Closed Bug 759010 Opened 12 years ago Closed 12 years ago

providers from origins with invalid, expired or missing certificates still get installed.

Categories

(Firefox Graveyard :: SocialAPI, defect)

Product:
Firefox Graveyard
Component:
SocialAPI
Platform:
x86_64
Windows Vista
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: markh, Assigned: markh)

Details

Attachments

(1 file)

Check the SSL status of the manifest host
2.63 KB, patch
mixedpuppy
: review+
Details | Diff | Splinter Review 
They are silently installed - at a minimum they should only be installed after a scary warning.

self-signed certs are another interesting case, but maybe that is different enough it should be in a new bug (or just allowed?)

This is tested in browser_registry.js and currently marked as a "known failure".
My suggestion for now is to silently reject any manifest on a domain where the cert fails, include a bypass with the social.provider.devmode preference so we can test with our presumably self-signed mochitest server.  We should then revisit this to see if it is worth having UX to deal with this.

mcoates: what do you think?
Severity: normal → major
A patch that makes the tests work.  The mochi server seems to have a real cert (or manages to pretend it does) so the devmode pref doesn't seem necessary at the moment.
Assignee: nobody → mhammond
Attachment #627831 - Flags: review?(mixedpuppy)
Comment on attachment 627831 [details] [diff] [review]
Check the SSL status of the manifest host

still would like to be able to pref this off for development
Attachment #627831 - Flags: review?(mixedpuppy) → review+
Fixed in git as [develop a3a0bcc]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: