summarylogtreecommitdiffstats
path: root/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
diff options
context:
space:
mode:
Diffstat (limited to '0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch')
-rw-r--r--0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch165
1 files changed, 165 insertions, 0 deletions
diff --git a/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch b/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
new file mode 100644
index 000000000000..eb75f7f90e0c
--- /dev/null
+++ b/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
@@ -0,0 +1,165 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dennis Jackson <djackson@mozilla.com>
+Date: Thu, 9 Mar 2023 22:05:17 +0000
+Subject: [PATCH] Bug 1821359: Disable TLS Key Pinning for Twitter Domains.
+ r=keeler, a=dmeehan
+
+This patch removes Twitter domains from the list of sites we statically pin in Firefox
+and regenerates the associated headers. Note that the Twitter domains are still
+imported from Chrome's list of pins, but now have the test flag set, making them inert.
+
+Differential Revision: https://phabricator.services.mozilla.com/D172161
+---
+ security/manager/ssl/StaticHPKPins.h | 18 ++++++++--------
+ security/manager/tools/PreloadedHPKPins.json | 22 ++------------------
+ 2 files changed, 11 insertions(+), 29 deletions(-)
+
+diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h
+index 3adda637832a..e558393a3218 100644
+--- a/security/manager/ssl/StaticHPKPins.h
++++ b/security/manager/ssl/StaticHPKPins.h
+@@ -602,26 +602,26 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "android.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services },
+- { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++ { "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
+ { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "apps.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services },
+ { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services },
+ { "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "blog.torproject.org", true, false, false, -1, &kPinset_tor },
+ { "blogger.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+ { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+ { "business.facebook.com", true, false, false, -1, &kPinset_facebook },
+- { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "business.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+@@ -661,7 +661,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+- { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "dist.torproject.org", true, false, false, -1, &kPinset_tor },
+@@ -973,34 +973,34 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "messenger.com", true, false, false, -1, &kPinset_facebook },
+- { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+- { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test },
+ { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
+ { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook },
+ { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+- { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++ { "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
+ { "play.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
+@@ -1043,8 +1043,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems },
+ { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+- { "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
+- { "twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++ { "twimg.com", true, true, false, -1, &kPinset_twitterCDN },
++ { "twitter.com", false, true, false, -1, &kPinset_twitterCom },
+ { "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "ua5v.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+@@ -1079,7 +1079,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
+ { "www.messenger.com", true, false, false, -1, &kPinset_facebook },
+ { "www.torproject.org", true, false, false, -1, &kPinset_tor },
+- { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++ { "www.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+ { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
+diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
+index 243625852686..c7c20ea6f680 100644
+--- a/security/manager/tools/PreloadedHPKPins.json
++++ b/security/manager/tools/PreloadedHPKPins.json
+@@ -44,29 +44,16 @@
+ // Dropbox
+ "dropbox.com",
+ "www.dropbox.com",
+- // Twitter
+- "api.twitter.com",
+- "business.twitter.com",
+- "dev.twitter.com",
+- "mobile.twitter.com",
+- "oauth.twitter.com",
+- "platform.twitter.com",
+- "twimg.com",
+- "www.twitter.com",
+ // Tor
+ "torproject.org",
+ "blog.torproject.org",
+ "check.torproject.org",
+ "dist.torproject.org",
+ "www.torproject.org",
+ // SpiderOak
+ "spideroak.com"
+ ],
+- "exclude_domains" : [
+- // Chrome's entry for twitter.com doesn't include subdomains, so replace
+- // it with our own entry below which also uses an expanded pinset.
+- "twitter.com"
+- ]
++ "exclude_domains" : []
+ },
+ "pinsets": [
+ {
+@@ -193,12 +180,7 @@
+ "include_subdomains": false, "pins": "mozilla_test",
+ "test_mode": false },
+ { "name": "test-mode.pinning.example.com", "include_subdomains": true,
+- "pins": "mozilla_test", "test_mode": true },
+- // Expand twitter's pinset to include all of *.twitter.com and use
+- // twitterCDN. More specific rules take precedence because we search for
+- // exact domain name first.
+- { "name": "twitter.com", "include_subdomains": true,
+- "pins": "twitterCDN", "test_mode": false }
++ "pins": "mozilla_test", "test_mode": true }
+ ],
+ // When pinning to non-root certs, like intermediates,
+ // place the PEM of the pinned certificate in this array