Parses a given HTTP header and records the results internally.
Currently two header types are supported: HSTS (aka STS) and HPKP.
The format of the HSTS header is defined by the HSTS specification:
https://tools.ietf.org/html/rfc6797
and allows a host to specify that future HTTP requests should be
upgraded to HTTPS.
The format of the HPKP header is currently defined by:
https://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
and allows a host to specify a subset of trusted anchors to be used
in future HTTPS connections.
aType | the type of security header in question. |
aSourceURI | the URI of the resource with the HTTP header. |
aSSLStatus | the SSLStatus of the current channel |
aHeader | the HTTP response header specifying security data. |
aFlags | options for this request as defined in nsISocketProvider: NO_PERMANENT_STORAGE |
aMaxAge | the parsed max-age directive of the header. |
aIncludeSubdomains | the parsed includeSubdomains directive. |
NS_OK if it succeeds, NS_ERROR_FAILURE if it can't be parsed, NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA if there are unrecognized tokens in the header. |
Same as processHeader but without checking for the security properties
of the connection. Use ONLY for testing.
Given a header type, removes state relating to that header of a host,
including the includeSubdomains state that would affect subdomains.
This essentially removes the state for the domain tree rooted at this
host.
aType | the type of security state in question |
aURI | the URI of the target host |
aFlags | options for this request as defined in nsISocketProvider: NO_PERMANENT_STORAGE |
See isSecureURI
aType | the type of security state in question. |
aHost | the hostname (punycode) to query for state. |
aFlags | options for this request as defined in nsISocketProvider: NO_PERMANENT_STORAGE |
Checks if the given security info is for a host with a broken
transport layer (certificate errors like invalid CN).
Checks whether or not the URI’s hostname has a given security state set.
For example, for HSTS:
The URI is an HSTS URI if either the host has the HSTS state set, or one
of its super-domains has the HSTS “includeSubdomains” flag set.
NOTE: this function makes decisions based only on the
host contained in the URI, and disregards other portions of the URI
such as path and port.
aType | the type of security state in question. |
aURI | the URI to query for STS state. |
aFlags | options for this request as defined in nsISocketProvider: NO_PERMANENT_STORAGE |
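The header parsing and host lookup described above, as an added example that is not Gecko's code: it parses an HSTS header into the max-age and includeSubdomains values, reports the three outcomes listed for the header-processing call, and answers a host query by walking super-domains. All function and constant names are hypothetical, the store is a plain in-memory `Map`, and no connection-security checks are performed.

```javascript
// Added illustration; all names are hypothetical, not Gecko's implementation.
const OK = "OK", FAILURE = "FAILURE", OK_UNRECOGNIZED = "OK_UNRECOGNIZED";

// Parse an HSTS header value (RFC 6797 section 6.1).
// Simplification: assumes no ';' inside quoted values.
function parseHsts(header) {
  const seen = new Set();
  let maxAge = null, includeSubdomains = false, unknown = false;
  for (const part of header.split(";")) {
    const token = part.trim();
    if (token === "") continue;                       // empty directives are allowed
    const eq = token.indexOf("=");
    const name = (eq < 0 ? token : token.slice(0, eq)).trim().toLowerCase();
    let value = eq < 0 ? null : token.slice(eq + 1).trim();
    if (seen.has(name)) return { status: FAILURE };   // each directive at most once
    seen.add(name);
    if (name === "max-age") {
      if (value !== null) value = value.replace(/^"(.*)"$/, "$1"); // quoted form
      if (value === null || !/^\d+$/.test(value)) return { status: FAILURE };
      maxAge = Number(value);
    } else if (name === "includesubdomains") {
      if (value !== null) return { status: FAILURE }; // directive takes no value
      includeSubdomains = true;
    } else {
      unknown = true;                                 // unrecognized: ignore, but report
    }
  }
  if (maxAge === null) return { status: FAILURE };    // max-age is required
  return { status: unknown ? OK_UNRECOGNIZED : OK, maxAge, includeSubdomains };
}

// Record parsed state for a host; max-age=0 removes it (RFC 6797 section 6.1.1).
function recordHeader(store, host, header, nowSec) {
  const r = parseHsts(header);
  if (r.status === FAILURE) return r.status;
  if (r.maxAge === 0) store.delete(host.toLowerCase());
  else store.set(host.toLowerCase(), { expires: nowSec + r.maxAge, includeSubdomains: r.includeSubdomains });
  return r.status;
}

// Secure if the host has unexpired state, or a super-domain set includeSubdomains.
function isSecureHost(store, host, nowSec) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = store.get(labels.slice(i).join("."));
    if (entry && entry.expires > nowSec && (i === 0 || entry.includeSubdomains)) return true;
  }
  return false;
}
```

Only the host name is consulted, matching the note that path and port are disregarded.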
Removes all security state by resetting to factory-original settings.
Returns an array of sha256-hashed key pins for the given domain, if any.
If these pins also apply to subdomains of the given domain,
aIncludeSubdomains will be true. Pins returned are only for non-built-in
pin entries.
aHostname | the hostname (punycode) to be queried about |
the | time at which the pins should be valid. This is in mozilla::pkix::Time, which internally uses seconds since 0 AD. |
aPinArray | the set of sha256-hashed key pins for the given domain |
aIncludeSubdomains | true if the pins apply to subdomains of the given domain |
Set public-key pins for a host. The resulting pins will be permanent
and visible from private and non-private contexts. These pins replace
any already set by this mechanism or those built-in to Gecko.
aHost | the hostname (punycode) that pins will apply to |
aIncludeSubdomains | whether these pins also apply to subdomains |
aMaxAge | lifetime (in seconds) of this pin set |
aPinCount | number of keys being pinned |
aSha256Pins | array of hashed key fingerprints (SHA-256, base64) |