certificate error override is accepted in normal browser when accepted in private mode
Categories
(Core :: Security: PSM, defect, P1)
Tracking
Tracking | Status | |
---|---|---|
firefox91 | --- | verified |
People
(Reporter: giantgreg2, Assigned: rmf)
References
Details
(Whiteboard: [psm-assigned])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Steps to reproduce:
Opened a link to a site with an expired SSL certificate.
Verified that it shows a warning.
Opened that link in private mode.
Accepted the certificate in private mode.
Tabbed back to the normal browser and visited the link.
Saw that the certificate was accepted in normal mode (even though I did that action in private mode).
Actual results:
Saw that the certificate was accepted in normal mode (even though I did that action in private mode).
Couldn't record the private browser, but interaction with the private browser occurs in between seeing the SSL warning in normal mode and then refreshing to see the SSL cert be accepted (with a yellow warning) in normal mode.
Expected results:
I expected Firefox to separate accepted certificates in normal/private modes.
This may be a feature request rather than a bug, but I'd expect there to be separation of accepted SSL certificates between normal/private mode.
After closing the private mode window, normal mode unaccepts the SSL certificate, but while the private mode browser is open, the certificate is valid.
I accept certificates in private mode so that if a site is malicious, I can simply view it without it potentially getting access to my private information.
Comment 1•5 years ago
The priority flag is not set for this bug.
:groovecoder, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2•4 years ago
Dana, I know we revert to temporary exceptions for private windows, so I assume there's no mechanism to separate certificate exceptions by origin attributes, like in the permission manager? What are the cert exceptions keyed against? Maybe it wouldn't be that hard adding origin attributes?
Cert exceptions are keyed against host and port. I don't think it would be too difficult to key against origin attributes. Moritz is already doing some work in this area.
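The keying change discussed above, as an added example that is not part of the bug thread or of Firefox's source: a simplified JavaScript model of an override store that replays the reporter's steps, first with a host:port key and then with a key that also includes origin attributes. `OverrideStore`, `legacyKey`, `partitionedKey` and `replayReport` are hypothetical names, and only a `privateBrowsingId` attribute is modelled.

```javascript
// Simplified model of a certificate-override store; not Firefox source.
// All names here are hypothetical; sample host and fingerprint are constructed.

// Key described in the thread before the fix: host and port only.
const legacyKey = (host, port, _attrs) => `${host}:${port}`;

// Key that also covers origin attributes. Assumption: only privateBrowsingId
// is modelled (0 = normal window, 1 = private window).
const partitionedKey = (host, port, attrs) =>
  `${host}:${port}^privateBrowsingId=${attrs.privateBrowsingId || 0}`;

class OverrideStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.overrides = new Map(); // key -> { fingerprint, attrs }
  }
  remember(host, port, attrs, fingerprint) {
    this.overrides.set(this.keyFn(host, port, attrs), { fingerprint, attrs });
  }
  // True only if an entry exists under this key and matches the presented cert.
  hasOverride(host, port, attrs, fingerprint) {
    const entry = this.overrides.get(this.keyFn(host, port, attrs));
    return entry !== undefined && entry.fingerprint === fingerprint;
  }
  // Drop everything accepted in a private window (last private window closed).
  clearPrivateSession() {
    for (const [key, entry] of this.overrides) {
      if (entry.attrs.privateBrowsingId > 0) this.overrides.delete(key);
    }
  }
}

// Replays the reporter's steps and returns what each window type sees.
function replayReport(keyFn) {
  const store = new OverrideStore(keyFn);
  const [host, port, fp] = ["expired.example.com", 443, "AA:BB:CC"];
  const normal = { privateBrowsingId: 0 };
  const priv = { privateBrowsingId: 1 };
  store.remember(host, port, priv, fp); // accepted in the private window only
  const whileOpen = {
    privateWindow: store.hasOverride(host, port, priv, fp),
    normalWindow: store.hasOverride(host, port, normal, fp),
  };
  store.clearPrivateSession();
  return { whileOpen, afterClose: store.hasOverride(host, port, normal, fp) };
}

console.log("host:port key:", replayReport(legacyKey));
console.log("with origin attributes:", replayReport(partitionedKey));
```

With the host:port key the normal window sees the override while the private window is open and loses it on close, which matches the report; with the partitioned key the normal window never sees it.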
Comment 4•4 years ago
The priority flag is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 5•4 years ago
Updated•4 years ago
Pushed by malexandru@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/98c3e6255c58 make certificate overrides depend on origin attributes r=keeler,geckoview-reviewers,smaug,agi
Comment 7•3 years ago
Backed out changeset 98c3e6255c58 (bug 1597600) for browser_installssl.js failures.
Backout link: https://hg.mozilla.org/integration/autoland/rev/810b2253e524ceee3b5e3368bc15b54bcec844e4
Failure log: https://treeherder.mozilla.org/logviewer?job_id=323801638&repo=autoland&lineNumber=10335
...
[task 2020-12-07T18:10:35.118Z] 18:10:35 INFO - TEST-PASS | toolkit/mozapps/extensions/test/browser/browser_installssl.js | Should have seen the right result for an install redirected from https://expired.example.com/ to https://expired.example.com/ -
[task 2020-12-07T18:10:35.118Z] 18:10:35 INFO - Install test ran in 18ms
[task 2020-12-07T18:10:35.119Z] 18:10:35 INFO - Test 2 took 846ms
[task 2020-12-07T18:10:35.119Z] 18:10:35 INFO - Running test 3
[task 2020-12-07T18:10:35.120Z] 18:10:35 INFO - Console message: 1607364634787 addons.xpi DEBUG Download started for https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/redirect.sjs?https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/addons/browser_installssl.xpi to file /tmp/tmp-ppy.xpi
[task 2020-12-07T18:10:35.121Z] 18:10:35 INFO - Console message: 1607364634787 addons.xpi DEBUG Download of https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/redirect.sjs?https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/addons/browser_installssl.xpi completed.
[task 2020-12-07T18:10:35.123Z] 18:10:35 INFO - Console message: 1607364634787 addons.xpi WARN Download of https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/redirect.sjs?https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/addons/browser_installssl.xpi failed: 2153390069
[task 2020-12-07T18:10:35.125Z] 18:10:35 INFO - Console message: 1607364634788 addons.xpi DEBUG downloadFailed: removing temp file for https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/redirect.sjs?https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/addons/browser_installssl.xpi
[task 2020-12-07T18:10:35.125Z] 18:10:35 INFO - Console message: 1607364634789 addons.xpi DEBUG removeTemporaryFile: https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/redirect.sjs?https://expired.example.com/browser/toolkit/mozapps/extensions/test/browser/addons/browser_installssl.xpi removing temp file /tmp/tmp-ppy.xpi
[task 2020-12-07T18:10:35.126Z] 18:10:35 INFO - Buffered messages finished
[task 2020-12-07T18:10:35.127Z] 18:10:35 INFO - TEST-UNEXPECTED-FAIL | toolkit/mozapps/extensions/test/browser/browser_installssl.js | uncaught exception - NS_ERROR_XPC_NOT_ENOUGH_ARGS: Not enough arguments [nsICertOverrideService.rememberValidityOverride] at addCertOverride/</req.onerror@chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/browser/head.js:655:15
[task 2020-12-07T18:10:35.127Z] 18:10:35 INFO -
[task 2020-12-07T18:10:35.128Z] 18:10:35 INFO - Stack trace:
[task 2020-12-07T18:10:35.128Z] 18:10:35 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:simpletestOnerror:2112
[task 2020-12-07T18:10:35.129Z] 18:10:35 INFO - GECKO(1516) | JavaScript error: chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/browser/head.js, line 655: NS_ERROR_XPC_NOT_ENOUGH_ARGS: Not enough arguments [nsICertOverrideService.rememberValidityOverride]
[task 2020-12-07T18:10:35.129Z] 18:10:35 INFO - Not taking screenshot here: see the one that was previously logged
[task 2020-12-07T18:10:35.130Z] 18:10:35 INFO - TEST-UNEXPECTED-FAIL | toolkit/mozapps/extensions/test/browser/browser_installssl.js | [SimpleTest.finish()] No checks actually run. (You need to call ok(), is(), or similar functions at least once. Make sure you use SimpleTest.waitForExplicitFinish() if you need it.) -
[task 2020-12-07T18:10:35.130Z] 18:10:35 INFO - Stack trace:
[task 2020-12-07T18:10:35.131Z] 18:10:35 INFO - chrome://mochikit/content/browser-test.js:test_ok:1304
[task 2020-12-07T18:10:35.131Z] 18:10:35 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:afterCleanup:1571
[task 2020-12-07T18:10:35.132Z] 18:10:35 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:executeCleanupFunction:1636
[task 2020-12-07T18:10:35.132Z] 18:10:35 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.finish:1656
[task 2020-12-07T18:10:35.133Z] 18:10:35 INFO - Console message: [JavaScript Error: "NS_ERROR_XPC_NOT_ENOUGH_ARGS: Not enough arguments [nsICertOverrideService.rememberValidityOverride]" {file: "chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/browser/head.js" line: 655}]
[task 2020-12-07T18:10:35.133Z] 18:10:35 INFO - addCertOverride/</req.onerror@chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/browser/head.js:655:15
[task 2020-12-07T18:10:35.134Z] 18:10:35 INFO -
[task 2020-12-07T18:10:35.134Z] 18:10:35 INFO - GECKO(1516) | JavaScript error: chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/browser/head.js, line 655: NS_ERROR_XPC_NOT_ENOUGH_ARGS: Not enough arguments [nsICertOverrideService.rememberValidityOverride]
[task 2020-12-07T18:10:35.135Z] 18:10:35 INFO - Console message: [JavaScript Error: "NS_ERROR_XPC_NOT_ENOUGH_ARGS: Not enough arguments [nsICertOverrideService.rememberValidityOverride]" {file: "chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/browser/head.js" line: 655}]
[task 2020-12-07T18:10:35.135Z] 18:10:35 INFO - addCertOverride/</req.onerror@chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/browser/head.js:655:15
[task 2020-12-07T18:10:35.136Z] 18:10:35 INFO -
...
Comment 8•3 years ago
The following also seems to start perma failing with the backed out changes: https://treeherder.mozilla.org/logviewer?job_id=323815400&repo=autoland&lineNumber=1709
Comment 9•3 years ago
Patch fails to apply in toolkit/components/cleardata/ClearDataService.jsm
Comment 10•3 years ago
Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/autoland/rev/089c88b9657b make certificate overrides depend on origin attributes r=keeler,geckoview-reviewers,smaug,agi
Comment 11•3 years ago
Backed out changeset 089c88b9657b (bug 1597600) for XPCshell failures in toolkit/components/cleardata/tests/unit/test_certs.js. CLOSED TREE
Log:
https://treeherder.mozilla.org/logviewer?job_id=341171154&repo=autoland&lineNumber=7558
Push with failures:
https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&revision=089c88b9657b385f8f7372c66ddf675b267de55a
Backout:
https://hg.mozilla.org/integration/autoland/rev/3fe91f9ec56fe664fbb350e0e209ba8014db9c34
Comment 12•3 years ago
Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/autoland/rev/b208386de197 make certificate overrides depend on origin attributes r=keeler,geckoview-reviewers,smaug,agi
Comment 13•3 years ago
bugherder |
Comment 14•3 years ago
I've reproduced the issue using the following link with Fx 90.0a1 (2021-05-18) on Windows 10.
Verified fixed with Fx 91.0b9 and Fx 92.0a1 (2021-07-29) on Windows 10, macOS 11.0 and Ubuntu 18.04.