Bug 1217156 - Add a pref to turn on/off insecure password warnings. Keep it on for Nightly and off for other builds. Will be turned on for dev edition after a few bug fixes. r=bgrins
authorTanvi Vyas <tanvi@mozilla.com>
Thu, 29 Oct 2015 17:01:22 -0700
changeset 270208 3189c9d88f1357c98dbd7c08c8615af138268807
parent 270207 e458fba06eb1613dd252bfc5445d070115d2ad93
child 270209 5cdf66dfef92364072336ce276f9f2c70d421718
push id15996
push userbgrinstead@mozilla.com
push dateFri, 30 Oct 2015 00:02:29 +0000
reviewersbgrins
bugs1217156
milestone45.0a1
Bug 1217156 - Add a pref to turn on/off insecure password warnings. Keep it on for Nightly and off for other builds. Will be turned on for dev edition after a few bug fixes. r=bgrins
browser/app/profile/firefox.js
browser/base/content/browser.js
browser/base/content/test/general/browser_insecureLoginForms.js
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -1425,16 +1425,23 @@ pref("social.sidebar.unload_timeout_ms",
 pref("social.share.activationPanelEnabled", true);
 pref("social.shareDirectory", "https://activations.cdn.mozilla.net/sharePanel.html");
 
 pref("dom.identity.enabled", false);
 
 // Block insecure active content on https pages
 pref("security.mixed_content.block_active_content", true);
 
+// Show degraded UI for http pages with password fields
+#ifdef NIGHTLY_BUILD
+pref("security.insecure_password.ui.enabled", true);
+#else
+pref("security.insecure_password.ui.enabled", false);
+#endif
+
 // 1 = allow MITM for certificate pinning checks.
 pref("security.cert_pinning.enforcement_level", 1);
 
 // 2 = allow SHA-1 only before 2016-01-01
 pref("security.pki.sha1_enforcement_level", 2);
 
 // Required blocklist freshness for OneCRL OCSP bypass
 // (default is 1.25x extensions.blocklist.interval, or 30 hours)
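Review bot: The new comment above the `#ifdef NIGHTLY_BUILD` block says what the pref controls but not that it must exist in every build: the reader added in browser.js calls `Services.prefs.getBoolPref` on it with no fallback value, so a build that dropped the `#else` branch would make that getter throw rather than default to off. A second line such as `// Must be defined in every build: gIdentityHandler reads it without a default.` would protect the `#else` branch from a future cleanup. It is also worth stating that the pref only gates the identity-block presentation, not the detection of insecure login forms itself.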
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -6922,16 +6922,23 @@ var gIdentityHandler = {
   get _isMixedActiveContentBlocked() {
     return this._state & Ci.nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
   },
 
   get _isMixedPassiveContentLoaded() {
     return this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT;
   },
 
+  get _hasInsecureLoginForms() {
+    // checks if the page has been flagged for an insecure login. Also checks
+    // if the pref to degrade the UI is set to true
+    return LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser) &&
+           Services.prefs.getBoolPref("security.insecure_password.ui.enabled");
+  },
+
   // smart getters
   get _identityPopup () {
     delete this._identityPopup;
     return this._identityPopup = document.getElementById("identity-popup");
   },
   get _identityBox () {
     delete this._identityBox;
     return this._identityBox = document.getElementById("identity-box");
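Review bot: The new getter `_hasInsecureLoginForms` returns false when the page does contain insecure login forms but the pref is off, so its name describes page state while its value is a UI decision; the two call sites in the later hunks (`classList.add("insecureLoginForms")` and the `loginforms = "insecure"` assignment) read as if they were testing page state. A name like `_showInsecureLoginFormsWarning`, or at least a comment `// False when the degraded UI is pref'd off even if insecure forms are present.`, would make that explicit. The pref read is also the cheaper conjunct and should come first so the LoginManagerParent query is skipped when the UI is disabled: `return Services.prefs.getBoolPref("security.insecure_password.ui.enabled") && LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser);`. gIdentityHandler continues outside the hunk.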
@@ -7252,17 +7259,17 @@ var gIdentityHandler = {
         } else if (this._isMixedActiveContentBlocked) {
           this._identityBox.classList.add("mixedDisplayContentLoadedActiveBlocked");
         } else if (this._isMixedPassiveContentLoaded) {
           this._identityBox.classList.add("mixedDisplayContent");
         } else {
           this._identityBox.classList.add("weakCipher");
         }
       }
-      if (LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser)) {
+      if (this._hasInsecureLoginForms) {
         // Insecure login forms can only be present on "unknown identity"
         // pages, either already insecure or with mixed active content loaded.
         this._identityBox.classList.add("insecureLoginForms");
       }
       tooltip = gNavigatorBundle.getString("identity.unknown.tooltip");
     }
 
     // Push the appropriate strings out to the UI
@@ -7296,17 +7303,17 @@ var gIdentityHandler = {
     } else if (this._isEV) {
       connection = "secure-ev";
     } else if (this._isSecure) {
       connection = "secure";
     }
 
     // Determine if there are insecure login forms.
     let loginforms = "secure";
-    if (LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser)) {
+    if (this._hasInsecureLoginForms) {
       loginforms = "insecure";
     }
 
     // Determine the mixed content state.
     let mixedcontent = [];
     if (this._isMixedPassiveContentLoaded) {
       mixedcontent.push("passive-loaded");
     }
--- a/browser/base/content/test/general/browser_insecureLoginForms.js
+++ b/browser/base/content/test/general/browser_insecureLoginForms.js
@@ -13,16 +13,20 @@ function waitForInsecureLoginFormsStateC
   return BrowserTestUtils.waitForEvent(browser, "InsecureLoginFormsStateChange",
                                        false, () => --count == 0);
 }
 
 /**
  * Checks the insecure login forms logic for the identity block.
  */
 add_task(function* test_simple() {
+  yield new Promise(resolve => SpecialPowers.pushPrefEnv({
+    "set": [["security.insecure_password.ui.enabled", true]],
+  }, resolve));
+
   for (let scheme of ["http", "https"]) {
     let tab = gBrowser.addTab(scheme + testUrlPath + "form_basic.html");
     let browser = tab.linkedBrowser;
     yield Promise.all([
       BrowserTestUtils.switchTab(gBrowser, tab),
       BrowserTestUtils.browserLoaded(browser),
       // One event is triggered by pageshow and one by DOMFormHasPassword.
       waitForInsecureLoginFormsStateChange(browser, 2),
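Review bot: The test now only exercises the enabled branch of the new pref; nothing verifies that with `security.insecure_password.ui.enabled` set to false the identity box omits the `insecureLoginForms` class, which is the behaviour this commit introduces and the default for non-Nightly builds. A second pass over the same http page with the pref pushed as false, asserting the class is absent, would pin the gating. If the harness does not restore pushed pref environments when the task ends, a matching `popPrefEnv` at the end of `test_simple` would keep the pref from leaking into later tests. test_simple's body continues outside the hunk.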