Open Bug 1474657 Opened 6 years ago Updated 3 years ago

browser.webRequest.getSecurityInfo() returns undefined when called in browser.webRequest.onErrorOccurred

Categories: WebExtensions :: Request Handling, defect, P3

Tracking: Not tracked

People: Reporter: April, Unassigned

Keywords: dev-doc-complete

As far as I can tell, it is not possible to trigger state === "broken" and get the (possibly invalid) certificate chain via browser.webRequest.getSecurityInfo() when an HTTPS error has occurred, without allowing a security exception. This is pretty dangerous behavior to encourage.

I'm not sure exactly what the underlying issue is, but it could be:

* browser.webRequest.getSecurityInfo() can only be called in browser.webRequest.onHeadersReceived, but HTTPS errors trigger the onErrorOccurred event, not onHeadersReceived

* the security information isn't available via the APIs that getSecurityInfo() calls when the browser is in this state

The correct behavior is probably:

1) Allow getSecurityInfo() to be called during onErrorOccurred
2) Return state === "broken"
3) Include a non-internationalized error code alongside the localized error message
4) Include the full certificate chain. Note that this data is generally only available if the error is certificate related, not protocol/cipher related.

I will add that the dev tools *don't* show any information at all if you are stuck at the error page interstitial. Here is what it returns in the security tab for expired.badssl.com:

An error occurred: SEC_ERROR_EXPIRED_CERTIFICATE.

It's kind of a side-effect of the way that API is implemented. It piggybacks on the channel registration we use for response data filtering, and we clear those registrations when data streaming starts or the channel closes.

Flags: needinfo?(mixedpuppy)
Priority: -- → P2

I'm going to have to think about how to address this.

Assignee: nobody → mixedpuppy
Flags: needinfo?(mixedpuppy)

Can't write documentation until the issue has been addressed. If it has been addressed elsewhere, can you add a link to the issue?

Please let me know when this is ready to be addressed.

Flags: needinfo?(mixedpuppy)

Irene, the doc change that can be done now is to note that getSecurityInfo is currently only available in webRequest.onHeadersReceived.

Flags: needinfo?(mixedpuppy) → needinfo?(ismith)

Indeed it is. Thanks!

Flags: needinfo?(ismith)
Assignee: mixedpuppy → nobody
Severity: normal → S3
Priority: P2 → P3
See Also: → 1499592
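
An added example, not code from this bug or from Firefox, showing the split the thread describes: certificate details are collected in a blocking onHeadersReceived listener, while failed connections can only be recorded from onErrorOccurred without a chain. The names `installTlsAudit` and `report` are hypothetical, and the API object is passed in as a parameter so the logic can be exercised with a stub.

```javascript
// Added example: `installTlsAudit` and `report` are hypothetical names.
// Needs the "webRequest" and "webRequestBlocking" permissions plus host access.
function installTlsAudit(api, report) {
  const filter = { urls: ["https://*/*"] };

  // getSecurityInfo() only works inside a blocking onHeadersReceived listener.
  api.webRequest.onHeadersReceived.addListener(
    async (details) => {
      const info = await api.webRequest.getSecurityInfo(details.requestId, {
        certificateChain: true,
      });
      report({
        source: "onHeadersReceived",
        url: details.url,
        state: info ? info.state : "unavailable",
        chainLength: info && info.certificates ? info.certificates.length : 0,
      });
      return {}; // observe only, never modify or cancel the response
    },
    filter,
    ["blocking"]
  );

  // A failed handshake never reaches onHeadersReceived. Per this bug,
  // getSecurityInfo() is unavailable here, so the only signal is details.error.
  api.webRequest.onErrorOccurred.addListener((details) => {
    report({
      source: "onErrorOccurred",
      url: details.url,
      state: "unavailable",
      error: details.error, // browser-specific string, log it verbatim
      chainLength: 0,
    });
  }, filter);
}

// Inside an extension background script, wire it to the real API.
if (typeof browser !== "undefined") {
  installTlsAudit(browser, (record) => console.log(JSON.stringify(record)));
}
```

Records with `source: "onErrorOccurred"` mark connections whose certificate chain could not be inspected, which is the gap this bug tracks.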