Correctly documentation of Firefox client behavior #859
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
References: - https://bugzilla.mozilla.org/show_bug.cgi?id=1846866 ignores pref - https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 ignores notAfter - https://bugzilla.mozilla.org/show_bug.cgi?id=1713628 ignores notBefore "Only end-entity certs can potentially end up here." (in ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): verified locally and also observed before in the armagadd-on-2.0 incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired intermediates were accepted, then we would not have had the incident.
Rob--W
force-pushed
the
fix-doc-firefox-behavior
branch
from
1670d00
to
5b600a6
Compare
|
@hwine Could you review/merge this? I don't know who else to ask here. |
hwine
reviewed
Aug 3, 2023
| # In Firefox 103+ (bug 1769669), roots are hard-coded in Firefox and the | ||
| # chosen root is dependent on the app.normandy.api_url pref, see | ||
| # https://searchfox.org/mozilla-central/rev/2bf90dc51ce7e8274ce208fbb9d68b3ff535185e/toolkit/components/normandy/lib/NormandyApi.sys.mjs#15-30 | ||
| # |
There was a problem hiding this comment.
@hwine to do
- also needs to be copied to production configs
hwine
reviewed
Aug 3, 2023
| # In Firefox 103+ (bug 1769669), roots are hard-coded in Firefox and the | ||
| # chosen root is dependent on multiple conditions, see | ||
| # https://searchfox.org/mozilla-central/rev/2bf90dc51ce7e8274ce208fbb9d68b3ff535185e/services/settings/Utils.sys.mjs#53-76,97-101,110-124 | ||
| # |
There was a problem hiding this comment.
@hwine to do
- also needs to be copied to production configs
|
@hwine the docs confused me last night when I was debugging staging content signature for remote settings, can we finalize this PR please? |
|
Thanks for nudge -- I'll cut a separate ticket for the live config updates |
hwine
approved these changes
Mar 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current documentation of content signature verification and add-on certificate verification is inaccurate. This PR fixes a few inaccuracies.
References:
About the comment "Only end-entity certs can potentially end up here." (in ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): I verified this locally and we have also observed before in the armagadd-on-2.0 incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired intermediates were accepted, then we would not have had the incident.