path: root/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
Diffstat (limited to '0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch')
-rw-r--r--0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch165
1 files changed, 0 insertions, 165 deletions
diff --git a/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch b/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
deleted file mode 100644
index eb75f7f90e0c..000000000000
--- a/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Dennis Jackson <djackson@mozilla.com>
-Date: Thu, 9 Mar 2023 22:05:17 +0000
-Subject: [PATCH] Bug 1821359: Disable TLS Key Pinning for Twitter Domains.
- r=keeler, a=dmeehan
-
-This patch removes Twitter domains from the list of sites we statically pin in Firefox
-and regenerates the associated headers. Note that the Twitter domains are still
-imported from Chrome's list of pins, but now have the test flag set, making them inert.
-
-Differential Revision: https://phabricator.services.mozilla.com/D172161
----
- security/manager/ssl/StaticHPKPins.h | 18 ++++++++--------
- security/manager/tools/PreloadedHPKPins.json | 22 ++------------------
- 2 files changed, 11 insertions(+), 29 deletions(-)
-
-diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h
-index 3adda637832a..e558393a3218 100644
---- a/security/manager/ssl/StaticHPKPins.h
-+++ b/security/manager/ssl/StaticHPKPins.h
-@@ -602,26 +602,26 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
- { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "android.com", true, false, false, -1, &kPinset_google_root_pems },
- { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services },
-- { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
-+ { "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
- { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "apps.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services },
- { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services },
- { "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "blog.torproject.org", true, false, false, -1, &kPinset_tor },
- { "blogger.com", true, false, false, -1, &kPinset_google_root_pems },
- { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
- { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
- { "business.facebook.com", true, false, false, -1, &kPinset_facebook },
-- { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom },
-+ { "business.twitter.com", true, true, false, -1, &kPinset_twitterCom },
- { "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
-@@ -661,7 +661,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
- { "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
-- { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom },
-+ { "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom },
- { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems },
- { "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "dist.torproject.org", true, false, false, -1, &kPinset_tor },
-@@ -973,34 +973,34 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
- { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "messenger.com", true, false, false, -1, &kPinset_facebook },
-- { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom },
-+ { "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
- { "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
-- { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom },
-+ { "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
- { "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
- { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
- { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test },
- { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
- { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook },
- { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
-- { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
-+ { "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
- { "play.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
-@@ -1043,8 +1043,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
- { "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems },
- { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
-- { "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
-- { "twitter.com", true, false, false, -1, &kPinset_twitterCDN },
-+ { "twimg.com", true, true, false, -1, &kPinset_twitterCDN },
-+ { "twitter.com", false, true, false, -1, &kPinset_twitterCom },
- { "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "ua5v.com", true, false, false, -1, &kPinset_google_root_pems },
- { "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
-@@ -1079,7 +1079,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
- { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
- { "www.messenger.com", true, false, false, -1, &kPinset_facebook },
- { "www.torproject.org", true, false, false, -1, &kPinset_tor },
-- { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
-+ { "www.twitter.com", true, true, false, -1, &kPinset_twitterCom },
- { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
- { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
- { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
-diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
-index 243625852686..c7c20ea6f680 100644
---- a/security/manager/tools/PreloadedHPKPins.json
-+++ b/security/manager/tools/PreloadedHPKPins.json
-@@ -44,29 +44,16 @@
- // Dropbox
- "dropbox.com",
- "www.dropbox.com",
-- // Twitter
-- "api.twitter.com",
-- "business.twitter.com",
-- "dev.twitter.com",
-- "mobile.twitter.com",
-- "oauth.twitter.com",
-- "platform.twitter.com",
-- "twimg.com",
-- "www.twitter.com",
- // Tor
- "torproject.org",
- "blog.torproject.org",
- "check.torproject.org",
- "dist.torproject.org",
- "www.torproject.org",
- // SpiderOak
- "spideroak.com"
- ],
-- "exclude_domains" : [
-- // Chrome's entry for twitter.com doesn't include subdomains, so replace
-- // it with our own entry below which also uses an expanded pinset.
-- "twitter.com"
-- ]
-+ "exclude_domains" : []
- },
- "pinsets": [
- {
-@@ -193,12 +180,7 @@
- "include_subdomains": false, "pins": "mozilla_test",
- "test_mode": false },
- { "name": "test-mode.pinning.example.com", "include_subdomains": true,
-- "pins": "mozilla_test", "test_mode": true },
-- // Expand twitter's pinset to include all of *.twitter.com and use
-- // twitterCDN. More specific rules take precedence because we search for
-- // exact domain name first.
-- { "name": "twitter.com", "include_subdomains": true,
-- "pins": "twitterCDN", "test_mode": false }
-+ "pins": "mozilla_test", "test_mode": true }
- ],
- // When pinning to non-root certs, like intermediates,
- // place the PEM of the pinned certificate in this array