bug 1154012 - dev tools and alt-svc r=vporof
authorPatrick McManus <mcmanus@ducksong.com>
Mon, 13 Apr 2015 15:35:55 -0400
changeset 242044 794849eb1d82d6962fae4695fecfda56722e114d
parent 242043 6fa4bb578765097f82a0affb14a4feb0ef585f42
child 242045 6fb1d54708024088aaffb1bba631fb1bb6bd1ab4
push id59303
push usermcmanus@ducksong.com
push dateFri, 01 May 2015 20:06:05 +0000
reviewersvporof
bugs1154012
milestone40.0a1
bug 1154012 - dev tools and alt-svc r=vporof
browser/locales/en-US/chrome/browser/devtools/netmonitor.properties
toolkit/devtools/webconsole/network-helper.js
--- a/browser/locales/en-US/chrome/browser/devtools/netmonitor.properties
+++ b/browser/locales/en-US/chrome/browser/devtools/netmonitor.properties
@@ -31,18 +31,18 @@ netmonitor.tooltip=Network Monitor
 
 # LOCALIZATION NOTE (netmonitor.security.state.secure)
 # This string is used as an tooltip for request that was performed over secure
 # channel i.e. the connection was encrypted.
 netmonitor.security.state.secure=The connection used to fetch this resource was secure.
 
 # LOCALIZATION NOTE (netmonitor.security.state.insecure)
 # This string is used as an tooltip for request that was performed over insecure
-# channel i.e. the connection was not encrypted.
-netmonitor.security.state.insecure=The connection used to fetch this resource was not encrypted.
+# channel i.e. the connection was not https
+netmonitor.security.state.insecure=The connection used to fetch this resource was not secure.
 
 # LOCALIZATION NOTE (netmonitor.security.state.broken)
 # This string is used as an tooltip for request that failed due to security
 # issues.
 netmonitor.security.state.broken=A security error prevented the resource from being loaded.
 
 # LOCALIZATION NOTE (netmonitor.security.state.weak)
 # This string is used as an tooltip for request that had minor security issues
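Review bot: The updated localization note for `netmonitor.security.state.insecure` says "the connection was not https", but the network-helper.js change in this same commit accepts both https and wss, and it assigns this state from the URL scheme alone, so the tooltip can now appear for a request whose transport was in fact encrypted. The note should tell localizers that, for example `# channel, i.e. the URL scheme was not https or wss (the transport may still have been encrypted).` The string's meaning also changes from "not encrypted" to "not secure" while the key stays the same, so it is worth confirming that existing translations will be refreshed; a new key is presumably needed for that.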
--- a/toolkit/devtools/webconsole/network-helper.js
+++ b/toolkit/devtools/webconsole/network-helper.js
@@ -572,18 +572,27 @@ let NetworkHelper = {
 
     const wpl = Ci.nsIWebProgressListener;
     const NSSErrorsService = Cc['@mozilla.org/nss_errors_service;1']
                                .getService(Ci.nsINSSErrorsService);
     const SSLStatus = securityInfo.SSLStatus;
     if (!NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) {
       const state = securityInfo.securityState;
 
-      if (state & wpl.STATE_IS_SECURE) {
-        // The connection is secure.
+      let uri = null;
+      if (httpActivity.channel && httpActivity.channel.URI) {
+        uri = httpActivity.channel.URI;
+      }
+      if (uri && !uri.schemeIs("https") && !uri.schemeIs("wss")) {
+        // it is not enough to look at the transport security info - schemes other than
+        // https and wss are subject to downgrade/etc at the scheme level and should
+        // always be considered insecure
+        info.state = "insecure";
+      } else if (state & wpl.STATE_IS_SECURE) {
+        // The connection is secure if the scheme is sufficient
         info.state = "secure";
       } else if (state & wpl.STATE_IS_BROKEN) {
         // The connection is not secure, there was no error but there's some
         // minor security issues.
         info.state = "weak";
         info.weaknessReasons = this.getReasonsForWeakness(state);
       } else if (state & wpl.STATE_IS_INSECURE) {
         // This was most likely an https request that was aborted before
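Review bot: The scheme override fails open when the URI is unavailable: if `httpActivity.channel` or its `URI` is missing, `uri` stays null and the first condition is skipped. A transport with `STATE_IS_SECURE` is then still reported as "secure" even though the scheme was never checked. If callers are expected to always supply a channel, consider treating the unknown case conservatively with `if (!uri || (!uri.schemeIs("https") && !uri.schemeIs("wss"))) {`. Otherwise, extend the comment to say that a missing URI deliberately falls back to the transport state. The enclosing function starts before and continues after this hunk, so whether `httpActivity` is always passed cannot be confirmed from the visible lines.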