Bug 1204486 - Simplify gIdentityHandler and show connection type in the fullscreen notification. r=ttaubert, a=lizzard
authorPaolo Amadini <paolo.mozmail@amadzone.org>
Tue, 22 Sep 2015 14:37:39 +0100
changeset 296261 35b3e4d35d2910419ec5971c8b8771b38f197cb4
parent 296260 5bacade79fc5d26ce8c2fc50adc1d084d342eab2
child 296262 c4cd3a110e3fd8048698ff11b1a8d3f98dcb950f
push id5245
push userraliiev@mozilla.com
push dateThu, 29 Oct 2015 11:30:51 +0000
treeherdermozilla-beta@dac831dc1bd0 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersttaubert, lizzard
bugs1204486
milestone43.0a2
Bug 1204486 - Simplify gIdentityHandler and show connection type in the fullscreen notification. r=ttaubert, a=lizzard
browser/base/content/browser-fullScreen.js
browser/base/content/browser.js
browser/base/content/test/general/browser_aboutSupport_newtab_security_state.js
browser/base/content/test/general/browser_bug435035.js
browser/base/content/test/general/browser_identity_UI.js
browser/base/content/test/general/head.js
--- a/browser/base/content/browser-fullScreen.js
+++ b/browser/base/content/browser-fullScreen.js
@@ -394,17 +394,17 @@ var FullScreen = {
       } else {
         textElem.removeAttribute("hidden");
         let hostLabel = document.getElementById("fullscreen-domain");
         // Document's principal's URI has a host. Display a warning including it.
         let utils = {};
         Cu.import("resource://gre/modules/DownloadUtils.jsm", utils);
         hostLabel.value = utils.DownloadUtils.getURIHost(uri.spec)[0];
       }
-      this._element.className = gIdentityHandler.getMode();
+      this._element.className = gIdentityHandler.fullscreenWarningClassName;
 
       // User should be allowed to explicitly disable
       // the prompt if they really want.
       if (this._timeoutHide.delay <= 0) {
         return;
       }
 
       // Explicitly set the last state to hidden to avoid the warning
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -4501,51 +4501,24 @@ var XULBrowserWindow = {
       return;
     this._state = aState;
     this._lastLocation = spec;
 
     if (typeof(aIsSimulated) != "boolean" && typeof(aIsSimulated) != "undefined") {
       throw "onSecurityChange: aIsSimulated receieved an unexpected type";
     }
 
-    // aState is defined as a bitmask that may be extended in the future.
-    // We filter out any unknown bits before testing for known values.
-    const wpl = Components.interfaces.nsIWebProgressListener;
-    const wpl_security_bits = wpl.STATE_IS_SECURE |
-                              wpl.STATE_IS_BROKEN |
-                              wpl.STATE_IS_INSECURE;
-    var level;
-
-    switch (this._state & wpl_security_bits) {
-      case wpl.STATE_IS_SECURE:
-        level = "high";
-        break;
-      case wpl.STATE_IS_BROKEN:
-        level = "broken";
-        break;
-    }
-
-    if (level) {
-      // We don't style the Location Bar based on the the 'level' attribute
-      // anymore, but still set it for third-party themes.
-      if (gURLBar)
-        gURLBar.setAttribute("level", level);
-    } else {
-      if (gURLBar)
-        gURLBar.removeAttribute("level");
-    }
-
     // Make sure the "https" part of the URL is striked out or not,
     // depending on the current mixed active content blocking state.
     gURLBar.formatValue();
 
     try {
       uri = Services.uriFixup.createExposableURI(uri);
     } catch (e) {}
-    gIdentityHandler.checkIdentity(this._state, uri);
+    gIdentityHandler.updateIdentity(this._state, uri);
     TrackingProtection.onSecurityChange(this._state, aIsSimulated);
   },
 
   // simulate all change notifications after switching tabs
   onUpdateCurrentBrowser: function XWB_onUpdateCurrentBrowser(aStateFlags, aStatus, aMessage, aTotalProgress) {
     if (FullZoom.updateBackgroundTabs)
       FullZoom.onLocationChange(gBrowser.currentURI, true);
     var nsIWebProgressListener = Components.interfaces.nsIWebProgressListener;
@@ -6736,31 +6709,73 @@ function formatURL(aFormat, aIsPref) {
   var formatter = Cc["@mozilla.org/toolkit/URLFormatterService;1"].getService(Ci.nsIURLFormatter);
   return aIsPref ? formatter.formatURLPref(aFormat) : formatter.formatURL(aFormat);
 }
 
 /**
  * Utility object to handle manipulations of the identity indicators in the UI
  */
 var gIdentityHandler = {
-  // Mode strings used to control CSS display
-  IDENTITY_MODE_IDENTIFIED                             : "verifiedIdentity", // High-quality identity information
-  IDENTITY_MODE_DOMAIN_VERIFIED                        : "verifiedDomain",   // Minimal SSL CA-signed domain verification
-  IDENTITY_MODE_UNKNOWN                                : "unknownIdentity",  // No trusted identity information
-  IDENTITY_MODE_USES_WEAK_CIPHER                       : "unknownIdentity weakCipher",  // SSL with RC4 cipher suite or SSL3
-  IDENTITY_MODE_MIXED_DISPLAY_LOADED                   : "unknownIdentity mixedContent mixedDisplayContent",  // SSL with unauthenticated display content
-  IDENTITY_MODE_MIXED_ACTIVE_LOADED                    : "unknownIdentity mixedContent mixedActiveContent",  // SSL with unauthenticated active (and perhaps also display) content
-  IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED    : "unknownIdentity mixedContent mixedDisplayContentLoadedActiveBlocked",  // SSL with unauthenticated display content; unauthenticated active content is blocked.
-  IDENTITY_MODE_MIXED_ACTIVE_BLOCKED                   : "verifiedDomain mixedContent mixedActiveBlocked",  // SSL with unauthenticated active content blocked; no unauthenticated display content
-  IDENTITY_MODE_MIXED_ACTIVE_BLOCKED_IDENTIFIED        : "verifiedIdentity mixedContent mixedActiveBlocked",  // SSL with unauthenticated active content blocked; no unauthenticated display content
-  IDENTITY_MODE_CHROMEUI                               : "chromeUI",         // Part of the product's UI
-
-  _isChromeUI: false,
+  /**
+   * nsIURI for which the identity UI is displayed. This has been already
+   * processed by nsIURIFixup.createExposableURI.
+   */
+  _uri: null,
+
+  /**
+   * We only know the connection type if this._uri has a defined "host" part.
+   *
+   * These URIs, like "about:" and "data:" URIs, will usually be treated as a
+   * non-secure connection, unless they refer to an internally implemented
+   * browser page or resolve to "file:" URIs.
+   */
+  _uriHasHost: false,
+
+  /**
+   * Whether this._uri refers to an internally implemented browser page.
+   *
+   * Note that this is set for some "about:" pages, but general "chrome:" URIs
+   * are not included in this category by default.
+   */
+  _isSecureInternalUI: false,
+
+  /**
+   * nsISSLStatus metadata provided by gBrowser.securityUI the last time the
+   * identity UI was updated, or null if the connection is not secure.
+   */
   _sslStatus: null,
-  _uri: null,
+
+  /**
+   * Bitmask provided by nsIWebProgressListener.onSecurityChange.
+   */
+  _state: 0,
+
+  get _isBroken() {
+    return this._state & Ci.nsIWebProgressListener.STATE_IS_BROKEN;
+  },
+
+  get _isSecure() {
+    return this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE;
+  },
+
+  get _isEV() {
+    return this._state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
+  },
+
+  get _isMixedActiveContentLoaded() {
+    return this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT;
+  },
+
+  get _isMixedActiveContentBlocked() {
+    return this._state & Ci.nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
+  },
+
+  get _isMixedPassiveContentLoaded() {
+    return this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT;
+  },
 
   // smart getters
   get _identityPopup () {
     delete this._identityPopup;
     return this._identityPopup = document.getElementById("identity-popup");
   },
   get _identityBox () {
     delete this._identityBox;
@@ -6883,18 +6898,17 @@ var gIdentityHandler = {
   },
 
   /**
    * Helper to parse out the important parts of _sslStatus (of the SSL cert in
    * particular) for use in constructing identity UI strings
   */
   getIdentityData : function() {
     var result = {};
-    var status = this._sslStatus.QueryInterface(Ci.nsISSLStatus);
-    var cert = status.serverCert;
+    var cert = this._sslStatus.serverCert;
 
     // Human readable name of Subject
     result.subjectOrg = cert.organization;
 
     // SubjectName fields, broken up for individual access
     if (cert.subjectName) {
       result.subjectNameFields = {};
       cert.subjectName.split(",").forEach(function(v) {
@@ -6911,79 +6925,55 @@ var gIdentityHandler = {
     // Human readable name of Certificate Authority
     result.caOrg =  cert.issuerOrganization || cert.issuerCommonName;
     result.cert = cert;
 
     return result;
   },
 
   /**
-   * Determine the identity of the page being displayed by examining its SSL cert
-   * (if available) and, if necessary, update the UI to reflect this.  Intended to
-   * be called by onSecurityChange
+   * Update the identity user interface for the page currently being displayed.
+   *
+   * This examines the SSL certificate metadata, if available, as well as the
+   * connection type and other security-related state information for the page.
    *
-   * @param PRUint32 state
-   * @param nsIURI uri The address for which the UI should be updated.
+   * @param state
+   *        Bitmask provided by nsIWebProgressListener.onSecurityChange.
+   * @param uri
+   *        nsIURI for which the identity UI should be displayed, already
+   *        processed by nsIURIFixup.createExposableURI.
    */
-  checkIdentity : function(state, uri) {
-    let nsIWebProgressListener = Ci.nsIWebProgressListener;
-
-    // For some URIs like data: we can't get a host. URIs without a host will
-    // usually be treated as a non-secure connection if they're not on the
-    // whitelist below and don't resolve to file:// URIs internally.
-    let unknown = false;
+  updateIdentity(state, uri) {
+    this._state = state;
+    this._uri = uri;
+
+    // Firstly, populate the state properties required to display the UI. See
+    // the documentation of the individual properties for details.
+
     try {
-      uri.host;
-    } catch (e) { unknown = true; }
-
-    // Chrome URIs however get special treatment. Some chrome URIs are
-    // whitelisted to provide a positive security signal to the user.
+      this._uri.host;
+      this._uriHasHost = true;
+    } catch (ex) {
+      this._uriHasHost = false;
+    }
+
     let whitelist = /^(?:accounts|addons|app-manager|cache|config|crashes|customizing|downloads|healthreport|home|license|newaddon|permissions|preferences|privatebrowsing|rights|sessionrestore|support|welcomeback)(?:[?#]|$)/i;
-    let isChromeUI = uri.schemeIs("about") && whitelist.test(uri.path);
-    let mode = this.IDENTITY_MODE_UNKNOWN;
-
-    if (isChromeUI) {
-      mode = this.IDENTITY_MODE_CHROMEUI;
-    } else if (unknown) {
-      // Use default mode.
-    } else if (state & nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL) {
-      if (state & nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT) {
-        mode = this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED_IDENTIFIED;
-      } else {
-        mode = this.IDENTITY_MODE_IDENTIFIED;
-      }
-    } else if (state & nsIWebProgressListener.STATE_IS_SECURE) {
-      if (state & nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT) {
-        mode = this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED;
-      } else {
-        mode = this.IDENTITY_MODE_DOMAIN_VERIFIED;
-      }
-    } else if (state & nsIWebProgressListener.STATE_IS_BROKEN) {
-      if (state & nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT) {
-        mode = this.IDENTITY_MODE_MIXED_ACTIVE_LOADED;
-      } else if (state & nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT) {
-        mode = this.IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED;
-      } else if (state & nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT) {
-        mode = this.IDENTITY_MODE_MIXED_DISPLAY_LOADED;
-      } else {
-        mode = this.IDENTITY_MODE_USES_WEAK_CIPHER;
-      }
-    }
-
-    // We need those values later when populating the control center.
-    this._uri = uri;
-    this._state = state;
-    this._isChromeUI = isChromeUI;
-    this._sslStatus =
-      gBrowser.securityUI.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
-
-    // Update the identity block.
+    this._isSecureInternalUI = uri.schemeIs("about") && whitelist.test(uri.path);
+
+    this._sslStatus = gBrowser.securityUI
+                              .QueryInterface(Ci.nsISSLStatusProvider)
+                              .SSLStatus;
+    if (this._sslStatus) {
+      this._sslStatus.QueryInterface(Ci.nsISSLStatus);
+    }
+
+    // Then, update the user interface with the available data.
+
     if (this._identityBox) {
-      this._identityBox.className = mode;
-      this.refreshIdentityBlock(mode);
+      this.refreshIdentityBlock();
     }
 
     // NOTE: We do NOT update the identity popup (the control center) when
     // we receive a new security state. If the user opened the popup and looks
     // at the provided information we don't want to suddenly change the panel
     // contents.
   },
 
@@ -6999,80 +6989,103 @@ var gIdentityHandler = {
     } catch (e) {
       // If something goes wrong (e.g. host is an IP address) just fail back
       // to the full domain.
       return this._uri.host;
     }
   },
 
   /**
-   * Return the current mode, which should be one of IDENTITY_MODE_*.
+   * Return the CSS class name to set on the "fullscreen-warning" element to
+   * display information about connection security in the notification shown
+   * when a site enters the fullscreen mode.
    */
-  getMode: function() {
-    return this._mode;
+  get fullscreenWarningClassName() {
+    // Note that the fullscreen warning does not handle _isSecureInternalUI.
+    if (this._uriHasHost && this._isEV) {
+      return "verifiedIdentity";
+    }
+    if (this._uriHasHost && this._isSecure) {
+      return "verifiedDomain";
+    }
+    return "unknownIdentity";
   },
 
   /**
-   * Set up the messages for the primary identity UI based on the specified mode,
-   * and the details of the SSL cert, where applicable
-   *
-   * @param newMode The newly set identity mode.  Should be one of the IDENTITY_MODE_* constants.
+   * Updates the identity block user interface with the data from this object.
    */
-  refreshIdentityBlock(newMode) {
+  refreshIdentityBlock() {
     let icon_label = "";
     let tooltip = "";
     let icon_country_label = "";
     let icon_labels_dir = "ltr";
 
-    switch (newMode) {
-    case this.IDENTITY_MODE_DOMAIN_VERIFIED:
-    case this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED: {
-      let iData = this.getIdentityData();
-
-      // Verifier is either the CA Org, for a normal cert, or a special string
-      // for certs that are trusted because of a security exception.
-      tooltip = gNavigatorBundle.getFormattedString("identity.identified.verifier",
-                                                    [iData.caOrg]);
-
-      // This can't throw, because URI's with a host that throw don't end up in this case.
-      let host = this._uri.host;
-      let port = 443;
-      try {
-        if (this._uri.port > 0)
-          port = this._uri.port;
-      } catch (e) {}
-
-      if (this._overrideService.hasMatchingOverride(host, port, iData.cert, {}, {}))
-        tooltip = gNavigatorBundle.getString("identity.identified.verified_by_you");
-
-      break; }
-    case this.IDENTITY_MODE_IDENTIFIED:
-    case this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED_IDENTIFIED: {
+    if (this._isSecureInternalUI) {
+      this._identityBox.className = "chromeUI";
+      let brandBundle = document.getElementById("bundle_brand");
+      icon_label = brandBundle.getString("brandShorterName");
+    } else if (this._uriHasHost && this._isEV) {
+      this._identityBox.className = "verifiedIdentity";
+      if (this._isMixedActiveContentBlocked) {
+        this._identityBox.classList.add("mixedActiveBlocked");
+      }
+
       // If it's identified, then we can populate the dialog with credentials
       let iData = this.getIdentityData();
       tooltip = gNavigatorBundle.getFormattedString("identity.identified.verifier",
                                                     [iData.caOrg]);
       icon_label = iData.subjectOrg;
       if (iData.country)
         icon_country_label = "(" + iData.country + ")";
 
       // If the organization name starts with an RTL character, then
       // swap the positions of the organization and country code labels.
       // The Unicode ranges reflect the definition of the UCS2_CHAR_IS_BIDI
       // macro in intl/unicharutil/util/nsBidiUtils.h. When bug 218823 gets
       // fixed, this test should be replaced by one adhering to the
       // Unicode Bidirectional Algorithm proper (at the paragraph level).
       icon_labels_dir = /^[\u0590-\u08ff\ufb1d-\ufdff\ufe70-\ufefc]/.test(icon_label) ?
                         "rtl" : "ltr";
-      break; }
-    case this.IDENTITY_MODE_CHROMEUI:
-      let brandBundle = document.getElementById("bundle_brand");
-      icon_label = brandBundle.getString("brandShorterName");
-      break;
-    default:
+
+    } else if (this._uriHasHost && this._isSecure) {
+      this._identityBox.className = "verifiedDomain";
+      if (this._isMixedActiveContentBlocked) {
+        this._identityBox.classList.add("mixedActiveBlocked");
+      }
+
+      let iData = this.getIdentityData();
+
+      // Verifier is either the CA Org, for a normal cert, or a special string
+      // for certs that are trusted because of a security exception.
+      tooltip = gNavigatorBundle.getFormattedString("identity.identified.verifier",
+                                                    [iData.caOrg]);
+
+      let host = this._uri.host;
+      let port = 443;
+      try {
+        if (this._uri.port > 0)
+          port = this._uri.port;
+      } catch (e) {}
+
+      if (this._overrideService.hasMatchingOverride(host, port, iData.cert, {}, {})) {
+        tooltip = gNavigatorBundle.getString("identity.identified.verified_by_you");
+      }
+    } else {
+      this._identityBox.className = "unknownIdentity";
+      if (this._isBroken) {
+        if (this._isMixedActiveContentLoaded) {
+          this._identityBox.classList.add("mixedActiveContent");
+        } else if (this._isMixedActiveContentBlocked) {
+          this._identityBox.classList.add("mixedDisplayContentLoadedActiveBlocked");
+        } else if (this._isMixedPassiveContentLoaded) {
+          this._identityBox.classList.add("mixedDisplayContent");
+        } else {
+          this._identityBox.classList.add("weakCipher");
+        }
+      }
       tooltip = gNavigatorBundle.getString("identity.unknown.tooltip");
     }
 
     // Push the appropriate strings out to the UI
     this._identityBox.tooltipText = tooltip;
     this._identityIconLabel.value = icon_label;
     this._identityIconCountryLabel.value = icon_country_label;
     // Set cropping and direction
@@ -7088,58 +7101,45 @@ var gIdentityHandler = {
    * applicable
    */
   refreshIdentityPopup() {
     // Update the "Learn More" hrefs for Mixed Content Blocking.
     let baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");
     let learnMoreHref = `${baseURL}mixed-content`;
     this._identityPopupMixedContentLearnMore.setAttribute("href", learnMoreHref);
 
-    // Basic connection properties.
-    let isBroken = this._state & Ci.nsIWebProgressListener.STATE_IS_BROKEN;
-    let isSecure = this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE;
-    let isEV = this._state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
-
     // Determine connection security information.
     let connection = "not-secure";
-    if (this._isChromeUI) {
+    if (this._isSecureInternalUI) {
       connection = "chrome";
-    } else if (this._isURILoadedFromFile(this._uri)) {
+    } else if (this._isURILoadedFromFile) {
       connection = "file";
-    } else if (isEV) {
+    } else if (this._isEV) {
       connection = "secure-ev";
-    } else if (isSecure) {
+    } else if (this._isSecure) {
       connection = "secure";
     }
 
-    // Mixed content flags.
-    let isMixedActiveContentLoaded =
-      this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT;
-    let isMixedActiveContentBlocked =
-      this._state & Ci.nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
-    let isMixedPassiveContentLoaded =
-      this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT;
-
     // Determine the mixed content state.
     let mixedcontent = [];
-    if (isMixedPassiveContentLoaded) {
+    if (this._isMixedPassiveContentLoaded) {
       mixedcontent.push("passive-loaded");
     }
-    if (isMixedActiveContentLoaded) {
+    if (this._isMixedActiveContentLoaded) {
       mixedcontent.push("active-loaded");
-    } else if (isMixedActiveContentBlocked) {
+    } else if (this._isMixedActiveContentBlocked) {
       mixedcontent.push("active-blocked");
     }
     mixedcontent = mixedcontent.join(" ");
 
     // We have no specific flags for weak ciphers (yet). If a connection is
     // broken and we can't detect any mixed content loaded then it's a weak
     // cipher.
     let ciphers = "";
-    if (isBroken && !isMixedActiveContentLoaded && !isMixedPassiveContentLoaded) {
+    if (this._isBroken && !this._isMixedActiveContentLoaded && !this._isMixedPassiveContentLoaded) {
       ciphers = "weak";
     }
 
     // Update all elements.
     let elementIDs = [
       "identity-popup",
       "identity-popup-securityView-body",
     ];
@@ -7152,17 +7152,17 @@ var gIdentityHandler = {
       }
     }
 
     for (let id of elementIDs) {
       let element = document.getElementById(id);
       updateAttribute(element, "connection", connection);
       updateAttribute(element, "ciphers", ciphers);
       updateAttribute(element, "mixedcontent", mixedcontent);
-      updateAttribute(element, "isbroken", isBroken);
+      updateAttribute(element, "isbroken", this._isBroken);
     }
 
     // Initialize the optional strings to empty values
     let supplemental = "";
     let verifier = "";
     let host = "";
     let owner = "";
     let crop = "start";
@@ -7174,22 +7174,22 @@ var gIdentityHandler = {
     }
 
     // Fallback for special protocols.
     if (!host) {
       host = this._uri.specIgnoringRef;
     }
 
     // Fill in the CA name if we have a valid TLS certificate.
-    if (isSecure) {
+    if (this._isSecure) {
       verifier = this._identityBox.tooltipText;
     }
 
     // Fill in organization information if we have a valid EV certificate.
-    if (isEV) {
+    if (this._isEV) {
       crop = "end";
 
       let iData = this.getIdentityData();
       host = owner = iData.subjectOrg;
       verifier = this._identityBox.tooltipText;
 
       // Build an appropriate supplemental block out of whatever location data we have
       if (iData.city)
@@ -7211,20 +7211,20 @@ var gIdentityHandler = {
     this._identityPopupContentOwner.textContent = owner;
     this._identityPopupContentSupp.textContent = supplemental;
     this._identityPopupContentVerif.textContent = verifier;
 
     // Update per-site permissions section.
     this.updateSitePermissions();
   },
 
-  _isURILoadedFromFile(uri) {
+  get _isURILoadedFromFile() {
     // Create a channel for the sole purpose of getting the resolved URI
     // of the request to determine if it's loaded from the file system.
-    let chanOptions = {uri, loadUsingSystemPrincipal: true};
+    let chanOptions = {uri: this._uri, loadUsingSystemPrincipal: true};
     let resolvedURI;
     try {
       resolvedURI = NetUtil.newChannel(chanOptions).URI;
       if (resolvedURI.schemeIs("jar")) {
         // Given a URI "jar:<jar-file-uri>!/<jar-entry>"
         // create a new URI using <jar-file-uri>!/<jar-entry>
         resolvedURI = NetUtil.newURI(resolvedURI.path);
       }
--- a/browser/base/content/test/general/browser_aboutSupport_newtab_security_state.js
+++ b/browser/base/content/test/general/browser_aboutSupport_newtab_security_state.js
@@ -16,13 +16,12 @@ add_task(function* checkIdentityOfAboutS
     allowThirdPartyFixup: false,
     relatedToCurrent: false,
     skipAnimation: true,
     allowMixedContent: false
   });
 
   yield promiseTabLoaded(tab);
   let identityBox = document.getElementById("identity-box");
-  is(identityBox.className, gIdentityHandler.IDENTITY_MODE_CHROMEUI,
-     "Should know that we're chrome.");
+  is(identityBox.className, "chromeUI", "Should know that we're chrome.");
   gBrowser.removeTab(tab);
 });
 
--- a/browser/base/content/test/general/browser_bug435035.js
+++ b/browser/base/content/test/general/browser_bug435035.js
@@ -1,16 +1,16 @@
 function test() {
   waitForExplicitFinish();
 
   gBrowser.selectedTab = gBrowser.addTab();
   gBrowser.selectedBrowser.addEventListener("load", function () {
     gBrowser.selectedBrowser.removeEventListener("load", arguments.callee, true);
     is(document.getElementById("identity-box").className,
-       gIdentityHandler.IDENTITY_MODE_MIXED_DISPLAY_LOADED,
+       "unknownIdentity mixedDisplayContent",
        "identity box has class name for mixed content");
 
     gBrowser.removeCurrentTab();
     finish();
   }, true);
 
   content.location = "https://example.com/browser/browser/base/content/test/general/test_bug435035.html";
 }
--- a/browser/base/content/test/general/browser_identity_UI.js
+++ b/browser/base/content/test/general/browser_identity_UI.js
@@ -102,15 +102,16 @@ function nextTest() {
 }
 
 function checkResult() {
   // Sanity check other values, and the value of gIdentityHandler.getEffectiveHost()
   is(gIdentityHandler._uri.spec, gCurrentTest.location, "location matches for test " + gTestDesc);
   // getEffectiveHost can't be called for all modes
   if (gCurrentTest.effectiveHost === null) {
     let identityBox = document.getElementById("identity-box");
-    is(identityBox.className == gIdentityHandler.IDENTITY_MODE_UNKNOWN || identityBox.className == gIdentityHandler.IDENTITY_MODE_CHROMEUI, true, "mode matched");
+    ok(identityBox.className == "unknownIdentity" ||
+       identityBox.className == "chromeUI", "mode matched");
   } else {
     is(gIdentityHandler.getEffectiveHost(), gCurrentTest.effectiveHost, "effectiveHost matches for test " + gTestDesc);
   }
 
   executeSoon(nextTest);
 }
--- a/browser/base/content/test/general/head.js
+++ b/browser/base/content/test/general/head.js
@@ -801,29 +801,26 @@ function assertMixedContentBlockingState
     // should always be visible regardless of MCB state.
     ok(classList.contains("unknownIdentity"), "unknownIdentity on HTTP page");
     is(identityBoxImage, "url(\"chrome://browser/skin/identity-not-secure.svg\")", "Using 'non-secure' icon");
 
     ok(!classList.contains("mixedActiveContent"), "No MCB icon on HTTP page");
     ok(!classList.contains("mixedActiveBlocked"), "No MCB icon on HTTP page");
     ok(!classList.contains("mixedDisplayContent"), "No MCB icon on HTTP page");
     ok(!classList.contains("mixedDisplayContentLoadedActiveBlocked"), "No MCB icon on HTTP page");
-    ok(!classList.contains("mixedContent"), "No MCB icon on HTTP page");
   } else {
     // Make sure the identity box UI has the correct mixedcontent states and icons
     is(classList.contains("mixedActiveContent"), activeLoaded,
         "identityBox has expected class for activeLoaded");
     is(classList.contains("mixedActiveBlocked"), activeBlocked && !passiveLoaded,
         "identityBox has expected class for activeBlocked && !passiveLoaded");
     is(classList.contains("mixedDisplayContent"), passiveLoaded && !(activeLoaded || activeBlocked),
        "identityBox has expected class for passiveLoaded && !(activeLoaded || activeBlocked)");
     is(classList.contains("mixedDisplayContentLoadedActiveBlocked"), passiveLoaded && activeBlocked,
        "identityBox has expected class for passiveLoaded && activeBlocked");
-    is (classList.contains("mixedContent"), activeBlocked || activeLoaded || passiveLoaded,
-       "identityBox has expected class for mixed content");
 
     if (activeLoaded) {
       is(identityBoxImage, "url(\"chrome://browser/skin/identity-mixed-active-loaded.svg\")",
         "Using active loaded icon");
     }
     if (activeBlocked && !passiveLoaded) {
       is(identityBoxImage, "url(\"chrome://browser/skin/identity-mixed-active-blocked.svg\")",
         "Using active blocked icon");