diff options
Diffstat (limited to '')
-rw-r--r-- | toolkit/content/aboutNetError.mjs | 1368 |
1 files changed, 1368 insertions, 0 deletions
diff --git a/toolkit/content/aboutNetError.mjs b/toolkit/content/aboutNetError.mjs new file mode 100644 index 0000000000..62cdc8a86c --- /dev/null +++ b/toolkit/content/aboutNetError.mjs @@ -0,0 +1,1368 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* eslint-env mozilla/remote-page */ +/* eslint-disable import/no-unassigned-import */ + +import "chrome://global/content/certviewer/pvutils_bundle.jsm"; +import "chrome://global/content/certviewer/asn1js_bundle.jsm"; +import "chrome://global/content/certviewer/pkijs_bundle.jsm"; +import "chrome://global/content/certviewer/certDecoder.jsm"; + +const { Integer, fromBER } = globalThis.asn1js.asn1js; +const { Certificate } = globalThis.pkijs.pkijs; +const { fromBase64, stringToArrayBuffer } = globalThis.pvutils.pvutils; +const { parse, pemToDER } = globalThis.certDecoderInitializer( + Integer, + fromBER, + Certificate, + fromBase64, + stringToArrayBuffer, + crypto +); + +const formatter = new Intl.DateTimeFormat(); + +const HOST_NAME = getHostName(); + +function getHostName() { + try { + return new URL(RPMGetInnerMostURI(document.location.href)).hostname; + } catch (error) { + console.error("Could not parse URL", error); + } + return ""; +} + +// Used to check if we have a specific localized message for an error. +const KNOWN_ERROR_TITLE_IDS = new Set([ + // Error titles: + "connectionFailure-title", + "deniedPortAccess-title", + "dnsNotFound-title", + "dns-not-found-trr-only-title", + "fileNotFound-title", + "fileAccessDenied-title", + "generic-title", + "captivePortal-title", + "malformedURI-title", + "netInterrupt-title", + "notCached-title", + "netOffline-title", + "contentEncodingError-title", + "unsafeContentType-title", + "netReset-title", + "netTimeout-title", + "unknownProtocolFound-title", + "proxyConnectFailure-title", + "proxyResolveFailure-title", + "redirectLoop-title", + "unknownSocketType-title", + "nssFailure2-title", + "csp-xfo-error-title", + "corruptedContentError-title", + "sslv3Used-title", + "inadequateSecurityError-title", + "blockedByPolicy-title", + "clockSkewError-title", + "networkProtocolError-title", + "nssBadCert-title", + "nssBadCert-sts-title", + "certerror-mitm-title", +]); + +/* The error message IDs from nsserror.ftl get processed into + * aboutNetErrorCodes.js which is loaded before we are: */ +/* global KNOWN_ERROR_MESSAGE_IDS */ +const ERROR_MESSAGES_FTL = "toolkit/neterror/nsserrors.ftl"; + +// The following parameters are parsed from the error URL: +// e - the error code +// s - custom CSS class to allow alternate styling/favicons +// d - error description +// captive - "true" to indicate we're behind a captive portal. +// Any other value is ignored. + +// Note that this file uses document.documentURI to get +// the URL (with the format from above). This is because +// document.location.href gets the current URI off the docshell, +// which is the URL displayed in the location bar, i.e. +// the URI that the user attempted to load. + +let searchParams = new URLSearchParams(document.documentURI.split("?")[1]); + +let gErrorCode = searchParams.get("e"); +let gIsCertError = gErrorCode == "nssBadCert"; +let gHasSts = gIsCertError && getCSSClass() === "badStsCert"; + +// If the location of the favicon changes, FAVICON_CERTERRORPAGE_URL and/or +// FAVICON_ERRORPAGE_URL in toolkit/components/places/nsFaviconService.idl +// should also be updated. +document.getElementById("favicon").href = + gIsCertError || gErrorCode == "nssFailure2" + ? "chrome://global/skin/icons/warning.svg" + : "chrome://global/skin/icons/info.svg"; + +function getCSSClass() { + return searchParams.get("s"); +} + +function getDescription() { + return searchParams.get("d"); +} + +function isCaptive() { + return searchParams.get("captive") == "true"; +} + +/** + * We don't actually know what the MitM is called (since we don't + * maintain a list), so we'll try and display the common name of the + * root issuer to the user. In the worst case they are as clueless as + * before, in the best case this gives them an actionable hint. + * This may be revised in the future. + */ +function getMitmName(failedCertInfo) { + return failedCertInfo.issuerCommonName; +} + +function retryThis(buttonEl) { + RPMSendAsyncMessage("Browser:EnableOnlineMode"); + buttonEl.disabled = true; +} + +function showPrefChangeContainer() { + const panel = document.getElementById("prefChangeContainer"); + panel.hidden = false; + document.getElementById("netErrorButtonContainer").hidden = true; + document + .getElementById("prefResetButton") + .addEventListener("click", function resetPreferences() { + RPMSendAsyncMessage("Browser:ResetSSLPreferences"); + }); + setFocus("#prefResetButton", "beforeend"); +} + +function toggleCertErrorDebugInfoVisibility(shouldShow) { + let debugInfo = document.getElementById("certificateErrorDebugInformation"); + let copyButton = document.getElementById("copyToClipboardTop"); + + if (shouldShow === undefined) { + shouldShow = debugInfo.hidden; + } + debugInfo.hidden = !shouldShow; + if (shouldShow) { + copyButton.scrollIntoView({ block: "start", behavior: "smooth" }); + copyButton.focus(); + } +} + +function setupAdvancedButton() { + // Get the hostname and add it to the panel + var panel = document.getElementById("badCertAdvancedPanel"); + + // Register click handler for the weakCryptoAdvancedPanel + document + .getElementById("advancedButton") + .addEventListener("click", togglePanelVisibility); + + function togglePanelVisibility() { + panel.hidden = !panel.hidden; + + // Toggling the advanced panel must ensure that the debugging + // information panel is hidden as well, since it's opened by the + // error code link in the advanced panel. + toggleCertErrorDebugInfoVisibility(false); + + if (!panel.hidden) { + // send event to trigger telemetry ping + var event = new CustomEvent("AboutNetErrorUIExpanded", { bubbles: true }); + document.dispatchEvent(event); + } + } + + if (getCSSClass() == "expertBadCert") { + panel.hidden = false; + } +} + +function disallowCertOverridesIfNeeded() { + // Disallow overrides if this is a Strict-Transport-Security + // host and the cert is bad (STS Spec section 7.3) or if the + // certerror is in a frame (bug 633691). + if (gHasSts || window != top) { + document.getElementById("exceptionDialogButton").hidden = true; + } + if (gHasSts) { + const stsExplanation = document.getElementById("badStsCertExplanation"); + document.l10n.setAttributes( + stsExplanation, + "certerror-what-should-i-do-bad-sts-cert-explanation", + { hostname: HOST_NAME } + ); + stsExplanation.hidden = false; + + document.l10n.setAttributes( + document.getElementById("returnButton"), + "neterror-return-to-previous-page-button" + ); + document.l10n.setAttributes( + document.getElementById("advancedPanelReturnButton"), + "neterror-return-to-previous-page-button" + ); + } +} + +function initPage() { + // We show an offline support page in case of a system-wide error, + // when a user cannot connect to the internet and access the SUMO website. + // For example, clock error, which causes certerrors across the web or + // a security software conflict where the user is unable to connect + // to the internet. + // The URL that prompts us to show an offline support page should have the following + // format: "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/supportPageSlug", + // so we can extract the support page slug. + let baseURL = RPMGetFormatURLPref("app.support.baseURL"); + let location = document.location.href; + if (location.startsWith(baseURL)) { + let supportPageSlug = document.location.pathname.split("/").pop(); + RPMSendAsyncMessage("DisplayOfflineSupportPage", { + supportPageSlug, + }); + } + + const className = getCSSClass(); + if (className) { + document.body.classList.add(className); + } + + const isTRROnlyFailure = gErrorCode == "dnsNotFound" && RPMIsTRROnlyFailure(); + + const docTitle = document.querySelector("title"); + const bodyTitle = document.querySelector(".title-text"); + const shortDesc = document.getElementById("errorShortDesc"); + + if (gIsCertError) { + const isStsError = window !== window.top || gHasSts; + const errArgs = { hostname: HOST_NAME }; + if (isCaptive()) { + document.l10n.setAttributes( + docTitle, + "neterror-captive-portal-page-title" + ); + document.l10n.setAttributes(bodyTitle, "captivePortal-title"); + document.l10n.setAttributes( + shortDesc, + "neterror-captive-portal", + errArgs + ); + initPageCaptivePortal(); + } else { + if (isStsError) { + document.l10n.setAttributes(docTitle, "certerror-sts-page-title"); + document.l10n.setAttributes(bodyTitle, "nssBadCert-sts-title"); + document.l10n.setAttributes(shortDesc, "certerror-sts-intro", errArgs); + } else { + document.l10n.setAttributes(docTitle, "certerror-page-title"); + document.l10n.setAttributes(bodyTitle, "nssBadCert-title"); + document.l10n.setAttributes(shortDesc, "certerror-intro", errArgs); + } + initPageCertError(); + } + + initCertErrorPageActions(); + setTechnicalDetailsOnCertError(); + return; + } + + document.body.classList.add("neterror"); + + let longDesc = document.getElementById("errorLongDesc"); + const tryAgain = document.getElementById("netErrorButtonContainer"); + tryAgain.hidden = false; + const learnMore = document.getElementById("learnMoreContainer"); + const learnMoreLink = document.getElementById("learnMoreLink"); + learnMoreLink.setAttribute("href", baseURL + "connection-not-secure"); + + let pageTitleId = "neterror-page-title"; + let bodyTitleId = gErrorCode + "-title"; + + switch (gErrorCode) { + case "blockedByPolicy": + pageTitleId = "neterror-blocked-by-policy-page-title"; + document.body.classList.add("blocked"); + + // Remove the "Try again" button from pages that don't need it. + // For pages blocked by policy, trying again won't help. + tryAgain.hidden = true; + break; + + case "cspBlocked": + case "xfoBlocked": { + bodyTitleId = "csp-xfo-error-title"; + + // Remove the "Try again" button for XFO and CSP violations, + // since it's almost certainly useless. (Bug 553180) + tryAgain.hidden = true; + + // Adding a button for opening websites blocked for CSP and XFO violations + // in a new window. (Bug 1461195) + document.getElementById("errorShortDesc").hidden = true; + + document.l10n.setAttributes(longDesc, "csp-xfo-blocked-long-desc", { + hostname: HOST_NAME, + }); + longDesc = null; + + document.getElementById("openInNewWindowContainer").hidden = false; + + const openInNewWindowButton = document.getElementById( + "openInNewWindowButton" + ); + openInNewWindowButton.href = document.location.href; + + // Add a learn more link + learnMore.hidden = false; + learnMoreLink.setAttribute("href", baseURL + "xframe-neterror-page"); + + setupBlockingReportingUI(); + break; + } + + case "dnsNotFound": + pageTitleId = "neterror-dns-not-found-title"; + if (!isTRROnlyFailure) { + RPMCheckAlternateHostAvailable(); + } + + break; + case "inadequateSecurityError": + // Remove the "Try again" button from pages that don't need it. + // For HTTP/2 inadequate security, trying again won't help. + tryAgain.hidden = true; + break; + + case "malformedURI": + pageTitleId = "neterror-malformed-uri-page-title"; + // Remove the "Try again" button from pages that don't need it. + tryAgain.hidden = true; + break; + + // Pinning errors are of type nssFailure2 + case "nssFailure2": { + learnMore.hidden = false; + + const errorCode = document.getNetErrorInfo().errorCodeString; + switch (errorCode) { + case "SSL_ERROR_UNSUPPORTED_VERSION": + case "SSL_ERROR_PROTOCOL_VERSION_ALERT": { + const tlsNotice = document.getElementById("tlsVersionNotice"); + tlsNotice.hidden = false; + document.l10n.setAttributes(tlsNotice, "cert-error-old-tls-version"); + } + // fallthrough + + case "interrupted": // This happens with subresources that are above the max tls + case "SSL_ERROR_NO_CIPHERS_SUPPORTED": + case "SSL_ERROR_NO_CYPHER_OVERLAP": + case "SSL_ERROR_SSL_DISABLED": + RPMAddMessageListener("HasChangedCertPrefs", msg => { + if (msg.data.hasChangedCertPrefs) { + // Configuration overrides might have caused this; offer to reset. + showPrefChangeContainer(); + } + }); + RPMSendAsyncMessage("GetChangedCertPrefs"); + } + + break; + } + + case "sslv3Used": + learnMore.hidden = false; + document.body.className = "certerror"; + break; + } + + if (!KNOWN_ERROR_TITLE_IDS.has(bodyTitleId)) { + console.error("No strings exist for error:", gErrorCode); + bodyTitleId = "generic-title"; + } + + if (isTRROnlyFailure && RPMShowTRROnlyFailureError()) { + document.body.className = "certerror"; // Shows warning icon + pageTitleId = "dns-not-found-trr-only-title"; + document.l10n.setAttributes(docTitle, pageTitleId, { + hostname: HOST_NAME, + }); + bodyTitleId = "dns-not-found-trr-only-title"; + document.l10n.setAttributes(bodyTitle, bodyTitleId, { + hostname: HOST_NAME, + }); + + shortDesc.textContent = ""; + + // enable buttons + let trrExceptionButton = document.getElementById("trrExceptionButton"); + trrExceptionButton.addEventListener("click", () => { + RPMSendQuery("Browser:AddTRRExcludedDomain", { + hostname: HOST_NAME, + }).then(msg => { + retryThis(this); + }); + }); + trrExceptionButton.hidden = false; + let trrSettingsButton = document.getElementById("trrSettingsButton"); + trrSettingsButton.addEventListener("click", () => { + RPMSendAsyncMessage("OpenTRRPreferences"); + }); + trrSettingsButton.hidden = false; + let message = document.getElementById("trrOnlyMessage"); + document.l10n.setAttributes( + message, + "neterror-dns-not-found-trr-only-reason", + { + hostname: HOST_NAME, + } + ); + + let skipReason = RPMGetTRRSkipReason(); + + let descriptionTag = "neterror-dns-not-found-trr-unknown-problem"; + let args = { trrDomain: RPMGetTRRDomain() }; + if ( + skipReason == "TRR_FAILED" || + skipReason == "TRR_CHANNEL_DNS_FAIL" || + skipReason == "TRR_UNKNOWN_CHANNEL_FAILURE" || + skipReason == "TRR_NET_REFUSED" || + skipReason == "TRR_NET_INTERRUPT" || + skipReason == "TRR_NET_INADEQ_SEQURITY" + ) { + descriptionTag = "neterror-dns-not-found-trr-only-could-not-connect"; + } else if (skipReason == "TRR_TIMEOUT") { + descriptionTag = "neterror-dns-not-found-trr-only-timeout"; + } else if ( + skipReason == "TRR_IS_OFFLINE" || + skipReason == "TRR_NO_CONNECTIVITY" + ) { + descriptionTag = "neterror-dns-not-found-trr-offline"; + } else if (skipReason == "TRR_NO_ANSWERS" || skipReason == "TRR_NXDOMAIN") { + descriptionTag = "neterror-dns-not-found-trr-unknown-host"; + } else if ( + skipReason == "TRR_DECODE_FAILED" || + skipReason == "TRR_SERVER_RESPONSE_ERR" + ) { + descriptionTag = "neterror-dns-not-found-trr-server-problem"; + } + + let description = document.getElementById("trrOnlyDescription"); + document.l10n.setAttributes(description, descriptionTag, args); + + const trrLearnMoreContainer = document.getElementById( + "trrLearnMoreContainer" + ); + trrLearnMoreContainer.hidden = false; + let learnMoreLink = document.getElementById("trrOnlylearnMoreLink"); + // This will be replaced at a later point with a link to an offline support page + // https://bugzilla.mozilla.org/show_bug.cgi?id=1806257 + learnMoreLink.href = + RPMGetFormatURLPref("network.trr_ui.skip_reason_learn_more_url") + + skipReason.toLowerCase().replaceAll("_", "-"); + + let div = document.getElementById("trrOnlyContainer"); + div.hidden = false; + + return; + } + + document.l10n.setAttributes(docTitle, pageTitleId); + document.l10n.setAttributes(bodyTitle, bodyTitleId); + + shortDesc.textContent = getDescription(); + setFocus("#netErrorButtonContainer > .try-again"); + + if (longDesc) { + const parts = getNetErrorDescParts(); + setNetErrorMessageFromParts(longDesc, parts); + } + + setNetErrorMessageFromCode(); +} + +/** + * Builds HTML elements from `parts` and appends them to `parent`. + * + * @param {HTMLElement} parent + * @param {Array<["li" | "p" | "span", string, Record<string, string> | undefined]>} parts + */ +function setNetErrorMessageFromParts(parent, parts) { + let list = null; + + for (let [tag, l10nId, l10nArgs] of parts) { + const elem = document.createElement(tag); + elem.dataset.l10nId = l10nId; + if (l10nArgs) { + elem.dataset.l10nArgs = JSON.stringify(l10nArgs); + } + + if (tag === "li") { + if (!list) { + list = document.createElement("ul"); + parent.appendChild(list); + } + list.appendChild(elem); + } else { + if (list) { + list = null; + } + parent.appendChild(elem); + } + } +} + +/** + * Returns an array of tuples determining the parts of an error message: + * - HTML tag name + * - l10n id + * - l10n args (optional) + * + * @returns { Array<["li" | "p" | "span", string, Record<string, string> | undefined]> } + */ +function getNetErrorDescParts() { + switch (gErrorCode) { + case "connectionFailure": + case "netInterrupt": + case "netReset": + case "netTimeout": + return [ + ["li", "neterror-load-error-try-again"], + ["li", "neterror-load-error-connection"], + ["li", "neterror-load-error-firewall"], + ]; + + case "blockedByPolicy": + case "deniedPortAccess": + case "malformedURI": + return []; + + case "captivePortal": + return [["p", ""]]; + case "contentEncodingError": + return [["li", "neterror-content-encoding-error"]]; + case "corruptedContentErrorv2": + return [ + ["p", "neterror-corrupted-content-intro"], + ["li", "neterror-corrupted-content-contact-website"], + ]; + case "dnsNotFound": + return [ + ["span", "neterror-dns-not-found-hint-header"], + ["li", "neterror-dns-not-found-hint-try-again"], + ["li", "neterror-dns-not-found-hint-check-network"], + ["li", "neterror-dns-not-found-hint-firewall"], + ]; + case "fileAccessDenied": + return [["li", "neterror-access-denied"]]; + case "fileNotFound": + return [ + ["li", "neterror-file-not-found-filename"], + ["li", "neterror-file-not-found-moved"], + ]; + case "inadequateSecurityError": + return [ + ["p", "neterror-inadequate-security-intro", { hostname: HOST_NAME }], + ["p", "neterror-inadequate-security-code"], + ]; + case "mitm": { + const failedCertInfo = document.getFailedCertSecurityInfo(); + const errArgs = { + hostname: HOST_NAME, + mitm: getMitmName(failedCertInfo), + }; + return [["span", "certerror-mitm", errArgs]]; + } + case "netOffline": + return [["li", "neterror-net-offline"]]; + case "networkProtocolError": + return [ + ["p", "neterror-network-protocol-error-intro"], + ["li", "neterror-network-protocol-error-contact-website"], + ]; + case "notCached": + return [ + ["p", "neterror-not-cached-intro"], + ["li", "neterror-not-cached-sensitive"], + ["li", "neterror-not-cached-try-again"], + ]; + case "nssFailure2": + return [ + ["li", "neterror-nss-failure-not-verified"], + ["li", "neterror-nss-failure-contact-website"], + ]; + case "proxyConnectFailure": + return [ + ["li", "neterror-proxy-connect-failure-settings"], + ["li", "neterror-proxy-connect-failure-contact-admin"], + ]; + case "proxyResolveFailure": + return [ + ["li", "neterror-proxy-resolve-failure-settings"], + ["li", "neterror-proxy-resolve-failure-connection"], + ["li", "neterror-proxy-resolve-failure-firewall"], + ]; + case "redirectLoop": + return [["li", "neterror-redirect-loop"]]; + case "sslv3Used": + return [["span", "neterror-sslv3-used"]]; + case "unknownProtocolFound": + return [["li", "neterror-unknown-protocol"]]; + case "unknownSocketType": + return [ + ["li", "neterror-unknown-socket-type-psm-installed"], + ["li", "neterror-unknown-socket-type-server-config"], + ]; + case "unsafeContentType": + return [["li", "neterror-unsafe-content-type"]]; + + default: + return [["p", "neterror-generic-error"]]; + } +} + +function setNetErrorMessageFromCode() { + let errorCode; + try { + errorCode = document.getNetErrorInfo().errorCodeString; + } catch (ex) { + // We don't have a securityInfo when this is for example a DNS error. + return; + } + + let errorMessage; + if (errorCode) { + const l10nId = errorCode.replace(/_/g, "-").toLowerCase(); + if (KNOWN_ERROR_MESSAGE_IDS.has(l10nId)) { + const l10n = new Localization([ERROR_MESSAGES_FTL], true); + errorMessage = l10n.formatValueSync(l10nId); + } + + const shortDesc2 = document.getElementById("errorShortDesc2"); + document.l10n.setAttributes(shortDesc2, "cert-error-code-prefix", { + error: errorCode, + }); + } else { + console.warn("This error page has no error code in its security info"); + } + + let hostname = HOST_NAME; + const { port } = document.location; + if (port && port != 443) { + hostname += ":" + port; + } + + const shortDesc = document.getElementById("errorShortDesc"); + document.l10n.setAttributes(shortDesc, "cert-error-ssl-connection-error", { + errorMessage: errorMessage ?? errorCode ?? "", + hostname, + }); +} + +function setupBlockingReportingUI() { + let checkbox = document.getElementById("automaticallyReportBlockingInFuture"); + + let reportingAutomatic = RPMGetBoolPref( + "security.xfocsp.errorReporting.automatic" + ); + checkbox.checked = !!reportingAutomatic; + + checkbox.addEventListener("change", function({ target: { checked } }) { + RPMSetBoolPref("security.xfocsp.errorReporting.automatic", checked); + + // If we're enabling reports, send a report for this failure. + if (checked) { + reportBlockingError(); + } + }); + + let reportingEnabled = RPMGetBoolPref( + "security.xfocsp.errorReporting.enabled" + ); + + if (reportingEnabled) { + // Display blocking error reporting UI for XFO error and CSP error. + document.getElementById("blockingErrorReporting").hidden = false; + + if (reportingAutomatic) { + reportBlockingError(); + } + } +} + +function reportBlockingError() { + // We only report if we are in a frame. + if (window === window.top) { + return; + } + + let err = gErrorCode; + // Ensure we only deal with XFO and CSP here. + if (!["xfoBlocked", "cspBlocked"].includes(err)) { + return; + } + + let xfo_header = RPMGetHttpResponseHeader("X-Frame-Options"); + let csp_header = RPMGetHttpResponseHeader("Content-Security-Policy"); + + // Extract the 'CSP: frame-ancestors' from the CSP header. + let reg = /(?:^|\s)frame-ancestors\s([^;]*)[$]*/i; + let match = reg.exec(csp_header); + csp_header = match ? match[1] : ""; + + // If it's the csp error page without the CSP: frame-ancestors, this means + // this error page is not triggered by CSP: frame-ancestors. So, we bail out + // early. + if (err === "cspBlocked" && !csp_header) { + return; + } + + let xfoAndCspInfo = { + error_type: err === "xfoBlocked" ? "xfo" : "csp", + xfo_header, + csp_header, + }; + + // Trimming the tail colon symbol. + let scheme = document.location.protocol.slice(0, -1); + + RPMSendAsyncMessage("ReportBlockingError", { + scheme, + host: document.location.host, + port: parseInt(document.location.port) || -1, + path: document.location.pathname, + xfoAndCspInfo, + }); +} + +function initPageCaptivePortal() { + document.body.className = "captiveportal"; + document.getElementById("returnButton").hidden = true; + const openButton = document.getElementById("openPortalLoginPageButton"); + openButton.hidden = false; + openButton.addEventListener("click", () => { + RPMSendAsyncMessage("Browser:OpenCaptivePortalPage"); + }); + + setFocus("#openPortalLoginPageButton"); + setupAdvancedButton(); + disallowCertOverridesIfNeeded(); + + // When the portal is freed, an event is sent by the parent process + // that we can pick up and attempt to reload the original page. + RPMAddMessageListener("AboutNetErrorCaptivePortalFreed", () => { + document.location.reload(); + }); +} + +function initPageCertError() { + document.body.classList.add("certerror"); + + setFocus("#returnButton"); + setupAdvancedButton(); + disallowCertOverridesIfNeeded(); + + const hideAddExceptionButton = RPMGetBoolPref( + "security.certerror.hideAddException", + false + ); + if (hideAddExceptionButton) { + document.getElementById("exceptionDialogButton").hidden = true; + } + + const els = document.querySelectorAll("[data-telemetry-id]"); + for (let el of els) { + el.addEventListener("click", recordClickTelemetry); + } + + const failedCertInfo = document.getFailedCertSecurityInfo(); + // Truncate the error code to avoid going over the allowed + // string size limit for telemetry events. + const errorCode = failedCertInfo.errorCodeString.substring(0, 40); + RPMRecordTelemetryEvent( + "security.ui.certerror", + "load", + "aboutcerterror", + errorCode, + { + has_sts: gHasSts.toString(), + is_frame: (window.parent != window).toString(), + } + ); + + setCertErrorDetails(); +} + +function recordClickTelemetry(e) { + let target = e.originalTarget; + let telemetryId = target.dataset.telemetryId; + let failedCertInfo = document.getFailedCertSecurityInfo(); + // Truncate the error code to avoid going over the allowed + // string size limit for telemetry events. + let errorCode = failedCertInfo.errorCodeString.substring(0, 40); + RPMRecordTelemetryEvent( + "security.ui.certerror", + "click", + telemetryId, + errorCode, + { + has_sts: gHasSts.toString(), + is_frame: (window.parent != window).toString(), + } + ); +} + +function initCertErrorPageActions() { + document.getElementById( + "certErrorAndCaptivePortalButtonContainer" + ).hidden = false; + document + .getElementById("returnButton") + .addEventListener("click", onReturnButtonClick); + document + .getElementById("advancedPanelReturnButton") + .addEventListener("click", onReturnButtonClick); + document + .getElementById("copyToClipboardTop") + .addEventListener("click", copyPEMToClipboard); + document + .getElementById("copyToClipboardBottom") + .addEventListener("click", copyPEMToClipboard); + document + .getElementById("exceptionDialogButton") + .addEventListener("click", addCertException); +} + +function addCertException() { + const isPermanent = + !RPMIsWindowPrivate() && + RPMGetBoolPref("security.certerrors.permanentOverride"); + document.addCertException(!isPermanent).then( + () => { + location.reload(); + }, + err => {} + ); +} + +function onReturnButtonClick(e) { + RPMSendAsyncMessage("Browser:SSLErrorGoBack"); +} + +function copyPEMToClipboard(e) { + const errorText = document.getElementById("certificateErrorText"); + navigator.clipboard.writeText(errorText.textContent); +} + +async function getFailedCertificatesAsPEMString() { + let location = document.location.href; + let failedCertInfo = document.getFailedCertSecurityInfo(); + let errorMessage = failedCertInfo.errorMessage; + let hasHSTS = failedCertInfo.hasHSTS.toString(); + let hasHPKP = failedCertInfo.hasHPKP.toString(); + let [ + hstsLabel, + hpkpLabel, + failedChainLabel, + ] = await document.l10n.formatValues([ + { id: "cert-error-details-hsts-label", args: { hasHSTS } }, + { id: "cert-error-details-key-pinning-label", args: { hasHPKP } }, + { id: "cert-error-details-cert-chain-label" }, + ]); + + let certStrings = failedCertInfo.certChainStrings; + let failedChainCertificates = ""; + for (let der64 of certStrings) { + let wrapped = der64.replace(/(\S{64}(?!$))/g, "$1\r\n"); + failedChainCertificates += + "-----BEGIN CERTIFICATE-----\r\n" + + wrapped + + "\r\n-----END CERTIFICATE-----\r\n"; + } + + let details = + location + + "\r\n\r\n" + + errorMessage + + "\r\n\r\n" + + hstsLabel + + "\r\n" + + hpkpLabel + + "\r\n\r\n" + + failedChainLabel + + "\r\n\r\n" + + failedChainCertificates; + return details; +} + +function setCertErrorDetails() { + // Check if the connection is being man-in-the-middled. When the parent + // detects an intercepted connection, the page may be reloaded with a new + // error code (MOZILLA_PKIX_ERROR_MITM_DETECTED). + const failedCertInfo = document.getFailedCertSecurityInfo(); + const mitmPrimingEnabled = RPMGetBoolPref( + "security.certerrors.mitm.priming.enabled" + ); + if ( + mitmPrimingEnabled && + failedCertInfo.errorCodeString == "SEC_ERROR_UNKNOWN_ISSUER" && + // Only do this check for top-level failures. + window.parent == window + ) { + RPMSendAsyncMessage("Browser:PrimeMitm"); + } + + document.body.setAttribute("code", failedCertInfo.errorCodeString); + + const learnMore = document.getElementById("learnMoreContainer"); + learnMore.hidden = false; + const learnMoreLink = document.getElementById("learnMoreLink"); + const baseURL = RPMGetFormatURLPref("app.support.baseURL"); + learnMoreLink.href = baseURL + "connection-not-secure"; + + const bodyTitle = document.querySelector(".title-text"); + const shortDesc = document.getElementById("errorShortDesc"); + const shortDesc2 = document.getElementById("errorShortDesc2"); + + let whatToDoParts = null; + + switch (failedCertInfo.errorCodeString) { + case "SSL_ERROR_BAD_CERT_DOMAIN": + whatToDoParts = [ + ["p", "certerror-bad-cert-domain-what-can-you-do-about-it"], + ]; + break; + + case "SEC_ERROR_OCSP_INVALID_SIGNING_CERT": // FIXME - this would have thrown? + break; + + case "SEC_ERROR_UNKNOWN_ISSUER": + whatToDoParts = [ + ["p", "certerror-unknown-issuer-what-can-you-do-about-it-website"], + [ + "p", + "certerror-unknown-issuer-what-can-you-do-about-it-contact-admin", + ], + ]; + break; + + // This error code currently only exists for the Symantec distrust + // in Firefox 63, so we add copy explaining that to the user. + // In case of future distrusts of that scale we might need to add + // additional parameters that allow us to identify the affected party + // without replicating the complex logic from certverifier code. + case "MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED": { + document.l10n.setAttributes( + shortDesc2, + "cert-error-symantec-distrust-description", + { hostname: HOST_NAME } + ); + + // FIXME - this does nothing + const adminDesc = document.createElement("p"); + document.l10n.setAttributes( + adminDesc, + "cert-error-symantec-distrust-admin" + ); + + learnMoreLink.href = baseURL + "symantec-warning"; + break; + } + + case "MOZILLA_PKIX_ERROR_MITM_DETECTED": { + const autoEnabledEnterpriseRoots = RPMGetBoolPref( + "security.enterprise_roots.auto-enabled", + false + ); + if (mitmPrimingEnabled && autoEnabledEnterpriseRoots) { + RPMSendAsyncMessage("Browser:ResetEnterpriseRootsPref"); + } + + learnMoreLink.href = baseURL + "security-error"; + + document.l10n.setAttributes(bodyTitle, "certerror-mitm-title"); + + document.l10n.setAttributes(shortDesc, "certerror-mitm", { + hostname: HOST_NAME, + mitm: getMitmName(failedCertInfo), + }); + + const id3 = gHasSts + ? "certerror-mitm-what-can-you-do-about-it-attack-sts" + : "certerror-mitm-what-can-you-do-about-it-attack"; + whatToDoParts = [ + ["li", "certerror-mitm-what-can-you-do-about-it-antivirus"], + ["li", "certerror-mitm-what-can-you-do-about-it-corporate"], + ["li", id3, { mitm: getMitmName(failedCertInfo) }], + ]; + break; + } + + case "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT": + learnMoreLink.href = baseURL + "security-error"; + break; + + // In case the certificate expired we make sure the system clock + // matches the remote-settings service (blocklist via Kinto) ping time + // and is not before the build date. + case "SEC_ERROR_EXPIRED_CERTIFICATE": + case "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE": + case "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE": + case "MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE": { + learnMoreLink.href = baseURL + "time-errors"; + + // We check against the remote-settings server time first if available, because that allows us + // to give the user an approximation of what the correct time is. + const difference = RPMGetIntPref( + "services.settings.clock_skew_seconds", + 0 + ); + const lastFetched = + RPMGetIntPref("services.settings.last_update_seconds", 0) * 1000; + + // This is set to true later if the user's system clock is at fault for this error. + let clockSkew = false; + + const now = Date.now(); + const certRange = { + notBefore: failedCertInfo.certValidityRangeNotBefore, + notAfter: failedCertInfo.certValidityRangeNotAfter, + }; + const approximateDate = now - difference * 1000; + // If the difference is more than a day, we last fetched the date in the last 5 days, + // and adjusting the date per the interval would make the cert valid, warn the user: + if ( + Math.abs(difference) > 60 * 60 * 24 && + now - lastFetched <= 60 * 60 * 24 * 5 * 1000 && + certRange.notBefore < approximateDate && + certRange.notAfter > approximateDate + ) { + clockSkew = true; + // If there is no clock skew with Kinto servers, check against the build date. + // (The Kinto ping could have happened when the time was still right, or not at all) + } else { + const appBuildID = RPMGetAppBuildID(); + const year = parseInt(appBuildID.substr(0, 4), 10); + const month = parseInt(appBuildID.substr(4, 2), 10) - 1; + const day = parseInt(appBuildID.substr(6, 2), 10); + + const buildDate = new Date(year, month, day); + + // We don't check the notBefore of the cert with the build date, + // as it is of course almost certain that it is now later than the build date, + // so we shouldn't exclude the possibility that the cert has become valid + // since the build date. + if (buildDate > now && new Date(certRange.notAfter) > buildDate) { + clockSkew = true; + } + } + + if (clockSkew) { + document.body.classList.add("clockSkewError"); + document.l10n.setAttributes(bodyTitle, "clockSkewError-title"); + document.l10n.setAttributes(shortDesc, "neterror-clock-skew-error", { + hostname: HOST_NAME, + now, + }); + document.getElementById("returnButton").hidden = true; + document.getElementById("certErrorTryAgainButton").hidden = false; + document.getElementById("advancedButton").hidden = true; + + document.getElementById("advancedPanelReturnButton").hidden = true; + document.getElementById("advancedPanelTryAgainButton").hidden = false; + document.getElementById("exceptionDialogButton").hidden = true; + break; + } + + document.l10n.setAttributes(shortDesc, "certerror-expired-cert-intro", { + hostname: HOST_NAME, + }); + + // The secondary description mentions expired certificates explicitly + // and should only be shown if the certificate has actually expired + // instead of being not yet valid. + if (failedCertInfo.errorCodeString == "SEC_ERROR_EXPIRED_CERTIFICATE") { + const sd2Id = gHasSts + ? "certerror-expired-cert-sts-second-para" + : "certerror-expired-cert-second-para"; + document.l10n.setAttributes(shortDesc2, sd2Id); + if ( + Math.abs(difference) <= 60 * 60 * 24 && + now - lastFetched <= 60 * 60 * 24 * 5 * 1000 + ) { + whatToDoParts = [ + ["p", "certerror-bad-cert-domain-what-can-you-do-about-it"], + ]; + } + } + + whatToDoParts ??= [ + [ + "p", + "certerror-expired-cert-what-can-you-do-about-it-clock", + { hostname: HOST_NAME, now }, + ], + [ + "p", + "certerror-expired-cert-what-can-you-do-about-it-contact-website", + ], + ]; + break; + } + } + + if (whatToDoParts) { + setNetErrorMessageFromParts( + document.getElementById("errorWhatToDoText"), + whatToDoParts + ); + document.getElementById("errorWhatToDo").hidden = false; + } +} + +async function getSubjectAltNames(failedCertInfo) { + const serverCertBase64 = failedCertInfo.certChainStrings[0]; + const parsed = await parse(pemToDER(serverCertBase64)); + const subjectAltNamesExtension = parsed.ext.san; + const subjectAltNames = []; + if (subjectAltNamesExtension) { + for (let [key, value] of subjectAltNamesExtension.altNames) { + if (key === "DNS Name" && value.length) { + subjectAltNames.push(value); + } + } + } + return subjectAltNames; +} + +// The optional argument is only here for testing purposes. +function setTechnicalDetailsOnCertError( + failedCertInfo = document.getFailedCertSecurityInfo() +) { + let technicalInfo = document.getElementById("badCertTechnicalInfo"); + technicalInfo.textContent = ""; + + function addLabel(l10nId, args = null, attrs = null) { + let elem = document.createElement("label"); + technicalInfo.appendChild(elem); + + let newLines = document.createTextNode("\n \n"); + technicalInfo.appendChild(newLines); + + if (attrs) { + let link = document.createElement("a"); + for (let [attr, value] of Object.entries(attrs)) { + link.setAttribute(attr, value); + } + elem.appendChild(link); + } + + document.l10n.setAttributes(elem, l10nId, args); + } + + function addErrorCodeLink() { + addLabel( + "cert-error-code-prefix-link", + { error: failedCertInfo.errorCodeString }, + { + title: failedCertInfo.errorCodeString, + id: "errorCode", + "data-l10n-name": "error-code-link", + "data-telemetry-id": "error_code_link", + href: "#certificateErrorDebugInformation", + } + ); + + // We're attaching the event listener to the parent element and not on + // the errorCodeLink itself because event listeners cannot be attached + // to fluent DOM overlays. + technicalInfo.addEventListener("click", event => { + if (event.target.id === "errorCode") { + event.preventDefault(); + toggleCertErrorDebugInfoVisibility(); + recordClickTelemetry(event); + } + }); + } + + let hostname = HOST_NAME; + const { port } = document.location; + if (port && port != 443) { + hostname += ":" + port; + } + + switch (failedCertInfo.overridableErrorCategory) { + case "trust-error": + switch (failedCertInfo.errorCodeString) { + case "MOZILLA_PKIX_ERROR_MITM_DETECTED": + addLabel("cert-error-mitm-intro"); + addLabel("cert-error-mitm-mozilla"); + addLabel("cert-error-mitm-connection"); + break; + case "SEC_ERROR_UNKNOWN_ISSUER": + addLabel("cert-error-trust-unknown-issuer-intro"); + addLabel("cert-error-trust-unknown-issuer", { hostname }); + break; + case "SEC_ERROR_CA_CERT_INVALID": + addLabel("cert-error-intro", { hostname }); + addLabel("cert-error-trust-cert-invalid"); + break; + case "SEC_ERROR_UNTRUSTED_ISSUER": + addLabel("cert-error-intro", { hostname }); + addLabel("cert-error-trust-untrusted-issuer"); + break; + case "SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED": + addLabel("cert-error-intro", { hostname }); + addLabel("cert-error-trust-signature-algorithm-disabled"); + break; + case "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE": + addLabel("cert-error-intro", { hostname }); + addLabel("cert-error-trust-expired-issuer"); + break; + case "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT": + addLabel("cert-error-intro", { hostname }); + addLabel("cert-error-trust-self-signed"); + break; + case "MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED": + addLabel("cert-error-intro", { hostname }); + addLabel("cert-error-trust-symantec"); + break; + default: + addLabel("cert-error-intro", { hostname }); + addLabel("cert-error-untrusted-default"); + } + addErrorCodeLink(); + break; + + case "expired-or-not-yet-valid": { + const notBefore = failedCertInfo.validNotBefore; + const notAfter = failedCertInfo.validNotAfter; + if (notBefore && Date.now() < notAfter) { + addLabel("cert-error-not-yet-valid-now", { + hostname, + "not-before-local-time": formatter.format(new Date(notBefore)), + }); + } else { + addLabel("cert-error-expired-now", { + hostname, + "not-after-local-time": formatter.format(new Date(notAfter)), + }); + } + addErrorCodeLink(); + break; + } + + case "domain-mismatch": + getSubjectAltNames(failedCertInfo).then(subjectAltNames => { + if (!subjectAltNames.length) { + addLabel("cert-error-domain-mismatch", { hostname }); + } else if (subjectAltNames.length > 1) { + const names = subjectAltNames.join(", "); + addLabel("cert-error-domain-mismatch-multiple", { + hostname, + "subject-alt-names": names, + }); + } else { + const altName = subjectAltNames[0]; + + // If the alt name is a wildcard domain ("*.example.com") + // let's use "www" instead. "*.example.com" isn't going to + // get anyone anywhere useful. bug 432491 + const okHost = altName.replace(/^\*\./, "www."); + + // Let's check if we want to make this a link. + const showLink = + /* case #1: + * example.com uses an invalid security certificate. + * + * The certificate is only valid for www.example.com + * + * Make sure to include the "." ahead of thisHost so that a + * MitM attack on paypal.com doesn't hyperlink to "notpaypal.com" + * + * We'd normally just use a RegExp here except that we lack a + * library function to escape them properly (bug 248062), and + * domain names are famous for having '.' characters in them, + * which would allow spurious and possibly hostile matches. + */ + okHost.endsWith("." + HOST_NAME) || + /* case #2: + * browser.garage.maemo.org uses an invalid security certificate. + * + * The certificate is only valid for garage.maemo.org + */ + HOST_NAME.endsWith("." + okHost); + + const l10nArgs = { hostname, "alt-name": altName }; + if (showLink) { + // Set the link if we want it. + const proto = document.location.protocol + "//"; + addLabel("cert-error-domain-mismatch-single", l10nArgs, { + href: proto + okHost, + "data-l10n-name": "domain-mismatch-link", + id: "cert_domain_link", + }); + + // If we set a link, meaning there's something helpful for + // the user here, expand the section by default + if (getCSSClass() != "expertBadCert") { + document.getElementById("badCertAdvancedPanel").hidden = false; + + // Toggling the advanced panel must ensure that the debugging + // information panel is hidden as well, since it's opened by the + // error code link in the advanced panel. + toggleCertErrorDebugInfoVisibility(false); + } + } else { + addLabel("cert-error-domain-mismatch-single-nolink", l10nArgs); + } + } + addErrorCodeLink(); + }); + break; + } + + getFailedCertificatesAsPEMString().then(pemString => { + const errorText = document.getElementById("certificateErrorText"); + errorText.textContent = pemString; + }); +} + +/* Only focus if we're the toplevel frame; otherwise we + don't want to call attention to ourselves! +*/ +function setFocus(selector, position = "afterbegin") { + if (window.top == window) { + var button = document.querySelector(selector); + var parent = button.parentNode; + parent.insertAdjacentElement(position, button); + // It's possible setFocus was called via the DOMContentLoaded event + // handler and that the button has no frame. Things without a frame cannot + // be focused. We use a requestAnimationFrame to queue up the focus to occur + // once the button has its frame. + requestAnimationFrame(() => { + button.focus({ focusVisible: false }); + }); + } +} + +for (let button of document.querySelectorAll(".try-again")) { + button.addEventListener("click", function() { + retryThis(this); + }); +} + +initPage(); + +// Dispatch this event so tests can detect that we finished loading the error page. +const event = new CustomEvent("AboutNetErrorLoad", { bubbles: true }); +document.dispatchEvent(event); |