.com: did not receive HSTS header
 www.googlemail.com: did not receive HSTS header
@@ -83,3 +84,4 @@ www.neonisi.com: could not connect to host
 www.paycheckrecords.com: did not receive HSTS header
 www.paypal.com: max-age too low: 14400
 www.sandbox.mydigipass.com: did not receive HSTS header
+www.twitter.com: did not receive HSTS header

security/manager/boot/src/nsSTSPreloadList.inc

@@ -7,6 +7,9 @@
 /* nsStrictTransportSecurityService.cpp, you shouldn't be #including it.     */
 /*****************************************************************************/
 
+#include "mozilla/StandardInteger.h"
+const PRTime gPreloadListExpirationTime = INT64_C(1362156597190000);
+
 class nsSTSPreload
 {
   public:
@@ -34,27 +37,31 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "factor.cc", false },
   { "id.mayfirst.org", false },
   { "intercom.io", false },
+  { "itriskltd.com", true },
   { "keyerror.com", true },
   { "logentries.com", false },
   { "login.sapo.pt", true },
+  { "lookout.com", false },
   { "luneta.nearbuysystems.com", false },
   { "makeyourlaws.org", false },
   { "mattmccutchen.net", true },
   { "members.mayfirst.org", false },
+  { "mylookout.com", false },
   { "neg9.org", false },
   { "passwd.io", true },
   { "piratenlogin.de", true },
   { "pixi.me", true },
   { "riseup.net", true },
   { "sandbox.mydigipass.com", false },
+  { "stocktrade.de", false },
   { "stripe.com", true },
   { "support.mayfirst.org", false },
   { "surfeasy.com", false },
+  { "twitter.com", false },
   { "ubertt.org", true },
   { "www.apollo-auto.com", true },
   { "www.braintreepayments.com", false },
   { "www.cueup.com", false },
-  { "www.elanex.biz", false },
   { "www.intercom.io", false },
   { "www.lookout.com", false },
   { "www.mydigipass.com", false },

security/manager/boot/src/nsStrictTransportSecurityService.cpp

@@ -374,16 +374,23 @@ int STSPreloadCompare(const void *key, const void *entry)
 const nsSTSPreload *
 nsStrictTransportSecurityService::GetPreloadListEntry(const char *aHost)
 {
-  if (mUsePreloadList) {
+  PRTime currentTime = PR_Now();
+  int32_t timeOffset = 0;
+  nsresult rv = mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds",
+                                             &timeOffset);
+  if (NS_SUCCEEDED(rv)) {
+    currentTime += (PRTime(timeOffset) * PR_USEC_PER_SEC);
+  }
+
+  if (mUsePreloadList && currentTime < gPreloadListExpirationTime) {
     return (const nsSTSPreload *) bsearch(aHost,
                                           kSTSPreloadList,
                                           PR_ARRAY_SIZE(kSTSPreloadList),
                                           sizeof(nsSTSPreload),
                                           STSPreloadCompare);
   }
-  else {
-    return nullptr;
-  }
+
+  return nullptr;
 }
 
 NS_IMETHODIMP

security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js

@@ -0,0 +1,24 @@
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+var Cu = Components.utils;
+
+Cu.import("resource://gre/modules/Services.jsm");
+
+function run_test() {
+  let STSService = Cc["@mozilla.org/stsservice;1"]
+                     .getService(Ci.nsIStrictTransportSecurityService);
+
+  // check that a host on the preload list is identified as an sts host
+  do_check_true(STSService.isStsHost("alpha.irccloud.com"));
+
+  // now simulate that it's 19 weeks later than it actually is
+  let offsetSeconds = 19 * 7 * 24 * 60 * 60;
+  Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
+
+  // check that the preloaded host is no longer considered sts
+  do_check_false(STSService.isStsHost("alpha.irccloud.com"));
+
+  // just make sure we can get everything back to normal
+  Services.prefs.clearUserPref("test.currentTimeOffsetSeconds");
+  do_check_true(STSService.isStsHost("alpha.irccloud.com"));
+}

security/manager/ssl/tests/unit/xpcshell.ini

@@ -13,3 +13,4 @@ skip-if = os == "android"
 skip-if = os == "android"
 [test_bug627234.js]
 [test_sts_preloadlist.js]
+[test_sts_preloadlist_selfdestruct.js]

security/manager/tools/getHSTSPreloadList.js

@@ -27,7 +27,7 @@ const SOURCE = "https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transp
 const OUTPUT = "nsSTSPreloadList.inc";
 const ERROR_OUTPUT = "nsSTSPreloadList.errors";
 const MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 18;
-const PREFIX = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
+const HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
 " * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
 " * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
 "\n" +
@@ -36,6 +36,8 @@ const PREFIX = "/* This Source Code Form is subject to the terms of the Mozilla
 "/* nsStrictTransportSecurityService.cpp, you shouldn't be #including it.     */\n" +
 "/*****************************************************************************/\n" +
 "\n" +
+"#include \"mozilla/StandardInteger.h\"\n";
+const PREFIX = "\n" +
 "class nsSTSPreload\n" +
 "{\n" +
 "  public:\n" +
@@ -171,12 +173,26 @@ function writeTo(string, fos) {
   fos.write(string, string.length);
 }
 
+// Determines and returns a string representing a declaration of when this
+// preload list should no longer be used.
+// This is the current time plus MINIMUM_REQUIRED_MAX_AGE.
+function getExpirationTimeString() {
+  var now = new Date();
+  var nowMillis = now.getTime();
+  // MINIMUM_REQUIRED_MAX_AGE is in seconds, so convert to milliseconds
+  var expirationMillis = nowMillis + (MINIMUM_REQUIRED_MAX_AGE * 1000);
+  var expirationMicros = expirationMillis * 1000;
+  return "const PRTime gPreloadListExpirationTime = INT64_C(" + expirationMicros + ");\n";
+}
+
 function output(sortedStatuses) {
   try {
     var file = FileUtils.getFile("CurWorkD", [OUTPUT]);
     var errorFile = FileUtils.getFile("CurWorkD", [ERROR_OUTPUT]);
     var fos = FileUtils.openSafeFileOutputStream(file);
     var eos = FileUtils.openSafeFileOutputStream(errorFile);
+    writeTo(HEADER, fos);
+    writeTo(getExpirationTimeString(), fos);
     writeTo(PREFIX, fos);
     for (var status of hstsStatuses) {
       if (status.maxAge >= MINIMUM_REQUIRED_MAX_AGE) {