Diffstat (limited to '0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch')
-rw-r--r-- | 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch | 165 |
1 files changed, 0 insertions, 165 deletions
diff --git a/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch b/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
deleted file mode 100644
index eb75f7f90e0c..000000000000
--- a/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
+++ /dev/null
@@ -1,165 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Dennis Jackson <djackson@mozilla.com> -Date: Thu, 9 Mar 2023 22:05:17 +0000 -Subject: [PATCH] Bug 1821359: Disable TLS Key Pinning for Twitter Domains. - r=keeler, a=dmeehan - -This patch removes Twitter domains from the list of sites we statically pin in Firefox -and regenerates the associated headers. Note that the Twitter domains are still -imported from Chrome's list of pins, but now have the test flag set, making them inert. - -Differential Revision: https://phabricator.services.mozilla.com/D172161 ---- - security/manager/ssl/StaticHPKPins.h | 18 ++++++++-------- - security/manager/tools/PreloadedHPKPins.json | 22 ++------------------ - 2 files changed, 11 insertions(+), 29 deletions(-) - -diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h -index 3adda637832a..e558393a3218 100644 ---- a/security/manager/ssl/StaticHPKPins.h -+++ b/security/manager/ssl/StaticHPKPins.h -@@ -602,26 +602,26 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { - { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "android.com", true, false, false, -1, &kPinset_google_root_pems }, - { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services }, -- { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN }, -+ { "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN }, - { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "apps.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services }, 
- { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services }, - { "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "blog.torproject.org", true, false, false, -1, &kPinset_tor }, - { "blogger.com", true, false, false, -1, &kPinset_google_root_pems }, - { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, - { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, - { "business.facebook.com", true, false, false, -1, &kPinset_facebook }, -- { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom }, -+ { "business.twitter.com", true, true, false, -1, &kPinset_twitterCom }, - { "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, -@@ -661,7 +661,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { - { "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, -- { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom }, -+ { "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom }, - { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems }, - { "developers.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "dist.torproject.org", true, false, false, -1, &kPinset_tor }, -@@ -973,34 +973,34 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { - { "mbasic.facebook.com", true, false, false, -1, 
&kPinset_facebook }, - { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "messenger.com", true, false, false, -1, &kPinset_facebook }, -- { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom }, -+ { "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom }, - { "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, -- { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom }, -+ { "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom }, - { "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, - { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, - { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test }, - { "pinningtest.appspot.com", true, false, false, -1, 
&kPinset_test }, - { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, -- { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN }, -+ { "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN }, - { "play.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems }, -@@ -1043,8 +1043,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { - { "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems }, - { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, -- { "twimg.com", true, false, false, -1, &kPinset_twitterCDN }, -- { "twitter.com", true, false, false, -1, &kPinset_twitterCDN }, -+ { "twimg.com", true, true, false, -1, &kPinset_twitterCDN }, -+ { "twitter.com", false, true, false, -1, &kPinset_twitterCom }, - { "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "ua5v.com", true, false, false, -1, &kPinset_google_root_pems }, - { "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, -@@ -1079,7 +1079,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { - { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems }, - { "www.messenger.com", true, false, false, -1, &kPinset_facebook }, - { "www.torproject.org", true, false, false, -1, &kPinset_tor }, -- { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom }, -+ { "www.twitter.com", true, true, false, -1, &kPinset_twitterCom }, - { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - 
{ "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems }, -diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json -index 243625852686..c7c20ea6f680 100644 ---- a/security/manager/tools/PreloadedHPKPins.json -+++ b/security/manager/tools/PreloadedHPKPins.json -@@ -44,29 +44,16 @@ - // Dropbox - "dropbox.com", - "www.dropbox.com", -- // Twitter -- "api.twitter.com", -- "business.twitter.com", -- "dev.twitter.com", -- "mobile.twitter.com", -- "oauth.twitter.com", -- "platform.twitter.com", -- "twimg.com", -- "www.twitter.com", - // Tor - "torproject.org", - "blog.torproject.org", - "check.torproject.org", - "dist.torproject.org", - "www.torproject.org", - // SpiderOak - "spideroak.com" - ], -- "exclude_domains" : [ -- // Chrome's entry for twitter.com doesn't include subdomains, so replace -- // it with our own entry below which also uses an expanded pinset. -- "twitter.com" -- ] -+ "exclude_domains" : [] - }, - "pinsets": [ - { -@@ -193,12 +180,7 @@ - "include_subdomains": false, "pins": "mozilla_test", - "test_mode": false }, - { "name": "test-mode.pinning.example.com", "include_subdomains": true, -- "pins": "mozilla_test", "test_mode": true }, -- // Expand twitter's pinset to include all of *.twitter.com and use -- // twitterCDN. More specific rules take precedence because we search for -- // exact domain name first. -- { "name": "twitter.com", "include_subdomains": true, -- "pins": "twitterCDN", "test_mode": false } -+ "pins": "mozilla_test", "test_mode": true } - ], - // When pinning to non-root certs, like intermediates, - // place the PEM of the pinned certificate in this array |