Bug 1217156 - Add a pref to turn on/off insecure password warnings. Keep it on for Nightly and off for other builds. Will be turned on for dev edition after a few bug fixes. r=bgrins

2024-09-13 09:24:08 -07:00 · 2015-10-29 17:01:22 -07:00 · 2015-10-29 17:01:22 -07:00 · 29e1a19e70
commit 29e1a19e70
parent 7ccb15930d
3 changed files with 20 additions and 2 deletions
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -1430,6 +1430,13 @@ pref("dom.identity.enabled", false);
 // Block insecure active content on https pages
 pref("security.mixed_content.block_active_content", true);

+// Show degraded UI for http pages with password fields
+#ifdef NIGHTLY_BUILD
+pref("security.insecure_password.ui.enabled", true);
+#else
+pref("security.insecure_password.ui.enabled", false);
+#endif
+
 // 1 = allow MITM for certificate pinning checks.
 pref("security.cert_pinning.enforcement_level", 1);

--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@ -6927,6 +6927,13 @@ var gIdentityHandler = {
    return this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT;
  },

+  get _hasInsecureLoginForms() {
+    // checks if the page has been flagged for an insecure login. Also checks
+    // if the pref to degrade the UI is set to true
+    return LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser) &&
+           Services.prefs.getBoolPref("security.insecure_password.ui.enabled");
+  },
+
  // smart getters
  get _identityPopup () {
    delete this._identityPopup;
@ -7257,7 +7264,7 @@ var gIdentityHandler = {
          this._identityBox.classList.add("weakCipher");
        }
      }
-      if (LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser)) {
+      if (this._hasInsecureLoginForms) {
        // Insecure login forms can only be present on "unknown identity"
        // pages, either already insecure or with mixed active content loaded.
        this._identityBox.classList.add("insecureLoginForms");
@ -7301,7 +7308,7 @@ var gIdentityHandler = {

    // Determine if there are insecure login forms.
    let loginforms = "secure";
-    if (LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser)) {
+    if (this._hasInsecureLoginForms) {
      loginforms = "insecure";
    }

--- a/browser/base/content/test/general/browser_insecureLoginForms.js
+++ b/browser/base/content/test/general/browser_insecureLoginForms.js
@ -18,6 +18,10 @@ function waitForInsecureLoginFormsStateChange(browser, count) {
 * Checks the insecure login forms logic for the identity block.
 */
 add_task(function* test_simple() {
+  yield new Promise(resolve => SpecialPowers.pushPrefEnv({
+    "set": [["security.insecure_password.ui.enabled", true]],
+  }, resolve));
+
  for (let scheme of ["http", "https"]) {
    let tab = gBrowser.addTab(scheme + testUrlPath + "form_basic.html");
    let browser = tab.linkedBrowser;