Closed Bug 822588 Opened 12 years ago Closed 12 years ago

Certerror on AMO does not allow certificate exceptions

Categories

(Core :: Security, defect)

RESOLVED DUPLICATE of bug 800882

People

(Reporter: freddy, Unassigned)

Details

User henk on IRC #security complained about the following issue (paraphrased from http://paste.debian.net/216958/):

1) He distrusts certain Certificate Authorities (CAs), so he marks them as deleted/distrusted in settings.
2) He visits addons.mozilla.org (AMO) and wants to add an exception, so he can still visit AMO with a cert from a distrusted CA.
3) The "add an exception" button does *not* appear on the certerror page for AMO.

The user is on Firefox 10.0.11 (Debian) and I confirmed this with 19 (Aurora).
The headers of https://addons.mozilla.org (via http://web-sniffer.net):

Status: HTTP/1.1 301 MOVED PERMANENTLY
Server: nginx
Vary: Accept-Language, User-Agent, X-Mobile
Vary: Accept-Encoding
X-Backend-Server: web26.addons.phx1.mozilla.com
Cache-Control: max-age=31536000
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=2592000
Date: Tue, 18 Dec 2012 10:43:38 GMT
Location: https://addons.mozilla.org/de/firefox/
Transfer-Encoding: chunked
Via: Moz-pp-zlb12
Connection: close
x-frame-options: DENY

The header "Strict-Transport-Security:" forbids Firefox from overriding certificate errors. This bug report would be invalid, but I'm duping it to the bug that this isn't explained in the error message.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Thanks, Matti.
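
The rule the resolving comment refers to, as an added example that is not part of the original bug report and is not Firefox's code: a sketch of how a user agent following RFC 6797 parses the `Strict-Transport-Security` header shown above and then withholds the certificate exception option for that host. The names `parseHsts` and `HstsStore` are hypothetical, and the sketch assumes the policy was recorded on an earlier connection that had no certificate error.

```javascript
// Added illustration; all function and class names are hypothetical.
// Parse a Strict-Transport-Security value. Returns null when the header is
// invalid and must be ignored (RFC 6797 section 6.1).
function parseHsts(value) {
  const seen = new Map();
  for (const part of value.split(";")) {
    const token = part.trim();
    if (token === "") continue; // empty directives are permitted
    const eq = token.indexOf("=");
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let arg = eq === -1 ? null : token.slice(eq + 1).trim();
    if (arg !== null && /^".*"$/.test(arg)) arg = arg.slice(1, -1); // quoted-string form
    if (seen.has(name)) return null; // a repeated directive invalidates the header
    seen.set(name, arg);
  }
  const maxAge = seen.get("max-age");
  if (maxAge == null || !/^\d+$/.test(maxAge)) return null; // max-age is REQUIRED
  return { maxAge: Number(maxAge), includeSubDomains: seen.has("includesubdomains") };
}

// Minimal in-memory store of known HSTS hosts: host -> { expires, includeSubDomains }.
class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Record a policy; only a header received over error-free TLS may be noted.
  note(host, headerValue, nowMs, secureTransport = true) {
    const policy = secureTransport ? parseHsts(headerValue) : null;
    if (!policy) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) this.hosts.delete(key); // max-age=0 removes the entry
    else this.hosts.set(key, { expires: nowMs + policy.maxAge * 1000,
                               includeSubDomains: policy.includeSubDomains });
    return true;
  }

  isKnownHstsHost(host, nowMs) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join("."));
      const applies = i === 0 || (entry && entry.includeSubDomains);
      if (entry && entry.expires > nowMs && applies) return true;
    }
    return false;
  }

  // RFC 6797 section 12.1: on a certificate error for a known HSTS host the
  // connection is terminated with no user recourse, so no exception button.
  mayOfferCertException(host, nowMs) { return !this.isKnownHstsHost(host, nowMs); }
}
```

With the header from this report (`max-age=2592000`, no `includeSubDomains`), the host itself loses the exception option for 30 days after the policy is noted, while its subdomains are not covered.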