Closed Bug 1350599 Opened 6 years ago Closed 6 years ago

Rewrite test_sts_preloadlist_perwindowpb.js and friends to not depend on or any other domain that can ever be removed from the HSTS preload list


(Core :: Security: PSM, defect, P1)

54 Branch



Tracking Status
firefox-esr52 --- fixed
firefox54 --- fixed
firefox55 --- fixed


(Reporter: philor, Assigned: Cykesiopka)



(Whiteboard: [psm-assigned])


(2 files)

As says, we have a set of tests that depend on having,, and included in the preload list.

Surprisingly, persona was not the one of those to break first (the "service has shut down" page apparently still pointlessly includes the hsts header), but because is currently mitigating an attack by sending strangers to hardhat.cdn.whatevertherestofthatis, the automatic updates of the preload list have removed, resulting in permaorange in test_sts_preloadlist_perwindowpb.js, test_sts_preloadlist_selfdestruct.js, test_sss_readstate.js, and test_sss_readstate_empty.js.

That's a great big party foul, having your test depend on hitting an external site over the network, even if the external site access is done in a separate task from the actual test run, so I'm disabling those tests on esr45/esr52/aurora/mozilla-central (even though they haven't yet broken on mozilla-central since updates are separately broken there).

Not sure what the clean solution is, since the only things guaranteed to remain on the list are "pins": "google", which leaves you at the mercy of Google not deciding to remove or something less imaginable like losing a trademark battle and losing control of
Pushed by
disable hsts tests which depend on always being in the preload list, a=bustage
Indeed, making these assumptions was not the best idea.

Anyways, a solution that will work is to have the preload script always insert some test entries that we can then use in tests. This is what the HPKP script already does.
Assignee: nobody → cykesiopka.bmo
Priority: -- → P1
Whiteboard: [psm-assigned]
Depends on: 1350868
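The approach proposed in the comment above (have the list generator always insert entries reserved for tests) can be sketched as follows. This is an added example, not the preload script or the patch from this bug; the function names, the scan-result format and the `.test` / `.example` host names are assumptions constructed for illustration.

```javascript
// Added illustration: every name and host below is constructed, not Mozilla's.
// The .test TLD is reserved for testing (RFC 6761) and is not delegated in the
// public DNS, so no real site operator can change or remove these entries.
const TEST_ENTRIES = [
  { name: "includesubdomains.preloaded.test", includeSubdomains: true },
  { name: "noincludesubdomains.preloaded.test", includeSubdomains: false },
];

// Simplified model of an automated list update: a real host stays on the list
// only while the scan still sees it sending an HSTS header.
function buildPreloadList(scanResults) {
  const list = new Map();
  for (const r of scanResults) {
    if (r.hstsHeaderSeen) {
      list.set(r.name.toLowerCase(), r.includeSubdomains);
    }
  }
  // Test entries are inserted unconditionally, after the scan results.
  for (const t of TEST_ENTRIES) {
    list.set(t.name, t.includeSubdomains);
  }
  return list;
}

// A host is preloaded if it is listed itself, or if a parent domain is listed
// with includeSubdomains set.
function isPreloaded(list, host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate) && (i === 0 || list.get(candidate) === true)) {
      return true;
    }
  }
  return false;
}

// Constructed scan: site-a.example has stopped sending the header.
const SAMPLE_SCAN = [
  { name: "site-a.example", hstsHeaderSeen: false, includeSubdomains: true },
  { name: "site-b.example", hstsHeaderSeen: true, includeSubdomains: true },
];
const sampleList = buildPreloadList(SAMPLE_SCAN);

// A test written against site-a.example breaks on this update; one written
// against the reserved entries keeps passing.
console.log(isPreloaded(sampleList, "site-a.example"));
console.log(isPreloaded(sampleList, "sub.includesubdomains.preloaded.test"));
console.log(isPreloaded(sampleList, "sub.noincludesubdomains.preloaded.test"));
```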
Comment on attachment 8851623 [details]
Bug 1350599 - Use guaranteed preloaded test domains instead of real domains in HSTS tests.

Great - thanks.
Attachment #8851623 - Flags: review?(dkeeler) → review+
(As a gentle reminder, the changes in Bug 1350868 need to land first.)
Keywords: checkin-needed
Pushed by
Use guaranteed preloaded test domains instead of real domains in HSTS tests. r=keeler
Keywords: checkin-needed
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
This is the ESR 52 version of the patch.
Attachment #8854954 - Flags: review+
is test only and should be uplifted to Aurora.
is test only and should be uplifted to ESR 52.

Whiteboard: [psm-assigned] → [psm-assigned][checkin-needed-aurora][checkin-needed-esr52]
Whiteboard: [psm-assigned][checkin-needed-aurora][checkin-needed-esr52] → [psm-assigned][checkin-needed-esr52]
Whiteboard: [psm-assigned][checkin-needed-esr52] → [psm-assigned]