Status

()

defect
P1
normal
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: catlee, Assigned: keeler)

Tracking

Trunk
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr45 unaffected, firefox50 fixed, firefox51 fixed)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 attachment)

Depends on: 1295268
Component: Security → Security: PSM
Priority: -- → P2
Whiteboard: [psm-backlog]
Assignee: nobody → dkeeler
Priority: P2 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
Comment on attachment 8785460 [details]
bug 1298056 - fix HSTS preload update script so it will continue when requests result in errors

https://reviewboard.mozilla.org/r/74648/#review72514

LGTM. One question attached.

::: security/manager/tools/getHSTSPreloadList.js:186
(Diff revision 1)
>    var uri = "https://" + host.name + "/";
>    req.open("GET", uri, true);
>    req.timeout = REQUEST_TIMEOUT;
>    req.channel.notificationCallbacks = new RedirectAndAuthStopper();
> +
> +  let errorhandler = (evt) => {

Is there any value in printing something from `evt` to identify what went wrong with said host?
Attachment #8785460 - Flags: review?(jjones) → review+
Comment on attachment 8785460 [details]
bug 1298056 - fix HSTS preload update script so it will continue when requests result in errors

https://reviewboard.mozilla.org/r/74648/#review72514

> Is there any value in printing something from `evt` to identify what went wrong with said host?

Sure - sounds good.
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/1645acdb3e67
fix HSTS preload update script so it will continue when requests result in errors r=jcj DONTBUILD NPOTB a=KWierso
(There's more work to do here, such as to verify that this actually did fix it in production and then uplift the changes to the other branches to fix them too.)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Comment on attachment 8785460 [details]
bug 1298056 - fix HSTS preload update script so it will continue when requests result in errors

Looks like the patch worked as expected: https://people.mozilla.org/~dkeeler/hstscanary/

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: this is an important component of an essential security feature (the HSTS preload list)
User impact if declined: no first-connection HSTS protection for sites that we know should be HSTS
Fix Landed on Version: 51
Risk to taking this patch (and alternatives if risky): extremely low - it's not part of the build
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8785460 - Flags: approval-mozilla-esr45?
Attachment #8785460 - Flags: approval-mozilla-aurora?
Comment on attachment 8785460 [details]
bug 1298056 - fix HSTS preload update script so it will continue when requests result in errors

NPTOB, Aurora50+, ESR45+
Attachment #8785460 - Flags: approval-mozilla-esr45?
Attachment #8785460 - Flags: approval-mozilla-esr45+
Attachment #8785460 - Flags: approval-mozilla-aurora?
Attachment #8785460 - Flags: approval-mozilla-aurora+
Turns out https://hg.mozilla.org/mozilla-central/rev/59ddf661a7ee from bug 709991 caused this. Since that only landed on 50, this doesn't affect esr-45.
You need to log in before you can comment on or make changes to this bug.