Closed
Bug 432241
Opened 16 years ago
Closed 16 years ago
Identity popup calls override service incorrectly now
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
RESOLVED
FIXED
People
(Reporter: johnath, Assigned: johnath)
References
Details
(Keywords: regression, Whiteboard: [has patch])
Attachments
(1 file, 1 obsolete file)
3.55 KB,
patch
|
Gavin
:
review+
mconnor
:
approval1.9+
|
Details | Diff | Splinter Review |
A combination of bug 413909 and bug 424829 regressed the way we check whether access to a given HTTPS site is the result of a user-added exception. The net effect of this is that the Larry popup no longer says:
"you have added a security exception for this site"
And instead trusts the contents of the override cert, saying:
"Verified by: SomeOrganization"
Or whatever contents the cert has.
This is bad. Confusing and potentially deceptive for the user. The patch is almost a one-liner, the net effect is that we have to be sure to explicitly pass in a port in all cases. If we have to ship this on branch, so be it, but I really would like to get it in up front, since it's the first experience users will have with this UI, and it regressed after the last beta.
Attachment #319399 -
Flags: review?(gavin.sharp)
Assignee | ||
Updated•16 years ago
|
Assignee: nobody → johnath
Assignee | ||
Updated•16 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Updated•16 years ago
|
Flags: blocking-firefox3?
Updated•16 years ago
|
Flags: blocking-firefox3? → blocking-firefox3+
Whiteboard: [has patch][needs review gavin]
Updated•16 years ago
|
Depends on: 413909
Keywords: regression
Comment 1•16 years ago
|
||
Comment on attachment 319399 [details] [diff] [review]
Always supply a port
Will this patch work if port has value "-1"?
I guess it will, because the override service accepts as a valid value?
From what you said on IRC, I guess you failed when port has value "undefined".
Updated•16 years ago
|
Attachment #319399 -
Flags: review?(gavin.sharp) → review+
Comment 2•16 years ago
|
||
Comment on attachment 319399 [details] [diff] [review]
Always supply a port
> if (this._overrideService.hasMatchingOverride(this._lastLocation.hostname,
>- this._lastLocation.port,
>+ (this._lastLocation.port || 443),
> iData.cert, {}, {}))
I am not sure if '(this._lastLocation.port || 443)' is what you really want to pass as the parameter. However, there is no need to change this line of code; if this._lastLocation.port is property of the location object (is not 'undefined') then it can be simply directly passed even tough it would be -1 - cert override service accept it and converts internally to 443.
Attachment #319399 -
Flags: review+ → review?(gavin.sharp)
Comment 3•16 years ago
|
||
(In reply to comment #2)
> (From update of attachment 319399 [details] [diff] [review])
>> then it can be simply directly passed even tough it would be -1 -
> cert override service accept it and converts internally to 443.
nsLocation::GetPort doesn't return -1, though - it returns an empty string in that case. So we need the default there.
Updated•16 years ago
|
Whiteboard: [has patch][needs review gavin] → [has patch]
Updated•16 years ago
|
Attachment #319399 -
Flags: review?(gavin.sharp) → review+
Assignee | ||
Comment 4•16 years ago
|
||
Updated to include a comment about _lastLocation.port.
To answer Kai and Honza, yes, the || 443 is required to handle the fact that location.port is returning "" in the default port case. Without this line, only non-standard ports work correctly.
Attachment #319399 -
Attachment is obsolete: true
Attachment #319413 -
Flags: review?(gavin.sharp)
Updated•16 years ago
|
Attachment #319413 -
Flags: review?(gavin.sharp) → review+
Assignee | ||
Comment 5•16 years ago
|
||
Comment on attachment 319413 [details] [diff] [review]
With a comment
Requesting approval to land this blocker.
RISK: None evident, to be honest. The only lines of this patch that aren't comments involve storing one non-leaking variable (port), and supplying a fall-back default value in a common case.
REWARD: Fix a regression, and prevent a potentially exploitable hole in our security UI.
Attachment #319413 -
Flags: approval1.9?
Comment 6•16 years ago
|
||
Comment on attachment 319413 [details] [diff] [review]
With a comment
a=mconnor on behalf of 1.9 drivers
Attachment #319413 -
Flags: approval1.9? → approval1.9+
Assignee | ||
Comment 7•16 years ago
|
||
Checking in browser/base/content/browser.js;
/cvsroot/mozilla/browser/base/content/browser.js,v <-- browser.js
new revision: 1.1031; previous revision: 1.1030
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•