Closed Bug 1484259 Opened Last year Closed Last year

In the new cert error pages it is possible to add a security exception in very small iframes

Categories

(Firefox :: Security, defect, P1)

defect

Tracking

()

RESOLVED FIXED
Firefox 63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 + fixed

People

(Reporter: johannh, Assigned: johannh)

References

Details

(Keywords: regression)

Attachments

(2 files)

To mitigate bug 633691, we are not allowing users to add certificate exceptions in iframes. We hide the button here: https://searchfox.org/mozilla-central/rev/246f2b4fab2c1a6cca99418bc2e4d73d1102cc38/browser/base/content/aboutNetError.js#121

Bug 1463759 broke this through an unfortunate collision in CSS styles with this rule: https://searchfox.org/mozilla-central/rev/246f2b4fab2c1a6cca99418bc2e4d73d1102cc38/browser/themes/shared/error-pages.css#52

We should fix that in the 63 cycle, but the harm is currently limited to Nightly since these pages are pref-ed off anywhere else by default.
[Tracking Requested - why for this release]:
We should make sure we don't ship this.
To be precise, this only affects iframe that are smaller in width than 480 pixels.
Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
Priority: P2 → P1
Summary: In the new cert error pages it is possible to add a security exception in iframes → In the new cert error pages it is possible to add a security exception in very small iframes
This CSS rule was conflicting with the "hidden" property that is being set on the
button when in an iframe. For now I just removed the rule and didn't see any obvious
breakage.
This is just a slightly modified copy of the one in BrowserTestUtils.
Comment on attachment 9002749 [details]
Bug 1484259 - Hide the "Add exception" in small iframe error pages. r=nhnt11

Nihanth Subramanya [:nhnt11] has approved the revision.
Attachment #9002749 - Flags: review+
Comment on attachment 9003115 [details]
Bug 1484259 - Add is_hidden and is_visible to ContentTaskUtils.jsm. r=nhnt11

Nihanth Subramanya [:nhnt11] has approved the revision.
Attachment #9003115 - Flags: review+
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2331359b5aec
Hide the "Add exception" in small iframe error pages. r=nhnt11
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d99190a5b731
Add is_hidden and is_visible to ContentTaskUtils.jsm. r=nhnt11
https://hg.mozilla.org/mozilla-central/rev/2331359b5aec
https://hg.mozilla.org/mozilla-central/rev/d99190a5b731
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63
You need to log in before you can comment on or make changes to this bug.