
Commit a7c59a9

committed
Bug 1838183: Include HTTPS-First in current HTTPS-Only exemption options on site identity pane r=freddyb,fluent-reviewers
Depends on D182322 Differential Revision: https://phabricator.services.mozilla.com/D181356
1 parent ad465aa commit a7c59a9


10 files changed

+142
-22
lines changed


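--- a/browser/base/content/browser-siteIdentity.js
+++ b/browser/base/content/browser-siteIdentity.js
@@ -122,6 +122,13 @@ var gIdentityHandler = {
 );
 },
 
+get _isContentHttpsFirstModeUpgraded() {
+return (
+this._state &
+Ci.nsIWebProgressListener.STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST
+);
+},
+
 get _isCertUserOverridden() {
 return this._state & Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN;
 },
@@ -346,6 +353,38 @@ var gIdentityHandler = {
 );
 return this._httpsOnlyModeEnabledPBM;
 },
+get _httpsFirstModeEnabled() {
+delete this._httpsFirstModeEnabled;
+XPCOMUtils.defineLazyPreferenceGetter(
+this,
+"_httpsFirstModeEnabled",
+"dom.security.https_first"
+);
+return this._httpsFirstModeEnabled;
+},
+get _httpsFirstModeEnabledPBM() {
+delete this._httpsFirstModeEnabledPBM;
+XPCOMUtils.defineLazyPreferenceGetter(
+this,
+"_httpsFirstModeEnabledPBM",
+"dom.security.https_first_pbm"
+);
+return this._httpsFirstModeEnabledPBM;
+},
+
+_isHttpsOnlyModeActive(isWindowPrivate) {
+return (
+this._httpsOnlyModeEnabled ||
+(isWindowPrivate && this._httpsOnlyModeEnabledPBM)
+);
+},
+_isHttpsFirstModeActive(isWindowPrivate) {
+return (
+!this._isHttpsOnlyModeActive(isWindowPrivate) &&
+(this._httpsFirstModeEnabled ||
+(isWindowPrivate && this._httpsFirstModeEnabledPBM))
+);
+},
 
 /**
 * Handles clicks on the "Clear Cookies and Site Data" button.
@@ -990,11 +1029,14 @@ var gIdentityHandler = {
 
 // If HTTPS-Only Mode is enabled, check the permission status
 const privateBrowsingWindow = PrivateBrowsingUtils.isWindowPrivate(window);
+const isHttpsOnlyModeActive = this._isHttpsOnlyModeActive(
+privateBrowsingWindow
+);
+const isHttpsFirstModeActive = this._isHttpsFirstModeActive(
+privateBrowsingWindow
+);
 let httpsOnlyStatus = "";
-if (
-this._httpsOnlyModeEnabled ||
-(privateBrowsingWindow && this._httpsOnlyModeEnabledPBM)
-) {
+if (isHttpsFirstModeActive || isHttpsOnlyModeActive) {
 // Note: value and permission association is laid out
 // in _getHttpsOnlyPermission
 let value = this._getHttpsOnlyPermission();
@@ -1014,11 +1056,17 @@ var gIdentityHandler = {
 
 if (value > 0) {
 httpsOnlyStatus = "exception";
-} else if (this._isAboutHttpsOnlyErrorPage) {
+} else if (
+this._isAboutHttpsOnlyErrorPage ||
+(isHttpsFirstModeActive && this._isContentHttpsOnlyModeUpgradeFailed)
+) {
 httpsOnlyStatus = "failed-top";
 } else if (this._isContentHttpsOnlyModeUpgradeFailed) {
 httpsOnlyStatus = "failed-sub";
-} else if (this._isContentHttpsOnlyModeUpgraded) {
+} else if (
+this._isContentHttpsOnlyModeUpgraded ||
+this._isContentHttpsFirstModeUpgraded
+) {
 httpsOnlyStatus = "upgraded";
 }
 }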
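Review bot: In the last hunk the new `failed-top` condition `(isHttpsFirstModeActive && this._isContentHttpsOnlyModeUpgradeFailed)` is tested before the `failed-sub` branch, so with HTTPS-First active every upgrade-failed state is shown as a top-level failure and `failed-sub` is unreachable. If that is intended because HTTPS-First only upgrades top-level loads, a comment such as `// HTTPS-First only upgrades top-level loads, so a failed upgrade is always "failed-top"` would record it; otherwise the two cases need to be distinguished so the pane does not misreport what failed. The context comment `// If HTTPS-Only Mode is enabled, check the permission status` in the third hunk is also stale, since the guard now covers HTTPS-First as well. The enclosing function starts and ends outside these hunks.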

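--- a/browser/base/content/test/siteIdentity/browser_identityPopup_HttpsOnlyMode.js
+++ b/browser/base/content/test/siteIdentity/browser_identityPopup_HttpsOnlyMode.js
@@ -20,10 +20,10 @@ add_task(async function () {
 });
 
 // Site gets upgraded to HTTPS, so the UI should be visible.
-// Disabling HTTPS-Only Mode through the menulist should reload the page and
+// Adding a HTTPS-Only exemption through the menulist should reload the page and
 // set the permission accordingly.
 await runTest({
-name: "Disable HTTPS-Only",
+name: "Add HTTPS-Only exemption",
 initialScheme: "http",
 initialPermission: 0,
 permissionScheme: "https",
@@ -34,10 +34,10 @@ add_task(async function () {
 });
 
 // HTTPS-Only Mode is disabled for this site, so the UI should be visible.
-// Disabling HTTPS-Only Mode through the menulist should not reload the page
+// Switching HTTPS-Only exemption modes through the menulist should not reload the page
 // but set the permission accordingly.
 await runTest({
-name: "Switch between off states",
+name: "Switch between HTTPS-Only exemption modes",
 initialScheme: "http",
 initialPermission: 1,
 permissionScheme: "http",
@@ -48,10 +48,66 @@ add_task(async function () {
 });
 
 // HTTPS-Only Mode is disabled for this site, so the UI should be visible.
-// Enabling HTTPS-Only Mode through the menulist should reload and upgrade the
+// Disabling HTTPS-Only exemptions through the menulist should reload and upgrade the
 // page and set the permission accordingly.
 await runTest({
-name: "Enable HTTPS-Only again",
+name: "Remove HTTPS-Only exemption again",
+initialScheme: "http",
+initialPermission: 2,
+permissionScheme: "http",
+isUiVisible: true,
+selectPermission: 0,
+expectReload: true,
+finalScheme: "https",
+});
+
+await SpecialPowers.flushPrefEnv();
+await SpecialPowers.pushPrefEnv({
+set: [["dom.security.https_first", true]],
+});
+
+// Site is already HTTPS, so the UI should not be visible.
+await runTest({
+name: "No HTTPS-Only UI",
+initialScheme: "https",
+initialPermission: 0,
+permissionScheme: "https",
+isUiVisible: false,
+});
+
+// Site gets upgraded to HTTPS, so the UI should be visible.
+// Adding a HTTPS-Only exemption through the menulist should reload the page and
+// set the permission accordingly.
+await runTest({
+name: "Add HTTPS-Only exemption",
+initialScheme: "http",
+initialPermission: 0,
+permissionScheme: "https",
+isUiVisible: true,
+selectPermission: 1,
+expectReload: true,
+finalScheme: "https",
+});
+
+// HTTPS-First Mode is disabled for this site, so the UI should be visible.
+// Switching HTTPS-Only exemption modes through the menulist should not reload the page
+// but set the permission accordingly.
+await runTest({
+name: "Switch between HTTPS-Only exemption modes",
+initialScheme: "http",
+initialPermission: 1,
+permissionScheme: "http",
+isUiVisible: true,
+selectPermission: 2,
+expectReload: false,
+finalScheme: "http",
+});
+
+// HTTPS-First Mode is disabled for this site, so the UI should be visible.
+// Disabling HTTPS-Only exemptions through the menulist should reload and upgrade the
+// page and set the permission accordingly.
+await runTest({
+name: "Remove HTTPS-Only exemption again",
 initialScheme: "http",
 initialPermission: 2,
 permissionScheme: "http",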
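Review bot: The HTTPS-First cases added in the last hunk reuse the `name` strings of the HTTPS-Only cases (`"No HTTPS-Only UI"`, `"Add HTTPS-Only exemption"`, `"Switch between HTTPS-Only exemption modes"`, `"Remove HTTPS-Only exemption again"`), so a failure log does not say which mode was under test; a prefix such as `name: "HTTPS-First: add exemption"` would make them distinguishable. The new block sets only `dom.security.https_first`, so as far as this file shows neither the `dom.security.https_first_pbm` path nor the HTTPS-First `failed-top` status added in browser-siteIdentity.js is exercised; a case for the failed-upgrade fallback would cover the state users rely on to see that a connection stayed on HTTP. The task function continues outside the hunk.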

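--- a/browser/components/controlcenter/content/identityPanel.inc.xhtml
+++ b/browser/components/controlcenter/content/identityPanel.inc.xhtml
@@ -63,7 +63,7 @@
 </vbox>
 
 <vbox id="identity-popup-security-httpsonlymode" when-httpsonlystatus="exception upgraded failed-top failed-sub">
-<label flex="1" data-l10n-id="identity-https-only-label"></label>
+<label flex="1" data-l10n-id="identity-https-only-label2"></label>
 <menulist id="identity-popup-security-httpsonlymode-menulist"
 oncommand="gIdentityHandler.changeHttpsOnlyPermission();" sizetopopup="none">
 <menupopup>
@@ -74,9 +74,9 @@
 </menupopup>
 </menulist>
 <vbox id="identity-popup-security-httpsonlymode-info">
-<description when-httpsonlystatus="exception" flex="1" data-l10n-id="identity-https-only-info-turn-on2">
+<description when-httpsonlystatus="exception" flex="1" data-l10n-id="identity-https-only-info-turn-on3">
 </description>
-<description when-httpsonlystatus="failed-sub" flex="1" data-l10n-id="identity-https-only-info-turn-off2">
+<description when-httpsonlystatus="failed-sub" flex="1" data-l10n-id="identity-https-only-info-turn-off3">
 </description>
 <description when-httpsonlystatus="failed-top" flex="1" data-l10n-id="identity-https-only-info-no-upgrade">
 </description>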

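--- a/browser/locales/en-US/browser/browser.ftl
+++ b/browser/locales/en-US/browser/browser.ftl
@@ -386,15 +386,15 @@ identity-weak-encryption = This page uses weak encryption.
 identity-insecure-login-forms = Logins entered on this page could be compromised.
 
 identity-https-only-connection-upgraded = (upgraded to HTTPS)
-identity-https-only-label = HTTPS-Only Mode
+identity-https-only-label2 = Automatically upgrade this site to a secure connection
 identity-https-only-dropdown-on =
 .label = On
 identity-https-only-dropdown-off =
 .label = Off
 identity-https-only-dropdown-off-temporarily =
 .label = Off temporarily
-identity-https-only-info-turn-on2 = Turn on HTTPS-Only Mode for this site if you want { -brand-short-name } to upgrade the connection when possible.
-identity-https-only-info-turn-off2 = If the page seems broken, you may want to turn off HTTPS-Only Mode for this site to reload using insecure HTTP.
+identity-https-only-info-turn-on3 = Turn on HTTPS upgrades for this site if you want { -brand-short-name } to upgrade the connection when possible.
+identity-https-only-info-turn-off3 = If the page seems broken, you may want to turn off HTTPS upgrades for this site to reload using insecure HTTP.
 identity-https-only-info-no-upgrade = Unable to upgrade connection from HTTP.
 
 identity-permissions-storage-access-header = Cross-site cookies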

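--- a/browser/themes/shared/controlcenter/panel.css
+++ b/browser/themes/shared/controlcenter/panel.css
@@ -55,7 +55,7 @@
 #identity-popup[mixedcontent~=active-blocked]:not([mixedcontent~=passive-loaded]) [when-mixedcontent=active-blocked],
 /* Show the right elements when there is mixed passive content loaded and active blocked. */
 #identity-popup[mixedcontent~=active-blocked][mixedcontent~=passive-loaded] [when-mixedcontent~=active-blocked][when-mixedcontent~=passive-loaded],
-/* HTTPS-Only Mode */
+/* HTTPS-Only and HTTPS-First Mode */
 #identity-popup[httpsonlystatus=exception] [when-httpsonlystatus~=exception],
 #identity-popup[httpsonlystatus=upgraded] [when-httpsonlystatus~=upgraded],
 #identity-popup[httpsonlystatus=failed-top] [when-httpsonlystatus~=failed-top],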

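--- a/docshell/base/WindowContext.cpp
+++ b/docshell/base/WindowContext.cpp
@@ -18,6 +18,7 @@
 #include "mozilla/ClearOnShutdown.h"
 #include "nsGlobalWindowInner.h"
 #include "nsIScriptError.h"
+#include "nsIWebProgressListener.h"
 #include "nsIXULRuntime.h"
 #include "nsRefPtrHashtable.h"
 #include "nsContentUtils.h"
@@ -456,7 +457,8 @@ void WindowContext::AddSecurityState(uint32_t aStateFlags) {
 nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT |
 nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT |
 nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED |
-nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED)) ==
+nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED |
+nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST)) ==
 aStateFlags,
 "Invalid flags specified!");
 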
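Review bot: The allowed-flag mask in this assertion is written out a second time in `WindowGlobalParent::AddSecurityState` (dom/ipc/WindowGlobalParent.cpp), and this commit has to extend both copies with `STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST`. A single shared constant for the mask, used by both functions, would keep the two validity checks from drifting apart the next time a security state flag is added. The assertion macro and the rest of the function lie outside the hunk, so whether the check is enforced in release builds cannot be seen here; if it is debug-only, a short comment saying that callers are trusted to pass only these flags would make the contract explicit.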

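--- a/dom/ipc/WindowGlobalParent.cpp
+++ b/dom/ipc/WindowGlobalParent.cpp
@@ -54,6 +54,7 @@
 #include "nsITransportSecurityInfo.h"
 #include "nsISharePicker.h"
 #include "nsIURIMutator.h"
+#include "nsIWebProgressListener.h"
 
 #include "mozilla/dom/DOMException.h"
 #include "mozilla/dom/DOMExceptionBinding.h"
@@ -1531,7 +1532,8 @@ void WindowGlobalParent::AddSecurityState(uint32_t aStateFlags) {
 nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT |
 nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT |
 nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED |
-nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED)) ==
+nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED |
+nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST)) ==
 aStateFlags,
 "Invalid flags specified!");
 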

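--- a/dom/security/nsHTTPSOnlyStreamListener.cpp
+++ b/dom/security/nsHTTPSOnlyStreamListener.cpp
@@ -16,6 +16,7 @@
 #include "nsIRequest.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsIURI.h"
+#include "nsIWebProgressListener.h"
 #include "nsPrintfCString.h"
 #include "secerr.h"
 #include "sslerr.h"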

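--- a/security/manager/ssl/nsSecureBrowserUI.cpp
+++ b/security/manager/ssl/nsSecureBrowserUI.cpp
@@ -96,6 +96,13 @@ void nsSecureBrowserUI::RecomputeSecurityFlags() {
 !(httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_EXEMPT)) {
 mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED;
 }
+if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST) {
+if (win->GetDocumentURI()->SchemeIs("https")) {
+mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST;
+} else {
+mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED;
+}
+}
 // Add the secruity flags from the window
 mState |= win->GetSecurityFlags();
 }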
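Review bot: `win->GetDocumentURI()->SchemeIs("https")` dereferences the document URI without a null check; if `GetDocumentURI()` can return null for this window (not visible in the hunk), the security-state recomputation would crash. Binding it first with `nsIURI* uri = win->GetDocumentURI();` and testing `if (uri && uri->SchemeIs("https"))` keeps a missing URI on the `STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED` side, so the UI never claims an upgrade it cannot confirm. Unlike the HTTPS-Only branch just above, the new branch does not test `nsILoadInfo::HTTPS_ONLY_EXEMPT`; a one-line comment stating why an exempt load cannot carry `HTTPS_ONLY_UPGRADED_HTTPS_FIRST`, or the same guard, would make the asymmetry deliberate. The function body begins outside the hunk.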

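--- a/uriloader/base/nsIWebProgressListener.idl
+++ b/uriloader/base/nsIWebProgressListener.idl
@@ -369,16 +369,20 @@ interface nsIWebProgressListener : nsISupports
 const unsigned long STATE_LOADED_EMAILTRACKING_LEVEL_2_CONTENT = 0x00000100;
 
 /**
-* Flag for HTTPS-Only Mode upgrades
+* Flags for HTTPS-Only and HTTPS-First Mode upgrades
 *
 * STATE_HTTPS_ONLY_MODE_UPGRADED
 * When a request has been upgraded by HTTPS-Only Mode
 *
 * STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED
 * When an upgraded request failed.
+*
+* STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST
+* When a request has been upgraded by HTTPS-First Mode
 */
 const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADED = 0x00400000;
 const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED = 0x00800000;
+const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST = 0x08000000;
 
 /**
 * Notification indicating the state has changed for one of the requests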
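Review bot: The description of `STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED` still reads `When an upgraded request failed.`, but in this commit nsSecureBrowserUI.cpp also sets it when an HTTPS-First upgrade ends on a non-https document, so the text should cover both modes, for example `When a request upgraded by HTTPS-Only or HTTPS-First Mode failed or fell back to HTTP.` The new value `0x08000000` is not adjacent to the other two constants, and the rest of the interface is outside the hunk, so it is worth confirming that this bit is not already used by another security state flag that shares the same field; a colliding bit would make the identity pane report the wrong state.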
