Closed Bug 859639 Opened 11 years ago Closed 6 years ago

Selecting to clear cookies and stored data does not revoke permanent cert exceptions granted to pages that generate cert errors

Categories

(Firefox OS Graveyard :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(b2g-v1.3 affected, b2g-v1.3T affected, b2g-v1.4 affected)

RESOLVED WONTFIX

People

(Reporter: jsmith, Unassigned)

Details

(Whiteboard: permafail)

Build: B2G 18 4/8/2013
Device: Unagi

STR

1. Go to https://summitbook.mozilla.org in the browser
2. Add a permanent exception for the page
3. Clear your cookies and stored data
4. Go to https://summitbook.mozilla.org in the browser again

Expected

You should get a cert error page - the permanent exception granted in step #2 should have been cleared when a user selects to clear their stored data.

Actual

The user is granted access to the page without a cert error. This is incorrect behavior - users should be able to revoke permanent exceptions for pages that generate cert errors. Right now, it's impossible to do that on B2G, so if a user grants a permanent exception, they'll never be able to revoke it.
Blocks: 846734
Don't know how important this is. Do we even support this on desktop/android? If we do, this probably should be nomed. If not, this won't block.

Paul - Do you know?
Flags: needinfo?(ptheriault)
We do not support revoking certificates on Android at all: see bug 795767.

Testing this on desktop & mobile, neither clearing history (desktop) nor private data (mobile) has any effect on certificates. I think really what is needed here is some form of certificate management interface. I would imagine that this would be added as part of fixing bug 769183.

From what I gather in bug 858730, certificate exceptions are only temporary (exceptions are removed when the chrome process is restarted). If that is in fact true, then I don't see not having a 'remove SSL exception' as too much of an issue. (Consider that on desktop at least, certificate exceptions are permanent, and have to be manually removed.)

One thing we may want to change is the text in the certificate exception message - currently it says "Add permanent exception" and it sounds like this is inaccurate.
Depends on: 769183
Flags: needinfo?(ptheriault)
(In reply to Jason Smith [:jsmith] from comment #1)
> Don't know how important this is. Do we even support this on
> desktop/android? If we do, this probably should be nomed. If not, this won't
> block.

On Desktop: Tools > Options > Advanced > View Certificates > Servers > Delete.
On FxAndroid: Not possible.
OK so the issue here I guess is that there is no way to clear a certificate exception which is added by the "add permanent exception" option. Hooking it up to "Clear your cookies and stored data" might be the most obvious UI option, or maybe it needs its own button ("Clear SSL exceptions"?). Bigger issue is platform support I suppose.
Whiteboard: burirun1.3-3
Whiteboard: burirun1.3-3 → burirun1.3-3, burirun1.4-1
This issue also occurs on the buri 1.4 Moz Ril

1.4 Environmental Variables:
Device: Buri 1.4 MOZ
BuildID: 20140324000202
Gaia: 730670951e40b2317a167fcd07c398bb662d6e87
Gecko: a44f8b39c2c8
Version: 30.0a2
Firmware Version: v1.2-device.cfg

Clearing cookies is not clearing cert exceptions.
Whiteboard: burirun1.3-3, burirun1.4-1 → permafail
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX