Bug 1262009 - Treat all file connections (including chrome uris) as non secure connections;r=tanvi
authorBrian Grinstead <bgrinstead@mozilla.com>
Wed, 13 Apr 2016 10:42:37 -0700
changeset 330922 3f43e85a0cfd4281451cc0049fd1638885a1e670
parent 330853 196a0e282b3e33aa3d82ae6f3e7d21390d2a60fd
child 330923 f8ec60f2667eb6c1195e24a08e866caea6cb034f
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
treeherdermozilla-beta@46d72a56c57d [default view] [failures only]
reviewerstanvi
bugs1262009
milestone48.0a1
Bug 1262009 - Treat all file connections (including chrome uris) as non secure connections;r=tanvi If a <browser> is included within a chrome document, then this._state will refer to the security state for the <browser> and not the top level document. In this case, don't upgrade the security state in the UI with the secure state of the embedded <browser>.
browser/base/content/browser.js
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -6406,21 +6406,29 @@ var gIdentityHandler = {
    */
   _state: 0,
 
   get _isBroken() {
     return this._state & Ci.nsIWebProgressListener.STATE_IS_BROKEN;
   },
 
   get _isSecure() {
-    return this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE;
+    // If a <browser> is included within a chrome document, then this._state
+    // will refer to the security state for the <browser> and not the top level
+    // document. In this case, don't upgrade the security state in the UI
+    // with the secure state of the embedded <browser>.
+    return !this._isURILoadedFromFile && this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE;
   },
 
   get _isEV() {
-    return this._state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
+    // If a <browser> is included within a chrome document, then this._state
+    // will refer to the security state for the <browser> and not the top level
+    // document. In this case, don't upgrade the security state in the UI
+    // with the EV state of the embedded <browser>.
+    return !this._isURILoadedFromFile && this._state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
   },
 
   get _isMixedActiveContentLoaded() {
     return this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT;
   },
 
   get _isMixedActiveContentBlocked() {
     return this._state & Ci.nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
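Review bot: The new return expressions in `_isSecure` and `_isEV` mix `!`, `&&` and `&` without parentheses, and they evaluate as intended only because `&` binds tighter than `&&`. I would write `return !this._isURILoadedFromFile && (this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE);` and do the same for the EV flag. Both getters now return either `false` or a bitmask instead of always a number, which is fine for truthiness tests but worth a word in the comment. The comment also describes the embedded `<browser>` case without saying why a file check covers it; a line such as `// chrome: URIs resolve to file/jar URIs, so _isURILoadedFromFile is true for chrome documents` would connect the two, assuming that is how the resolution in `isURILoadedFromFile` behaves.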
@@ -6603,16 +6611,17 @@ var gIdentityHandler = {
    * @param uri
    *        nsIURI for which the identity UI should be displayed, already
    *        processed by nsIURIFixup.createExposableURI.
    */
   updateIdentity(state, uri) {
     let shouldHidePopup = this._uri && (this._uri.spec != uri.spec);
     this._state = state;
     this._uri = uri;
+    this._isURILoadedFromFile = this.isURILoadedFromFile();
 
     // Firstly, populate the state properties required to display the UI. See
     // the documentation of the individual properties for details.
 
     try {
       this._uri.host;
       this._uriHasHost = true;
     } catch (ex) {
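Review bot: `_isURILoadedFromFile` is now a cached field, but it is only assigned on this new line and is not declared next to `_state`, so it is `undefined` until `updateIdentity` first runs and `!this._isURILoadedFromFile` in the getters is then true. `_state` starts at 0, so the indicator should still read as not secure in that window, but that relies on nothing else writing `_state` first, which the visible hunks do not show. I would declare the field beside `_state` with a short doc comment and add `// Must follow the _uri assignment: isURILoadedFromFile() reads this._uri.` above the new line. The body of `updateIdentity` continues outside the hunk.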
@@ -6956,17 +6965,17 @@ var gIdentityHandler = {
     this._identityPopupContentOwner.textContent = owner;
     this._identityPopupContentSupp.textContent = supplemental;
     this._identityPopupContentVerif.textContent = verifier;
 
     // Update per-site permissions section.
     this.updateSitePermissions();
   },
 
-  get _isURILoadedFromFile() {
+  isURILoadedFromFile() {
     // Create a channel for the sole purpose of getting the resolved URI
     // of the request to determine if it's loaded from the file system.
     let chanOptions = {uri: this._uri, loadUsingSystemPrincipal: true};
     let resolvedURI;
     try {
       resolvedURI = NetUtil.newChannel(chanOptions).URI;
       if (resolvedURI.schemeIs("jar")) {
         // Given a URI "jar:<jar-file-uri>!/<jar-entry>"
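Review bot: The method `isURILoadedFromFile()` and the cached field `_isURILoadedFromFile` now differ only by a leading underscore, so a later edit that writes `this.isURILoadedFromFile` without the call parentheses would test an always-truthy function reference instead of the result. A name that says it computes the value, for example `_computeIsURILoadedFromFile()`, keeps the two apart and matches the underscore convention of the other internal members. Any reader of the old getter outside this diff now sees the value as of the last `updateIdentity` call rather than a fresh resolution, which is worth stating in the method comment. The method body continues outside the hunk.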