Closed Bug 1298056 Opened 4 years ago Closed 4 years ago

Periodic HSTS updates hanging

Categories

(Core :: Security: PSM, defect, P1)

defect

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr45 --- unaffected
firefox50 --- fixed
firefox51 --- fixed

People

(Reporter: catlee, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Depends on: 1295268
Component: Security → Security: PSM
Priority: -- → P2
Whiteboard: [psm-backlog]
Assignee: nobody → dkeeler
Priority: P2 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
Comment on attachment 8785460 [details]
bug 1298056 - fix HSTS preload update script so it will continue when requests result in errors

https://reviewboard.mozilla.org/r/74648/#review72514

LGTM. One question attached.

::: security/manager/tools/getHSTSPreloadList.js:186
(Diff revision 1)
>    var uri = "https://" + host.name + "/";
>    req.open("GET", uri, true);
>    req.timeout = REQUEST_TIMEOUT;
>    req.channel.notificationCallbacks = new RedirectAndAuthStopper();
> +
> +  let errorhandler = (evt) => {

Is there any value in printing something from `evt` to identify what went wrong with said host?
Attachment #8785460 - Flags: review?(jjones) → review+
Comment on attachment 8785460 [details]
bug 1298056 - fix HSTS preload update script so it will continue when requests result in errors

https://reviewboard.mozilla.org/r/74648/#review72514

> Is there any value in printing something from `evt` to identify what went wrong with said host?

Sure - sounds good.
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/1645acdb3e67
fix HSTS preload update script so it will continue when requests result in errors r=jcj DONTBUILD NPOTB a=KWierso
(There's more work to do here, such as to verify that this actually did fix it in production and then uplift the changes to the other branches to fix them too.)
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Comment on attachment 8785460 [details]
bug 1298056 - fix HSTS preload update script so it will continue when requests result in errors

Looks like the patch worked as expected: https://people.mozilla.org/~dkeeler/hstscanary/

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: this is an important component of an essential security feature (the HSTS preload list)
User impact if declined: no first-connection HSTS protection for sites that we know should be HSTS
Fix Landed on Version: 51
Risk to taking this patch (and alternatives if risky): extremely low - it's not part of the build
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8785460 - Flags: approval-mozilla-esr45?
Attachment #8785460 - Flags: approval-mozilla-aurora?
Comment on attachment 8785460 [details]
bug 1298056 - fix HSTS preload update script so it will continue when requests result in errors

NPTOB, Aurora50+, ESR45+
Attachment #8785460 - Flags: approval-mozilla-esr45?
Attachment #8785460 - Flags: approval-mozilla-esr45+
Attachment #8785460 - Flags: approval-mozilla-aurora?
Attachment #8785460 - Flags: approval-mozilla-aurora+
Turns out https://hg.mozilla.org/mozilla-central/rev/59ddf661a7ee from bug 709991 caused this. Since that only landed on 50, this doesn't affect esr-45.
You need to log in before you can comment on or make changes to this bug.