
providers from origins with invalid, expired or missing certificates still get installed.

RESOLVED FIXED

Status

Firefox
SocialAPI
--
major
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: markh, Assigned: markh)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
They are silently installed - at a minimum they should only be installed after a scary warning.

Self-signed certs are another interesting case, but maybe that is different enough that it should be in a new bug (or just allowed?).

This is tested in browser_registry.js and currently marked as a "known failure".
My suggestion for now is to silently reject any manifest on a domain where the cert fails, and include a bypass with the social.provider.devmode preference so we can test with our presumably self-signed mochitest server. We should then revisit this to see if it is worth having UX to deal with this.

mcoates: what do you think?
Severity: normal → major
(Assignee)

Comment 2

5 years ago
Created attachment 627831 [details] [diff] [review]
Check the SSL status of the manifest host

A patch that makes the tests work. The mochi server seems to have a real cert (or manages to pretend it does) so the devmode pref doesn't seem necessary at the moment.
Assignee: nobody → mhammond
Attachment #627831 - Flags: review?(mixedpuppy)
Comment on attachment 627831 [details] [diff] [review]
Check the SSL status of the manifest host

Still would like to be able to pref this off for development.
Attachment #627831 - Flags: review?(mixedpuppy) → review+
(Assignee)

Comment 4

5 years ago
Fixed in git as [develop a3a0bcc]
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
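
A sketch of the policy proposed in the description (silently reject a manifest whose origin fails certificate checks, with the social.provider.devmode bypass), added here as an example; it is not the attached patch or Firefox code. The function name, result shape and sample hosts are assumptions, and treating plain HTTP and self-signed certificates as failures is a choice made for this example.

```javascript
"use strict";
// Added sketch, not the attached patch. The three boolean flags mirror the
// error bits Firefox exposed on nsISSLStatus; every other name is hypothetical.
const DEVMODE_PREF = "social.provider.devmode"; // pref named in the bug

function checkManifestOrigin(manifestUrl, sslStatus, prefs = {}) {
  let url;
  try {
    url = new URL(manifestUrl);
  } catch (e) {
    return { install: false, reason: "invalid-url", problems: [] };
  }
  const problems = [];
  if (url.protocol !== "https:" || !sslStatus) {
    // Assumption: plain HTTP, or no TLS status at all, counts as "missing".
    problems.push("missing-cert");
  } else {
    if (sslStatus.isNotValidAtThisTime) problems.push("expired-or-not-yet-valid");
    // Assumption: self-signed certs surface as untrusted and are rejected too.
    if (sslStatus.isUntrusted) problems.push("untrusted");
    if (sslStatus.isDomainMismatch) problems.push("domain-mismatch");
  }
  if (problems.length === 0) return { install: true, reason: "ok", problems };
  // Fail closed: only the explicit development pref lets a bad cert through.
  if (prefs[DEVMODE_PREF] === true) {
    return { install: true, reason: "devmode-bypass", problems };
  }
  return { install: false, reason: "cert-failure", problems };
}

// Constructed sample inputs (example hosts, not from the bug).
const good = { isNotValidAtThisTime: false, isUntrusted: false, isDomainMismatch: false };
const expired = { ...good, isNotValidAtThisTime: true };
const samples = [
  ["https://provider.example/manifest.json", good, {}],
  ["https://provider.example/manifest.json", expired, {}],
  ["http://provider.example/manifest.json", null, {}],
  ["https://localhost:8443/manifest.json", { ...good, isUntrusted: true }, { [DEVMODE_PREF]: true }],
];
for (const [u, s, p] of samples) {
  const r = checkManifestOrigin(u, s, p);
  console.log(u, "->", r.install ? "install" : "reject", r.reason, r.problems.join(","));
}
```

The bypass result still lists the certificate problems, so a development build can log what it let through.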