Bug 759010 - providers from origins with invalid, expired or missing certificates still get installed.
Status: RESOLVED FIXED
Product: Firefox
Classification: Client Software
Component: SocialAPI
: unspecified
: x86_64 Windows Vista
: -- major
Assigned To: Mark Hammond [:markh]
: Shane Caraveo (:mixedpuppy)
Reported: 2012-05-27 19:53 PDT by Mark Hammond [:markh]
Modified: 2012-05-28 20:02 PDT


Attachments
Check the SSL status of the manifest host (2.63 KB, patch)
2012-05-28 19:25 PDT, Mark Hammond [:markh]
mixedpuppy: review+

Description Mark Hammond [:markh] 2012-05-27 19:53:42 PDT
They are silently installed - at a minimum they should only be installed after a scary warning.

Self-signed certs are another interesting case, but maybe that is different enough that it should be in a new bug (or just allowed?).

This is tested in browser_registry.js and currently marked as a "known failure".
Comment 1 Shane Caraveo (:mixedpuppy) 2012-05-28 10:44:43 PDT
My suggestion for now is to silently reject any manifest on a domain where the cert fails, and include a bypass with the social.provider.devmode preference so we can test with our presumably self-signed mochitest server. We should then revisit this to see if it is worth having UX to deal with this.

mcoates: what do you think?
Comment 2 Mark Hammond [:markh] 2012-05-28 19:25:51 PDT
Created attachment 627831
Check the SSL status of the manifest host

A patch that makes the tests work. The mochi server seems to have a real cert (or manages to pretend it does) so the devmode pref doesn't seem necessary at the moment.
Comment 3 Shane Caraveo (:mixedpuppy) 2012-05-28 19:28:53 PDT
Comment on attachment 627831
Check the SSL status of the manifest host

Still would like to be able to pref this off for development.
Comment 4 Mark Hammond [:markh] 2012-05-28 20:02:18 PDT
Fixed in git as [develop a3a0bcc]
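
Added example, not part of this bug or of the attached patch: a sketch of the policy suggested in comment 1, where a manifest is silently rejected on any certificate failure unless the social.provider.devmode preference is set. The flag names mirror Firefox's nsISSLStatus; the function names, the shape of `prefs` and the sample hosts are assumptions made for illustration.

```javascript
// Added example. Flag names mirror Firefox's nsISSLStatus; the function
// names and the shape of `prefs` are hypothetical.
const CERT_FLAGS = ["isUntrusted", "isDomainMismatch", "isNotValidAtThisTime"];

function checkManifestOrigin(manifestUrl, sslStatus, prefs = {}) {
  // Development bypass proposed in comment 1; off unless explicitly true.
  if (prefs["social.provider.devmode"] === true) {
    return { install: true, reason: "devmode" };
  }
  let url;
  try {
    url = new URL(manifestUrl);
  } catch (e) {
    return { install: false, reason: "bad-url" };
  }
  // Missing certificate: plain http, or no TLS status for the load.
  if (url.protocol !== "https:" || !sslStatus) {
    return { install: false, reason: "no-certificate" };
  }
  // Fail closed: every flag must be present and exactly false.
  for (const flag of CERT_FLAGS) {
    if (sslStatus[flag] !== false) {
      return { install: false, reason: flag };
    }
  }
  return { install: true, reason: "ok" };
}

// Constructed sample data, not taken from the bug.
const OK = { isUntrusted: false, isDomainMismatch: false, isNotValidAtThisTime: false };
const SAMPLES = [
  { url: "https://good.example.test/manifest.json", sslStatus: OK },
  { url: "https://expired.example.test/manifest.json", sslStatus: { ...OK, isNotValidAtThisTime: true } },
  { url: "https://selfsigned.example.test/manifest.json", sslStatus: { ...OK, isUntrusted: true } },
  { url: "http://plain.example.test/manifest.json", sslStatus: null },
  { url: "https://partial.example.test/manifest.json", sslStatus: { isUntrusted: false } },
];

// Returns the URLs that pass; rejected ones are dropped silently.
function installableProviders(candidates, prefs) {
  return candidates
    .filter((c) => checkManifestOrigin(c.url, c.sslStatus, prefs).install)
    .map((c) => c.url);
}
```

Because each flag must be exactly `false`, an incomplete status object is rejected rather than treated as valid.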
