Bug 1463759 Change the copy of certificate error pages r=johannh
MozReview-Commit-ID: LbZBwSk1xX4
--- a/browser/base/content/aboutNetError-new.xhtml
+++ b/browser/base/content/aboutNetError-new.xhtml
@@ -26,17 +26,17 @@
toolkit/components/places/src/nsFaviconService.h should be updated. -->
<link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/warning-16.png"/>
</head>
<body dir="&locale.dir;">
<!-- ERROR ITEM CONTAINER (removed during loading to avoid bug 39098) -->
<div id="errorContainer">
<div id="errorPageTitlesContainer">
- <span id="ept_nssBadCert">&certerror.pagetitle1;</span>
+ <span id="ept_nssBadCert">&certerror.pagetitle2;</span>
<span id="ept_captivePortal">&captivePortal.title;</span>
<span id="ept_dnsNotFound">&dnsNotFound.pageTitle;</span>
<span id="ept_malformedURI">&malformedURI.pageTitle;</span>
<span id="ept_blockedByPolicy">&blockedByPolicy.title;</span>
</div>
<div id="errorTitlesContainer">
<h1 id="et_generic">&generic.title;</h1>
<h1 id="et_captivePortal">&captivePortal.title;</h1>
@@ -54,17 +54,17 @@
<h1 id="et_netOffline">&netOffline.title;</h1>
<h1 id="et_netInterrupt">&netInterrupt.title;</h1>
<h1 id="et_deniedPortAccess">&deniedPortAccess.title;</h1>
<h1 id="et_proxyResolveFailure">&proxyResolveFailure.title;</h1>
<h1 id="et_proxyConnectFailure">&proxyConnectFailure.title;</h1>
<h1 id="et_contentEncodingError">&contentEncodingError.title;</h1>
<h1 id="et_unsafeContentType">&unsafeContentType.title;</h1>
<h1 id="et_nssFailure2">&nssFailure2.title;</h1>
- <h1 id="et_nssBadCert">&certerror.longpagetitle1;</h1>
+ <h1 id="et_nssBadCert">&certerror.longpagetitle2;</h1>
<h1 id="et_cspBlocked">&cspBlocked.title;</h1>
<h1 id="et_remoteXUL">&remoteXUL.title;</h1>
<h1 id="et_corruptedContentErrorv2">&corruptedContentErrorv2.title;</h1>
<h1 id="et_sslv3Used">&sslv3Used.title;</h1>
<h1 id="et_inadequateSecurityError">&inadequateSecurityError.title;</h1>
<h1 id="et_blockedByPolicy">&blockedByPolicy.title;</h1>
</div>
<div id="errorDescriptionsContainer">
@@ -84,24 +84,41 @@
<div id="ed_netOffline">&netOffline.longDesc2;</div>
<div id="ed_netInterrupt">&netInterrupt.longDesc;</div>
<div id="ed_deniedPortAccess">&deniedPortAccess.longDesc;</div>
<div id="ed_proxyResolveFailure">&proxyResolveFailure.longDesc;</div>
<div id="ed_proxyConnectFailure">&proxyConnectFailure.longDesc;</div>
<div id="ed_contentEncodingError">&contentEncodingError.longDesc;</div>
<div id="ed_unsafeContentType">&unsafeContentType.longDesc;</div>
<div id="ed_nssFailure2">&nssFailure2.longDesc2;</div>
- <div id="ed_nssBadCert">&certerror.introPara;</div>
+ <div id="ed_nssBadCert">&certerror.introPara1;</div>
<div id="ed_cspBlocked">&cspBlocked.longDesc;</div>
<div id="ed_remoteXUL">&remoteXUL.longDesc;</div>
<div id="ed_corruptedContentErrorv2">&corruptedContentErrorv2.longDesc;</div>
<div id="ed_sslv3Used">&sslv3Used.longDesc2;</div>
<div id="ed_inadequateSecurityError">&inadequateSecurityError.longDesc;</div>
<div id="ed_blockedByPolicy"></div>
</div>
+ <div id="errorDescriptions2Container">
+ <div id="ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.secondPara;</div>
+ </div>
+ <div id="whatCanYouDoAboutItTitleContainer">
+ <div id="edd_nssBadCert"><strong>&certerror.whatCanYouDoAboutItTitle;</strong></div>
+ </div>
+ <div id="whatCanYouDoAboutItContainer">
+ <div id="es_nssBadCert_SEC_ERROR_UNKNOWN_ISSUER">&certerror.unknownIssuer.whatCanYouDoAboutIt;</div>
+ <div id="es_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt;</div>
+ <div id="es_nssBadCert_SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt;</div>
+ <div id="es_nssBadCert_SEC_ERROR_OCSP_FUTURE_RESPONSE">&certerror.expiredCert.whatCanYouDoAboutIt;</div>
+ <div id="es_nssBadCert_SEC_ERROR_OCSP_OLD_RESPONSE">&certerror.expiredCert.whatCanYouDoAboutIt;</div>
+ <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt;</div>
+ <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt;</div>
+ <div id="es_nssBadCert_SSL_ERROR_BAD_CERT_DOMAIN">&certerror.badCertDomain.whatCanYouDoAboutIt;</div>
+ <div id="es_nssBadCert_SEC_ERROR_OCSP_INVALID_SIGNING_CERT">&certerror.badCertDomain.whatCanYouDoAboutIt;</div>
+ </div>
</div>
<!-- PAGE CONTAINER (for styling purposes only) -->
<div id="errorPageContainer" class="container">
<div id="text-container">
<!-- Error Title -->
<div class="title">
<h1 class="title-text"/>
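Review bot: The six `es_nssBadCert_*` rows that expand `&certerror.expiredCert.whatCanYouDoAboutIt;` each bring in a `<span id='wrongSystemTime_systemDate'/>` from netError.dtd, and `&certerror.wrongSystemTime2;` already carries that id, so it is no longer unique and `getElementById("wrongSystemTime_systemDate")` fills whichever copy comes first in the document. The same defect appears in the next hunk, which adds two `<p id="badStsCertExplanation">` elements (a lookup by id reaches only the first, so the second stays hidden), and in the re-added reporting block, where the checkbox and its label share `id="automaticallyReportInFuture"`. I would mark the date placeholder with a class in the entity, for example `<span class='wrongSystemTime-systemDate'/>`, and keep a single `badStsCertExplanation` paragraph. The `errorContainer` div that holds these rows opens outside this hunk.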
@@ -109,17 +126,34 @@
<!-- LONG CONTENT (the section most likely to require scrolling) -->
<div id="errorLongContent">
<!-- Short Description -->
<div id="errorShortDesc">
<p id="errorShortDescText" />
</div>
- <p id="badStsCertExplanation" hidden="true">&certerror.whatShouldIDo.badStsCertExplanation;</p>
+
+ <div id="errorShortDesc2">
+ <p id="errorShortDescText2" />
+ </div>
+
+ <div id="errorWhatToDoTitle">
+ <p id="errorWhatToDoTitleText" />
+ </div>
+
+ <div id="errorWhatToDo">
+ <p id="badStsCertExplanation" hidden="true">&certerror.whatShouldIDo.badStsCertExplanation1;</p>
+ <p id="errorWhatToDoText" />
+ </div>
+
+ <div id="errorWhatToDo2">
+ <p id="errorWhatToDoText2" />
+ <p id="badStsCertExplanation" hidden="true">&certerror.whatShouldIDo.badStsCertExplanation1;</p>
+ </div>
<div id="wrongSystemTimePanel">
&certerror.wrongSystemTime2;
</div>
<div id="wrongSystemTimeWithoutReferencePanel">
&certerror.wrongSystemTimeWithoutReference;
</div>
@@ -129,47 +163,50 @@
<div id="learnMoreContainer">
<p><a href="https://support.mozilla.org/kb/what-does-your-connection-is-not-secure-mean" id="learnMoreLink" target="new">&errorReporting.learnMore;</a></p>
</div>
</div>
<!-- UI for option to report certificate errors to Mozilla. Removed on
init for other error types .-->
- <div id="certificateErrorReporting">
- <p class="toggle-container-with-text">
- <input type="checkbox" id="automaticallyReportInFuture" role="checkbox" />
- <label for="automaticallyReportInFuture" id="automaticallyReportInFuture">&errorReporting.automatic2;</label>
- </p>
- </div>
-
<div id="prefChangeContainer" class="button-container">
<p>&prefReset.longDesc;</p>
<button id="prefResetButton" class="primary" autocomplete="off">&prefReset.label;</button>
</div>
<div id="certErrorAndCaptivePortalButtonContainer" class="button-container">
- <button id="returnButton" class="primary" autocomplete="off">&returnToPreviousPage.label;</button>
+ <button id="returnButton" class="primary" autocomplete="off">&returnToPreviousPage1.label;</button>
<button id="openPortalLoginPageButton" class="primary" autocomplete="off">&openPortalLoginPage.label2;</button>
<button id="advancedButton" autocomplete="off">&advanced.label;</button>
</div>
</div>
<div id="netErrorButtonContainer" class="button-container">
<button id="errorTryAgain" class="primary" autocomplete="off">&retry.label;</button>
</div>
<div id="advancedPanelContainer">
<div id="badCertAdvancedPanel" class="advanced-panel">
<p id="badCertTechnicalInfo"/>
- <div class="exceptionDialogButtonContainer">
- <button id="exceptionDialogButton">&securityOverride.exceptionButtonLabel;</button>
+ <div id="advancedPanelButtonContainer" class="button-container">
+ <button id="advancedPanelReturnButton" class="primary" autocomplete="off">&returnToPreviousPage1.label;</button>
+ <div class="exceptionDialogButtonContainer">
+ <button id="exceptionDialogButton">&securityOverride.exceptionButtonLabel;</button>
+ </div>
</div>
</div>
+ <div id="certificateErrorReporting">
+ <p class="toggle-container-with-text">
+ <input type="checkbox" id="automaticallyReportInFuture" role="checkbox" />
+ <label for="automaticallyReportInFuture" id="automaticallyReportInFuture">&errorReporting.automatic2;</label>
+ </p>
+ </div>
+
<div id="certificateErrorDebugInformation">
<button id="copyToClipboard">&certerror.copyToClipboard.label;</button>
<div id="certificateErrorText"/>
<button id="copyToClipboard">&certerror.copyToClipboard.label;</button>
</div>
</div>
</div>
</body>
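Review bot: Moving `certificateErrorReporting` below the advanced panel leaves its comment behind: "UI for option to report certificate errors to Mozilla. Removed on init for other error types" now sits directly above `prefChangeContainer`, which it does not describe. The comment should travel with the block. The new `advancedPanelButtonContainer` wrapper would also benefit from its own comment, for example `<!-- Second "Go Back" button, shown beside the exception button inside the advanced panel -->`, so the reason for two return buttons on one page is recorded.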
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -3124,16 +3124,20 @@ var BrowserOnClick = {
case "returnButton":
if (isTopFrame) {
secHistogram.add(Ci.nsISecurityUITelemetry.WARNING_BAD_CERT_TOP_GET_ME_OUT_OF_HERE);
}
goBackFromErrorPage();
break;
+ case "advancedPanelReturnButton":
+ goBackFromErrorPage();
+ break;
+
case "advancedButton":
if (isTopFrame) {
secHistogram.add(Ci.nsISecurityUITelemetry.WARNING_BAD_CERT_TOP_UNDERSTAND_RISKS);
}
securityInfo = getSecurityInfo(securityInfoAsString);
sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
.SSLStatus;
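Review bot: The new `advancedPanelReturnButton` case goes back without recording anything, while the `returnButton` case just above adds `WARNING_BAD_CERT_TOP_GET_ME_OUT_OF_HERE` for the top frame. Users who back out from the advanced panel therefore drop out of that security-UI histogram, which presumably exists to measure how often the warning is heeded. If both buttons should count the same, stack the labels as `case "returnButton":` followed by `case "advancedPanelReturnButton":` and drop the separate block; if they should be told apart, that needs its own probe and a comment saying so. The enclosing `switch` in `BrowserOnClick` starts and ends outside this hunk.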
--- a/browser/base/content/test/static/browser_misused_characters_in_strings.js
+++ b/browser/base/content/test/static/browser_misused_characters_in_strings.js
@@ -9,16 +9,28 @@
* the end of the test, there is an assertion that all items have been
* removed from the whitelist, thus ensuring there are no stale entries. */
let gWhitelist = [{
file: "netError.dtd",
key: "certerror.introPara",
type: "single-quote"
}, {
file: "netError.dtd",
+ key: "certerror.introPara1",
+ type: "single-quote"
+ }, {
+ file: "netError.dtd",
+ key: "certerror.expiredCert.whatCanYouDoAboutIt",
+ type: "single-quote"
+ }, {
+ file: "netError.dtd",
+ key: "certerror.whatShouldIDo.badStsCertExplanation1",
+ type: "single-quote"
+ }, {
+ file: "netError.dtd",
key: "inadequateSecurityError.longDesc",
type: "single-quote"
}, {
file: "netError.dtd",
key: "certerror.wrongSystemTime2",
type: "single-quote"
}, {
file: "netError.dtd",
--- a/browser/locales/en-US/chrome/overrides/netError.dtd
+++ b/browser/locales/en-US/chrome/overrides/netError.dtd
@@ -3,16 +3,17 @@
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
<!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd">
%brandDTD;
<!ENTITY loadError.label "Problem loading page">
<!ENTITY retry.label "Try Again">
<!ENTITY returnToPreviousPage.label "Go Back">
+<!ENTITY returnToPreviousPage1.label "Go Back (Recommended)">
<!ENTITY advanced.label "Advanced">
<!-- Specific error messages -->
<!ENTITY connectionFailure.title "Unable to connect">
<!ENTITY connectionFailure.longDesc "&sharedLongDesc;">
<!ENTITY deniedPortAccess.title "This address is restricted">
@@ -141,20 +142,40 @@
<!ENTITY nssFailure2.longDesc2 "
<ul>
<li>The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.</li>
<li>Please contact the website owners to inform them of this problem.</li>
</ul>
">
<!ENTITY certerror.longpagetitle1 "Your connection is not secure">
-<!-- Localization note (certerror.introPara) - The text content of the span tag
+<!ENTITY certerror.longpagetitle2 "Warning: Potential Security Risk Ahead">
+<!-- Localization note (certerror.introPara, certerror.introPara1) - The text content of the span tag
will be replaced at runtime with the name of the server to which the user
was trying to connect. -->
<!ENTITY certerror.introPara "The owner of <span class='hostname'/> has configured their website improperly. To protect your information from being stolen, &brandShortName; has not connected to this website.">
+<!ENTITY certerror.introPara1 "&brandShortName; detected a potential security threat and did not continue to <span class='hostname'/>. If you visit this site, attackers could try to steal information like your passwords, emails, or credit cards.">
+
+<!ENTITY certerror.expiredCert.secondPara "This issue is most likely because your computer clock is set to the wrong time, which would prevent &brandShortName; from connecting securely.">
+
+<!ENTITY certerror.whatCanYouDoAboutItTitle "What can you do about it?">
+
+<!ENTITY certerror.unknownIssuer.whatCanYouDoAboutIt "
+<p>The issue is most likely with the website, and there is nothing you can do to resolve it.</p>
+<p>If you are on a corporate network or using anti-virus software, you can reach out to the support teams for assistance. You can also notify the website’s administrator about the problem.</p>
+">
+
+<!ENTITY certerror.expiredCert.whatCanYouDoAboutIt "
+<p>Your computer clock is set to <span id='wrongSystemTime_systemDate'/>. Make sure your computer is set to the correct date, time, and time zone in your system settings, and then refresh <span class='hostname'/>.</p>
+<p>If your clock is already set to the right time, the website is likely misconfigured, and there is nothing you can do to resolve the issue. You can notify the website’s administrator about the problem.</p>
+">
+
+<!ENTITY certerror.badCertDomain.whatCanYouDoAboutIt "
+<p>The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.</p>
+">
<!ENTITY sharedLongDesc "
<ul>
<li>The site could be temporarily unavailable or too busy. Try again in a few
moments.</li>
<li>If you are unable to load any pages, check your computer’s network
connection.</li>
<li>If your computer or network is protected by a firewall or proxy, make sure
@@ -184,20 +205,22 @@ was trying to connect. -->
<!-- LOCALIZATION NOTE (certerror.wrongSystemTime2,
certerror.wrongSystemTimeWithoutReference) - The <span id='..' />
tags will be injected with actual values, please leave them unchanged. -->
<!ENTITY certerror.wrongSystemTime2 "<p> &brandShortName; did not connect to <span id='wrongSystemTime_URL'/> because your computer’s clock appears to show the wrong time and this is preventing a secure connection.</p> <p>Your computer is set to <span id='wrongSystemTime_systemDate'/>, when it should be <span id='wrongSystemTime_actualDate'/>. To fix this problem, change your date and time settings to match the correct time.</p>">
<!ENTITY certerror.wrongSystemTimeWithoutReference "<p>&brandShortName; did not connect to <span id='wrongSystemTimeWithoutReference_URL'/> because your computer’s clock appears to show the wrong time and this is preventing a secure connection.</p> <p>Your computer is set to <span id='wrongSystemTimeWithoutReference_systemDate'/>. To fix this problem, change your date and time settings to match the correct time.</p>">
<!ENTITY certerror.pagetitle1 "Insecure Connection">
+<!ENTITY certerror.pagetitle2 "Warning: Potential Security Risk Ahead">
<!ENTITY certerror.whatShouldIDo.badStsCertExplanation "This site uses HTTP
Strict Transport Security (HSTS) to specify that &brandShortName; may only connect
to it securely. As a result, it is not possible to add an exception for this
certificate.">
+<!ENTITY certerror.whatShouldIDo.badStsCertExplanation1 "<span class='hostname'></span> has a security policy called HTTP Strict Transport Security (HSTS), which means that &brandShortName; can only connect to it securely. You can’t add an exception to visit this site.">
<!ENTITY certerror.copyToClipboard.label "Copy text to clipboard">
<!ENTITY inadequateSecurityError.title "Your connection is not secure">
<!-- LOCALIZATION NOTE (inadequateSecurityError.longDesc) - Do not translate
"NS_ERROR_NET_INADEQUATE_SECURITY". -->
<!ENTITY inadequateSecurityError.longDesc "<p><span class='hostname'></span> uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.</p><p>Error code: NS_ERROR_NET_INADEQUATE_SECURITY</p>">
<!ENTITY blockedByPolicy.title "Blocked Page">
--- a/browser/modules/NetErrorContent.jsm
+++ b/browser/modules/NetErrorContent.jsm
@@ -11,40 +11,47 @@ ChromeUtils.import("resource://gre/modul
ChromeUtils.defineModuleGetter(this, "BrowserUtils",
"resource://gre/modules/BrowserUtils.jsm");
ChromeUtils.defineModuleGetter(this, "WebNavigationFrames",
"resource://gre/modules/WebNavigationFrames.jsm");
XPCOMUtils.defineLazyGetter(this, "gPipNSSBundle", function() {
return Services.strings.createBundle("chrome://pipnss/locale/pipnss.properties");
});
+XPCOMUtils.defineLazyGetter(this, "gBrandBundle", function() {
+ return Services.strings.createBundle("chrome://branding/locale/brand.properties");
+});
+XPCOMUtils.defineLazyPreferenceGetter(this, "newErrorPagesEnabled",
+ "browser.security.newcerterrorpage.enabled");
XPCOMUtils.defineLazyGetter(this, "gNSSErrorsBundle", function() {
return Services.strings.createBundle("chrome://pipnss/locale/nsserrors.properties");
});
const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11;
const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20;
const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30;
const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36;
const SEC_ERROR_OCSP_FUTURE_RESPONSE = SEC_ERROR_BASE + 131;
const SEC_ERROR_OCSP_OLD_RESPONSE = SEC_ERROR_BASE + 132;
const SEC_ERROR_REUSED_ISSUER_AND_SERIAL = SEC_ERROR_BASE + 138;
+const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 5;
const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 6;
const MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = MOZILLA_PKIX_ERROR_BASE + 14;
const MOZILLA_PKIX_ERROR_MITM_DETECTED = MOZILLA_PKIX_ERROR_BASE + 15;
const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
+const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
const SSL_ERROR_SSL_DISABLED = SSL_ERROR_BASE + 20;
const SSL_ERROR_SSL2_DISABLED = SSL_ERROR_BASE + 14;
const PREF_SERVICES_SETTINGS_CLOCK_SKEW_SECONDS = "services.settings.clock_skew_seconds";
const PREF_SERVICES_SETTINGS_LAST_FETCHED = "services.settings.last_update_seconds";
const PREF_SSL_IMPACT_ROOTS = ["security.tls.version.", "security.ssl3."];
@@ -108,19 +115,28 @@ var NetErrorContent = {
[hostString], 1);
msg1 += "\n\n";
if (input.data.certIsUntrusted) {
switch (input.data.code) {
// We only want to measure MitM rates for now. Treat it as unkown issuer.
case MOZILLA_PKIX_ERROR_MITM_DETECTED:
case SEC_ERROR_UNKNOWN_ISSUER:
- msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_UnknownIssuer") + "\n";
- msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_UnknownIssuer2") + "\n";
- msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_UnknownIssuer3") + "\n";
+ let brandName = gBrandBundle.GetStringFromName("brandShortName");
+ if (newErrorPagesEnabled) {
+ msg1 = "";
+ msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_UnknownIssuer4", [hostString], 1);
+ msg1 += "\n\n";
+ msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_UnknownIssuer5", [brandName, hostString], 2);
+ msg1 += "\n\n";
+ } else {
+ msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_UnknownIssuer") + "\n";
+ msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_UnknownIssuer2") + "\n";
+ msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_UnknownIssuer3") + "\n";
+ }
break;
case SEC_ERROR_CA_CERT_INVALID:
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_CaInvalid") + "\n";
break;
case SEC_ERROR_UNTRUSTED_ISSUER:
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Issuer") + "\n";
break;
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
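Review bot: `let brandName` is declared directly inside the `case SEC_ERROR_UNKNOWN_ISSUER:` clause, so the binding is scoped to the whole `switch` and the brand bundle is read even when `newErrorPagesEnabled` is false. Wrap the clause body in braces and move the lookup into the `if (newErrorPagesEnabled)` branch, its only consumer. `msg1 = "";` also deserves a comment: it discards whatever `msg1` held before the switch, and `MOZILLA_PKIX_ERROR_MITM_DETECTED` shares this branch, so a reader should be told the replacement is deliberate, e.g. `// New copy replaces the intro line built above`. The statement that builds `msg1` begins outside this hunk.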
@@ -140,18 +156,24 @@ var NetErrorContent = {
technicalInfo.appendChild(doc.createTextNode(msg1));
if (input.data.isDomainMismatch) {
let subjectAltNames = input.data.certSubjectAltNames.split(",");
let numSubjectAltNames = subjectAltNames.length;
let msgPrefix = "";
if (numSubjectAltNames != 0) {
if (numSubjectAltNames == 1) {
- msgPrefix = gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
-
+ if (newErrorPagesEnabled) {
+ technicalInfo.textContent = "";
+ let brandName = gBrandBundle.GetStringFromName("brandShortName");
+ msgPrefix = gPipNSSBundle.formatStringFromName("certErrorMismatchSinglePrefix1", [brandName, hostString], 2);
+ msgPrefix += gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
+ } else {
+ msgPrefix = gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
+ }
// Let's check if we want to make this a link.
let okHost = input.data.certSubjectAltNames;
let href = "";
let thisHost = doc.location.hostname;
let proto = doc.location.protocol + "//";
// If okHost is a wildcard domain ("*.example.com") let's
// use "www" instead. "*.example.com" isn't going to
// get anyone anywhere useful. bug 432491
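Review bot: In the new-pages branch `certErrorMismatchSinglePrefix1` and `certErrorMismatchSinglePrefix` are concatenated with nothing between them, so the rendered text reads "…not valid for %2$S.The certificate is only valid for …"; the multiple-names branch later in the file appends `+ " "` for the same purpose. Either add the separator, `msgPrefix += " " + gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");`, or fold both sentences into one string so localizers control how they join. The localization note for `certErrorMismatchSinglePrefix1` in pipnss.properties also describes a `%3$S` placeholder that the string does not contain. The enclosing `if (input.data.isDomainMismatch)` block continues past this hunk.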
@@ -207,49 +229,89 @@ var NetErrorContent = {
} else {
let fragment = BrowserUtils.getLocalizedFragment(doc,
msgPrefix,
input.data.certSubjectAltNames);
technicalInfo.appendChild(fragment);
}
technicalInfo.append("\n");
} else {
- let msg = gPipNSSBundle.GetStringFromName("certErrorMismatchMultiple") + "\n";
+ let msg = "";
+ if (newErrorPagesEnabled) {
+ technicalInfo.textContent = "";
+ let brandName = gBrandBundle.GetStringFromName("brandShortName");
+ msg = gPipNSSBundle.formatStringFromName("certErrorMismatchMultiple1", [brandName, hostString], 2) + " ";
+ } else {
+ msg = gPipNSSBundle.GetStringFromName("certErrorMismatchMultiple") + "\n";
+ }
for (let i = 0; i < numSubjectAltNames; i++) {
msg += subjectAltNames[i];
if (i != (numSubjectAltNames - 1)) {
msg += ", ";
}
}
technicalInfo.append(msg + "\n");
}
} else {
- let msg = gPipNSSBundle.formatStringFromName("certErrorMismatch",
+ let msg = "";
+ if (newErrorPagesEnabled) {
+ technicalInfo.textContent = "";
+ let brandName = gBrandBundle.GetStringFromName("brandShortName");
+ msg = gPipNSSBundle.formatStringFromName("certErrorMismatch1", [brandName, hostString], 2) + " ";
+ } else {
+ msg = gPipNSSBundle.formatStringFromName("certErrorMismatch",
[hostString], 1);
+ }
technicalInfo.append(msg + "\n");
}
}
if (input.data.isNotValidAtThisTime) {
let nowTime = new Date().getTime() * 1000;
let dateOptions = { year: "numeric", month: "long", day: "numeric", hour: "numeric", minute: "numeric" };
let now = new Services.intl.DateTimeFormat(undefined, dateOptions).format(new Date());
let msg = "";
if (input.data.validity.notBefore) {
if (nowTime > input.data.validity.notAfter) {
- msg += gPipNSSBundle.formatStringFromName("certErrorExpiredNow",
- [input.data.validity.notAfterLocalTime, now], 2) + "\n";
+ if (newErrorPagesEnabled) {
+ technicalInfo.textContent = "";
+ msg += gPipNSSBundle.formatStringFromName("certErrorExpiredNow1",
+ [hostString], 1);
+ msg += "\n";
+ } else {
+ msg += gPipNSSBundle.formatStringFromName("certErrorExpiredNow",
+ [input.data.validity.notAfterLocalTime, now], 2);
+ msg += "\n";
+ }
} else {
- msg += gPipNSSBundle.formatStringFromName("certErrorNotYetValidNow",
- [input.data.validity.notBeforeLocalTime, now], 2) + "\n";
- }
- } else {
+ // eslint-disable-next-line no-lonely-if
+ if (newErrorPagesEnabled) {
+ technicalInfo.textContent = "";
+ msg += gPipNSSBundle.formatStringFromName("certErrorNotYetValidNow1",
+ [hostString], 1);
+ msg += "\n";
+ } else {
+ msg += gPipNSSBundle.formatStringFromName("certErrorNotYetValidNow",
+ [input.data.validity.notBeforeLocalTime, now], 2);
+ msg += "\n";
+ }
+ }
+ } else {
// If something goes wrong, we assume the cert expired.
- msg += gPipNSSBundle.formatStringFromName("certErrorExpiredNow",
- ["", now], 2) + "\n";
+ // eslint-disable-next-line no-lonely-if
+ if (newErrorPagesEnabled) {
+ technicalInfo.textContent = "";
+ msg += gPipNSSBundle.formatStringFromName("certErrorExpiredNow1",
+ [hostString], 1);
+ msg += "\n";
+ } else {
+ msg += gPipNSSBundle.formatStringFromName("certErrorExpiredNow",
+ ["", now], 2);
+ msg += "\n";
+ }
}
technicalInfo.append(msg);
}
technicalInfo.append("\n");
// Add link to certificate and error message.
let linkPrefix = gPipNSSBundle.GetStringFromName("certErrorCodePrefix3");
let detailLink = doc.createElement("a");
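Review bot: Each new-pages branch starts with `technicalInfo.textContent = "";`, which erases everything appended earlier in the function, including the trust explanation added by `technicalInfo.appendChild(doc.createTextNode(msg1))`. When a certificate is both untrusted and expired or mismatched, only the last matching explanation survives, so the "Someone could be trying to impersonate the site" text can be replaced by the milder validity-period wording. If showing a single explanation is intended, choose it by priority in one place and say so in a comment; otherwise clear the node once before the first append. The same reset appears in the single-name branch of the previous hunk. The `brandName` lookup is also repeated in three branches where one lookup near the top of the function would do.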
@@ -267,39 +329,86 @@ var NetErrorContent = {
debugInfo.scrollIntoView({block: "start", behavior: "smooth"});
});
}
},
onCertErrorDetails(global, msg, docShell) {
let doc = docShell.document;
+ function updateContainerPosition() {
+ let textContainer = doc.getElementById("text-container");
+ textContainer.style.marginTop = `calc(50vh - ${textContainer.clientHeight / 2}px)`;
+ }
+
let div = doc.getElementById("certificateErrorText");
div.textContent = msg.data.info;
this._setTechDetails(msg, doc);
let learnMoreLink = doc.getElementById("learnMoreLink");
let baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");
+ let errWhatToDo = doc.getElementById("es_nssBadCert_" + msg.data.codeString);
+ let es = doc.getElementById("errorWhatToDoText");
+ let errWhatToDoTitle = doc.getElementById("edd_nssBadCert");
+ let est = doc.getElementById("errorWhatToDoTitleText");
switch (msg.data.code) {
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ case SEC_ERROR_OCSP_INVALID_SIGNING_CERT:
case SEC_ERROR_UNKNOWN_ISSUER:
+ if (!newErrorPagesEnabled) {
+ break;
+ }
+ if (es) {
+ // eslint-disable-next-line no-unsanitized/property
+ es.innerHTML = errWhatToDo.innerHTML;
+ }
+ if (est) {
+ // eslint-disable-next-line no-unsanitized/property
+ est.innerHTML = errWhatToDoTitle.innerHTML;
+ }
+ updateContainerPosition();
+ break;
+
case MOZILLA_PKIX_ERROR_MITM_DETECTED:
case MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
learnMoreLink.href = baseURL + "security-error";
break;
// In case the certificate expired we make sure the system clock
// matches the remote-settings service (blocklist via Kinto) ping time
// and is not before the build date.
case SEC_ERROR_EXPIRED_CERTIFICATE:
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
case SEC_ERROR_OCSP_FUTURE_RESPONSE:
case SEC_ERROR_OCSP_OLD_RESPONSE:
case MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
case MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
+ learnMoreLink.href = baseURL + "time-errors";
+ if (newErrorPagesEnabled) {
+ let dateOptions = { year: "numeric", month: "long", day: "numeric", hour: "numeric", minute: "numeric" };
+ let systemDate = new Services.intl.DateTimeFormat(undefined, dateOptions).format(new Date());
+ doc.getElementById("wrongSystemTime_systemDate").textContent = systemDate;
+ let errDesc = doc.getElementById("ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
+ let sd = doc.getElementById("errorShortDescText2");
+ if (sd) {
+ // eslint-disable-next-line no-unsanitized/property
+ sd.innerHTML = errDesc.innerHTML;
+ }
+ if (es) {
+ // eslint-disable-next-line no-unsanitized/property
+ es.innerHTML = errWhatToDo.innerHTML;
+ }
+ if (est) {
+ // eslint-disable-next-line no-unsanitized/property
+ est.innerHTML = errWhatToDoTitle.innerHTML;
+ }
+ updateContainerPosition();
+ break;
+ }
// We check against the remote-settings server time first if available, because that allows us
// to give the user an approximation of what the correct time is.
let difference = Services.prefs.getIntPref(PREF_SERVICES_SETTINGS_CLOCK_SKEW_SECONDS, 0);
let lastFetched = Services.prefs.getIntPref(PREF_SERVICES_SETTINGS_LAST_FETCHED, 0) * 1000;
let now = Date.now();
let certRange = this._getCertValidityRange(docShell);
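Review bot: The `innerHTML` copies check the destination (`if (es)`, `if (est)`, `if (sd)`) but read the source unconditionally, so if `doc.getElementById("es_nssBadCert_" + msg.data.codeString)` or either of the other template lookups returns null, `errWhatToDo.innerHTML` throws and the page is left partly filled. In the time-error branch the date is written through a document-wide `getElementById("wrongSystemTime_systemDate")` before the copy, which only works if that lookup happens to hit the template row for the current code; writing it into the copied markup under `es` removes that dependency. The three `no-unsanitized/property` suppressions carry no justification; a short comment that the source is a hidden template row built from netError.dtd entities would let a later reader confirm that nothing page-controlled reaches `innerHTML`. The new `break` also skips the clock-skew comparison that follows, so the "your clock is wrong" copy is shown without that check, which is worth confirming as intended. `onCertErrorDetails` continues outside the hunk.

```javascript
    // Copies a hidden template row into the visible page. The rows are built
    // from netError.dtd entities in aboutNetError-new.xhtml.
    function copyTemplate(target, template) {
      if (!target || !template) {
        return false;
      }
      // eslint-disable-next-line no-unsanitized/property
      target.innerHTML = template.innerHTML;
      return true;
    }
    // … unchanged: element lookups; the first case group calls
    //   copyTemplate(es, errWhatToDo) and copyTemplate(est, errWhatToDoTitle) …
        if (newErrorPagesEnabled) {
          // … unchanged: dateOptions, systemDate, errDesc, sd …
          copyTemplate(sd, errDesc);
          if (copyTemplate(es, errWhatToDo)) {
            // Fill the date in the copy that is actually displayed.
            let dateSpan = es.querySelector("#wrongSystemTime_systemDate");
            if (dateSpan) {
              dateSpan.textContent = systemDate;
            }
          }
          copyTemplate(est, errWhatToDoTitle);
          // … unchanged: updateContainerPosition(); break; …
        }
```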
@@ -347,17 +456,16 @@ var NetErrorContent = {
.textContent = doc.location.hostname;
doc.getElementById("wrongSystemTimeWithoutReference_systemDate")
.textContent = formatter.format(systemDate);
doc.getElementById("errorShortDesc").style.display = "none";
doc.getElementById("wrongSystemTimeWithoutReferencePanel").style.display = "block";
}
}
- learnMoreLink.href = baseURL + "time-errors";
break;
}
},
handleEvent(aGlobal, aEvent) {
// Documents have a null ownerDocument.
let doc = aEvent.originalTarget.ownerDocument || aEvent.originalTarget;
--- a/browser/themes/shared/aboutNetError-new.css
+++ b/browser/themes/shared/aboutNetError-new.css
@@ -45,16 +45,23 @@ button:disabled {
#learnMoreContainer {
display: none;
}
#certErrorAndCaptivePortalButtonContainer {
display: none;
}
+#advancedPanelButtonContainer {
+ background-color: var(--exception-button-container-background);
+ display: flex;
+ justify-content: end;
+ padding: 5px;
+}
+
body:not(.neterror) #certErrorAndCaptivePortalButtonContainer {
display: flex;
}
body:not(.neterror) #netErrorButtonContainer {
display: none;
}
@@ -79,16 +86,17 @@ body:not(.captiveportal) #openPortalLogi
}
body:not(.neterror) #advancedButton {
display: block;
}
#certificateErrorReporting {
display: none;
+ padding-bottom: 10px;
}
#advancedPanelContainer {
width: 100%;
left: 0;
}
.advanced-panel {
@@ -158,17 +166,16 @@ span#hostname {
color: var(--in-content-page-color);
text-decoration: none;
}
.exceptionDialogButtonContainer {
background-color: var(--exception-button-container-background);
display: flex;
justify-content: end;
- padding: 10px;
}
.exceptionDialogButtonContainer[hidden] {
display: none;
}
.illustrated #errorPageContainer {
min-height: 300px;
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -273,32 +273,43 @@ PSMERR_HostReusedIssuerSerial=You have r
SSLConnectionErrorPrefix2=An error occurred during a connection to %1$S. %2$S\n
certErrorIntro=%S uses an invalid security certificate.
certErrorTrust_SelfSigned=The certificate is not trusted because it is self-signed.
certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer certificate is unknown.
certErrorTrust_UnknownIssuer2=The server might not be sending the appropriate intermediate certificates.
certErrorTrust_UnknownIssuer3=An additional root certificate may need to be imported.
+certErrorTrust_UnknownIssuer4=Someone could be trying to impersonate the site and you should not continue.
+# LOCALIZATION NOTE (certErrorTrust_UnknownIssuer5): %1$S is replaced by the brand name, %2$S is replaced by host name.
+certErrorTrust_UnknownIssuer5=Websites prove their identity via security certificates. %1$S does not trust %2$S because its security certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.
certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate.
certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted.
certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
certErrorTrust_Untrusted=The certificate does not come from a trusted source.
certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.
certErrorMismatch=The certificate is not valid for the name %S.
+# LOCALIZATION NOTE (certErrorMismatch1, certErrorMismatchSinglePrefix1, certErrorMismatchMultiple1): %1$S is replaced by the brand name, %2$S is replaced by host name.
+certErrorMismatch1=Websites prove their identity via security certificates. %1$S does not trust %2$S because it uses a security certificate that is not valid for %2$S.
# LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid
certErrorMismatchSinglePrefix=The certificate is only valid for %S.
+# LOCALIZATION NOTE (certErrorMismatchSinglePrefix1): %3$S is replaced by the domain for which the certificate is valid
+certErrorMismatchSinglePrefix1=Websites prove their identity via security certificates. %1$S does not trust %2$S because it uses a security certificate that is not valid for %2$S.
certErrorMismatchMultiple=The certificate is only valid for the following names:
+certErrorMismatchMultiple1=Websites prove their identity via security certificates. %1$S does not trust %2$S because it uses a security certificate that is not valid for %2$S. The certificate is only valid for the following names:
# LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time)
certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S.
+certErrorExpiredNow1=Websites prove their identity via security certificates, which are valid for a set time period. The security certificate for %S appears to be expired.
+
# LOCALIZATION NOTE (certErrorNotYetValidNow): Do not translate %1$S (date+time certificate will become valid) or %2$S (current date+time)
certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
+certErrorNotYetValidNow1=Websites prove their identity via security certificates, which are valid for a set time period. The security certificate for %S appears to be not yet valid.
# LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code.
certErrorCodePrefix3=Error code: %S
P12DefaultNickname=Imported Certificate
CertUnknown=Unknown
CertNoEmailAddress=(no email address)
CaCertExists=This certificate is already installed as a certificate authority.