Bug 1670506 - OCSP requests shouldn't interact with the necko cache at all r=valentin

Differential Revision: https://phabricator.services.mozilla.com/D114030
2024-11-24 13:21:05 +00:00 · 2021-05-04 23:28:50 +00:00 · 2021-05-04 23:28:50 +00:00 · ad61aa064a
commit ad61aa064a
parent 4feed6d4c7
2 changed files with 13 additions and 17 deletions
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@ -261,9 +261,10 @@ OCSPRequest::Run() {
    priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST);
  }

-  channel->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS |
-                        nsIChannel::LOAD_BYPASS_SERVICE_WORKER |
-                        nsIChannel::LOAD_BYPASS_URL_CLASSIFIER);
+  channel->SetLoadFlags(
+      nsIRequest::LOAD_ANONYMOUS | nsIRequest::LOAD_BYPASS_CACHE |
+      nsIRequest::INHIBIT_CACHING | nsIChannel::LOAD_BYPASS_SERVICE_WORKER |
+      nsIChannel::LOAD_BYPASS_URL_CLASSIFIER);

  nsCOMPtr<nsILoadInfo> loadInfo = channel->LoadInfo();

--- a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
@ -6,9 +6,9 @@
 "use strict";

 // In which we connect to a host and encounter OCSP responses with the
-// Cache-Control header set, which Necko will normally cache. We need to ensure
-// that these responses aren't cached to disk when the original https request
-// was in a private context.
+// Cache-Control header set, which normally Necko would cache. This test
+// ensures that these responses aren't cached. PSM has its own OCSP cache, so
+// Necko shouldn't also be caching them.

 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
@ -50,7 +50,7 @@ function add_flush_cache() {
  });
 }

-function add_ocsp_necko_cache_test(loadContext, shouldFindEntry) {
+function add_ocsp_necko_cache_test(loadContext) {
  // Pre-testcase cleanup/setup.
  add_test(() => {
    Services.cache2.clear();
@ -70,7 +70,7 @@ function add_ocsp_necko_cache_test(loadContext, shouldFindEntry) {
      [],
      [],
      [],
-      [["Cache-Control", "max-age: 1000"]]
+      [["Cache-Control", "max-age=1000"]]
    );
    run_next_test();
  });
@ -87,8 +87,7 @@ function add_ocsp_necko_cache_test(loadContext, shouldFindEntry) {

  add_flush_cache();

-  // Traverse the cache and ensure the response made it into the cache with the
-  // appropriate properties (private or not private).
+  // Traverse the cache and ensure the response was not cached.
  add_test(() => {
    let foundEntry = false;
    let visitor = {
@ -111,11 +110,7 @@ function add_ocsp_necko_cache_test(loadContext, shouldFindEntry) {
        foundEntry = true;
      },
      onCacheEntryVisitCompleted() {
-        Assert.equal(
-          foundEntry,
-          shouldFindEntry,
-          "should only find a cached entry if we're expecting one"
-        );
+        Assert.ok(!foundEntry, "should not find a cached entry");
        run_next_test();
      },
      QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]),
@ -132,7 +127,7 @@ function add_ocsp_necko_cache_test(loadContext, shouldFindEntry) {
 function run_test() {
  Services.prefs.setIntPref("security.OCSP.enabled", 1);
  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
-  add_ocsp_necko_cache_test(Services.loadContextInfo.private, false);
-  add_ocsp_necko_cache_test(Services.loadContextInfo.default, true);
+  add_ocsp_necko_cache_test(Services.loadContextInfo.private);
+  add_ocsp_necko_cache_test(Services.loadContextInfo.default);
  run_next_test();
 }