Bug 1549561 - Move _setTechDetails from NetErrorChild.jsm to aboutNetError.js. r=johannh,flod
Differential Revision: https://phabricator.services.mozilla.com/D30852
@@ -9,8 +9,6 @@ const {XPCOMUtils} = ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm")
|
|||||||
const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
|
const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
|
||||||
const {ActorChild} = ChromeUtils.import("resource://gre/modules/ActorChild.jsm");
|
const {ActorChild} = ChromeUtils.import("resource://gre/modules/ActorChild.jsm");
|
||||||
|
|
||||||
ChromeUtils.defineModuleGetter(this, "BrowserUtils",
|
|
||||||
"resource://gre/modules/BrowserUtils.jsm");
|
|
||||||
ChromeUtils.defineModuleGetter(this, "WebNavigationFrames",
|
ChromeUtils.defineModuleGetter(this, "WebNavigationFrames",
|
||||||
"resource://gre/modules/WebNavigationFrames.jsm");
|
"resource://gre/modules/WebNavigationFrames.jsm");
|
||||||
|
|
||||||
@@ -19,9 +17,6 @@ XPCOMUtils.defineLazyGlobalGetters(this, ["URL"]);
|
|||||||
XPCOMUtils.defineLazyGetter(this, "gPipNSSBundle", function() {
|
XPCOMUtils.defineLazyGetter(this, "gPipNSSBundle", function() {
|
||||||
return Services.strings.createBundle("chrome://pipnss/locale/pipnss.properties");
|
return Services.strings.createBundle("chrome://pipnss/locale/pipnss.properties");
|
||||||
});
|
});
|
||||||
XPCOMUtils.defineLazyGetter(this, "gBrandBundle", function() {
|
|
||||||
return Services.strings.createBundle("chrome://branding/locale/brand.properties");
|
|
||||||
});
|
|
||||||
XPCOMUtils.defineLazyPreferenceGetter(this, "mitmErrorPageEnabled",
|
XPCOMUtils.defineLazyPreferenceGetter(this, "mitmErrorPageEnabled",
|
||||||
"browser.security.newcerterrorpage.mitm.enabled");
|
"browser.security.newcerterrorpage.mitm.enabled");
|
||||||
XPCOMUtils.defineLazyPreferenceGetter(this, "mitmPrimingEnabled",
|
XPCOMUtils.defineLazyPreferenceGetter(this, "mitmPrimingEnabled",
|
||||||
@@ -36,12 +31,9 @@ const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
|
|||||||
|
|
||||||
const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11;
|
const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11;
|
||||||
const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
|
const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
|
||||||
const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20;
|
|
||||||
const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30;
|
const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30;
|
||||||
const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36;
|
|
||||||
const SEC_ERROR_REUSED_ISSUER_AND_SERIAL = SEC_ERROR_BASE + 138;
|
const SEC_ERROR_REUSED_ISSUER_AND_SERIAL = SEC_ERROR_BASE + 138;
|
||||||
const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
|
const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
|
||||||
const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
|
|
||||||
const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 5;
|
const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 5;
|
||||||
const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 6;
|
const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 6;
|
||||||
const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = MOZILLA_PKIX_ERROR_BASE + 13;
|
const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = MOZILLA_PKIX_ERROR_BASE + 13;
|
||||||
@@ -109,209 +101,6 @@ class NetErrorChild extends ActorChild {
|
|||||||
return {notBefore, notAfter};
|
return {notBefore, notAfter};
|
||||||
}
|
}
|
||||||
|
|
||||||
_setTechDetails(input, doc) {
|
|
||||||
// CSS class and error code are set from nsDocShell.
|
|
||||||
let {cssClass, error} = this.getParams(doc);
|
|
||||||
let technicalInfo = doc.getElementById("badCertTechnicalInfo");
|
|
||||||
technicalInfo.textContent = "";
|
|
||||||
|
|
||||||
let uri = Services.io.newURI(input.data.url);
|
|
||||||
let hostString = uri.host;
|
|
||||||
if (uri.port != 443 && uri.port != -1) {
|
|
||||||
hostString = uri.hostPort;
|
|
||||||
}
|
|
||||||
|
|
||||||
let msg1 = gPipNSSBundle.formatStringFromName("certErrorIntro",
|
|
||||||
[hostString], 1);
|
|
||||||
msg1 += "\n\n";
|
|
||||||
|
|
||||||
if (input.data.certIsUntrusted) {
|
|
||||||
switch (input.data.code) {
|
|
||||||
case MOZILLA_PKIX_ERROR_MITM_DETECTED:
|
|
||||||
if (mitmErrorPageEnabled) {
|
|
||||||
let brandName = gBrandBundle.GetStringFromName("brandShortName");
|
|
||||||
msg1 = gPipNSSBundle.GetStringFromName("certErrorMitM");
|
|
||||||
msg1 += "\n\n";
|
|
||||||
msg1 += gPipNSSBundle.formatStringFromName("certErrorMitM2", [brandName], 1);
|
|
||||||
msg1 += "\n\n";
|
|
||||||
msg1 += gPipNSSBundle.formatStringFromName("certErrorMitM3", [brandName], 1);
|
|
||||||
msg1 += "\n";
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
// If the condition is false, fall through...
|
|
||||||
case SEC_ERROR_UNKNOWN_ISSUER:
|
|
||||||
let brandName = gBrandBundle.GetStringFromName("brandShortName");
|
|
||||||
msg1 = "";
|
|
||||||
msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_UnknownIssuer4", [hostString], 1);
|
|
||||||
msg1 += "\n\n";
|
|
||||||
msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_UnknownIssuer6", [brandName, hostString], 2);
|
|
||||||
msg1 += "\n\n";
|
|
||||||
break;
|
|
||||||
case SEC_ERROR_CA_CERT_INVALID:
|
|
||||||
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_CaInvalid") + "\n";
|
|
||||||
break;
|
|
||||||
case SEC_ERROR_UNTRUSTED_ISSUER:
|
|
||||||
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Issuer") + "\n";
|
|
||||||
break;
|
|
||||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
|
||||||
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_SignatureAlgorithmDisabled") + "\n";
|
|
||||||
break;
|
|
||||||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
|
||||||
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_ExpiredIssuer") + "\n";
|
|
||||||
break;
|
|
||||||
case MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
|
|
||||||
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_SelfSigned") + "\n";
|
|
||||||
break;
|
|
||||||
// This error code currently only exists for the Symantec distrust, we may need to adjust
|
|
||||||
// it to fit other distrusts later.
|
|
||||||
case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
|
|
||||||
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Symantec1") + "\n";
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Untrusted") + "\n";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
technicalInfo.appendChild(doc.createTextNode(msg1));
|
|
||||||
|
|
||||||
if (input.data.isDomainMismatch) {
|
|
||||||
let subjectAltNames = input.data.certSubjectAltNames.split(",");
|
|
||||||
let numSubjectAltNames = subjectAltNames.length;
|
|
||||||
|
|
||||||
subjectAltNames = subjectAltNames.filter(name => name.length > 0);
|
|
||||||
numSubjectAltNames = subjectAltNames.length;
|
|
||||||
|
|
||||||
let msgPrefix = "";
|
|
||||||
if (numSubjectAltNames != 0) {
|
|
||||||
if (numSubjectAltNames == 1) {
|
|
||||||
technicalInfo.textContent = "";
|
|
||||||
let brandName = gBrandBundle.GetStringFromName("brandShortName");
|
|
||||||
msgPrefix = gPipNSSBundle.formatStringFromName("certErrorMismatchSinglePrefix3", [brandName, hostString], 2) + " ";
|
|
||||||
msgPrefix += gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
|
|
||||||
// Let's check if we want to make this a link.
|
|
||||||
let okHost = input.data.certSubjectAltNames;
|
|
||||||
let href = "";
|
|
||||||
let thisHost = doc.location.hostname;
|
|
||||||
let proto = doc.location.protocol + "//";
|
|
||||||
// If okHost is a wildcard domain ("*.example.com") let's
|
|
||||||
// use "www" instead. "*.example.com" isn't going to
|
|
||||||
// get anyone anywhere useful. bug 432491
|
|
||||||
okHost = okHost.replace(/^\*\./, "www.");
|
|
||||||
/* case #1:
|
|
||||||
* example.com uses an invalid security certificate.
|
|
||||||
*
|
|
||||||
* The certificate is only valid for www.example.com
|
|
||||||
*
|
|
||||||
* Make sure to include the "." ahead of thisHost so that
|
|
||||||
* a MitM attack on paypal.com doesn't hyperlink to "notpaypal.com"
|
|
||||||
*
|
|
||||||
* We'd normally just use a RegExp here except that we lack a
|
|
||||||
* library function to escape them properly (bug 248062), and
|
|
||||||
* domain names are famous for having '.' characters in them,
|
|
||||||
* which would allow spurious and possibly hostile matches.
|
|
||||||
*/
|
|
||||||
if (okHost.endsWith("." + thisHost)) {
|
|
||||||
href = proto + okHost;
|
|
||||||
}
|
|
||||||
/* case #2:
|
|
||||||
* browser.garage.maemo.org uses an invalid security certificate.
|
|
||||||
*
|
|
||||||
* The certificate is only valid for garage.maemo.org
|
|
||||||
*/
|
|
||||||
if (thisHost.endsWith("." + okHost)) {
|
|
||||||
href = proto + okHost;
|
|
||||||
}
|
|
||||||
|
|
||||||
// If we set a link, meaning there's something helpful for
|
|
||||||
// the user here, expand the section by default
|
|
||||||
if (href && cssClass != "expertBadCert") {
|
|
||||||
doc.getElementById("badCertAdvancedPanel").style.display = "block";
|
|
||||||
if (error == "nssBadCert") {
|
|
||||||
// Toggling the advanced panel must ensure that the debugging
|
|
||||||
// information panel is hidden as well, since it's opened by the
|
|
||||||
// error code link in the advanced panel.
|
|
||||||
var div = doc.getElementById("certificateErrorDebugInformation");
|
|
||||||
div.style.display = "none";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Set the link if we want it.
|
|
||||||
if (href) {
|
|
||||||
let referrerlink = doc.createElement("a");
|
|
||||||
referrerlink.append(input.data.certSubjectAltNames);
|
|
||||||
referrerlink.title = input.data.certSubjectAltNames;
|
|
||||||
referrerlink.id = "cert_domain_link";
|
|
||||||
referrerlink.href = href;
|
|
||||||
let fragment = BrowserUtils.getLocalizedFragment(doc, msgPrefix,
|
|
||||||
referrerlink);
|
|
||||||
technicalInfo.appendChild(fragment);
|
|
||||||
} else {
|
|
||||||
let fragment = BrowserUtils.getLocalizedFragment(doc,
|
|
||||||
msgPrefix,
|
|
||||||
input.data.certSubjectAltNames);
|
|
||||||
technicalInfo.appendChild(fragment);
|
|
||||||
}
|
|
||||||
technicalInfo.append("\n");
|
|
||||||
} else {
|
|
||||||
let msg = "";
|
|
||||||
technicalInfo.textContent = "";
|
|
||||||
let brandName = gBrandBundle.GetStringFromName("brandShortName");
|
|
||||||
msg = gPipNSSBundle.formatStringFromName("certErrorMismatchMultiple3", [brandName, hostString], 2) + " ";
|
|
||||||
for (let i = 0; i < numSubjectAltNames; i++) {
|
|
||||||
msg += subjectAltNames[i];
|
|
||||||
if (i != (numSubjectAltNames - 1)) {
|
|
||||||
msg += ", ";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
technicalInfo.append(msg + "\n");
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
let msg = "";
|
|
||||||
technicalInfo.textContent = "";
|
|
||||||
let brandName = gBrandBundle.GetStringFromName("brandShortName");
|
|
||||||
msg = gPipNSSBundle.formatStringFromName("certErrorMismatch3", [brandName, hostString], 2) + " ";
|
|
||||||
technicalInfo.append(msg + "\n");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (input.data.isNotValidAtThisTime) {
|
|
||||||
let msg;
|
|
||||||
if (input.data.validity.notBefore && (Date.now() < input.data.validity.notAfter)) {
|
|
||||||
let notBeforeLocalTime = formatter.format(new Date(input.data.validity.notBefore));
|
|
||||||
msg = gPipNSSBundle.formatStringFromName("certErrorNotYetValidNow3",
|
|
||||||
[hostString, notBeforeLocalTime], 2);
|
|
||||||
} else {
|
|
||||||
let notAfterLocalTime = formatter.format(new Date(input.data.validity.notAfter));
|
|
||||||
msg = gPipNSSBundle.formatStringFromName("certErrorExpiredNow3",
|
|
||||||
[hostString, notAfterLocalTime], 2);
|
|
||||||
}
|
|
||||||
msg += "\n";
|
|
||||||
|
|
||||||
technicalInfo.textContent = "";
|
|
||||||
technicalInfo.append(msg);
|
|
||||||
}
|
|
||||||
technicalInfo.append("\n");
|
|
||||||
|
|
||||||
// Add link to certificate and error message.
|
|
||||||
let linkPrefix = gPipNSSBundle.GetStringFromName("certErrorCodePrefix3");
|
|
||||||
let detailLink = doc.createElement("a");
|
|
||||||
detailLink.append(input.data.codeString);
|
|
||||||
detailLink.title = input.data.codeString;
|
|
||||||
detailLink.id = "errorCode";
|
|
||||||
detailLink.dataset.telemetryId = "error_code_link";
|
|
||||||
let fragment = BrowserUtils.getLocalizedFragment(doc, linkPrefix, detailLink);
|
|
||||||
technicalInfo.appendChild(fragment);
|
|
||||||
var errorCode = doc.getElementById("errorCode");
|
|
||||||
if (errorCode) {
|
|
||||||
errorCode.href = "javascript:void(0)";
|
|
||||||
errorCode.addEventListener("click", () => {
|
|
||||||
let debugInfo = doc.getElementById("certificateErrorDebugInformation");
|
|
||||||
debugInfo.style.display = "block";
|
|
||||||
debugInfo.scrollIntoView({block: "start", behavior: "smooth"});
|
|
||||||
});
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// eslint-disable-next-line complexity
|
// eslint-disable-next-line complexity
|
||||||
onCertErrorDetails(msg, docShell) {
|
onCertErrorDetails(msg, docShell) {
|
||||||
let doc = docShell.document;
|
let doc = docShell.document;
|
||||||
@@ -346,7 +135,6 @@ class NetErrorChild extends ActorChild {
|
|||||||
|
|
||||||
let div = doc.getElementById("certificateErrorText");
|
let div = doc.getElementById("certificateErrorText");
|
||||||
div.textContent = msg.data.info;
|
div.textContent = msg.data.info;
|
||||||
this._setTechDetails(msg, doc);
|
|
||||||
let learnMoreLink = doc.getElementById("learnMoreLink");
|
let learnMoreLink = doc.getElementById("learnMoreLink");
|
||||||
let baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");
|
let baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");
|
||||||
learnMoreLink.setAttribute("href", baseURL + "connection-not-secure");
|
learnMoreLink.setAttribute("href", baseURL + "connection-not-secure");
|
||||||
|
|||||||
@@ -363,6 +363,212 @@ function initPageCertError() {
|
|||||||
|
|
||||||
let event = new CustomEvent("AboutNetErrorLoad", {bubbles: true});
|
let event = new CustomEvent("AboutNetErrorLoad", {bubbles: true});
|
||||||
document.getElementById("advancedButton").dispatchEvent(event);
|
document.getElementById("advancedButton").dispatchEvent(event);
|
||||||
|
|
||||||
|
setTechnicalDetailsOnCertError();
|
||||||
|
}
|
||||||
|
|
||||||
|
function setTechnicalDetailsOnCertError() {
|
||||||
|
let technicalInfo = document.getElementById("badCertTechnicalInfo");
|
||||||
|
|
||||||
|
function setL10NLabel(l10nId, args = {}, attrs = {}, rewrite = true) {
|
||||||
|
let elem = document.createElement("label");
|
||||||
|
if (rewrite) {
|
||||||
|
technicalInfo.textContent = "";
|
||||||
|
}
|
||||||
|
technicalInfo.appendChild(elem);
|
||||||
|
|
||||||
|
let newLines = document.createTextNode("\n \n");
|
||||||
|
technicalInfo.appendChild(newLines);
|
||||||
|
|
||||||
|
if (attrs) {
|
||||||
|
let link = document.createElement("a");
|
||||||
|
for (let attr of Object.keys(attrs)) {
|
||||||
|
link.setAttribute(attr, attrs[attr]);
|
||||||
|
}
|
||||||
|
elem.appendChild(link);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (args) {
|
||||||
|
document.l10n.setAttributes(elem, l10nId, args);
|
||||||
|
} else {
|
||||||
|
document.l10n.setAttributes(elem, l10nId);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
let cssClass = getCSSClass();
|
||||||
|
let error = getErrorCode();
|
||||||
|
|
||||||
|
let hostString = document.location.hostname;
|
||||||
|
let port = document.location.port;
|
||||||
|
if (port && port != 443) {
|
||||||
|
hostString += ":" + port;
|
||||||
|
}
|
||||||
|
|
||||||
|
let l10nId;
|
||||||
|
let args = {
|
||||||
|
hostname: hostString,
|
||||||
|
};
|
||||||
|
let failedCertInfo = document.getFailedCertSecurityInfo();
|
||||||
|
if (failedCertInfo.isUntrusted) {
|
||||||
|
switch (failedCertInfo.errorCodeString) {
|
||||||
|
case "MOZILLA_PKIX_ERROR_MITM_DETECTED":
|
||||||
|
setL10NLabel("cert-error-mitm-intro");
|
||||||
|
setL10NLabel("cert-error-mitm-mozilla", {}, {}, false);
|
||||||
|
setL10NLabel("cert-error-mitm-connection", {}, {}, false);
|
||||||
|
break;
|
||||||
|
case "SEC_ERROR_UNKNOWN_ISSUER":
|
||||||
|
setL10NLabel("cert-error-trust-unknown-issuer-intro");
|
||||||
|
setL10NLabel("cert-error-trust-unknown-issuer", args, {}, false);
|
||||||
|
break;
|
||||||
|
case "SEC_ERROR_CA_CERT_INVALID":
|
||||||
|
setL10NLabel("cert-error-intro", args);
|
||||||
|
setL10NLabel("cert-error-trust-cert-invalid", {}, {}, false);
|
||||||
|
break;
|
||||||
|
case "SEC_ERROR_UNTRUSTED_ISSUER":
|
||||||
|
setL10NLabel("cert-error-intro", args);
|
||||||
|
setL10NLabel("cert-error-trust-untrusted-issuer", {}, {}, false);
|
||||||
|
break;
|
||||||
|
case "SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED":
|
||||||
|
setL10NLabel("cert-error-intro", args);
|
||||||
|
setL10NLabel("cert-error-trust-signature-algorithm-disabled", {}, {}, false);
|
||||||
|
break;
|
||||||
|
case "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE":
|
||||||
|
setL10NLabel("cert-error-intro", args);
|
||||||
|
setL10NLabel("cert-error-trust-expired-issuer", {}, {}, false);
|
||||||
|
break;
|
||||||
|
case "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT":
|
||||||
|
setL10NLabel("cert-error-intro", args);
|
||||||
|
setL10NLabel("cert-error-trust-self-signed", {}, {}, false);
|
||||||
|
break;
|
||||||
|
case "MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED":
|
||||||
|
setL10NLabel("cert-error-intro", args);
|
||||||
|
setL10NLabel("cert-error-trust-symantec", {}, {}, false);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
setL10NLabel("cert-error-intro", args);
|
||||||
|
setL10NLabel("cert-error-untrusted-default", {}, {}, false);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (failedCertInfo.isDomainMismatch) {
|
||||||
|
let subjectAltNames = failedCertInfo.subjectAltNames.split(",");
|
||||||
|
subjectAltNames = subjectAltNames.filter(name => name.length > 0);
|
||||||
|
let numSubjectAltNames = subjectAltNames.length;
|
||||||
|
|
||||||
|
if (numSubjectAltNames != 0) {
|
||||||
|
if (numSubjectAltNames == 1) {
|
||||||
|
args["alt-name"] = subjectAltNames[0];
|
||||||
|
|
||||||
|
// Let's check if we want to make this a link.
|
||||||
|
let okHost = failedCertInfo.subjectAltNames;
|
||||||
|
let href = "";
|
||||||
|
let thisHost = document.location.hostname;
|
||||||
|
let proto = document.location.protocol + "//";
|
||||||
|
// If okHost is a wildcard domain ("*.example.com") let's
|
||||||
|
// use "www" instead. "*.example.com" isn't going to
|
||||||
|
// get anyone anywhere useful. bug 432491
|
||||||
|
okHost = okHost.replace(/^\*\./, "www.");
|
||||||
|
/* case #1:
|
||||||
|
* example.com uses an invalid security certificate.
|
||||||
|
*
|
||||||
|
* The certificate is only valid for www.example.com
|
||||||
|
*
|
||||||
|
* Make sure to include the "." ahead of thisHost so that
|
||||||
|
* a MitM attack on paypal.com doesn't hyperlink to "notpaypal.com"
|
||||||
|
*
|
||||||
|
* We'd normally just use a RegExp here except that we lack a
|
||||||
|
* library function to escape them properly (bug 248062), and
|
||||||
|
* domain names are famous for having '.' characters in them,
|
||||||
|
* which would allow spurious and possibly hostile matches.
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (okHost.endsWith("." + thisHost)) {
|
||||||
|
href = proto + okHost;
|
||||||
|
}
|
||||||
|
/* case #2:
|
||||||
|
* browser.garage.maemo.org uses an invalid security certificate.
|
||||||
|
*
|
||||||
|
* The certificate is only valid for garage.maemo.org
|
||||||
|
*/
|
||||||
|
if (thisHost.endsWith("." + okHost)) {
|
||||||
|
href = proto + okHost;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we set a link, meaning there's something helpful for
|
||||||
|
// the user here, expand the section by default
|
||||||
|
if (href && cssClass != "expertBadCert") {
|
||||||
|
document.getElementById("badCertAdvancedPanel").style.display = "block";
|
||||||
|
if (error == "nssBadCert") {
|
||||||
|
// Toggling the advanced panel must ensure that the debugging
|
||||||
|
// information panel is hidden as well, since it's opened by the
|
||||||
|
// error code link in the advanced panel.
|
||||||
|
let div = document.getElementById("certificateErrorDebugInformation");
|
||||||
|
div.style.display = "none";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set the link if we want it.
|
||||||
|
if (href) {
|
||||||
|
setL10NLabel("cert-error-domain-mismatch-single", args, {
|
||||||
|
"href": href,
|
||||||
|
"data-l10n-name": "domain-mismatch-link",
|
||||||
|
"id": "cert_domain_link",
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
setL10NLabel("cert-error-domain-mismatch-single-nolink", args);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
let names = subjectAltNames.join(", ");
|
||||||
|
args["subject-alt-names"] = names;
|
||||||
|
setL10NLabel("cert-error-domain-mismatch-multiple", args);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
setL10NLabel("cert-error-domain-mismatch", { hostname: hostString });
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (failedCertInfo.isNotValidAtThisTime) {
|
||||||
|
let notBefore = failedCertInfo.validNotBefore;
|
||||||
|
let notAfter = failedCertInfo.validNotAfter;
|
||||||
|
let formatter = new Intl.DateTimeFormat("default");
|
||||||
|
args = {
|
||||||
|
hostname: hostString,
|
||||||
|
};
|
||||||
|
if (notBefore && (Date.now() < notAfter)) {
|
||||||
|
let notBeforeLocalTime = formatter.format(new Date(notBefore));
|
||||||
|
l10nId = "cert-error-not-yet-valid-now";
|
||||||
|
args["not-before-local-time"] = notBeforeLocalTime;
|
||||||
|
} else {
|
||||||
|
let notAfterLocalTime = formatter.format(new Date(notAfter));
|
||||||
|
l10nId = "cert-error-expired-now";
|
||||||
|
args["not-after-local-time"] = notAfterLocalTime;
|
||||||
|
}
|
||||||
|
setL10NLabel(l10nId, args);
|
||||||
|
}
|
||||||
|
|
||||||
|
setL10NLabel("cert-error-code-prefix-link", { error: failedCertInfo.errorCodeString }, {
|
||||||
|
"title": failedCertInfo.errorCodeString,
|
||||||
|
"id": "errorCode",
|
||||||
|
"data-l10n-name": "error-code-link",
|
||||||
|
"data-telemetry-id": "error_code_link",
|
||||||
|
}, false);
|
||||||
|
let errorCodeLink = document.getElementById("errorCode");
|
||||||
|
if (errorCodeLink) {
|
||||||
|
// We're attaching the event listener to the parent element and not on
|
||||||
|
// the errorCodeLink itself because event listeners cannot be attached
|
||||||
|
// to fluent DOM overlays.
|
||||||
|
technicalInfo.addEventListener("click", handleErrorCodeClick);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function handleErrorCodeClick(event) {
|
||||||
|
if (event.target.id !== "errorCode") {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
let debugInfo = document.getElementById("certificateErrorDebugInformation");
|
||||||
|
debugInfo.style.display = "block";
|
||||||
|
debugInfo.scrollIntoView({block: "start", behavior: "smooth"});
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Only do autofocus if we're the toplevel frame; otherwise we
|
/* Only do autofocus if we're the toplevel frame; otherwise we
|
||||||
|
|||||||
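Review bot: In the single-name branch of `setTechnicalDetailsOnCertError`, the link target is built from the raw `failedCertInfo.subjectAltNames` string while the displayed name is the filtered `subjectAltNames[0]`, so the href and the text shown to the user can diverge whenever the raw list carries empty entries (a stray comma, for example). That value comes from the certificate that just failed validation, so both should be derived from the same filtered entry before the suffix checks run: `let okHost = subjectAltNames[0];`. Separately, the `MOZILLA_PKIX_ERROR_MITM_DETECTED` case no longer consults `mitmErrorPageEnabled` the way the removed `_setTechDetails` did (it fell through to the unknown-issuer text when the pref was off); if that gating is not applied elsewhere, it should be restored or the change called out in the commit message. `setL10NLabel` also appends an empty `<a>` to every label because `if (attrs)` is always true for the `{}` default; `if (Object.keys(attrs).length)` would limit the link to callers that pass attributes.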
@@ -25,6 +25,8 @@
|
|||||||
<!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in
|
<!-- If the location of the favicon is changed here, the FAVICON_ERRORPAGE_URL symbol in
|
||||||
toolkit/components/places/src/nsFaviconService.h should be updated. -->
|
toolkit/components/places/src/nsFaviconService.h should be updated. -->
|
||||||
<link rel="icon" id="favicon" href="chrome://global/skin/icons/warning.svg"/>
|
<link rel="icon" id="favicon" href="chrome://global/skin/icons/warning.svg"/>
|
||||||
|
<link rel="localization" href="browser/aboutCertError.ftl" />
|
||||||
|
<link rel="localization" href="branding/brand.ftl"/>
|
||||||
</head>
|
</head>
|
||||||
|
|
||||||
<body dir="&locale.dir;">
|
<body dir="&locale.dir;">
|
||||||
|
|||||||
@@ -3230,20 +3230,10 @@ var BrowserOnClick = {
|
|||||||
securityInfo = getSecurityInfo(securityInfoAsString);
|
securityInfo = getSecurityInfo(securityInfoAsString);
|
||||||
let errorInfo = getDetailedCertErrorInfo(location,
|
let errorInfo = getDetailedCertErrorInfo(location,
|
||||||
securityInfo);
|
securityInfo);
|
||||||
let validityInfo = {
|
|
||||||
notAfter: securityInfo.serverCert.validity.notAfter / 1000,
|
|
||||||
notBefore: securityInfo.serverCert.validity.notBefore / 1000,
|
|
||||||
};
|
|
||||||
browser.messageManager.sendAsyncMessage("CertErrorDetails", {
|
browser.messageManager.sendAsyncMessage("CertErrorDetails", {
|
||||||
code: securityInfo.errorCode,
|
code: securityInfo.errorCode,
|
||||||
info: errorInfo,
|
info: errorInfo,
|
||||||
codeString: securityInfo.errorCodeString,
|
codeString: securityInfo.errorCodeString,
|
||||||
certIsUntrusted: securityInfo.isUntrusted,
|
|
||||||
certSubjectAltNames: securityInfo.serverCert.subjectAltNames,
|
|
||||||
validity: validityInfo,
|
|
||||||
url: location,
|
|
||||||
isDomainMismatch: securityInfo.isDomainMismatch,
|
|
||||||
isNotValidAtThisTime: securityInfo.isNotValidAtThisTime,
|
|
||||||
frameId,
|
frameId,
|
||||||
});
|
});
|
||||||
break;
|
break;
|
||||||
|
|||||||
66
browser/locales/en-US/browser/aboutCertError.ftl
Normal file
66
browser/locales/en-US/browser/aboutCertError.ftl
Normal file
@@ -0,0 +1,66 @@
|
|||||||
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $hostname (String) - Hostname of the website with cert error.
|
||||||
|
cert-error-intro = { $hostname } uses an invalid security certificate.
|
||||||
|
|
||||||
|
cert-error-mitm-intro = Websites prove their identity via certificates, which are issued by certificate authorities.
|
||||||
|
|
||||||
|
cert-error-mitm-mozilla = { -brand-short-name } is backed by the non-profit Mozilla, which administers a completely open certificate authority (CA) store. The CA store helps ensure that certificate authorities are following best practices for user security.
|
||||||
|
|
||||||
|
cert-error-mitm-connection = { -brand-short-name } uses the Mozilla CA store to verify that a connection is secure, rather than certificates supplied by the user’s operating system. So, if an antivirus program or a network is intercepting a connection with a security certificate issued by a CA that is not in the Mozilla CA store, the connection is considered unsafe.
|
||||||
|
|
||||||
|
cert-error-trust-unknown-issuer-intro = Someone could be trying to impersonate the site and you should not continue.
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $hostname (String) - Hostname of the website with cert error.
|
||||||
|
cert-error-trust-unknown-issuer = Websites prove their identity via certificates. { -brand-short-name } does not trust { $hostname } because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.
|
||||||
|
|
||||||
|
cert-error-trust-cert-invalid = The certificate is not trusted because it was issued by an invalid CA certificate.
|
||||||
|
|
||||||
|
cert-error-trust-untrusted-issuer = The certificate is not trusted because the issuer certificate is not trusted.
|
||||||
|
|
||||||
|
cert-error-trust-signature-algorithm-disabled = The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
|
||||||
|
|
||||||
|
cert-error-trust-expired-issuer = The certificate is not trusted because the issuer certificate has expired.
|
||||||
|
|
||||||
|
cert-error-trust-self-signed = The certificate is not trusted because it is self-signed.
|
||||||
|
|
||||||
|
cert-error-trust-symantec = Certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign are no longer considered safe because these certificate authorities failed to follow security practices in the past.
|
||||||
|
|
||||||
|
cert-error-untrusted-default = The certificate does not come from a trusted source.
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $hostname (String) - Hostname of the website with cert error.
|
||||||
|
cert-error-domain-mismatch = Websites prove their identity via certificates. { -brand-short-name } does not trust this site because it uses a certificate that is not valid for { $hostname }.
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $hostname (String) - Hostname of the website with cert error.
|
||||||
|
# $alt-name (String) - Alternate domain name for which the cert is valid.
|
||||||
|
cert-error-domain-mismatch-single = Websites prove their identity via certificates. { -brand-short-name } does not trust this site because it uses a certificate that is not valid for { $hostname }. The certificate is only valid for <a data-l10n-name="domain-mismatch-link">{ $alt-name }</a>.
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $hostname (String) - Hostname of the website with cert error.
|
||||||
|
# $alt-name (String) - Alternate domain name for which the cert is valid.
|
||||||
|
cert-error-domain-mismatch-single-nolink = Websites prove their identity via certificates. { -brand-short-name } does not trust this site because it uses a certificate that is not valid for { $hostname }. The certificate is only valid for { $alt-name }.
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $subject-alt-names (String) - Alternate domain names for which the cert is valid.
|
||||||
|
cert-error-domain-mismatch-multiple = Websites prove their identity via certificates. { -brand-short-name } does not trust this site because it uses a certificate that is not valid for { $hostname }. The certificate is only valid for the following names: { $subject-alt-names }
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $hostname (String) - Hostname of the website with cert error.
|
||||||
|
# $not-after-local-time (Date) - Certificate is not valid after this time.
|
||||||
|
cert-error-expired-now = Websites prove their identity via certificates, which are valid for a set time period. The certificate for { $hostname } expired on { $not-after-local-time }.
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $hostname (String) - Hostname of the website with cert error.
|
||||||
|
# $not-before-local-time (Date) - Certificate is not valid before this time.
|
||||||
|
cert-error-not-yet-valid-now = Websites prove their identity via certificates, which are valid for a set time period. The certificate for { $hostname } will not be valid until { $not-before-local-time }.
|
||||||
|
|
||||||
|
# Variables:
|
||||||
|
# $error (String) - NSS error code string that specifies type of cert error. e.g. unknown issuer, invalid cert, etc.
|
||||||
|
cert-error-code-prefix-link = Error code: <a data-l10n-name="error-code-link">{ $error }</a>
|
||||||
|
|
||||||
@@ -263,33 +263,23 @@ certErrorTrust_SelfSigned=The certificate is not trusted because it is self-sign
|
|||||||
certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer certificate is unknown.
|
certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer certificate is unknown.
|
||||||
certErrorTrust_UnknownIssuer2=The server might not be sending the appropriate intermediate certificates.
|
certErrorTrust_UnknownIssuer2=The server might not be sending the appropriate intermediate certificates.
|
||||||
certErrorTrust_UnknownIssuer3=An additional root certificate may need to be imported.
|
certErrorTrust_UnknownIssuer3=An additional root certificate may need to be imported.
|
||||||
certErrorTrust_UnknownIssuer4=Someone could be trying to impersonate the site and you should not continue.
|
|
||||||
# LOCALIZATION NOTE (certErrorTrust_UnknownIssuer6): %1$S is replaced by the brand name, %2$S is replaced by host name.
|
|
||||||
certErrorTrust_UnknownIssuer6=Websites prove their identity via certificates. %1$S does not trust %2$S because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.
|
|
||||||
certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate.
|
certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate.
|
||||||
certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted.
|
certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted.
|
||||||
certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
|
certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
|
||||||
certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
|
certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
|
||||||
certErrorTrust_Untrusted=The certificate does not come from a trusted source.
|
certErrorTrust_Untrusted=The certificate does not come from a trusted source.
|
||||||
certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.
|
certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.
|
||||||
certErrorTrust_Symantec1=Certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign are no longer considered safe because these certificate authorities failed to follow security practices in the past.
|
|
||||||
|
|
||||||
certErrorMismatch=The certificate is not valid for the name %S.
|
certErrorMismatch=The certificate is not valid for the name %S.
|
||||||
# LOCALIZATION NOTE (certErrorMismatch3, certErrorMismatchSinglePrefix3, certErrorMismatchMultiple3): %1$S is replaced by the brand name, %2$S is replaced by host name.
|
|
||||||
certErrorMismatch3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S.
|
|
||||||
# LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid
|
# LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid
|
||||||
certErrorMismatchSinglePrefix=The certificate is only valid for %S.
|
certErrorMismatchSinglePrefix=The certificate is only valid for %S.
|
||||||
certErrorMismatchSinglePrefix3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S.
|
|
||||||
certErrorMismatchMultiple=The certificate is only valid for the following names:
|
certErrorMismatchMultiple=The certificate is only valid for the following names:
|
||||||
certErrorMismatchMultiple3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S. The certificate is only valid for the following names:
|
|
||||||
|
|
||||||
# LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time)
|
# LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time)
|
||||||
certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S.
|
certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S.
|
||||||
certErrorExpiredNow3=Websites prove their identity via certificates, which are valid for a set time period. The certificate for %1$S expired on %2$S.
|
|
||||||
|
|
||||||
# LOCALIZATION NOTE (certErrorNotYetValidNow): Do not translate %1$S (date+time certificate will become valid) or %2$S (current date+time)
|
# LOCALIZATION NOTE (certErrorNotYetValidNow): Do not translate %1$S (date+time certificate will become valid) or %2$S (current date+time)
|
||||||
certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
|
certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
|
||||||
certErrorNotYetValidNow3=Websites prove their identity via certificates, which are valid for a set time period. The certificate for %1$S will not be valid until %2$S.
|
|
||||||
|
|
||||||
certErrorMitM=Websites prove their identity via certificates, which are issued by certificate authorities.
|
certErrorMitM=Websites prove their identity via certificates, which are issued by certificate authorities.
|
||||||
# LOCALIZATION NOTE (certErrorMitM2): %S is brandShortName
|
# LOCALIZATION NOTE (certErrorMitM2): %S is brandShortName
|
||||||
|
|||||||