archlinuxarm/PKGBUILDs
1
0
Fork 0
mirror of https://github.com/archlinuxarm/PKGBUILDs.git synced 2024-11-08 22:45:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
PKGBUILDs/extra/firefox/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
Kevin Mihelich 3e37676588 extra/firefox to 110.0.1-4
2023-03-11 01:13:35 +00:00

165 lines
9.7 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dennis Jackson <djackson@mozilla.com>
Date: Thu, 9 Mar 2023 22:05:17 +0000
Subject: [PATCH] Bug 1821359: Disable TLS Key Pinning for Twitter Domains.
r=keeler, a=dmeehan
This patch removes Twitter domains from the list of sites we statically pin in Firefox
and regenerates the associated headers. Note that the Twitter domains are still
imported from Chrome's list of pins, but now have the test flag set, making them inert.
Differential Revision: https://phabricator.services.mozilla.com/D172161
---
security/manager/ssl/StaticHPKPins.h | 18 ++++++++--------
security/manager/tools/PreloadedHPKPins.json | 22 ++------------------
2 files changed, 11 insertions(+), 29 deletions(-)
diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h
index 3adda637832a..e558393a3218 100644
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@@ -602,26 +602,26 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "android.com", true, false, false, -1, &kPinset_google_root_pems },
{ "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services },
- { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
+ { "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
{ "apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "apps.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "appspot.com", true, false, false, -1, &kPinset_google_root_pems },
{ "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services },
{ "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services },
{ "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "blog.torproject.org", true, false, false, -1, &kPinset_tor },
{ "blogger.com", true, false, false, -1, &kPinset_google_root_pems },
{ "blogspot.com", true, false, false, -1, &kPinset_google_root_pems },
{ "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
{ "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
{ "business.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom },
+ { "business.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
@@ -661,7 +661,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom },
+ { "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "developer.android.com", true, false, false, -1, &kPinset_google_root_pems },
{ "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "dist.torproject.org", true, false, false, -1, &kPinset_tor },
@@ -973,34 +973,34 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "meet.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "messenger.com", true, false, false, -1, &kPinset_facebook },
- { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom },
+ { "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom },
+ { "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
{ "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
{ "payments.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "pinning-test.badssl.com", true, false, false, -1, &kPinset_test },
{ "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
{ "pixel.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
+ { "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
{ "play.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "plus.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
@@ -1043,8 +1043,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems },
{ "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
- { "twitter.com", true, false, false, -1, &kPinset_twitterCDN },
+ { "twimg.com", true, true, false, -1, &kPinset_twitterCDN },
+ { "twitter.com", false, true, false, -1, &kPinset_twitterCom },
{ "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "ua5v.com", true, false, false, -1, &kPinset_google_root_pems },
{ "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
@@ -1079,7 +1079,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
{ "www.messenger.com", true, false, false, -1, &kPinset_facebook },
{ "www.torproject.org", true, false, false, -1, &kPinset_tor },
- { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
+ { "www.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
{ "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
index 243625852686..c7c20ea6f680 100644
--- a/security/manager/tools/PreloadedHPKPins.json
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -44,29 +44,16 @@
// Dropbox
"dropbox.com",
"www.dropbox.com",
- // Twitter
- "api.twitter.com",
- "business.twitter.com",
- "dev.twitter.com",
- "mobile.twitter.com",
- "oauth.twitter.com",
- "platform.twitter.com",
- "twimg.com",
- "www.twitter.com",
// Tor
"torproject.org",
"blog.torproject.org",
"check.torproject.org",
"dist.torproject.org",
"www.torproject.org",
// SpiderOak
"spideroak.com"
],
- "exclude_domains" : [
- // Chrome's entry for twitter.com doesn't include subdomains, so replace
- // it with our own entry below which also uses an expanded pinset.
- "twitter.com"
- ]
+ "exclude_domains" : []
},
"pinsets": [
{
@@ -193,12 +180,7 @@
"include_subdomains": false, "pins": "mozilla_test",
"test_mode": false },
{ "name": "test-mode.pinning.example.com", "include_subdomains": true,
- "pins": "mozilla_test", "test_mode": true },
- // Expand twitter's pinset to include all of *.twitter.com and use
- // twitterCDN. More specific rules take precedence because we search for
- // exact domain name first.
- { "name": "twitter.com", "include_subdomains": true,
- "pins": "twitterCDN", "test_mode": false }
+ "pins": "mozilla_test", "test_mode": true }
],
// When pinning to non-root certs, like intermediates,
// place the PEM of the pinned certificate in this array
Reference in a new issue View git blame Copy permalink