Closed Bug 1218515 Opened 4 years ago Closed 4 years ago
Please preload pinning-test.badssl.com with a bogus pin.
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2541.0 Safari/537.36

Steps to reproduce:
1. Visit https://pinning-test.badssl.com/

Actual results:
The page loads.

Expected results:
Per , I'd like https://pinning-test.badssl.com to fail with an HPKP pinning failure (including subdomains). (See screenshot for Chrome Canary behaviour.)

In Chrome, we use the bogus pin `sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=` (although I'm about to change this to SHA256) and include subdomains for this domain.

https://github.com/lgarron/badssl.com/issues/15#issuecomment-151260202
https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.certs
https://crbug.com/368878
https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&q=pinning-test.badssl.com&sq=package:chromium&l=185
Component: Untriaged → Security: PSM
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
bug 1218515 - flip pinning-test.badssl.com into production mode r?jcj

pinning-test.badssl.com is a test domain for preloaded HPKP (HTTP Public Key Pinning - see RFC 7469). By specifying a pinset corresponding to no known keys, this domain should fail with a key pinning error by default. Also, the includeSubdomains option is set, so any subdomains should fail as well.
Attachment #8679110 - Flags: review?(jjones)
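The behaviour the commit message above describes, sketched as an added example (not code from Firefox, Chromium or badssl.com). The table layout, the function names and the all-zero SHA-256 pin are assumptions modelled on the bogus pin quoted in the report, and the SPKI byte strings are constructed stand-ins for real DER keys.

```python
import base64
import hashlib

# Hypothetical preload table modelled on the entry the commit message describes.
# The pin is the base64 of an all-zero SHA-256 digest, chosen to match no known key.
BOGUS_PIN = "sha256/" + base64.b64encode(bytes(32)).decode()
PRELOADED_PINS = {
    "pinning-test.badssl.com": {"pins": {BOGUS_PIN}, "include_subdomains": True},
}


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def find_entry(host: str):
    """Return the preload entry covering host: an exact match, or a parent
    domain whose entry sets include_subdomains. Matching is per DNS label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PRELOADED_PINS.get(".".join(labels[i:]))
        if entry and (i == 0 or entry["include_subdomains"]):
            return entry
    return None


def check_pins(host: str, chain_spkis: list) -> str:
    """Evaluate an already validated chain against the preload table.
    Returns "unpinned", "ok" or "pin-failure"."""
    entry = find_entry(host)
    if entry is None:
        return "unpinned"
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    # Pin validation passes if any key in the chain matches any pinned hash.
    return "ok" if chain_pins & entry["pins"] else "pin-failure"


# Constructed stand-ins for the DER SPKI of leaf, intermediate and root.
SAMPLE_CHAIN = [b"constructed-leaf-spki", b"constructed-intermediate-spki", b"constructed-root-spki"]

if __name__ == "__main__":
    for h in ("pinning-test.badssl.com", "a.b.pinning-test.badssl.com",
              "badssl.com", "xpinning-test.badssl.com"):
        print(h, "->", check_pins(h, SAMPLE_CHAIN))
```

The last two hosts come back unpinned: the entry covers subdomains of pinning-test.badssl.com only, and a name that merely ends in the same characters without a label boundary is not a subdomain.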
4 years ago
Assignee: nobody → dkeeler
Attachment #8679110 - Flags: review?(jjones) → review+
Comment on attachment 8679110
MozReview Request: bug 1218515 - flip pinning-test.badssl.com into production mode r?jcj
https://reviewboard.mozilla.org/r/23377/#review21033

LGTM
Thanks for the review! (Just so anyone following this is aware: this patch changes the input to the automated script that will actually make the code change when it runs this Saturday.)