Backed out changeset 3f4fb9bf51b2 (bug 1924585) for causing android perma failures CLOSED TREE

2024-11-23 04:41:11 +00:00 · 2024-10-17 23:17:27 +03:00 · 2024-10-17 23:17:27 +03:00 · 9912f02c3d
commit 9912f02c3d
parent a480e98d71
12 changed files with 2 additions and 136 deletions
--- a/browser/base/content/test/about/browser.toml
+++ b/browser/base/content/test/about/browser.toml
@ -17,8 +17,6 @@ support-files = [

 ["browser_aboutCertError_exception.js"]

-["browser_aboutCertError_hyphen_telemetry.js"]
-
 ["browser_aboutCertError_mitm.js"]

 ["browser_aboutCertError_noSubjectAltName.js"]
--- a/browser/base/content/test/about/browser_aboutCertError_cca_telemetry.js
+++ b/browser/base/content/test/about/browser_aboutCertError_cca_telemetry.js
@ -40,7 +40,6 @@ async function checkTelemetry(expectedIssuedByCCA) {
      has_sts: "false",
      channel_status: "2153390067",
      issued_by_cca: expectedIssuedByCCA,
-      hyphen_compat: "false",
    },
  ]);
 }
--- a/browser/base/content/test/about/browser_aboutCertError_hyphen_telemetry.js
+++ b/browser/base/content/test/about/browser_aboutCertError_hyphen_telemetry.js
@ -1,94 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-"use strict";
-
-const HYPHEN_LABEL_SITE = "https://hyphen-.example.com";
-const DOMAIN_MISMATCH_SITE = "https://mismatch.badcertdomain.example.com";
-
-registerCleanupFunction(async () => {
-  await resetTelemetry();
-});
-
-async function resetTelemetry() {
-  Services.telemetry.clearEvents();
-  await TestUtils.waitForCondition(() => {
-    let events = Services.telemetry.snapshotEvents(
-      Ci.nsITelemetry.DATASET_PRERELEASE_CHANNELS,
-      true
-    ).content;
-    return !events || !events.length;
-  });
-}
-
-async function checkTelemetry(expectedHyphenCompat) {
-  let loadEvent = await TestUtils.waitForCondition(() => {
-    let events = Services.telemetry.snapshotEvents(
-      Ci.nsITelemetry.DATASET_PRERELEASE_CHANNELS,
-      true
-    ).content;
-    return events?.find(e => e[1] == "security.ui.certerror" && e[2] == "load");
-  }, "recorded telemetry for the load");
-  loadEvent.shift();
-  Assert.deepEqual(loadEvent, [
-    "security.ui.certerror",
-    "load",
-    "aboutcerterror",
-    "SSL_ERROR_BAD_CERT_DOMAIN",
-    {
-      is_frame: "false",
-      has_sts: "false",
-      channel_status: "2153394164",
-      issued_by_cca: "false",
-      hyphen_compat: expectedHyphenCompat,
-    },
-  ]);
-}
-
-add_task(async function test_site_with_hyphen() {
-  await resetTelemetry();
-  let browser;
-  let pageLoaded;
-  await BrowserTestUtils.openNewForegroundTab(
-    gBrowser,
-    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(
-        gBrowser,
-        HYPHEN_LABEL_SITE
-      );
-      browser = gBrowser.selectedBrowser;
-      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
-    },
-    false
-  );
-  info("Loading and waiting for the certificate error page");
-  await pageLoaded;
-  // Check that telemetry indicates this error was caused by the hyphen in the
-  // domain name.
-  await checkTelemetry("true");
-  BrowserTestUtils.removeTab(gBrowser.selectedTab);
-});
-
-add_task(async function test_domain_mismatch_site() {
-  await resetTelemetry();
-  let browser;
-  let pageLoaded;
-  await BrowserTestUtils.openNewForegroundTab(
-    gBrowser,
-    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(
-        gBrowser,
-        DOMAIN_MISMATCH_SITE
-      );
-      browser = gBrowser.selectedBrowser;
-      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
-    },
-    false
-  );
-  info("Loading and waiting for the certificate error page");
-  await pageLoaded;
-  // Check that telemetry indicates this error was not caused by a hyphen in
-  // the domain name.
-  await checkTelemetry("false");
-  BrowserTestUtils.removeTab(gBrowser.selectedTab);
-});
--- a/build/pgo/certs/cert9.db
+++ b/build/pgo/certs/cert9.db
--- a/build/pgo/certs/key4.db
+++ b/build/pgo/certs/key4.db
--- a/build/pgo/certs/mochitest.client
+++ b/build/pgo/certs/mochitest.client
--- a/build/pgo/certs/wildcard.certspec
+++ b/build/pgo/certs/wildcard.certspec
@ -1,3 +0,0 @@
-subject:*.example.com
-issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
-extension:subjectAlternativeName:*.example.com
--- a/build/pgo/server-locations.txt
+++ b/build/pgo/server-locations.txt
@ -402,6 +402,3 @@ https://123.123.123.123:443    privileged,nocert
 # Domain with HSTS preloaded
 http://includesubdomains.preloaded.test:80       privileged
 https://includesubdomains.preloaded.test:443     privileged
-
-# Domain with a hyphen at the end of a label.
-https://hyphen-.example.com:443             privileged,cert=wildcard.pem
--- a/netwerk/test/httpserver/httpd.sys.mjs
+++ b/netwerk/test/httpserver/httpd.sys.mjs
@ -971,14 +971,11 @@ export class NodeServer {
 // address. For simplicity, the regexp below captures all canonical IPv6
 // addresses (e.g. [::1]), but may also match valid non-canonical IPv6 addresses
 // (e.g. [::127.0.0.1]) and even invalid bracketed addresses ([::], [99999::]).
-//
-// For compatibility, domainlabels may begin and/or end with hyphens, which
-// strictly speaking violates these specifications.

 const HOST_REGEX = new RegExp(
  "^(?:" +
    // *( domainlabel "." )
-    "(?:[a-z0-9-]*?\\.)*" +
+    "(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*" +
    // toplabel [ "." ]
    "[a-z](?:[a-z0-9-]*[a-z0-9])?\\.?" +
    "|" +
--- a/testing/mochitest/server.js
+++ b/testing/mochitest/server.js
@ -253,7 +253,7 @@ function processLocations(server) {
      "(" +
      "\\d+\\.\\d+\\.\\d+\\.\\d+" +
      "|" +
-      "(?:[-a-z0-9]*?\\.)*" +
+      "(?:[a-z0-9](?:[-a-z0-9]*[a-z0-9])?\\.)*" +
      "[a-z](?:[-a-z0-9]*[a-z0-9])?" +
      ")" +
      ":" +
--- a/toolkit/components/telemetry/Events.yaml
+++ b/toolkit/components/telemetry/Events.yaml
@ -3103,7 +3103,6 @@ security.ui.certerror:
      has_sts: If the error page is for a site with HSTS headers or with a pinned key.
      channel_status: The status of the failed channel, as an nsresult.
      issued_by_cca: If trusting the CCA India roots would fix this error.
-      hyphen_compat: If the error is due to a domain label starting or ending with a hyphen.
  click:
    objects: [
      "advanced_button",
--- a/toolkit/content/aboutNetError.mjs
+++ b/toolkit/content/aboutNetError.mjs
@ -1010,33 +1010,6 @@ async function recordSecurityUITelemetry(category, name, errorInfo) {
  }
  if (category == "securityUiCerterror" && name.startsWith("load")) {
    extraKeys.issued_by_cca = false;
-    extraKeys.hyphen_compat = false;
-    // This issue only applies to certificate domain name mismatch errors where
-    // the first label in the domain name starts or ends with a hyphen.
-    let label = HOST_NAME.substring(0, HOST_NAME.indexOf("."));
-    if (
-      errorCode == "SSL_ERROR_BAD_CERT_DOMAIN" &&
-      (label.startsWith("-") || label.endsWith("-"))
-    ) {
-      try {
-        let subjectAltNames = await getSubjectAltNames(errorInfo);
-        for (let subjectAltName of subjectAltNames) {
-          // If the certificate has a wildcard entry that matches the domain
-          // name (e.g. '*.example.com' matches 'foo-.example.com'), then
-          // this error is probably due to Firefox disallowing hyphens in
-          // domain names when matching wildcard entries.
-          if (
-            subjectAltName.startsWith("*.") &&
-            subjectAltName.substring(1) == HOST_NAME.substring(label.length)
-          ) {
-            extraKeys.hyphen_compat = true;
-            break;
-          }
-        }
-      } catch (e) {
-        console.error("error parsing certificate:", e);
-      }
-    }
    let issuer = errorInfo.certChainStrings.at(-1);
    if (issuer && errorCode == "SEC_ERROR_UNKNOWN_ISSUER") {
      try {