Investigate if OCSPRequest::Run requires LOAD_BYPASS_URL_ClASSIFIER flag
Categories
(Toolkit :: Safe Browsing, task, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | fixed |
People
(Reporter: dimi, Assigned: dimi)
References
Details
Attachments
(1 file)
Check if OCSPRequest::Run[1] requires LOAD_BYPASS_URL_ClASSIFIER[2].
The question is, what happens if OCSPRequest request is blocked, is it a critical channel?
|
Assignee | |
Comment 1•5 years ago
|
||
Hi keeler,
We have recently changed the behavior of how URL Classifier determines whether a channel should be classified[1] by using the information in the channel.
To be extra careful for not blocking critical channel because of bugs, we added this LOAD_BYPASS_URL_ClASSIFIER flag as a safeguard, whenever we see this flag, we do not classify it no matter the information in the channel.
My question is, what happens if the OCSP request is mistakenly blocked, does it satisfies any of the rules here(this is just a reference to see if this is critical)?
- channels related to an update
- channels may cause security issues if blocked
- channels may prevent the browser to launch if blocked
- channels break basic functionality if blocked
Thank you for your help!
OCSP requests are important for certificate verification (specifically, getting revocation information), so it would be a security issue if we blocked them.
|
|
Assignee | |
Comment 3•5 years ago
|
||
If OCSP request is blocked, we can't get the certificate revocation
informatoin.
Add nsIChannel::LOAD_BYPASS_URL_ClASSIFIER to enfore URL classifier
bypasses OCSP request.
Pushed by dlee@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/aa674b410265 Use LOAD_BYPASS_URL_ClASSIFIER flag for OCSP request. r=keeler
|
|
Assignee | |
Updated•5 years ago
|
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
Description
•