Bug 1014414
Opened 11 years ago
Closed 11 years ago
Be more verbose as to why the user can't override a "connection is untrusted" dialog.
Categories: Core :: Security: PSM, defect
Status: RESOLVED DUPLICATE of bug 800882
People: Reporter: glandium, Unassigned
Attachments: 1 file (71.05 KB, image/png)
+++ This bug was initially created as a clone of Bug #1014387 +++
See bug 1014387 as to how this started.
Considering this is all the result of a combination of how the server is badly configured, and what HSTS tells us, I'm fine-ish with the outcome.
But the "Technical details" could at the very least say why there's no way out, being that the domain requests strict transport security, and where that comes from (the server requesting it or our own preload list).
Comment 1 • 11 years ago
If we're talking about the same security exception dialog as the one in bug 659736, then as far as I followed the code (not too closely in these areas) and noticed myself at the actual dialog, it always shows the button and always shows the reason, and differently according to one of the following flags:
WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_UNTRUSTED
WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_DOMAIN
WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_TIME
Comment 2 • 11 years ago (Reporter)
(In reply to Avi Halachmi (:avih) from comment #1)
> If we're talking about the same security exception dialog as the one in bug
> 659736, then as far as I followed the code (not too closely in these areas)
> and noticed myself at the actual dialog, it always shows the button and
> always shows the reason, (...)
Cf. screenshot, the reason is obscure and doesn't say anything about HSTS, and the button is not there.
Comment 3 • 11 years ago (Reporter)
Also, it's not possible to see the certificate and what part of the chain is missing...
Comment 4 • 11 years ago
(In reply to Mike Hommey [:glandium] from comment #2)
> Screenshot
Ah, I _think_ that's not considered the exception dialog but rather the exception page/notice, which should hopefully allow you to launch the dialog to view more details, add/confirm an exception for it etc.
While I believe it should use the same kind of flags, I never looked at the code which displays this page.
Also, it does give a reason, at least for the error.
So this bug could be one or several issues:
- incorrect reason
- not high resolution enough reason
- missing reason for not allowing to launch the exception dialog
- not being able to launch the exception dialog
Comment 5 • 11 years ago
While bug 659736 is about the dialog itself after it's launched, which has the "confirm" etc. buttons disabled, and some related side effect bug where it does show the button and you can confirm the exception, yet you end up again at this error notice/page (from which you could launch the dialog and goto 10).
Comment 6 • 11 years ago
Thanks for filing this, Mike. My understanding is bug 800882 aims to do the same thing (unless you're intending that this be for more than just HSTS).
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE