diff options
| author | Martin Robinson <mrobinson@igalia.com> | 2023-08-08 16:00:10 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-08 14:00:10 +0000 |
| commit | bce7622cde4cd10f6b3edf852d97ae9a540a0076 (patch) | |
| tree | e8c09178e875b63e64b32a290840c6ff80d2c4e0 /components/script/dom/servoparser | |
| parent | ab0f48f8e8a72542269c9e563fad4fa03273d2f3 (diff) | |
| download | servo-bce7622cde4cd10f6b3edf852d97ae9a540a0076.tar.gz servo-bce7622cde4cd10f6b3edf852d97ae9a540a0076.zip | |
Switch to rustls and webpki-roots (#30025)
This change replaces OpenSSL with rustls and also the manually curated
CA certs file with webpki-roots (effectively the same thing, but as a
crate).
Generally speaking the design of the network stack is the same. Changes:
- Code around certificate overrides needed to be refactored to work with
rustls so the various thread-safe list of certificates is refactored
into `CertificateErrorOverrideManager`
- hyper-rustls takes care of setting ALPN protocols for HTTP requests,
so for WebSockets this is moved to the WebSocket code.
- The safe set of cypher suites is chosen, which seem to correspond to
the "Modern" configuration from [1]. This can be adjusted later.
- Instead of passing a string of PEM CA certificates around, an enum is
used that includes parsed Certificates (or the default which reads
them from webpki-roots).
- Code for starting up an SSL server for testing is cleaned up a little,
due to the fact that the certificates need to be overriden explicitly
now. This is due to the fact that the `webpki` crate is more stringent
with self-signed certificates than SSL (CA certificates cannot used as
end-entity certificates). [2]
1. https://wiki.mozilla.org/Security/Server_Side_TLS
2. https://github.com/briansmith/webpki/issues/114
Fixes #7888.
Fixes #13749.
Fixes #26835.
Fixes #29291.
Diffstat (limited to 'components/script/dom/servoparser')
| -rw-r--r-- | components/script/dom/servoparser/mod.rs | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/components/script/dom/servoparser/mod.rs b/components/script/dom/servoparser/mod.rs index 44d0c3de1df..943a680d4ef 100644 --- a/components/script/dom/servoparser/mod.rs +++ b/components/script/dom/servoparser/mod.rs @@ -36,6 +36,7 @@ use crate::dom::virtualmethods::vtable_for; use crate::network_listener::PreInvoke; use crate::realms::enter_realm; use crate::script_thread::ScriptThread; +use base64::{engine::general_purpose, Engine as _}; use content_security_policy::{self as csp, CspList}; use dom_struct::dom_struct; use embedder_traits::resources::{self, Resource}; @@ -880,8 +881,8 @@ impl FetchResponseListener for ParserContext { self.is_synthesized_document = true; let page = resources::read_string(Resource::BadCertHTML); let page = page.replace("${reason}", &reason); - let page = - page.replace("${bytes}", std::str::from_utf8(&bytes).unwrap_or_default()); + let encoded_bytes = general_purpose::STANDARD_NO_PAD.encode(&bytes); + let page = page.replace("${bytes}", encoded_bytes.as_str()); let page = page.replace("${secret}", &net_traits::PRIVILEGED_SECRET.to_string()); parser.push_string_input_chunk(page); |