Invalid Public Key Pins header warning due to using single instead of double quotes

RESOLVED INVALID

Core
Security: PSM
(Reporter: Jonny Barnes, Unassigned)

40 Branch
Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150402115824

Steps to reproduce:

I added a Public-Key-Pins header for my website https://jonnybarnes.uk


Actual results:

On Firefox Nightly for Linux I get a security warning in the console:

    This site specified an invalid Public-Key-Pins header.

There is no such warning on Firefox Nightly for Mac.

For reference I’m currently running build 20150402115824 on Linux and build 20150402115823 on Mac.

Comment 1

3 years ago
I see this error in the browser console using Nightly 2015-04-08 under all platforms, not just Linux: Win 7 64-bit, Ubuntu 12.04 32-bit and Mac OS X 10.9.5.
Component: Untriaged → Security: PSM
Product: Firefox → Core

Comment 2

3 years ago
Hi Jonny,

Thanks for the report. I see the warning on Dev Edition 41 on Windows as well.

This seems to be the header sent by your server:
> pin-sha256='YwLyi4nuVdn9W3LgJzl3RuWSa7Q2R4H02Uyn1yoxtl4='; pin-sha256='RVkKfDgqfEuAz1Ant86Jmlz27y272iicB9mnmYLgqAw='; max-age=604800; includeSubdomains; report-uri='https://report-uri.io/report/ce1a9be2dd118421243a76513ea701c5'
Notice that single quotes are used, instead of double quotes.

Assuming I'm reading https://tools.ietf.org/html/rfc7469#section-2.1 and https://tools.ietf.org/html/rfc7230#section-3.2.6 correctly, double quotes should be used here.

Could you modify the quotes from single quotes to double quotes to see if the header is now accepted?

Thanks.
Flags: needinfo?(jonny)
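The quoting rule from comment 2, worked through as an added example. This is illustrative code written for this bug, not Firefox's PSM parser and not anything the reporter posted; the function and class names (parse_hpkp, split_value, is_valid_hpkp, HpkpError) are this example's own. The two header values are the single-quoted one quoted in comment 2 and the double-quoted variant comment 3 describes; the validator applies the RFC 7469 section 2.1 grammar on top of RFC 7230 token / quoted-string, and the extra strictness it adds (rejecting duplicate non-pin directives, requiring two pins when max-age is non-zero) is labelled as its own choice in the comments.

```python
"""Strict Public-Key-Pins validator (RFC 7469 section 2.1 over RFC 7230 section 3.2.6).

Added example for this bug; not Firefox's own HPKP parser.
"""
import base64
import binascii
import re

# RFC 7230 tchar: note that "'" IS a tchar while "=" and "/" are NOT, so a
# single-quoted base64 pin such as 'YwLy...=' is neither a token nor a quoted-string.
TCHAR_CLASS = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN_RE = re.compile(rf"^{TCHAR_CLASS}+$")
# quoted-string = DQUOTE *( qdtext ) DQUOTE ; quoted-pair omitted for brevity
QUOTED_STRING_RE = re.compile(r'^"([\t \x21\x23-\x5B\x5D-\x7E]*)"$')

# Header values taken from comment 2 (single quotes) and comment 3 (double quotes).
SINGLE_QUOTED_HEADER = (
    "pin-sha256='YwLyi4nuVdn9W3LgJzl3RuWSa7Q2R4H02Uyn1yoxtl4='; "
    "pin-sha256='RVkKfDgqfEuAz1Ant86Jmlz27y272iicB9mnmYLgqAw='; "
    "max-age=604800; includeSubdomains; "
    "report-uri='https://report-uri.io/report/ce1a9be2dd118421243a76513ea701c5'"
)
DOUBLE_QUOTED_HEADER = (
    'pin-sha256="YwLyi4nuVdn9W3LgJzl3RuWSa7Q2R4H02Uyn1yoxtl4="; '
    'pin-sha256="RVkKfDgqfEuAz1Ant86Jmlz27y272iicB9mnmYLgqAw="; '
    "max-age=604800; includeSubdomains; "
    'report-uri="https://report-uri.io/report/ce1a9be2dd118421243a76513ea701c5"'
)


class HpkpError(ValueError):
    """Anything a UA should treat as an invalid Public-Key-Pins header."""


def split_value(raw):
    """Classify a directive-value as token or quoted-string; return (text, quoted)."""
    raw = raw.strip()
    m = QUOTED_STRING_RE.match(raw)
    if m:
        return m.group(1), True
    if TOKEN_RE.match(raw):
        return raw, False
    raise HpkpError(f"value is neither token nor quoted-string: {raw!r}")


def _require_value(name, has_value, raw_value):
    if not has_value:
        raise HpkpError(f"{name} requires a value")
    return split_value(raw_value)


def parse_hpkp(header):
    """Parse one Public-Key-Pins field value into pins, max_age, include_subdomains, report_uri."""
    result = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue  # the ABNF permits empty directive slots
        name, has_value, raw_value = directive.partition("=")
        name = name.strip()
        if not TOKEN_RE.match(name):
            raise HpkpError(f"bad directive name: {name!r}")
        lname = name.lower()  # directive names are case-insensitive
        if lname.startswith("pin-"):
            # pin-directive = "pin-" token "=" quoted-string : the value MUST be double-quoted
            value, quoted = _require_value(name, has_value, raw_value)
            if not quoted:
                raise HpkpError(f"{name} value must be a quoted-string: {raw_value.strip()!r}")
            if lname != "pin-sha256":
                continue  # only sha256 is defined; unknown pin algorithms are skipped
            try:
                digest = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError) as exc:
                raise HpkpError(f"pin is not base64: {value!r}") from exc
            if len(digest) != 32:
                raise HpkpError(f"pin-sha256 must decode to 32 bytes, got {len(digest)}")
            result["pins"].append(digest)
            continue
        if lname in seen:
            raise HpkpError(f"duplicate directive: {name}")  # conservative choice of this example
        seen.add(lname)
        if lname == "max-age":
            value, _ = _require_value(name, has_value, raw_value)
            if not (value.isascii() and value.isdigit()):
                raise HpkpError(f"max-age must be delta-seconds: {value!r}")
            result["max_age"] = int(value)
        elif lname == "includesubdomains":
            if has_value:
                raise HpkpError("includeSubDomains takes no value")
            result["include_subdomains"] = True
        elif lname == "report-uri":
            value, quoted = _require_value(name, has_value, raw_value)
            if not quoted:
                raise HpkpError("report-uri value must be a quoted-string")
            result["report_uri"] = value
        # unrecognized directives are ignored, as RFC 7469 requires
    if result["max_age"] is None:
        raise HpkpError("max-age is required")
    # Simplification: a backup pin is one that does not match the served chain; without the
    # chain we only check that at least two pins are present when pins would be noted.
    if result["max_age"] > 0 and len(result["pins"]) < 2:
        raise HpkpError("need at least two pins (one must be a backup pin)")
    return result


def is_valid_hpkp(header):
    """True when parse_hpkp accepts the header, False when it would be rejected."""
    try:
        parse_hpkp(header)
    except HpkpError:
        return False
    return True


if __name__ == "__main__":
    for label, hdr in (("single quotes", SINGLE_QUOTED_HEADER), ("double quotes", DOUBLE_QUOTED_HEADER)):
        try:
            parsed = parse_hpkp(hdr)
            print(f"{label}: accepted, {len(parsed['pins'])} pins, max-age {parsed['max_age']}")
        except HpkpError as exc:
            print(f"{label}: rejected ({exc})")
```

Running the block prints that the single-quoted header is rejected at the first pin value and the double-quoted one is accepted with two pins. The detail worth remembering is that the apostrophe itself is legal in a token, so the failure is not "wrong quote character" in the abstract: the value `'YwLy...='` is rejected because it contains `=`, which is not a tchar, and because HPKP additionally requires pin and report-uri values to be quoted-strings, which start only with DQUOTE.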
(Reporter)

Comment 3

3 years ago
I've changed the header to use double quotes, and the error message seems to have disappeared from the error console.

Is that the case for you as well Cykesiopka?
Flags: needinfo?(jonny) → needinfo?(cykesiopka.bmo)

Comment 4

3 years ago
Yes, it's the same here as well. Also, according to the Security tab of the DevTools, https://jonnybarnes.uk now has HPKP enabled.
Flags: needinfo?(cykesiopka.bmo)
OS: Linux → All
Hardware: x86_64 → All
Summary: Invalid Public Key Pins header warning, but only on Linux → Invalid Public Key Pins header warning due to using single instead of double quotes
(Reporter)

Comment 5

3 years ago
So was this all caused by using single quotes instead of double quotes?

Comment 6

3 years ago
(In reply to Jonny Barnes from comment #5)
> So was this all caused by using single quotes instead of double quotes?

Seems to be the case.

I don't know if we want to allow single quotes (at the moment, probably not), but FWIW I'm working on patches that will hopefully make HSTS and HPKP error messages in the console more specific.

Comment 7

3 years ago
Just so this bug doesn't stay open forever - is allowing single quotes something we want?
Flags: needinfo?(dkeeler)

Comment 8

3 years ago
I think it's best to follow the spec here. We can change the spec if we determine it's beneficial.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → INVALID