Bug 1262009 - Treat all file connections (including chrome uris) as non secure connections;r=tanvi
authorBrian Grinstead <bgrinstead@mozilla.com>
Wed, 13 Apr 2016 10:42:37 -0700
changeset 316825 3f43e85a0cfd4281451cc0049fd1638885a1e670
parent 316756 196a0e282b3e33aa3d82ae6f3e7d21390d2a60fd
child 316826 f8ec60f2667eb6c1195e24a08e866caea6cb034f
push id9480
push userjlund@mozilla.com
push dateMon, 25 Apr 2016 17:12:58 +0000
treeherdermozilla-aurora@0d6a91c76a9e [default view] [failures only]
reviewerstanvi
bugs1262009
milestone48.0a1
Bug 1262009 - Treat all file connections (including chrome uris) as non secure connections;r=tanvi If a <browser> is included within a chrome document, then this._state will refer to the security state for the <browser> and not the top level document. In this case, don't upgrade the security state in the UI with the secure state of the embedded <browser>.
browser/base/content/browser.js
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -6406,21 +6406,29 @@ var gIdentityHandler = {
    */
   _state: 0,
 
   get _isBroken() {
     return this._state & Ci.nsIWebProgressListener.STATE_IS_BROKEN;
   },
 
   get _isSecure() {
-    return this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE;
+    // If a <browser> is included within a chrome document, then this._state
+    // will refer to the security state for the <browser> and not the top level
+    // document. In this case, don't upgrade the security state in the UI
+    // with the secure state of the embedded <browser>.
+    return !this._isURILoadedFromFile && this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE;
   },
 
   get _isEV() {
-    return this._state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
+    // If a <browser> is included within a chrome document, then this._state
+    // will refer to the security state for the <browser> and not the top level
+    // document. In this case, don't upgrade the security state in the UI
+    // with the EV state of the embedded <browser>.
+    return !this._isURILoadedFromFile && this._state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
   },
 
   get _isMixedActiveContentLoaded() {
     return this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT;
   },
 
   get _isMixedActiveContentBlocked() {
     return this._state & Ci.nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
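Review bot: The new return expressions in `_isSecure` and `_isEV` mix `&&` with a bare `&`, which is correct only because `&` binds tighter than `&&`, and the getters now return `false` in one case and a bitmask number in the other. Parenthesising makes the intent explicit for a check that drives the security indicator: `return !this._isURILoadedFromFile && (this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE);`, and likewise for `STATE_IDENTITY_EV_TOPLEVEL`. The added comment describes only the embedded `<browser>` case, while the guard suppresses the secure/EV state for every URI that `isURILoadedFromFile()` reports as file-backed. A closing line such as `// Applies to any URI that resolves to the file system, not only chrome documents.` would match the commit title.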
@@ -6603,16 +6611,17 @@ var gIdentityHandler = {
    * @param uri
    *        nsIURI for which the identity UI should be displayed, already
    *        processed by nsIURIFixup.createExposableURI.
    */
   updateIdentity(state, uri) {
     let shouldHidePopup = this._uri && (this._uri.spec != uri.spec);
     this._state = state;
     this._uri = uri;
+    this._isURILoadedFromFile = this.isURILoadedFromFile();
 
     // Firstly, populate the state properties required to display the UI. See
     // the documentation of the individual properties for details.
 
     try {
       this._uri.host;
       this._uriHasHost = true;
     } catch (ex) {
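Review bot: `_isURILoadedFromFile` is now a plain field assigned only on this line, so `_isSecure` and `_isEV` read whatever the last `updateIdentity` call stored. Any path that changes `_uri` or `_state` without going through `updateIdentity` (none is visible in this diff) would leave the flag stale against the displayed state. The field is also not declared next to `_state`, so before the first call it is `undefined`, `!this._isURILoadedFromFile` is true, and the decision falls to `_state` alone. Declaring it beside `_state` as `_isURILoadedFromFile: false,` with a comment that it is refreshed in `updateIdentity` would make the dependency visible. The body of `updateIdentity` continues outside the hunk.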
@@ -6956,17 +6965,17 @@ var gIdentityHandler = {
     this._identityPopupContentOwner.textContent = owner;
     this._identityPopupContentSupp.textContent = supplemental;
     this._identityPopupContentVerif.textContent = verifier;
 
     // Update per-site permissions section.
     this.updateSitePermissions();
   },
 
-  get _isURILoadedFromFile() {
+  isURILoadedFromFile() {
     // Create a channel for the sole purpose of getting the resolved URI
     // of the request to determine if it's loaded from the file system.
     let chanOptions = {uri: this._uri, loadUsingSystemPrincipal: true};
     let resolvedURI;
     try {
       resolvedURI = NetUtil.newChannel(chanOptions).URI;
       if (resolvedURI.schemeIs("jar")) {
         // Given a URI "jar:<jar-file-uri>!/<jar-entry>"