Closed Bug 1819172 Opened 2 years ago Closed 2 years ago

Integer Overflow in Expiry Value of SiteSecurityServiceState.txt

Categories

(Core :: Security: PSM, defect, P1)

Firefox 110
defect

Tracking

()

RESOLVED FIXED
113 Branch
Tracking Status
firefox113 --- fixed

People

(Reporter: bugzilla, Assigned: keeler)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0

Steps to reproduce:

I programmed a web server that returns an HSTS header with max-age calculated like this:

max-age = (2**64 - currentUnixTimestampInMillis - 1000)/1000

I visited the server with Firefox. The following header was transferred:

Strict-Transport-Security max-age=18446742396180544

Actual results:

The SiteSecurityServiceState.txt file now contains a negative expiry date:

$ grep "hsts.local" ~/.mozilla/firefox/iy6semmg.default-release/SiteSecurityServiceState.txt
0000.hsts.local^partitionKey=%28http%2Chsts.local%29:HSTS 0 19415 -1051,1,0

This value is calculated as follows:

  1. Firefox takes the max-age and multiplies it by 1000 to convert it into milliseconds, i.e. 18446742396180544000
  2. Firefox adds the current timestamp in milliseconds to the value. This currently is a value around 1677529277474.
  3. Firefox stores the result (~ 2**64 - 1000) as a signed integer into SiteSecurityServiceState.txt. The two's complement of that value is -1000.

Expected results:

  1. The expiry date should have been stored as an unsigned integer.
  2. Regardless of 1., within the calculation (multiplying by 1000 and adding the current time stamp) it should be checked whether an overflow is going to occur.

Component: Untriaged → Security: PSM
Product: Firefox → Core

The severity field is not set for this bug.
:keeler, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)
Assignee: nobody → dkeeler
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Severity: -- → S4
Flags: needinfo?(dkeeler)
Priority: -- → P1
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/583cab6067b0 cap max-age from HTTP Strict Transport Security headers at 100 years r=jschanck
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch
QA Whiteboard: [qa-113b-p2]
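
The arithmetic from the report, next to a capped and overflow-checked variant, as an added example (not Firefox's PSM code and not the landed patch). All function and constant names are hypothetical, the clock value is constructed so that the result matches the -1051 seen in the state file, and the 100-year cap from the commit message is assumed to use 365-day years.

```cpp
#include <cinttypes>
#include <cstdint>
#include <cstdio>

// Hypothetical names; an added illustration, not Firefox's PSM code.
constexpr uint64_t kMsPerSec = 1000;
// 100-year cap as in the fix's commit message (365-day years assumed).
constexpr uint64_t kMaxAgeCapSec = 100ULL * 365 * 24 * 60 * 60;

// Read a 64-bit pattern as two's complement without relying on
// implementation-defined narrowing conversions.
int64_t asSigned(uint64_t v) {
  if (v <= static_cast<uint64_t>(INT64_MAX)) return static_cast<int64_t>(v);
  return -static_cast<int64_t>(~v) - 1;
}

// The calculation as the report describes it: scale to ms, add now, store signed.
int64_t expiryUnchecked(uint64_t maxAgeSec, uint64_t nowMs) {
  uint64_t sum = maxAgeSec * kMsPerSec + nowMs;  // arithmetic is modulo 2**64
  return asSigned(sum);
}

// Hardened form: clamp max-age, then check the multiply and the add.
// Returns false instead of producing a wrapped expiry.
bool expiryChecked(uint64_t maxAgeSec, int64_t nowMs, int64_t* outMs) {
  if (nowMs < 0) return false;
  uint64_t capped = maxAgeSec < kMaxAgeCapSec ? maxAgeSec : kMaxAgeCapSec;
  if (capped > static_cast<uint64_t>(INT64_MAX) / kMsPerSec) return false;
  int64_t deltaMs = static_cast<int64_t>(capped * kMsPerSec);
  if (deltaMs > INT64_MAX - nowMs) return false;
  *outMs = nowMs + deltaMs;
  return true;
}

int main() {
  const uint64_t maxAge = 18446742396180544ULL;  // max-age from the report
  const int64_t nowMs = 1677529006565LL;         // constructed clock value
  int64_t fixed = 0;
  bool ok = expiryChecked(maxAge, nowMs, &fixed);
  std::printf("unchecked: %" PRId64 "\n",
              expiryUnchecked(maxAge, static_cast<uint64_t>(nowMs)));
  std::printf("checked:   %s %" PRId64 "\n", ok ? "ok" : "rejected", fixed);
  return 0;
}
```

With the cap applied before scaling, the multiplication can no longer leave the signed 64-bit range, so the remaining checks only fire on a bogus clock value.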