Diffstat (limited to '0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch')
-rw-r--r-- | 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch b/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
new file mode 100644
index 000000000000..eb75f7f90e0c
--- /dev/null
+++ b/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
@@ -0,0 +1,165 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dennis Jackson <djackson@mozilla.com>
+Date: Thu, 9 Mar 2023 22:05:17 +0000
+Subject: [PATCH] Bug 1821359: Disable TLS Key Pinning for Twitter Domains.
+ r=keeler, a=dmeehan
+
+This patch removes Twitter domains from the list of sites we statically pin in Firefox
+and regenerates the associated headers. Note that the Twitter domains are still
+imported from Chrome's list of pins, but now have the test flag set, making them inert.
+
+Differential Revision: https://phabricator.services.mozilla.com/D172161
+---
+ security/manager/ssl/StaticHPKPins.h | 18 ++++++++--------
+ security/manager/tools/PreloadedHPKPins.json | 22 ++------------------
+ 2 files changed, 11 insertions(+), 29 deletions(-)
+
+diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h
+index 3adda637832a..e558393a3218 100644
+--- a/security/manager/ssl/StaticHPKPins.h
++++ b/security/manager/ssl/StaticHPKPins.h
+@@ -602,26 +602,26 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "android.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services },
+- { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++ { "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
+ { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "apps.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services },
+ { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services },
+ { "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "blog.torproject.org", true, false, false, -1, &kPinset_tor },
+ { "blogger.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+ { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+ { "business.facebook.com", true, false, false, -1, &kPinset_facebook },
+- { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "business.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+@@ -661,7 +661,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+- { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "dist.torproject.org", true, false, false, -1, &kPinset_tor },
+@@ -973,34 +973,34 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "messenger.com", true, false, false, -1, &kPinset_facebook },
+- { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+- { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test },
+ { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
+ { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+- { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++ { "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
+ { "play.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
+@@ -1043,8 +1043,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems },
+ { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+- { "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
+- { "twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++ { "twimg.com", true, true, false, -1, &kPinset_twitterCDN },
++ { "twitter.com", false, true, false, -1, &kPinset_twitterCom },
+ { "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "ua5v.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+@@ -1079,7 +1079,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
+ { "www.messenger.com", true, false, false, -1, &kPinset_facebook },
+ { "www.torproject.org", true, false, false, -1, &kPinset_tor },
+- { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "www.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
+diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
+index 243625852686..c7c20ea6f680 100644
+--- a/security/manager/tools/PreloadedHPKPins.json
++++ b/security/manager/tools/PreloadedHPKPins.json
+@@ -44,29 +44,16 @@
+ // Dropbox
+ "dropbox.com",
+ "www.dropbox.com",
+- // Twitter
+- "api.twitter.com",
+- "business.twitter.com",
+- "dev.twitter.com",
+- "mobile.twitter.com",
+- "oauth.twitter.com",
+- "platform.twitter.com",
+- "twimg.com",
+- "www.twitter.com",
+ // Tor
+ "torproject.org",
+ "blog.torproject.org",
+ "check.torproject.org",
+ "dist.torproject.org",
+ "www.torproject.org",
+ // SpiderOak
+ "spideroak.com"
+ ],
+- "exclude_domains" : [
+- // Chrome's entry for twitter.com doesn't include subdomains, so replace
+- // it with our own entry below which also uses an expanded pinset.
+- "twitter.com"
+- ]
++ "exclude_domains" : []
+ },
+ "pinsets": [
+ {
+@@ -193,12 +180,7 @@
+ "include_subdomains": false, "pins": "mozilla_test",
+ "test_mode": false },
+ { "name": "test-mode.pinning.example.com", "include_subdomains": true,
+- "pins": "mozilla_test", "test_mode": true },
+- // Expand twitter's pinset to include all of *.twitter.com and use
+- // twitterCDN. More specific rules take precedence because we search for
+- // exact domain name first.
+- { "name": "twitter.com", "include_subdomains": true,
+- "pins": "twitterCDN", "test_mode": false }
++ "pins": "mozilla_test", "test_mode": true }
+ ],
+ // When pinning to non-root certs, like intermediates,
+ // place the PEM of the pinned certificate in this array |
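Review bot: The patch header carries a placeholder `From 0000000000000000000000000000000000000000`, so nothing in this packaging commit lets a reviewer confirm that the carried hunks match what upstream landed for Bug 1821359 other than following the Differential Revision link; if the upstream changeset id is known, record it in the first line, e.g. `From <upstream-commit-sha> Mon Sep 17 00:00:00 2001`, or in a line above the diffstat. The description would also benefit from stating what the header hunks actually do: every Twitter entry keeps its row and only its second boolean flips to true (presumably the test-mode flag the description alludes to), and at the `@@ -1043` hunk `twitter.com` additionally loses its first flag and moves from `&kPinset_twitterCDN` to `&kPinset_twitterCom`, which is consistent with the JSON hunk dropping the `exclude_domains` override but is not mentioned anywhere. Since StaticHPKPins.h is described as regenerated from PreloadedHPKPins.json, a short note in the patch that the header hunk was produced by regeneration, and that a tree whose generated header differs should regenerate rather than rely on the hand-carried hunk, would spare packagers from applying a header that no longer matches the JSON source.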