Closed
Bug 1350868
Opened 7 years ago
Closed 7 years ago
Make HSTS preload script preload test domains for use in tests
Categories
(Core :: Security: PSM, defect, P1)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: Cykesiopka, Assigned: Cykesiopka)
References
Details
(Whiteboard: [psm-assigned])
Attachments
(3 files)
59 bytes,
text/x-review-board-request
|
keeler
:
review+
jcristau
:
approval-mozilla-aurora+
jcristau
:
approval-mozilla-esr52+
|
Details |
59 bytes,
text/x-review-board-request
|
keeler
:
review+
|
Details |
17.65 KB,
application/x-javascript
|
Details |
Several of our HSTS tests require preloaded domain with specific characteristics. In some of these tests, our solution was to pick some real preloaded domains that we assumed would always have the same characteristics. Bug 1350599 shows that this was not the best idea. Instead, a better solution is to modify the HSTS preload script so that it always inject test domains into the preload list. We can then use these domains in our tests and be 100% certain the domains will have the desired characteristics.
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 3•7 years ago
|
||
This was the modified HSTS preload script I used to generate attachment 8851612 [details] / the nsSTSPreloadList.inc update.
Comment 4•7 years ago
|
||
mozreview-review |
Comment on attachment 8851611 [details] Bug 1350868 - Make HSTS preload script preload test domains for use in tests. https://reviewboard.mozilla.org/r/123878/#review126490 Sounds good. Thanks for jumping on this. ::: security/manager/tools/getHSTSPreloadList.js:454 (Diff revision 1) > + for (let testEntry of TEST_ENTRIES) { > + hstsStatuses.push({ > + name: testEntry.name, > + maxAge: MINIMUM_REQUIRED_MAX_AGE, > + includeSubdomains: testEntry.includeSubdomains, > + error: ERROR_NONE, Might add a comment that this deliberately doesn't have a value for `retries` (because we should never attempt to connect to this host)
Attachment #8851611 -
Flags: review?(dkeeler) → review+
Comment 5•7 years ago
|
||
mozreview-review |
Comment on attachment 8851612 [details] Bug 1350868 - Semi-manually update nsSTSPreloadList.inc to include test domains. https://reviewboard.mozilla.org/r/123880/#review126492
Attachment #8851612 -
Flags: review?(dkeeler) → review+
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 8•7 years ago
|
||
Thanks! https://treeherder.mozilla.org/#/jobs?repo=try&revision=340c6e05b684cdbf967c3cf2110a931d7c1b9ea0
Keywords: checkin-needed
Pushed by philringnalda@gmail.com: https://hg.mozilla.org/integration/autoland/rev/73d180896413 Make HSTS preload script preload test domains for use in tests. r=keeler https://hg.mozilla.org/integration/autoland/rev/f2fc9e7b66db Semi-manually update nsSTSPreloadList.inc to include test domains. r=keeler
Keywords: checkin-needed
Comment 10•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/73d180896413 https://hg.mozilla.org/mozilla-central/rev/f2fc9e7b66db
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Assignee | ||
Comment 11•7 years ago
|
||
Comment on attachment 8851611 [details] Bug 1350868 - Make HSTS preload script preload test domains for use in tests. If necessary, see https://wiki.mozilla.org/SecurityEngineering/HTTP_Strict_Transport_Security_(HSTS)_Preload_List for background on the preload script. Approval Request Comment [Feature/Bug causing the regression]: None. Long standing issue. [User impact if declined]: Some tests for the HSTS feature will stay disabled, which means we have less confidence in fixes if we ever have to uplift. [Is this code covered by automated tests?]: Not directly, but we have tests in m-c that depend on the functionality provided here, and those tests still pass. [Has the fix been verified in Nightly?]: Yes. At least two periodic updates have happened on m-c with the changes here included. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: No. [Why is the change risky/not risky?]: Change itself is NPOTB. The code itself has already been verified to work for the m-c periodic update cycle. [String changes made/needed]: None.
Attachment #8851611 -
Flags: approval-mozilla-esr52?
Attachment #8851611 -
Flags: approval-mozilla-aurora?
Comment 12•7 years ago
|
||
Comment on attachment 8851611 [details] Bug 1350868 - Make HSTS preload script preload test domains for use in tests. add test domains to hsts preload script, esr52+, aurora54+
Attachment #8851611 -
Flags: approval-mozilla-esr52?
Attachment #8851611 -
Flags: approval-mozilla-esr52+
Attachment #8851611 -
Flags: approval-mozilla-aurora?
Attachment #8851611 -
Flags: approval-mozilla-aurora+
Updated•7 years ago
|
status-firefox54:
--- → affected
status-firefox-esr52:
--- → affected
Comment 13•7 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-esr52/rev/ddd6c44790c0
Comment 14•7 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-aurora/rev/18015fe9a21f
Comment 15•7 years ago
|
||
Setting qe-verify- based on Cykesiopka's assessment on manual testing needs (see Comment 11). David, Cykesiopka, if you think manual testing would in fact be of value here, feel free to flip the flag or ni? me directly.
Flags: qe-verify-
You need to log in
before you can comment on or make changes to this bug.
Description
•