Bug 1745389 - Split up SecuritySettingsCleaner. r=geckoview-reviewers,pbz,keeler,jonalmeida

Differential Revision: https://phabricator.services.mozilla.com/D134119
2024-11-27 23:02:20 +00:00 · 2022-01-13 15:04:05 +00:00 · 2022-01-13 15:04:05 +00:00 · f5c826b962
commit f5c826b962
parent 90fdceb124
8 changed files with 174 additions and 57 deletions
--- a/browser/modules/Sanitizer.jsm
+++ b/browser/modules/Sanitizer.jsm
@ -513,7 +513,7 @@ var Sanitizer = {
          Ci.nsIClearDataService.CLEAR_PERMISSIONS |
            Ci.nsIClearDataService.CLEAR_CONTENT_PREFERENCES |
            Ci.nsIClearDataService.CLEAR_DOM_PUSH_NOTIFICATIONS |
-            Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS |
+            Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE |
            Ci.nsIClearDataService.CLEAR_CERT_EXCEPTIONS
        );
        TelemetryStopwatch.finish("FX_SANITIZE_SITESETTINGS", refObj);
@ -985,7 +985,6 @@ async function sanitizeSessionPrincipal(progress, principal) {
      Ci.nsIClearDataService.CLEAR_ALL_CACHES |
        Ci.nsIClearDataService.CLEAR_COOKIES |
        Ci.nsIClearDataService.CLEAR_DOM_STORAGES |
-        Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS |
        Ci.nsIClearDataService.CLEAR_EME,
      resolve
    );
--- a/browser/modules/SiteDataManager.jsm
+++ b/browser/modules/SiteDataManager.jsm
@ -510,7 +510,6 @@ var SiteDataManager = {
      const kFlags =
        Ci.nsIClearDataService.CLEAR_COOKIES |
        Ci.nsIClearDataService.CLEAR_DOM_STORAGES |
-        Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS |
        Ci.nsIClearDataService.CLEAR_EME |
        Ci.nsIClearDataService.CLEAR_ALL_CACHES;
      promises.push(
@ -646,7 +645,7 @@ var SiteDataManager = {
      Services.clearData.deleteData(
        Ci.nsIClearDataService.CLEAR_COOKIES |
          Ci.nsIClearDataService.CLEAR_DOM_STORAGES |
-          Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS |
+          Ci.nsIClearDataService.CLEAR_HSTS |
          Ci.nsIClearDataService.CLEAR_EME,
        resolve
      );
--- a/mobile/android/modules/geckoview/GeckoViewStorageController.jsm
+++ b/mobile/android/modules/geckoview/GeckoViewStorageController.jsm
@ -68,12 +68,15 @@ const ClearFlags = [
    1 << 7,
    Ci.nsIClearDataService.CLEAR_CONTENT_PREFERENCES |
      Ci.nsIClearDataService.CLEAR_DOM_PUSH_NOTIFICATIONS |
-      Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS,
+      // former a part of SECURITY_SETTINGS_CLEANER
+      Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,
  ],
  [
    // SITE_DATA
    1 << 8,
    Ci.nsIClearDataService.CLEAR_EME,
+    // former a part of SECURITY_SETTINGS_CLEANER
+    Ci.nsIClearDataService.CLEAR_HSTS,
  ],
  [
    // ALL
--- a/toolkit/components/antitracking/PurgeTrackerService.jsm
+++ b/toolkit/components/antitracking/PurgeTrackerService.jsm
@ -205,7 +205,7 @@ PurgeTrackerService.prototype = {
        Ci.nsIClearDataService.CLEAR_ALL_CACHES |
          Ci.nsIClearDataService.CLEAR_COOKIES |
          Ci.nsIClearDataService.CLEAR_DOM_STORAGES |
-          Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS |
+          Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE |
          Ci.nsIClearDataService.CLEAR_EME |
          Ci.nsIClearDataService.CLEAR_MEDIA_DEVICES |
          Ci.nsIClearDataService.CLEAR_STORAGE_ACCESS |
--- a/toolkit/components/cleardata/ClearDataService.jsm
+++ b/toolkit/components/cleardata/ClearDataService.jsm
@ -1127,21 +1127,8 @@ const PreferencesCleaner = {
  },
 };

-const SecuritySettingsCleaner = {
+const ClientAuthRememberCleaner = {
  async deleteByHost(aHost, aOriginAttributes) {
-    let sss = Cc["@mozilla.org/ssservice;1"].getService(
-      Ci.nsISiteSecurityService
-    );
-    // Also remove HSTS information for subdomains by enumerating
-    // the information in the site security service.
-    for (let entry of sss.enumerate()) {
-      let hostname = entry.hostname;
-      if (Services.eTLD.hasRootDomain(hostname, aHost)) {
-        // This uri is used as a key to reset the state.
-        let uri = Services.io.newURI("https://" + hostname);
-        sss.resetState(uri, 0, entry.originAttributes);
-      }
-    }
    let cars = Cc[
      "@mozilla.org/security/clientAuthRememberService;1"
    ].getService(Ci.nsIClientAuthRememberService);
@ -1154,22 +1141,6 @@ const SecuritySettingsCleaner = {
  },

  async deleteByBaseDomain(aDomain) {
-    let sss = Cc["@mozilla.org/ssservice;1"].getService(
-      Ci.nsISiteSecurityService
-    );
-
-    // Remove HSTS information by enumerating entries of the site security
-    // service.
-    Array.from(sss.enumerate())
-      .filter(({ hostname, originAttributes }) =>
-        hasBaseDomain({ host: hostname, originAttributes }, aDomain)
-      )
-      .forEach(({ hostname, originAttributes }) => {
-        // This uri is used as a key to reset the state.
-        let uri = Services.io.newURI("https://" + hostname);
-        sss.resetState(uri, 0, originAttributes);
-      });
-
    let cars = Cc[
      "@mozilla.org/security/clientAuthRememberService;1"
    ].getService(Ci.nsIClientAuthRememberService);
@ -1207,6 +1178,53 @@ const SecuritySettingsCleaner = {
      .forEach(({ entryKey }) => cars.forgetRememberedDecision(entryKey));
  },

+  async deleteAll() {
+    let cars = Cc[
+      "@mozilla.org/security/clientAuthRememberService;1"
+    ].getService(Ci.nsIClientAuthRememberService);
+    cars.clearRememberedDecisions();
+  },
+};
+
+const HSTSCleaner = {
+  async deleteByHost(aHost, aOriginAttributes) {
+    let sss = Cc["@mozilla.org/ssservice;1"].getService(
+      Ci.nsISiteSecurityService
+    );
+    // Remove HSTS information for subdomains by enumerating
+    // the information in the site security service.
+    for (let entry of sss.enumerate()) {
+      let hostname = entry.hostname;
+      if (Services.eTLD.hasRootDomain(hostname, aHost)) {
+        // This uri is used as a key to reset the state.
+        let uri = Services.io.newURI("https://" + hostname);
+        sss.resetState(uri, 0, entry.originAttributes);
+      }
+    }
+  },
+
+  deleteByPrincipal(aPrincipal) {
+    return this.deleteByHost(aPrincipal.host, aPrincipal.originAttributes);
+  },
+
+  async deleteByBaseDomain(aDomain) {
+    let sss = Cc["@mozilla.org/ssservice;1"].getService(
+      Ci.nsISiteSecurityService
+    );
+
+    // Remove HSTS information by enumerating entries of the site security
+    // service.
+    Array.from(sss.enumerate())
+      .filter(({ hostname, originAttributes }) =>
+        hasBaseDomain({ host: hostname, originAttributes }, aDomain)
+      )
+      .forEach(({ hostname, originAttributes }) => {
+        // This uri is used as a key to reset the state.
+        let uri = Services.io.newURI("https://" + hostname);
+        sss.resetState(uri, 0, originAttributes);
+      });
+  },
+
  async deleteAll() {
    // Clear site security settings - no support for ranges in this
    // interface either, so we clearAll().
@ -1214,10 +1232,6 @@ const SecuritySettingsCleaner = {
      Ci.nsISiteSecurityService
    );
    sss.clearAll();
-    let cars = Cc[
-      "@mozilla.org/security/clientAuthRememberService;1"
-    ].getService(Ci.nsIClientAuthRememberService);
-    cars.clearRememberedDecisions();
  },
 };

@ -1398,6 +1412,11 @@ const FLAGS_MAP = [
    cleaners: [CSSCacheCleaner],
  },

+  {
+    flag: Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,
+    cleaners: [ClientAuthRememberCleaner],
+  },
+
  {
    flag: Ci.nsIClearDataService.CLEAR_DOWNLOADS,
    cleaners: [DownloadsCleaner, AboutHomeStartupCacheCleaner],
@ -1456,8 +1475,8 @@ const FLAGS_MAP = [
  },

  {
-    flag: Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS,
-    cleaners: [SecuritySettingsCleaner],
+    flag: Ci.nsIClearDataService.CLEAR_HSTS,
+    cleaners: [HSTSCleaner],
  },

  { flag: Ci.nsIClearDataService.CLEAR_EME, cleaners: [EMECleaner] },
--- a/toolkit/components/cleardata/SiteDataTestUtils.jsm
+++ b/toolkit/components/cleardata/SiteDataTestUtils.jsm
@ -405,7 +405,7 @@ var SiteDataTestUtils = {
          Ci.nsIClearDataService.CLEAR_MEDIA_DEVICES |
          Ci.nsIClearDataService.CLEAR_DOM_STORAGES |
          Ci.nsIClearDataService.CLEAR_PREDICTOR_NETWORK_DATA |
-          Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS |
+          Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE |
          Ci.nsIClearDataService.CLEAR_EME |
          Ci.nsIClearDataService.CLEAR_STORAGE_ACCESS,
        resolve
--- a/toolkit/components/cleardata/nsIClearDataService.idl
+++ b/toolkit/components/cleardata/nsIClearDataService.idl
@ -231,9 +231,9 @@ interface nsIClearDataService : nsISupports
  const uint32_t CLEAR_CONTENT_PREFERENCES = 1 << 15;

  /**
-   * Secure site settings
+   * Clear HSTS data
   */
-  const uint32_t CLEAR_SECURITY_SETTINGS = 1 << 16;
+    const uint32_t CLEAR_HSTS = 1 << 16;

  /**
   * Media plugin data
@ -270,6 +270,11 @@ interface nsIClearDataService : nsISupports
   */
  const uint32_t CLEAR_PREFLIGHT_CACHE = 1 << 23;

+  /**
+   * Forget descision about clients authentification certificate
+   */
+  const uint32_t CLEAR_CLIENT_AUTH_REMEMBER_SERVICE = 1 << 24;
+
  /**
   * Use this value to delete all the data.
   */
@ -284,7 +289,7 @@ interface nsIClearDataService : nsISupports
   * Delete all the possible caches.
   */
  const uint32_t CLEAR_ALL_CACHES = CLEAR_NETWORK_CACHE | CLEAR_IMAGE_CACHE |
-    CLEAR_CSS_CACHE | CLEAR_PREFLIGHT_CACHE;
+    CLEAR_CSS_CACHE | CLEAR_PREFLIGHT_CACHE | CLEAR_HSTS;

  /**
   * Delete all DOM storages
@ -299,7 +304,7 @@ interface nsIClearDataService : nsISupports
    CLEAR_COOKIES | CLEAR_EME | CLEAR_DOWNLOADS | CLEAR_PASSWORDS |
    CLEAR_PERMISSIONS | CLEAR_DOM_STORAGES | CLEAR_CONTENT_PREFERENCES |
    CLEAR_PREDICTOR_NETWORK_DATA | CLEAR_DOM_PUSH_NOTIFICATIONS |
-    CLEAR_SECURITY_SETTINGS | CLEAR_REPORTS | CLEAR_CERT_EXCEPTIONS;
+    CLEAR_CLIENT_AUTH_REMEMBER_SERVICE | CLEAR_REPORTS | CLEAR_CERT_EXCEPTIONS;
 };

 /**
--- a/toolkit/components/cleardata/tests/unit/test_security_settings.js
+++ b/toolkit/components/cleardata/tests/unit/test_security_settings.js
@ -109,14 +109,16 @@ function testSecurityInfo({

 add_task(async function test_baseDomain() {
  gSSService.clearAll();
+
+  // ---- hsts cleaner ----
  addTestSecurityInfo();

-  // Clear security settings of example.net including partitions.
+  // Clear hsts data of example.net including partitions.
  await new Promise(aResolve => {
    Services.clearData.deleteDataFromBaseDomain(
      "example.net",
      false,
-      Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS,
+      Ci.nsIClearDataService.CLEAR_HSTS,
      aResolve
    );
  });
@ -124,13 +126,13 @@ add_task(async function test_baseDomain() {
  testSecurityInfo({
    host: "example.net",
    expectedHSTS: false,
-    expectedCARS: false,
+    expectedCARS: true,
  });
-  // SecuritySettingsCleaner also removes subdomain settings.
+  // HSTSCleaner also removes subdomain settings.
  testSecurityInfo({
    host: "test.example.net",
    expectedHSTS: false,
-    expectedCARS: false,
+    expectedCARS: true,
  });
  testSecurityInfo({ host: "example.org" });

@ -138,18 +140,63 @@ add_task(async function test_baseDomain() {
    host: "example.com",
    topLevelBaseDomain: "example.net",
    expectedHSTS: false,
-    expectedCARS: false,
+    expectedCARS: true,
  });
  testSecurityInfo({
    host: "example.net",
    topLevelBaseDomain: "example.org",
    expectedHSTS: false,
-    expectedCARS: false,
+    expectedCARS: true,
  });
  testSecurityInfo({
    host: "test.example.net",
    topLevelBaseDomain: "example.org",
    expectedHSTS: false,
+    expectedCARS: true,
+  });
+
+  // ---- client auth remember cleaner -----
+  addTestSecurityInfo();
+
+  // Clear security settings of example.net including partitions.
+  await new Promise(aResolve => {
+    Services.clearData.deleteDataFromBaseDomain(
+      "example.net",
+      false,
+      Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,
+      aResolve
+    );
+  });
+
+  testSecurityInfo({
+    host: "example.net",
+    expectedHSTS: true,
+    expectedCARS: false,
+  });
+  // ClientAuthRememberCleaner also removes subdomain settings.
+  testSecurityInfo({
+    host: "test.example.net",
+    expectedHSTS: true,
+    expectedCARS: false,
+  });
+  testSecurityInfo({ host: "example.org" });
+
+  testSecurityInfo({
+    host: "example.com",
+    topLevelBaseDomain: "example.net",
+    expectedHSTS: true,
+    expectedCARS: false,
+  });
+  testSecurityInfo({
+    host: "example.net",
+    topLevelBaseDomain: "example.org",
+    expectedHSTS: true,
+    expectedCARS: false,
+  });
+  testSecurityInfo({
+    host: "test.example.net",
+    topLevelBaseDomain: "example.org",
+    expectedHSTS: true,
    expectedCARS: false,
  });

@ -159,6 +206,8 @@ add_task(async function test_baseDomain() {

 add_task(async function test_host() {
  gSSService.clearAll();
+
+  // ---- HSTS cleaer ----
  addTestSecurityInfo();

  // Clear security settings of example.net without partitions.
@ -166,7 +215,7 @@ add_task(async function test_host() {
    Services.clearData.deleteDataFromHost(
      "example.net",
      false,
-      Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS,
+      Ci.nsIClearDataService.CLEAR_HSTS,
      aResolve
    );
  });
@ -174,7 +223,7 @@ add_task(async function test_host() {
  testSecurityInfo({
    host: "example.net",
    expectedHSTS: false,
-    expectedCARS: false,
+    expectedCARS: true,
  });
  testSecurityInfo({
    host: "test.example.net",
@ -188,7 +237,7 @@ add_task(async function test_host() {
    host: "example.net",
    topLevelBaseDomain: "example.org",
    expectedHSTS: false,
-    expectedCARS: false,
+    expectedCARS: true,
  });
  testSecurityInfo({
    host: "test.example.net",
@ -199,4 +248,47 @@ add_task(async function test_host() {

  // Cleanup
  gSSService.clearAll();
+
+  // --- clientAuthRemember cleaner ---
+
+  addTestSecurityInfo();
+
+  // Clear security settings of example.net without partitions.
+  await new Promise(aResolve => {
+    Services.clearData.deleteDataFromHost(
+      "example.net",
+      false,
+      Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,
+      aResolve
+    );
+  });
+
+  testSecurityInfo({
+    host: "example.net",
+    expectedHSTS: true,
+    expectedCARS: false,
+  });
+  testSecurityInfo({
+    host: "test.example.net",
+    expectedHSTS: true,
+    expectedCARS: true,
+  });
+  testSecurityInfo({ host: "example.org" });
+
+  testSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" });
+  testSecurityInfo({
+    host: "example.net",
+    topLevelBaseDomain: "example.org",
+    expectedHSTS: true,
+    expectedCARS: false,
+  });
+  testSecurityInfo({
+    host: "test.example.net",
+    topLevelBaseDomain: "example.org",
+    expectedHSTS: true,
+    expectedCARS: true,
+  });
+
+  // Cleanup
+  gSSService.clearAll();
 });