revisit how certificate error overrides from different contexts (e.g. private vs. non-private) interact
Categories
(Core :: Security: PSM, task, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox103 | --- | fixed |
People
(Reporter: persmule, Assigned: keeler)
References
(Regressed 1 open bug)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
Steps to reproduce:
Set up an HTTPS site with self-sign certificate.
Launch firefox.
Access the site from normal mode and add its certificate as a permanent certificate exception.
Open a private window.
Access the same site from the private window.
Actual results:
The warning for untrusted certificate is generated.
To suppress the warning, we should add the same certificate in the private window as a temporary certificate exception (because only temporary certificate exceptions can be added in private windows) over and over, when we access the site from a private window for the first time after we launch firefox.
Expected results:
We can access this site with no warning.
This used to happen in previous version.
This bug has been report to Debian as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012430 .
At least, there should be an option (even in about:config) to control whether existing permanent certificate exceptions are effective in private windows, rather than rejecting them unconditionally.
Comment 2•4 years ago
|
||
Dana, any ideas on what to do with this bug? Thanks.
| Assignee | ||
Comment 3•4 years ago
|
||
This is currently expected behavior. Certificate error overrides are partitioned based on origin attributes, which includes the private browsing ID, if applicable. It's unclear what the "right" thing to do here is, as we do want some partitioning of overrides (e.g. if you add an override in a private context, non-private contexts shouldn't be affected by that). Perhaps we need to be more nuanced here, though.
| Assignee | ||
Comment 4•4 years ago
|
||
Certificate error overrides made in non-private contexts should be availble in
private contexts as well (but not vice-versa).
Comment 6•4 years ago
|
||
| bugherder | ||
Description
•