Bug 1116428 - Part 2: Present SSLv3 and RC4 warnings in Network Monitor UI. r=vporof
authorSami Jaktholm <sjakthol@outlook.com>
Sat, 24 Jan 2015 12:47:15 +0200
changeset 254801 06e5cde2c6fc82a5a76bc8eb136df34b1387208b
parent 254800 046c7d482f36f80aed6c992b25a9d1462b74675e
child 254802 dc24497dbda4bf508a69237ddc8b9b9a909b50ab
push id721
push userjlund@mozilla.com
push dateTue, 21 Apr 2015 23:03:33 +0000
treeherdermozilla-release@d27c9211ebb3 [default view] [failures only]
reviewersvporof
bugs1116428
milestone38.0a1
Bug 1116428 - Part 2: Present SSLv3 and RC4 warnings in Network Monitor UI. r=vporof
browser/devtools/netmonitor/netmonitor-view.js
browser/devtools/netmonitor/netmonitor.xul
browser/devtools/netmonitor/test/browser.ini
browser/devtools/netmonitor/test/browser_net_security-state.js
browser/devtools/netmonitor/test/browser_net_security-warnings.js
browser/locales/en-US/chrome/browser/devtools/netmonitor.dtd
browser/locales/en-US/chrome/browser/devtools/netmonitor.properties
browser/themes/shared/devtools/netmonitor.inc.css
--- a/browser/devtools/netmonitor/netmonitor-view.js
+++ b/browser/devtools/netmonitor/netmonitor-view.js
@@ -1678,17 +1678,17 @@ RequestsMenuView.prototype = Heritage.ex
   },
 
   /**
    * A handler that opens the security tab in the details view if secure or
    * broken security indicator is clicked.
    */
   _onSecurityIconClick: function(e) {
     let state = this.selectedItem.attachment.securityState;
-    if (state === "broken" || state === "secure") {
+    if (state !== "insecure") {
       // Choose the security tab.
       NetMonitorView.NetworkDetails.widget.selectedIndex = 5;
     }
   },
 
   /**
    * The resize listener for this container's window.
    */
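Review bot: The new test `state !== "insecure"` in _onSecurityIconClick is a deny-list, so any value other than "insecure" now switches the details pane to the security tab; that would include an undefined securityState on an item whose security info has not arrived yet (if that can happen) and any state added later. Listing the states that actually have a security panel avoids opening a tab with nothing to show: `if (state === "secure" || state === "weak" || state === "broken") {`. The doc comment above the handler still says "secure or broken" and should mention the weak indicator as well.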
@@ -2760,20 +2760,32 @@ NetworkDetailsView.prototype = {
         label.value = value;
         label.setAttribute("tooltiptext", value);
       }
     }
 
     let errorbox = $("#security-error");
     let infobox = $("#security-information");
 
-    if (securityInfo.state === "secure") {
+    if (securityInfo.state === "secure" || securityInfo.state === "weak") {
       infobox.hidden = false;
       errorbox.hidden = true;
 
+      // Warning icons
+      let cipher = $("#security-warning-cipher");
+      let sslv3 = $("#security-warning-sslv3");
+
+      if (securityInfo.state === "weak") {
+        cipher.hidden = securityInfo.weaknessReasons.indexOf("cipher") === -1;
+        sslv3.hidden = securityInfo.weaknessReasons.indexOf("sslv3") === -1;
+      } else {
+        cipher.hidden = true;
+        sslv3.hidden = true;
+      }
+
       let enabledLabel = L10N.getStr("netmonitor.security.enabled");
       let disabledLabel = L10N.getStr("netmonitor.security.disabled");
 
       // Connection parameters
       setLabel("#security-protocol-version-value", securityInfo.protocolVersion);
       setLabel("#security-ciphersuite-value", securityInfo.cipherSuite);
 
       // Host header
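Review bot: In the `securityInfo.state === "weak"` branch both icons are derived only from the two known reasons, so a weak connection whose weaknessReasons holds neither "cipher" nor "sslv3" is rendered exactly like a secure one, and a missing weaknessReasons array throws on `.indexOf` before the rest of the panel is filled in. Whether the server side can send either shape is not visible here, but the panel should not fail towards "no warning": read the list defensively with `let reasons = securityInfo.weaknessReasons || [];` and consider a generic warning when the state is weak and no known reason matched. The enclosing function starts and ends outside this hunk.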
--- a/browser/devtools/netmonitor/netmonitor.xul
+++ b/browser/devtools/netmonitor/netmonitor.xul
@@ -501,26 +501,32 @@
                               class="tabpanel-summary-container"
                               align="center">
                           <label class="plain tabpanel-summary-label"
                                  value="&netmonitorUI.security.protocolVersion;"/>
                           <label id="security-protocol-version-value"
                                  class="plain tabpanel-summary-value devtools-monospace"
                                  crop="end"
                                  flex="1"/>
+                          <image class="security-warning-icon"
+                                 id="security-warning-sslv3"
+                                 tooltiptext="&netmonitorUI.security.warning.sslv3;" />
                         </hbox>
                         <hbox id="security-ciphersuite"
                               class="tabpanel-summary-container"
                               align="center">
                           <label class="plain tabpanel-summary-label"
                                  value="&netmonitorUI.security.cipherSuite;"/>
                           <label id="security-ciphersuite-value"
                                  class="plain tabpanel-summary-value devtools-monospace"
                                  crop="end"
                                  flex="1"/>
+                          <image class="security-warning-icon"
+                                 id="security-warning-cipher"
+                                 tooltiptext="&netmonitorUI.security.warning.cipher;" />
                         </hbox>
                       </vbox>
                     </vbox>
                     <vbox id="security-info-domain"
                           class="tabpanel-summary-container">
                       <label class="plain tabpanel-summary-label"
                              id="security-info-host-header"/>
                       <vbox class="security-info-section">
--- a/browser/devtools/netmonitor/test/browser.ini
+++ b/browser/devtools/netmonitor/test/browser.ini
@@ -87,16 +87,17 @@ skip-if = e10s # Bug 1091603
 skip-if = e10s # Bug 1091612
 [browser_net_security-details.js]
 [browser_net_security-error.js]
 [browser_net_security-icon-click.js]
 [browser_net_security-redirect.js]
 [browser_net_security-state.js]
 [browser_net_security-tab-deselect.js]
 [browser_net_security-tab-visibility.js]
+[browser_net_security-warnings.js]
 [browser_net_simple-init.js]
 [browser_net_simple-request-data.js]
 [browser_net_simple-request-details.js]
 [browser_net_simple-request.js]
 [browser_net_sort-01.js]
 [browser_net_sort-02.js]
 [browser_net_sort-03.js]
 [browser_net_statistics-01.js]
--- a/browser/devtools/netmonitor/test/browser_net_security-state.js
+++ b/browser/devtools/netmonitor/test/browser_net_security-state.js
@@ -8,16 +8,17 @@
  * state.
  */
 
 add_task(function* () {
   const EXPECTED_SECURITY_STATES = {
     "test1.example.com": "security-state-insecure",
     "example.com": "security-state-secure",
     "nocert.example.com": "security-state-broken",
+    "rc4.example.com": "security-state-weak",
   };
 
   let [tab, debuggee, monitor] = yield initNetMonitor(CUSTOM_GET_URL);
   let { $, EVENTS, NetMonitorView } = monitor.panelWin;
   let { RequestsMenu } = NetMonitorView;
   RequestsMenu.lazyUpdate = false;
 
   yield performRequests();
@@ -65,17 +66,22 @@ add_task(function* () {
     debuggee.performRequests(1, "http://test1.example.com" + CORS_SJS_PATH);
     yield done;
 
     done = waitForNetworkEvents(monitor, 1);
     info("Requesting a resource over HTTPS.");
     debuggee.performRequests(1, "https://example.com" + CORS_SJS_PATH);
     yield done;
 
-    is(RequestsMenu.itemCount, 3, "Three events logged.");
+    done = waitForNetworkEvents(monitor, 1);
+    info("Requesting a resource over HTTPS with RC4.");
+    debuggee.performRequests(1, "https://rc4.example.com" + CORS_SJS_PATH);
+    yield done;
+
+    is(RequestsMenu.itemCount, 4, "Four events logged.");
   }
 
   /**
    * Returns a promise that's resolved once a request with security issues is
    * completed.
    */
   function waitForSecurityBrokenNetworkEvent() {
     let awaitedEvents = [
new file mode 100644
--- /dev/null
+++ b/browser/devtools/netmonitor/test/browser_net_security-warnings.js
@@ -0,0 +1,81 @@
+/* vim: set ft=javascript ts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+/**
+ * Test that warning indicators are shown when appropriate.
+ */
+
+const TEST_CASES = [
+  {
+    desc: "no warnings",
+    uri: "https://example.com" + CORS_SJS_PATH,
+    warnCipher: false,
+    warnSSLv3: false,
+  },
+  {
+    desc: "sslv3 warning",
+    uri: "https://ssl3.example.com" + CORS_SJS_PATH,
+    warnCipher: false,
+    warnSSLv3: true,
+  },
+  {
+    desc: "cipher warning",
+    uri: "https://rc4.example.com" + CORS_SJS_PATH,
+    warnCipher: true,
+    warnSSLv3: false,
+  },
+  {
+    desc: "cipher and sslv3 warning",
+    uri: "https://ssl3rc4.example.com" + CORS_SJS_PATH,
+    warnCipher: true,
+    warnSSLv3: true,
+  },
+];
+
+add_task(function* () {
+  let [tab, debuggee, monitor] = yield initNetMonitor(CUSTOM_GET_URL);
+  let { $, EVENTS, NetMonitorView } = monitor.panelWin;
+  let { RequestsMenu, NetworkDetails } = NetMonitorView;
+  RequestsMenu.lazyUpdate = false;
+
+  info("Enabling SSLv3 for the test.");
+  yield new promise(resolve => {
+    SpecialPowers.pushPrefEnv({"set": [["security.tls.version.min", 0]]}, resolve);
+  });
+
+  let cipher = $("#security-warning-cipher");
+  let sslv3 = $("#security-warning-sslv3");
+
+  for (let test of TEST_CASES) {
+    info("Testing site with " + test.desc);
+
+    info("Performing request to " + test.uri);
+    debuggee.performRequests(1, test.uri);
+    yield waitForNetworkEvents(monitor, 1);
+
+    info("Selecting the request.");
+    RequestsMenu.selectedIndex = 0;
+
+    info("Waiting for details pane to be updated.");
+    yield monitor.panelWin.once(EVENTS.TAB_UPDATED);
+
+    if (NetworkDetails.widget.selectedIndex !== 5) {
+      info("Selecting security tab.");
+      NetworkDetails.widget.selectedIndex = 5;
+
+      info("Waiting for details pane to be updated.");
+      yield monitor.panelWin.once(EVENTS.TAB_UPDATED);
+    }
+
+    is(cipher.hidden, !test.warnCipher, "Cipher suite warning is hidden.");
+    is(sslv3.hidden, !test.warnSSLv3, "SSLv3 warning is hidden.");
+
+    RequestsMenu.clear();
+
+  }
+
+  yield teardown(monitor);
+
+});
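Review bot: In the loop, `debuggee.performRequests(1, test.uri)` runs before `waitForNetworkEvents(monitor, 1)` is called, whereas browser_net_security-state.js in this same commit creates the waiter first and yields it afterwards; if waitForNetworkEvents attaches its listeners when called, events from a fast response could be missed and the test would hang intermittently. Reorder to `let done = waitForNetworkEvents(monitor, 1);`, `debuggee.performRequests(1, test.uri);`, `yield done;`. The two `is()` messages also say "is hidden" even for cases that expect the icon to be visible, which makes a failure log misleading; a message such as `"Cipher suite warning visibility is correct for " + test.desc` reads correctly in both directions.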
--- a/browser/locales/en-US/chrome/browser/devtools/netmonitor.dtd
+++ b/browser/locales/en-US/chrome/browser/devtools/netmonitor.dtd
@@ -197,16 +197,24 @@
   -  in a "wait" state. -->
 <!ENTITY netmonitorUI.timings.wait        "Waiting:">
 
 <!-- LOCALIZATION NOTE (debuggerUI.timings.receive): This is the label displayed
   -  in the network details timings tab identifying the amount of time spent
   -  in a "receive" state. -->
 <!ENTITY netmonitorUI.timings.receive     "Receiving:">
 
+<!-- LOCALIZATION NOTE (netmonitorUI.security.warning.protocol): A tooltip
+  -  for warning icon that indicates a connection uses insecure protocol. -->
+<!ENTITY netmonitorUI.security.warning.sslv3      "The protocol SSL 3.0 is deprecated and insecure.">
+
+<!-- LOCALIZATION NOTE (netmonitorUI.security.warning.cipher): A tooltip
+  -  for warning icon that indicates a connection uses insecure cipher suite. -->
+<!ENTITY netmonitorUI.security.warning.cipher     "The cipher used for encryption is deprecated and insecure.">
+
 <!-- LOCALIZATION NOTE (netmonitorUI.security.error): This is the label displayed
   -  in the security tab if a security error prevented the connection. -->
 <!ENTITY netmonitorUI.security.error      "An error occured:">
 
 <!-- LOCALIZATION NOTE (netmonitorUI.security.protocolVersion): This is the label displayed
   -  in the security tab describing TLS/SSL protocol version. -->
 <!ENTITY netmonitorUI.security.protocolVersion "Protocol version:">
 
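Review bot: The first added LOCALIZATION NOTE names `netmonitorUI.security.warning.protocol`, but the entity it documents is `netmonitorUI.security.warning.sslv3`; the note should carry the entity's real name so it stays attached to the string, i.e. `<!-- LOCALIZATION NOTE (netmonitorUI.security.warning.sslv3): A tooltip`. Since the string hard-codes SSL 3.0, the note could also say that it is shown only for SSLv3 connections rather than for any insecure protocol.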
--- a/browser/locales/en-US/chrome/browser/devtools/netmonitor.properties
+++ b/browser/locales/en-US/chrome/browser/devtools/netmonitor.properties
@@ -39,16 +39,20 @@ netmonitor.security.state.secure=The con
 # channel i.e. the connection was not encrypted.
 netmonitor.security.state.insecure=The connection used to fetch this resource was not encrypted.
 
 # LOCALIZATION NOTE (netmonitor.security.state.broken)
 # This string is used as an tooltip for request that failed due to security
 # issues.
 netmonitor.security.state.broken=A security error prevented the resource from being loaded.
 
+# LOCALIZATION NOTE (netmonitor.security.state.weak)
+# This string is used as an tooltip for request that had minor security issues
+netmonitor.security.state.weak=This resource was transferred over a connection that used weak encryption.
+
 # LOCALIZATION NOTE (netmonitor.security.enabled):
 # This string is used to indicate that a specific security feature is used by
 # a connection in the security details tab.
 # For example: "HTTP Strict Transport Security: Enabled"
 netmonitor.security.enabled=Enabled
 
 # LOCALIZATION NOTE (netmonitor.security.disabled):
 # This string is used to indicate that a specific security feature is not used by
--- a/browser/themes/shared/devtools/netmonitor.inc.css
+++ b/browser/themes/shared/devtools/netmonitor.inc.css
@@ -173,16 +173,21 @@
   list-style-image: url(chrome://browser/skin/identity-icons-generic.png);
 }
 
 .security-state-secure {
   cursor: pointer;
   list-style-image: url(chrome://browser/skin/identity-icons-https.png);
 }
 
+.security-state-weak {
+  cursor: pointer;
+  list-style-image: url(chrome://browser/skin/identity-icons-https-mixed-display.png);
+}
+
 .security-state-broken {
   cursor: pointer;
   list-style-image: url(chrome://browser/skin/identity-icons-https-mixed-active.png);
 }
 
 .requests-menu-type {
   text-align: center;
   width: 4em;
@@ -573,16 +578,31 @@ label.requests-menu-status-code {
 #security-tabpanel {
   overflow: auto;
 }
 
 #security-error-message {
   white-space: pre-wrap;
 }
 
+.security-warning-icon {
+  background-image: url(alerticon-warning.png);
+  background-size: 13px 12px;
+  -moz-margin-start: 5px;
+  vertical-align: top;
+  width: 13px;
+  height: 12px;
+}
+
+@media (min-resolution: 2dppx) {
+  .security-warning-icon {
+    background-image: url(alerticon-warning@2x.png);
+  }
+}
+
 /* Custom request form */
 
 #custom-pane {
   padding: 0.6em 0.5em;
 }
 
 .custom-header {
   font-size: 1.1em;
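Review bot: `.security-warning-icon` loads `url(alerticon-warning.png)` and its @2x variant by relative path, while every other image in the visible rules uses an absolute `chrome://browser/skin/...` URL. The commit's file list contains no image or packaging change, so this presumably relies on both PNGs already being shipped next to the stylesheet in every theme that includes this file. That is worth confirming, because a missing image would leave the SSLv3/RC4 warning invisible with no error in the UI. A short comment above the rule saying where the icon comes from would help the next reader.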