bug 1154012 - dev tools and alt-svc r=vporof a=lhenry
authorPatrick McManus <mcmanus@ducksong.com>
Wed, 06 May 2015 08:28:12 -0400
changeset 267324 096b3675b32550559be6ef67c4da43d51941c695
parent 267323 7b38cbca05ed7d677d7330e7c3a22bdf719a67cd
child 267325 91c2f50a6fb1bcde6e490de6c52010fcd9275cae
push id830
push userraliiev@mozilla.com
push dateFri, 19 Jun 2015 19:24:37 +0000
treeherdermozilla-release@932614382a68 [default view] [failures only]
reviewersvporof, lhenry
bugs1154012
milestone39.0a2
bug 1154012 - dev tools and alt-svc r=vporof a=lhenry
toolkit/devtools/webconsole/network-helper.js
--- a/toolkit/devtools/webconsole/network-helper.js
+++ b/toolkit/devtools/webconsole/network-helper.js
@@ -572,18 +572,27 @@ let NetworkHelper = {
 
     const wpl = Ci.nsIWebProgressListener;
     const NSSErrorsService = Cc['@mozilla.org/nss_errors_service;1']
                                .getService(Ci.nsINSSErrorsService);
     const SSLStatus = securityInfo.SSLStatus;
     if (!NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) {
       const state = securityInfo.securityState;
 
-      if (state & wpl.STATE_IS_SECURE) {
-        // The connection is secure.
+      let uri = null;
+      if (httpActivity.channel && httpActivity.channel.URI) {
+        uri = httpActivity.channel.URI;
+      }
+      if (uri && !uri.schemeIs("https") && !uri.schemeIs("wss")) {
+        // it is not enough to look at the transport security info - schemes other than
+        // https and wss are subject to downgrade/etc at the scheme level and should
+        // always be considered insecure
+        info.state = "insecure";
+      } else if (state & wpl.STATE_IS_SECURE) {
+        // The connection is secure if the scheme is sufficient
         info.state = "secure";
       } else if (state & wpl.STATE_IS_BROKEN) {
         // The connection is not secure, there was no error but there's some
         // minor security issues.
         info.state = "weak";
         info.weaknessReasons = this.getReasonsForWeakness(state);
       } else if (state & wpl.STATE_IS_INSECURE) {
         // This was most likely an https request that was aborted before
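Review bot: The new scheme check fails open when the URI is unavailable. If `httpActivity.channel` or its `URI` is missing, `uri` stays null, the first branch is skipped, and a `STATE_IS_SECURE` transport is still reported as "secure", which is the transport-only verdict the added comment says is not enough. If every caller is expected to supply a channel, consider `if (!uri || (!uri.schemeIs("https") && !uri.schemeIs("wss"))) {` so an unknown scheme is never shown as secure. If some callers legitimately have no channel, a comment such as `// No channel URI available: fall back to the transport state alone` would make that fallback deliberate. The enclosing function starts and ends outside the hunk, so whether `httpActivity` is always passed cannot be confirmed from here.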