In nsSiteSecurityService::GetKeyPinsForHostname (around https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSiteSecurityService.cpp#1164 ) it appears that the stores are checked: Persistent, Private, Preload. It seems to me the correct order should be: For Private Browsing: Private, (maybe) Persistent, Preload. (There are arguments to be had on both sides of the 'maybe'.) For 'Normal' browsing: Persistent, Preload. See also #1242226
Thanks, Tom. I feel like fixing bug 1242226 will address this (or, rather, when we fix that bug, we can incorporate this).
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1242226