User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0 Build ID: 20150402115824
Steps to reproduce: I added a Public-Key-Pins header for my website https://jonnybarnes.uk
Actual results: On Firefox Nightly for Linux I get a security warning in the console: This site specified an invalid Public-Key-Pins header. There is no such warning on Firefox Nightly for Mac. For reference I’m currently running build 20150402115824 on Linux and build 20150402115823 on Mac.
I see this error in browser console using Nightly 2015-04-08 under all platforms, not just Linux: Win 7 64-bit, Ubuntu 12.04 32-bit and Mac OS X 10.9.5.
Component: Untriaged → Security: PSM
Product: Firefox → Core
Hi Jonny, Thanks for the report. I see the warning on Dev Edition 41 on Windows as well. This seems to be the header sent by your server:
> pin-sha256='YwLyi4nuVdn9W3LgJzl3RuWSa7Q2R4H02Uyn1yoxtl4='; pin-sha256='RVkKfDgqfEuAz1Ant86Jmlz27y272iicB9mnmYLgqAw='; max-age=604800; includeSubdomains; report-uri='https://report-uri.io/report/ce1a9be2dd118421243a76513ea701c5'
Notice that single quotes are used, instead of double quotes. Assuming I'm reading https://tools.ietf.org/html/rfc7469#section-2.1 and https://tools.ietf.org/html/rfc7230#section-3.2.6 correctly, double quotes should be used here. Could you modify the quotes from single quotes to double quotes to see if the header is now accepted? Thanks.
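A small checker for the quoting rule raised in the comment above, added here as an example and not code from this bug or from Firefox: it applies the RFC 7230 quoted-string form that RFC 7469 §2.1 requires for pin values to the header quoted in comment 1 and to its double-quoted fix. It assumes report-uri also takes a quoted-string, which is how the header on this page uses it.

```python
import base64
import re
# Header quoted in comment 1 of this bug (single quotes) and its corrected form.
BAD_HEADER = ("pin-sha256='YwLyi4nuVdn9W3LgJzl3RuWSa7Q2R4H02Uyn1yoxtl4='; "
              "pin-sha256='RVkKfDgqfEuAz1Ant86Jmlz27y272iicB9mnmYLgqAw='; "
              "max-age=604800; includeSubdomains; "
              "report-uri='https://report-uri.io/report/ce1a9be2dd118421243a76513ea701c5'")
GOOD_HEADER = BAD_HEADER.replace("'", '"')
# RFC 7230 quoted-string: DQUOTE *( qdtext / quoted-pair ) DQUOTE (ASCII subset).
_QUOTED = re.compile(r'^"((?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*)"$')

def check_pkp_header(value):
    """Return (ok, problems, pins) for a Public-Key-Pins header field value."""
    problems, pins, max_age = [], [], None
    for raw in value.split(";"):
        part = raw.strip()
        if not part:                       # the grammar allows empty directives
            continue
        name, _, val = part.partition("=") # split on the first "=" only
        name, val = name.strip().lower(), val.strip()
        if name == "pin-sha256":           # RFC 7469 2.1.1: "pin-" token "=" quoted-string
            m = _QUOTED.match(val)
            if not m:
                problems.append(f"{name}: value must be a double-quoted string, got {val}")
                continue
            try:
                digest = base64.b64decode(m.group(1), validate=True)
            except ValueError:
                problems.append(f"{name}: not valid base64: {m.group(1)}")
                continue
            if len(digest) != 32:
                problems.append(f"{name}: decoded pin is {len(digest)} bytes, expected 32")
            pins.append(m.group(1))
        elif name == "max-age":            # delta-seconds token
            if val.isdigit():
                max_age = int(val)
            else:
                problems.append(f"max-age: expected digits, got {val}")
        elif name == "report-uri":         # assumed quoted-string, as in the bug's header
            if not _QUOTED.match(val):
                problems.append(f"report-uri: value must be a double-quoted string, got {val}")
        elif name == "includesubdomains":  # directive names are case-insensitive
            if val:
                problems.append("includeSubDomains takes no value")
        # unrecognised directives are ignored, as RFC 7469 requires of clients
    if max_age is None:
        problems.append("max-age directive is required")
    if len(pins) < 2:
        problems.append("at least two pins (one backup) are required")
    return (not problems, problems, pins)
```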
I've changed the header to use double quotes, and the error message seems to have disappeared from the error console. Is that the case for you as well Cykesiopka?
Flags: needinfo?(jonny) → needinfo?(cykesiopka.bmo)
Yes, it's the same here as well. Also, according to the Security tab of the DevTools, https://jonnybarnes.uk now has HPKP enabled.
OS: Linux → All
Hardware: x86_64 → All
Summary: Invalid Public Key Pins header warning, but only on Linux → Invalid Public Key Pins header warning due to using single instead of double quotes
So was this all caused by using single quotes instead of double quotes?
(In reply to Jonny Barnes from comment #5)
> So was this all caused by using single quotes instead of double quotes?
Seems to be the case. I don't know if we want to allow single quotes (at the moment, probably not), but FWIW I'm working on patches that will hopefully make HSTS and HPKP error messages in the console more specific.
Just so this bug doesn't stay open forever - is allowing single quotes something we want?
I think it's best to follow the spec here. We can change the spec if we determine it's beneficial.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID