Limit TLS versions that can be set by extensions to >=TLS 1.2
Categories
(WebExtensions :: General, task, P2)
Tracking
(firefox74 fixed)
| Tracking | Status | |
|---|---|---|
| firefox74 | --- | fixed |
People
(Reporter: mt, Assigned: baku)
References
Details
Attachments
(1 file)
Bug 1593635 offered extensions the ability to constrain the TLS versions that could be used. The primary purpose of this was to allow extensions to lift the minimum version to TLS 1.3, but the effect is to make the security.tls.version.min and security.tls.version.max prefs accessible to web extensions.
As the goal of the API is to offer narrow means of improving security, providing extensions with the ability to reduce the maximum version below our defaults is no longer desirable, even if only privileged extensions have that capability. With Bug 1606734 we are disabling TLS 1.0 and TLS 1.1 by default. This API can follow suit.
The task is to limit acceptable values to TLSv1.2 and TLSv1.3 only.
|
||
Comment 1•4 years ago
|
||
@baku, do you want to take this?
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 2•4 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/387f7fca9026 Limit TLS versions that can be set by extensions to >=TLS 1.2, r=mixedpuppy
|
||
Comment 4•4 years ago
|
||
| bugherder | ||
|
||
Comment 5•4 years ago
|
||
Hello,
Same as with Bug 1593635, is this a ticket that can be verified through manual testing? Please provide some steps to test it if so.
If not, please mark it using the " qe-verify-" flag.
Thank you
|
|
Assignee | |
Updated•4 years ago
|
Description
•