Bug 1217156 - Add a pref to turn on/off insecure password warnings. Keep it on for Nightly and off for other builds. Will be turned on for dev edition after a few bug fixes. r=bgrins
authorTanvi Vyas <tanvi@mozilla.com>
Thu, 29 Oct 2015 17:01:22 -0700
changeset 270292 3189c9d88f1357c98dbd7c08c8615af138268807
parent 270291 e458fba06eb1613dd252bfc5445d070115d2ad93
child 270293 5cdf66dfef92364072336ce276f9f2c70d421718
reviewersbgrins
bugs1217156
milestone45.0a1
Bug 1217156 - Add a pref to turn on/off insecure password warnings. Keep it on for Nightly and off for other builds. Will be turned on for dev edition after a few bug fixes. r=bgrins
browser/app/profile/firefox.js
browser/base/content/browser.js
browser/base/content/test/general/browser_insecureLoginForms.js
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -1425,16 +1425,23 @@ pref("social.sidebar.unload_timeout_ms",
 pref("social.share.activationPanelEnabled", true);
 pref("social.shareDirectory", "https://activations.cdn.mozilla.net/sharePanel.html");
 
 pref("dom.identity.enabled", false);
 
 // Block insecure active content on https pages
 pref("security.mixed_content.block_active_content", true);
 
+// Show degraded UI for http pages with password fields
+#ifdef NIGHTLY_BUILD
+pref("security.insecure_password.ui.enabled", true);
+#else
+pref("security.insecure_password.ui.enabled", false);
+#endif
+
 // 1 = allow MITM for certificate pinning checks.
 pref("security.cert_pinning.enforcement_level", 1);
 
 // 2 = allow SHA-1 only before 2016-01-01
 pref("security.pki.sha1_enforcement_level", 2);
 
 // Required blocklist freshness for OneCRL OCSP bypass
 // (default is 1.25x extensions.blocklist.interval, or 30 hours)
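Review bot: The comment on the new pref at L42 should say what the pref gates, since the `#ifdef NIGHTLY_BUILD` default is the only place a reader of firefox.js learns about it. The identity-block code in browser.js checks this pref together with `LoginManagerParent.hasInsecureLoginForms`, so turning it off hides the degraded UI but does not stop insecure-login detection itself. Suggested wording: `// Show degraded identity-block UI for http pages with password fields.` followed by `// Only gates the UI; insecure-login detection in LoginManagerParent runs regardless.` It is also worth a note that the reader uses `getBoolPref`, which throws when a pref has no value, so the entry must stay defined on both sides of the ifdef as the `#else` branch currently ensures.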
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -6922,16 +6922,23 @@ var gIdentityHandler = {
   get _isMixedActiveContentBlocked() {
     return this._state & Ci.nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
   },
 
   get _isMixedPassiveContentLoaded() {
     return this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT;
   },
 
+  get _hasInsecureLoginForms() {
+    // checks if the page has been flagged for an insecure login. Also checks
+    // if the pref to degrade the UI is set to true
+    return LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser) &&
+           Services.prefs.getBoolPref("security.insecure_password.ui.enabled");
+  },
+
   // smart getters
   get _identityPopup () {
     delete this._identityPopup;
     return this._identityPopup = document.getElementById("identity-popup");
   },
   get _identityBox () {
     delete this._identityBox;
     return this._identityBox = document.getElementById("identity-box");
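Review bot: The new `_hasInsecureLoginForms` getter (L68-73) evaluates the per-browser lookup before the pref, so the cheap local switch is consulted last; reversing the operands short-circuits on the pref when the feature is off: `return Services.prefs.getBoolPref("security.insecure_password.ui.enabled") && LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser);`. `getBoolPref` throws if the pref has no value, so this getter depends on the default added to firefox.js in the same commit; a one-line comment such as `// Pref default lives in firefox.js; getBoolPref throws if it is absent.` would help anyone who later moves or reuses this code. The enclosing `gIdentityHandler` object continues outside the hunk.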
@@ -7252,17 +7259,17 @@ var gIdentityHandler = {
         } else if (this._isMixedActiveContentBlocked) {
           this._identityBox.classList.add("mixedDisplayContentLoadedActiveBlocked");
         } else if (this._isMixedPassiveContentLoaded) {
           this._identityBox.classList.add("mixedDisplayContent");
         } else {
           this._identityBox.classList.add("weakCipher");
         }
       }
-      if (LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser)) {
+      if (this._hasInsecureLoginForms) {
         // Insecure login forms can only be present on "unknown identity"
         // pages, either already insecure or with mixed active content loaded.
         this._identityBox.classList.add("insecureLoginForms");
       }
       tooltip = gNavigatorBundle.getString("identity.unknown.tooltip");
     }
 
     // Push the appropriate strings out to the UI
@@ -7296,17 +7303,17 @@ var gIdentityHandler = {
     } else if (this._isEV) {
       connection = "secure-ev";
     } else if (this._isSecure) {
       connection = "secure";
     }
 
     // Determine if there are insecure login forms.
     let loginforms = "secure";
-    if (LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser)) {
+    if (this._hasInsecureLoginForms) {
       loginforms = "insecure";
     }
 
     // Determine the mixed content state.
     let mixedcontent = [];
     if (this._isMixedPassiveContentLoaded) {
       mixedcontent.push("passive-loaded");
     }
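Review bot: With the pref off, `loginforms` keeps its default of `"secure"` (L110) for an http page that does contain a password field, so the attribute pushed to the identity popup then asserts a positive state that is false rather than simply unreported. If any popup styling or string keyed on `loginforms="secure"` tells the user their login is protected, the gate should leave that state neutral when the UI is disabled; if the attribute only drives the warning, a comment documenting the intended meaning avoids the misreading: `// "secure" here means "no insecure-login warning to show"; with the UI pref off it is set even for http pages with password fields.` The enclosing function starts and ends outside the hunk.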
--- a/browser/base/content/test/general/browser_insecureLoginForms.js
+++ b/browser/base/content/test/general/browser_insecureLoginForms.js
@@ -13,16 +13,20 @@ function waitForInsecureLoginFormsStateC
   return BrowserTestUtils.waitForEvent(browser, "InsecureLoginFormsStateChange",
                                        false, () => --count == 0);
 }
 
 /**
  * Checks the insecure login forms logic for the identity block.
  */
 add_task(function* test_simple() {
+  yield new Promise(resolve => SpecialPowers.pushPrefEnv({
+    "set": [["security.insecure_password.ui.enabled", true]],
+  }, resolve));
+
   for (let scheme of ["http", "https"]) {
     let tab = gBrowser.addTab(scheme + testUrlPath + "form_basic.html");
     let browser = tab.linkedBrowser;
     yield Promise.all([
       BrowserTestUtils.switchTab(gBrowser, tab),
       BrowserTestUtils.browserLoaded(browser),
       // One event is triggered by pageshow and one by DOMFormHasPassword.
       waitForInsecureLoginFormsStateChange(browser, 2),
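Review bot: The test now forces the pref on (L132-134) but adds no case for the pref being off, which is the behaviour this commit introduces; a regression that ignored the pref would still pass. A second `pushPrefEnv` setting `["security.insecure_password.ui.enabled", false]`, loading the http form and asserting that `identity-box` does not gain the `insecureLoginForms` class would cover it. Presumably the harness restores `pushPrefEnv` state at the end of the test file; if not, the forced-on value leaks into later tests in the same run. `test_simple` continues outside the hunk.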