Bug 1175702 - Implement mixed content states in the control center r=paolo

2015-08-04 20:04:24 +02:00 · 2015-08-04 20:04:24 +02:00 · 2d06faf7c4
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@ -6678,12 +6678,10 @@ var gIdentityHandler = {
  IDENTITY_MODE_MIXED_ACTIVE_BLOCKED                   : "verifiedDomain mixedContent mixedActiveBlocked",  // SSL with unauthenticated active content blocked; no unauthenticated display content
  IDENTITY_MODE_MIXED_ACTIVE_BLOCKED_IDENTIFIED        : "verifiedIdentity mixedContent mixedActiveBlocked",  // SSL with unauthenticated active content blocked; no unauthenticated display content
  IDENTITY_MODE_CHROMEUI                               : "chromeUI",         // Part of the product's UI
  IDENTITY_MODE_FILE_URI                               : "fileURI",  // File path
-  // Cache the most recent SSLStatus and Location seen in checkIdentity
+  _isChromeUI: false,
-  _lastStatus : null,
+  _sslStatus: null,
-  _lastUri : null,
+  _uri: null,
  _mode : "unknownIdentity",
  // smart getters
  get _identityPopup () {
@ -6714,20 +6712,10 @@ var gIdentityHandler = {
    return this._identityPopupContentVerif =
      document.getElementById("identity-popup-content-verifier");
  },
-  get _identityPopupSecurityContent () {
+  get _identityPopupMixedContentLearnMore () {
-    delete this._identityPopupSecurityContent;
+    delete this._identityPopupMixedContentLearnMore;
-    return this._identityPopupSecurityContent =
+    return this._identityPopupMixedContentLearnMore =
-      document.getElementById("identity-popup-security-content");
+      document.getElementById("identity-popup-mcb-learn-more");
  },
  get _identityPopupSecurityView () {
    delete this._identityPopupSecurityView;
    return this._identityPopupSecurityView =
      document.getElementById("identity-popup-securityView");
  },
  get _identityPopupMainView () {
    delete this._identityPopupMainView;
    return this._identityPopupMainView =
      document.getElementById("identity-popup-mainView");
  },
  get _identityIconLabel () {
    delete this._identityIconLabel;
@ -6806,13 +6794,33 @@ var gIdentityHandler = {
    }
  },
  disableMixedContentProtection() {
    // Use telemetry to measure how often unblocking happens
    const kMIXED_CONTENT_UNBLOCK_EVENT = 2;
    let histogram =
      Services.telemetry.getHistogramById(
        "MIXED_CONTENT_UNBLOCK_COUNTER");
    histogram.add(kMIXED_CONTENT_UNBLOCK_EVENT);
    // Reload the page with the content unblocked
    BrowserReloadWithFlags(
      Ci.nsIWebNavigation.LOAD_FLAGS_ALLOW_MIXED_CONTENT);
    this._identityPopup.hidePopup();
  },
  enableMixedContentProtection() {
    gBrowser.selectedBrowser.messageManager.sendAsyncMessage(
      "MixedContent:ReenableProtection", {});
    BrowserReload();
    this._identityPopup.hidePopup();
  },
  /**
-   * Helper to parse out the important parts of _lastStatus (of the SSL cert in
+   * Helper to parse out the important parts of _sslStatus (of the SSL cert in
   * particular) for use in constructing identity UI strings
  */
  getIdentityData : function() {
    var result = {};
-    var status = this._lastStatus.QueryInterface(Components.interfaces.nsISSLStatus);
+    var status = this._sslStatus.QueryInterface(Ci.nsISSLStatus);
    var cert = status.serverCert;
    // Human readable name of Subject
@ -6848,68 +6856,58 @@ var gIdentityHandler = {
   * @param nsIURI uri The address for which the UI should be updated.
   */
  checkIdentity : function(state, uri) {
    var currentStatus = gBrowser.securityUI
                                .QueryInterface(Components.interfaces.nsISSLStatusProvider)
                                .SSLStatus;
    this._lastStatus = currentStatus;
    this._lastUri = uri;
    let nsIWebProgressListener = Ci.nsIWebProgressListener;
    // For some URIs like data: we can't get a host and so can't do
    // anything useful here.
    let unknown = false;
    try {
      uri.host;
    } catch (e) { unknown = true; }
    // Chrome URIs however get special treatment. Some chrome URIs are
    // whitelisted to provide a positive security signal to the user.
    let whitelist = /^about:(accounts|addons|app-manager|config|crashes|customizing|downloads|healthreport|home|license|newaddon|permissions|preferences|privatebrowsing|rights|sessionrestore|support|welcomeback)/i;
    let isChromeUI = uri.schemeIs("about") && whitelist.test(uri.spec);
    let mode = this.IDENTITY_MODE_UNKNOWN;
    if (isChromeUI) {
-      this.setMode(this.IDENTITY_MODE_CHROMEUI);
+      mode = this.IDENTITY_MODE_CHROMEUI;
    } else if (unknown) {
      this.setMode(this.IDENTITY_MODE_UNKNOWN);
    } else if (state & nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL) {
      if (state & nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT) {
-        this.setMode(this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED_IDENTIFIED);
+        mode = this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED_IDENTIFIED;
      } else {
-        this.setMode(this.IDENTITY_MODE_IDENTIFIED);
+        mode = this.IDENTITY_MODE_IDENTIFIED;
      }
    } else if (state & nsIWebProgressListener.STATE_IS_SECURE) {
      if (state & nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT) {
-        this.setMode(this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED);
+        mode = this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED;
      } else {
-        this.setMode(this.IDENTITY_MODE_DOMAIN_VERIFIED);
+        mode = this.IDENTITY_MODE_DOMAIN_VERIFIED;
      }
    } else if (state & nsIWebProgressListener.STATE_IS_BROKEN) {
      if (state & nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT) {
-        this.setMode(this.IDENTITY_MODE_MIXED_ACTIVE_LOADED);
+        mode = this.IDENTITY_MODE_MIXED_ACTIVE_LOADED;
      } else if (state & nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT) {
-        this.setMode(this.IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED);
+        mode = this.IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED;
      } else if (state & nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT) {
-        this.setMode(this.IDENTITY_MODE_MIXED_DISPLAY_LOADED);
+        mode = this.IDENTITY_MODE_MIXED_DISPLAY_LOADED;
      } else {
-        this.setMode(this.IDENTITY_MODE_USES_WEAK_CIPHER);
+        mode = this.IDENTITY_MODE_USES_WEAK_CIPHER;
      }
    } else {
      // Create a channel for the sole purpose of getting the resolved URI
      // of the request to determine if it's loaded from the file system.
      let resolvedURI = NetUtil.newChannel({uri,loadUsingSystemPrincipal:true}).URI;
      if (resolvedURI.schemeIs("jar")) {
        // Given a URI "jar:<jar-file-uri>!/<jar-entry>"
        // create a new URI using <jar-file-uri>!/<jar-entry>
        resolvedURI = NetUtil.newURI(resolvedURI.path);
      }
      if (resolvedURI.schemeIs("file")) {
        this.setMode(this.IDENTITY_MODE_FILE_URI);
      } else {
        this.setMode(this.IDENTITY_MODE_UNKNOWN);
      }
    }
    // We need those values later when populating the control center.
    this._uri = uri;
    this._state = state;
    this._isChromeUI = isChromeUI;
    this._sslStatus =
      gBrowser.securityUI.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
    // Update the identity block.
    if (this._identityBox) {
      this._identityBox.className = mode;
      this.refreshIdentityBlock(mode);
    }
    // NOTE: We do NOT update the identity popup (the control center) when
    // we receive a new security state. If the user opened the popup and looks
    // at the provided information we don't want to suddenly change the panel
    // contents.
    // Show the doorhanger when:
    // - mixed active content is blocked
    // - mixed active content is loaded (detected but not blocked)
@ -6961,46 +6959,22 @@ var gIdentityHandler = {
                         .getService(Ci.nsIIDNService);
    try {
      let baseDomain =
-        Services.eTLD.getBaseDomainFromHost(this._lastUri.host);
+        Services.eTLD.getBaseDomainFromHost(this._uri.host);
      return this._IDNService.convertToDisplayIDN(baseDomain, {});
    } catch (e) {
      // If something goes wrong (e.g. host is an IP address) just fail back
      // to the full domain.
-      return this._lastUri.host;
+      return this._uri.host;
    }
  },
  /**
   * Update the UI to reflect the specified mode, which should be one of the
   * IDENTITY_MODE_* constants.
   */
  setMode : function(newMode) {
    if (!this._identityBox) {
      // No identity box means the identity box is not visible, in which
      // case there's nothing to do.
      return;
    }
    this._identityPopup.className = newMode;
    this._identityBox.className = newMode;
    this.setIdentityMessages(newMode);
    // Update the popup too, if it's open
    if (this._identityPopup.state == "open") {
      this.setPopupMessages(newMode);
      this.updateSitePermissions();
    }
    this._mode = newMode;
  },
  /**
   * Set up the messages for the primary identity UI based on the specified mode,
   * and the details of the SSL cert, where applicable
   *
   * @param newMode The newly set identity mode.  Should be one of the IDENTITY_MODE_* constants.
   */
-  setIdentityMessages : function(newMode) {
+  refreshIdentityBlock(newMode) {
    let icon_label = "";
    let tooltip = "";
    let icon_country_label = "";
@ -7017,11 +6991,11 @@ var gIdentityHandler = {
                                                    [iData.caOrg]);
      // This can't throw, because URI's with a host that throw don't end up in this case.
-      let host = this._lastUri.host;
+      let host = this._uri.host;
      let port = 443;
      try {
-        if (this._lastUri.port > 0)
+        if (this._uri.port > 0)
-          port = this._lastUri.port;
+          port = this._uri.port;
      } catch (e) {}
      if (this._overrideService.hasMatchingOverride(host, port, iData.cert, {}, {}))
@ -7070,15 +7044,78 @@ var gIdentityHandler = {
   * Set up the title and content messages for the identity message popup,
   * based on the specified mode, and the details of the SSL cert, where
   * applicable
   *
   * @param newMode The newly set identity mode.  Should be one of the IDENTITY_MODE_* constants.
   */
-  setPopupMessages : function(newMode) {
+  refreshIdentityPopup() {
    // Update the "Learn More" hrefs for Mixed Content Blocking.
    let baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");
    let learnMoreHref = `${baseURL}mixed-content`;
    this._identityPopupMixedContentLearnMore.setAttribute("href", learnMoreHref);
-    this._identityPopup.className = newMode;
+    // Basic connection properties.
-    this._identityPopupMainView.className = newMode;
+    let isBroken = this._state & Ci.nsIWebProgressListener.STATE_IS_BROKEN;
-    this._identityPopupSecurityView.className = newMode;
+    let isSecure = this._state & Ci.nsIWebProgressListener.STATE_IS_SECURE;
-    this._identityPopupSecurityContent.className = newMode;
+    let isEV = this._state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
    // Determine connection security information.
    let connection = "not-secure";
    if (this._isChromeUI) {
      connection = "chrome";
    } else if (this._isURILoadedFromFile(this._uri)) {
      connection = "file";
    } else if (isEV) {
      connection = "secure-ev";
    } else if (isSecure) {
      connection = "secure";
    }
    // Mixed content flags.
    let isMixedActiveContentLoaded =
      this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT;
    let isMixedActiveContentBlocked =
      this._state & Ci.nsIWebProgressListener.STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
    let isMixedPassiveContentLoaded =
      this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT;
    // Determine the mixed content state.
    let mixedcontent = [];
    if (isMixedPassiveContentLoaded) {
      mixedcontent.push("passive-loaded");
    }
    if (isMixedActiveContentLoaded) {
      mixedcontent.push("active-loaded");
    } else if (isMixedActiveContentBlocked) {
      mixedcontent.push("active-blocked");
    }
    mixedcontent = mixedcontent.join(" ");
    // We have no specific flags for weak ciphers (yet). If a connection is
    // broken and we can't detect any mixed active content loaded then it's
    // a weak cipher.
    let ciphers = "";
    if (isBroken && !isMixedActiveContentLoaded) {
      ciphers = "weak";
    }
    // Update all elements.
    let elementIDs = [
      "identity-popup",
      "identity-popup-securityView-body",
    ];
    function updateAttribute(elem, attr, value) {
      if (value) {
        elem.setAttribute(attr, value);
      } else {
        elem.removeAttribute(attr);
      }
    }
    for (let id of elementIDs) {
      let element = document.getElementById(id);
      updateAttribute(element, "connection", connection);
      updateAttribute(element, "ciphers", ciphers);
      updateAttribute(element, "mixedcontent", mixedcontent);
    }
    // Initialize the optional strings to empty values
    let supplemental = "";
@ -7092,19 +7129,18 @@ var gIdentityHandler = {
      // Some URIs might have no hosts.
    }
    // Fallback for special protocols.
    if (!host) {
-      // Fallback for special protocols.
+      host = this._uri.specIgnoringRef;
      host = this._lastUri.specIgnoringRef;
    }
-    switch (newMode) {
+    // Fill in the CA name if we have a valid TLS certificate.
-    case this.IDENTITY_MODE_DOMAIN_VERIFIED:
+    if (isSecure) {
    case this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED:
      verifier = this._identityBox.tooltipText;
-      break;
+    }
-    case this.IDENTITY_MODE_IDENTIFIED:
+
-    case this.IDENTITY_MODE_MIXED_ACTIVE_BLOCKED_IDENTIFIED: {
+    // Fill in organization information if we have a valid EV certificate.
-      // If it's identified, then we can populate the dialog with credentials
+    if (isEV) {
      let iData = this.getIdentityData();
      host = owner = iData.subjectOrg;
      verifier = this._identityBox.tooltipText;
@ -7119,21 +7155,6 @@ var gIdentityHandler = {
        supplemental += iData.state;
      else if (iData.country) // Country only
        supplemental += iData.country;
      break;
    }
    case this.IDENTITY_MODE_UNKNOWN:
      supplemental = gNavigatorBundle.getString("identity.not_secure");
      break;
    case this.IDENTITY_MODE_USES_WEAK_CIPHER:
      supplemental = gNavigatorBundle.getString("identity.uses_weak_cipher");
      break;
    case this.IDENTITY_MODE_MIXED_DISPLAY_LOADED:
    case this.IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED:
      supplemental = gNavigatorBundle.getString("identity.mixed_display_loaded");
      break;
    case this.IDENTITY_MODE_MIXED_ACTIVE_LOADED:
      supplemental = gNavigatorBundle.getString("identity.mixed_active_loaded2");
      break;
    }
    // Push the appropriate strings out to the UI. Need to use |value| for the
@ -7144,8 +7165,31 @@ var gIdentityHandler = {
    this._identityPopupContentSupp.textContent = supplemental;
    this._identityPopupContentVerif.textContent = verifier;
-    // Hide subviews when updating panel information.
+    // Update per-site permissions section.
-    document.getElementById("identity-popup-multiView").showMainView();
+    this.updateSitePermissions();
  },
  _isURILoadedFromFile(uri) {
    try {
      uri.host;
      // No internal/file URI if we have a host.
      return false;
    } catch (e) {
      // All good, let's continue.
    }
    // Create a channel for the sole purpose of getting the resolved URI
    // of the request to determine if it's loaded from the file system.
    let chanOptions = {uri, loadUsingSystemPrincipal: true};
    let resolvedURI = NetUtil.newChannel(chanOptions).URI;
    if (resolvedURI.schemeIs("jar")) {
      // Given a URI "jar:<jar-file-uri>!/<jar-entry>"
      // create a new URI using <jar-file-uri>!/<jar-entry>
      resolvedURI = NetUtil.newURI(resolvedURI.path);
    }
    // Check the URI again after resolving.
    return resolvedURI.schemeIs("file");
  },
  /**
@ -7170,9 +7214,7 @@ var gIdentityHandler = {
    this._identityPopup.hidden = false;
    // Update the popup strings
-    this.setPopupMessages(this._identityBox.className);
+    this.refreshIdentityPopup();
    this.updateSitePermissions();
    // Add the "open" attribute to the identity box for styling
    this._identityBox.setAttribute("open", "true");
--- a/browser/components/controlcenter/content/panel.inc.xul
+++ b/browser/components/controlcenter/content/panel.inc.xul
@ -10,7 +10,8 @@
       orient="vertical">
  <broadcasterset>
-    <broadcaster id="identity-popup-content-host" value=""/>
+    <broadcaster id="identity-popup-content-host" class="identity-popup-headline" crop="end"/>
    <broadcaster id="identity-popup-mcb-learn-more" class="text-link plain" value="&identity.learnMore;"/>
  </broadcasterset>
  <panelmultiview id="identity-popup-multiView"
@ -18,39 +19,50 @@
    <panelview id="identity-popup-mainView" flex="1">
      <!-- Security Section -->
-      <hbox class="identity-popup-section">
+      <hbox id="identity-popup-security" class="identity-popup-section">
        <vbox id="identity-popup-security-content" flex="1">
-          <label class="identity-popup-headline" crop="end">
+          <label observes="identity-popup-content-host"/>
-            <observes element="identity-popup-content-host" attribute="value"/>
+          <description class="identity-popup-connection-not-secure"
-          </label>
+                       value="&identity.connectionNotSecure;"
-          <label class="identity-popup-connection-secure identity-popup-text"
+                       when-connection="not-secure"/>
-                 value="&identity.connectionSecure;"/>
+          <description class="identity-popup-connection-secure"
-          <label class="identity-popup-connection-not-secure identity-popup-text"
+                       value="&identity.connectionSecure;"
-                 value="&identity.connectionNotSecure;"/>
+                       when-connection="secure secure-ev"/>
-          <label class="identity-popup-connection-file-uri identity-popup-text"
+          <description value="&identity.connectionInternal;"
-                 value="&identity.connectionFile;"/>
+                       when-connection="chrome"/>
-          <label class="identity-popup-connection-internal identity-popup-text"
+          <description value="&identity.connectionFile;"
-                 value="&identity.connectionInternal;"/>
+                       when-connection="file"/>
          <vbox id="identity-popup-security-descriptions">
            <description class="identity-popup-warning-gray"
                         when-mixedcontent="active-blocked">&identity.activeBlocked;</description>
            <description class="identity-popup-warning-yellow"
                         when-mixedcontent="passive-loaded">&identity.passiveLoaded;</description>
            <description when-mixedcontent="active-loaded">&identity.activeLoaded;</description>
            <description class="identity-popup-warning-yellow"
                         when-ciphers="weak">&identity.weakEncryption;</description>
          </vbox>
        </vbox>
-        <button class="identity-popup-expander"
+        <button id="identity-popup-security-expander"
                class="identity-popup-expander"
                when-connection="not-secure secure secure-ev"
                oncommand="gIdentityHandler.toggleSubView('security', this)"/>
      </hbox>
      <!-- Tracking Protection Section -->
-      <hbox id="tracking-protection-container" class="identity-popup-section">
+      <hbox id="tracking-protection-container"
            class="identity-popup-section"
            when-connection="not-secure secure secure-ev file">
        <vbox id="tracking-protection-content" flex="1">
-          <description class="identity-popup-text identity-popup-headline"
+          <description class="identity-popup-headline"
                       crop="end"
                       value="&trackingProtection.title;" />
          <label id="tracking-blocked"
                 class="identity-popup-text"
                 crop="end">&trackingProtection.detectedBlocked2;</label>
          <label id="tracking-loaded"
                 class="identity-popup-text"
                 crop="end">&trackingProtection.detectedNotBlocked2;</label>
          <label id="tracking-not-detected"
                 class="identity-popup-text"
                 crop="end">&trackingProtection.notDetected2;</label>
          <button id="tracking-action-unblock"
@ -71,7 +83,7 @@
      <!-- Permissions Section -->
      <hbox id="identity-popup-permissions" class="identity-popup-section">
        <vbox id="identity-popup-permissions-content" flex="1">
-          <label class="identity-popup-text identity-popup-headline"
+          <label class="identity-popup-headline"
                 value="&identity.permissions;"/>
          <vbox id="identity-popup-permission-list"/>
        </vbox>
@ -90,29 +102,63 @@
    <!-- Security SubView -->
    <panelview id="identity-popup-securityView" flex="1">
      <vbox id="identity-popup-securityView-header">
-        <label class="identity-popup-headline" crop="end">
+        <label observes="identity-popup-content-host"/>
-          <observes element="identity-popup-content-host" attribute="value"/>
+        <description class="identity-popup-connection-not-secure"
-        </label>
+                     value="&identity.connectionNotSecure;"
-        <label class="identity-popup-connection-secure identity-popup-text"
+                     when-connection="not-secure"/>
-               value="&identity.connectionSecure;"/>
+        <description class="identity-popup-connection-secure"
-        <label class="identity-popup-connection-not-secure identity-popup-text"
+                     value="&identity.connectionSecure;"
-               value="&identity.connectionNotSecure;"/>
+                     when-connection="secure secure-ev"/>
        <label class="identity-popup-connection-file-uri identity-popup-text"
               value="&identity.connectionFile;"/>
        <label class="identity-popup-connection-internal identity-popup-text"
               value="&identity.connectionInternal;"/>
      </vbox>
-      <description id="identity-popup-content-verifier"
+      <vbox id="identity-popup-securityView-body">
-                   class="identity-popup-text"/>
+        <!-- (EV) Certificate Information -->
        <description id="identity-popup-content-verified-by"
                     when-connection="secure-ev">&identity.connectionVerified;</description>
        <description id="identity-popup-content-owner"
                     when-connection="secure-ev"
                     class="header"/>
        <description id="identity-popup-content-supplemental"
                     when-connection="secure-ev"/>
        <description id="identity-popup-content-verifier"
                     when-connection="secure secure-ev"/>
-      <description id="identity-popup-securityView-connection"
+        <!-- Connection is Not Secure -->
-                   class="identity-popup-text">&identity.connectionVerified;</description>
+        <description when-connection="not-secure">&identity.description.insecure;</description>
-      <description id="identity-popup-content-owner"
+        <!-- Weak Cipher -->
-                   class="identity-popup-text"/>
+        <description when-ciphers="weak">&identity.description.weakCipher;</description>
-      <description id="identity-popup-content-supplemental"
+        <description class="identity-popup-warning-yellow"
-                   class="identity-popup-text"/>
+                     when-ciphers="weak">&identity.description.weakCipher2;</description>
        <!-- Active Mixed Content Blocked -->
        <description class="identity-popup-warning-gray"
                     when-mixedcontent="active-blocked">&identity.description.activeBlocked; <label observes="identity-popup-mcb-learn-more"/></description>
        <!-- Passive Mixed Content Loaded -->
        <description when-mixedcontent="passive-loaded">&identity.description.passiveLoaded;</description>
        <description class="identity-popup-warning-yellow"
                     when-mixedcontent="passive-loaded">&identity.description.passiveLoaded2; <label observes="identity-popup-mcb-learn-more"/></description>
        <!-- Passive Mixed Content Loaded, Active Mixed Content Blocked -->
        <description when-mixedcontent="passive-loaded active-blocked">&identity.description.passiveLoaded;</description>
        <description when-mixedcontent="passive-loaded active-blocked"
                     class="identity-popup-warning-yellow">&identity.description.passiveLoaded3; <label observes="identity-popup-mcb-learn-more"/></description>
        <!-- Active Mixed Content Blocking Disabled -->
        <description when-mixedcontent="active-loaded">&identity.description.activeLoaded;</description>
        <description when-mixedcontent="active-loaded">&identity.description.activeLoaded2;</description>
        <!-- Buttons to enable/disable mixed content blocking. -->
        <button when-mixedcontent="active-blocked"
                label="&identity.disableMixedContentBlocking.label;"
                accesskey="&identity.disableMixedContentBlocking.accesskey;"
                oncommand="gIdentityHandler.disableMixedContentProtection()"/>
        <button when-mixedcontent="active-loaded"
                label="&identity.enableMixedContentBlocking.label;"
                accesskey="&identity.enableMixedContentBlocking.accesskey;"
                oncommand="gIdentityHandler.enableMixedContentProtection()"/>
      </vbox>
    </panelview>
  </panelmultiview>
 </panel>
--- a/browser/locales/en-US/chrome/browser/browser.dtd
+++ b/browser/locales/en-US/chrome/browser/browser.dtd
@ -689,6 +689,29 @@ you can use these alternative items. Otherwise, their values should be empty.  -
 <!ENTITY identity.connectionVerified "&brandShortName; verified that you are securely connected to this site, run by:">
 <!ENTITY identity.connectionInternal "This is a secure &brandShortName; page.">
 <!-- Strings for connection state warnings. -->
 <!ENTITY identity.activeBlocked "&brandShortName; has blocked parts of this page that are not secure.">
 <!ENTITY identity.passiveLoaded "Parts of this page are not secure (such as images).">
 <!ENTITY identity.activeLoaded "You have disabled protection on this page.">
 <!ENTITY identity.weakEncryption "This page uses weak encryption.">
 <!-- Strings for connection state warnings in the subview. -->
 <!ENTITY identity.description.insecure "Your connection to this site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards, etc.).">
 <!ENTITY identity.description.weakCipher "Your connection to this website uses weak encryption and is not private.">
 <!ENTITY identity.description.weakCipher2 "Other people can view your information or modify the website's behavior.">
 <!ENTITY identity.description.activeBlocked "&brandShortName; has blocked parts of this page that are not secure.">
 <!ENTITY identity.description.passiveLoaded "Your connection is not private and information you share with the site could be viewed by others.">
 <!ENTITY identity.description.passiveLoaded2 "This website contains content that is not secure (such as images).">
 <!ENTITY identity.description.passiveLoaded3 "Although &brandShortName; has blocked some content, there is still content on the page that is not secure (such as images).">
 <!ENTITY identity.description.activeLoaded "This website contains content that is not secure (such as scripts) and your connection to it is not private.">
 <!ENTITY identity.description.activeLoaded2 "Information you share with this site could be viewed by others (like passwords, messages, credit cards, etc.).">
 <!ENTITY identity.enableMixedContentBlocking.label "Enable protection">
 <!ENTITY identity.enableMixedContentBlocking.accesskey "E">
 <!ENTITY identity.disableMixedContentBlocking.label "Disable protection for now">
 <!ENTITY identity.disableMixedContentBlocking.accesskey "D">
 <!ENTITY identity.learnMore "Learn More">
 <!ENTITY identity.moreInfoLinkText2 "More Information">
 <!ENTITY identity.permissions "Permissions">
--- a/browser/locales/en-US/chrome/browser/browser.properties
+++ b/browser/locales/en-US/chrome/browser/browser.properties
@ -329,11 +329,6 @@ identity.identified.verifier=Verified by: %S
 identity.identified.verified_by_you=You have added a security exception for this site.
 identity.identified.state_and_country=%S, %S
 identity.not_secure=Your connection to this site is not private. Information you submit could be viewable to others (for example passwords, messages, credit cards, etc.).
 identity.uses_weak_cipher=Your connection to this website uses weak encryption and is not private. Other people can view your information or modify the website's behavior.
 identity.mixed_display_loaded=The connection to this website is not fully secure because it contains unencrypted elements (such as images).
 identity.mixed_active_loaded2=This website contains interactive content that isn't encrypted (such as scripts). Other people can view your information or modify the website's behavior.
 identity.unknown.tooltip=This website does not supply identity information.
 trackingProtection.intro.title=How Tracking Protection works
--- a/browser/themes/osx/controlcenter/panel.css
+++ b/browser/themes/osx/controlcenter/panel.css
@ -21,20 +21,23 @@
 #tracking-action-block,
 #tracking-action-unblock,
-#tracking-action-unblock-private {
+#tracking-action-unblock-private,
 #identity-popup-securityView-body > button {
  @hudButton@
  min-height: 30px;
 }
 #tracking-action-block:hover:active,
 #tracking-action-unblock:hover:active,
-#tracking-action-unblock-private:hover:active {
+#tracking-action-unblock-private:hover:active,
 #identity-popup-securityView-body > button:hover:active {
  @hudButtonPressed@
 }
 #tracking-action-block:-moz-focusring,
 #tracking-action-unblock:-moz-focusring,
-#tracking-action-unblock-private:-moz-focusring {
+#tracking-action-unblock-private:-moz-focusring,
 #identity-popup-securityView-body > button:-moz-focusring {
  @hudButtonFocused@
 }
--- a/browser/themes/osx/jar.mn
+++ b/browser/themes/osx/jar.mn
@ -195,8 +195,10 @@ browser.jar:
  skin/classic/browser/controlcenter/conn-degraded.svg  (../shared/controlcenter/conn-degraded.svg)
  skin/classic/browser/controlcenter/mcb-disabled.svg  (../shared/controlcenter/mcb-disabled.svg)
  skin/classic/browser/controlcenter/permissions.svg  (../shared/controlcenter/permissions.svg)
-  skin/classic/browser/controlcenter/tracking-protection.svg                 (../shared/controlcenter/tracking-protection.svg)
+  skin/classic/browser/controlcenter/tracking-protection.svg  (../shared/controlcenter/tracking-protection.svg)
-  skin/classic/browser/controlcenter/tracking-protection-disabled.svg        (../shared/controlcenter/tracking-protection-disabled.svg)
+  skin/classic/browser/controlcenter/tracking-protection-disabled.svg  (../shared/controlcenter/tracking-protection-disabled.svg)
  skin/classic/browser/controlcenter/warning-gray.svg  (../shared/controlcenter/warning-gray.svg)
  skin/classic/browser/controlcenter/warning-yellow.svg  (../shared/controlcenter/warning-yellow.svg)
  skin/classic/browser/customizableui/background-noise-toolbar.png  (customizableui/background-noise-toolbar.png)
  skin/classic/browser/customizableui/customize-titleBar-toggle.png  (customizableui/customize-titleBar-toggle.png)
  skin/classic/browser/customizableui/customize-titleBar-toggle@2x.png  (customizableui/customize-titleBar-toggle@2x.png)
--- a/browser/themes/shared/controlcenter/panel.inc.css
+++ b/browser/themes/shared/controlcenter/panel.inc.css
@ -1,33 +1,39 @@
-/* Show the organization name only for EV certs. */
+%if 0
-#identity-popup-securityView:not(.verifiedIdentity) > #identity-popup-content-owner,
+/* This Source Code Form is subject to the terms of the Mozilla Public
-#identity-popup-securityView:not(.verifiedIdentity) > #identity-popup-securityView-connection,
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-/* Show the "Verified by" label only for DV and EV certs. */
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#identity-popup-securityView:not(.verifiedIdentity):not(.verifiedDomain) > #identity-popup-content-verifier,
+%endif
-/* Show a longer explanation for non-secure sites, mixed content, and weak
+
-   connection security. Show the organization address for EV certs. */
+/* Hide all conditional elements by default. */
-#identity-popup-securityView:not(.unknownIdentity):not(.verifiedIdentity):not(.mixedContent):not(.weakCipher) > #identity-popup-content-supplemental,
+:-moz-any([when-connection],[when-mixedcontent],[when-ciphers]) {
 /* Show the "Connection is secure" labels only for EV and DV certs. */
 #identity-popup-security-content:not(.verifiedIdentity):not(.verifiedDomain) > .identity-popup-connection-secure,
 #identity-popup-securityView:not(.verifiedIdentity):not(.verifiedDomain) > #identity-popup-securityView-header > .identity-popup-connection-secure,
 /* Show the "Connection is not secure" labels only for non-secure sites. */
 #identity-popup-security-content:not(.unknownIdentity) > .identity-popup-connection-not-secure,
 #identity-popup-securityView:not(.unknownIdentity) > #identity-popup-securityView-header > .identity-popup-connection-not-secure,
 /* Show "This page is stored on your computer" only for file URLs. */
 #identity-popup-security-content:not(.fileURI) > .identity-popup-connection-file-uri,
 #identity-popup-securityView:not(.fileURI) > #identity-popup-securityView-header > .identity-popup-connection-file-uri,
 /* Show "This is a secure internal page" only for whitelisted pages. */
 #identity-popup-securityView:not(.chromeUI) > #identity-popup-securityView-header > .identity-popup-connection-internal,
 #identity-popup-security-content:not(.chromeUI) > .identity-popup-connection-internal,
 /* Hide the subsection arrow for whitelisted chromeUI pages. */
 #identity-popup-security-content.chromeUI + .identity-popup-expander,
 /* Hide the subsection arrow for whitelisted file URI pages. */
 #identity-popup-security-content.fileURI + .identity-popup-expander,
 /* Hide the tracking protection section for whitelisted chromeUI pages. */
 #identity-popup-mainView.chromeUI > #tracking-protection-container {
  display: none;
 }
-/* PANEL */
+/* Show the right elements for the right connection states. */
 #identity-popup[connection=not-secure] [when-connection~=not-secure],
 #identity-popup[connection=secure-ev] [when-connection~=secure-ev],
 #identity-popup[connection=secure] [when-connection~=secure],
 #identity-popup[connection=chrome] [when-connection~=chrome],
 #identity-popup[connection=file] [when-connection~=file],
 /* Show weak cipher messages when needed. */
 #identity-popup[ciphers=weak]:not([mixedcontent]) [when-ciphers~=weak],
 /* Show mixed content warnings when needed */
 #identity-popup[mixedcontent~=active-loaded] [when-mixedcontent=active-loaded],
 #identity-popup[mixedcontent~=passive-loaded]:not([mixedcontent~=active-loaded]) [when-mixedcontent=passive-loaded],
 #identity-popup[mixedcontent~=active-blocked]:not([mixedcontent~=passive-loaded]) [when-mixedcontent=active-blocked],
 /* Show the right elements when there is mixed passive content loaded and active blocked. */
 #identity-popup[mixedcontent~=active-blocked][mixedcontent~=passive-loaded] [when-mixedcontent~=active-blocked][when-mixedcontent~=passive-loaded],
 /* Show 'disable MCB' button always when there is mixed active content blocked. */
 #identity-popup-securityView-body[mixedcontent~=active-blocked] > button[when-mixedcontent=active-blocked] {
  display: inherit;
 }
 /* Hide 'not secure' message in subview when weak cipher or mixed content messages are shown. */
 #identity-popup-securityView-body:-moz-any([mixedcontent],[ciphers]) > description[when-connection=not-secure],
 /* Hide 'passive-loaded (only)' message when there is mixed passive content loaded and active blocked. */
 #identity-popup-securityView-body[mixedcontent~=passive-loaded][mixedcontent~=active-blocked] > description[when-mixedcontent=passive-loaded] {
  display: none;
 }
 #identity-popup,
 #identity-popup:not([panelopen]) .panel-viewstack[viewtype="main"]:not([transitioning]) #identity-popup-mainView {
@ -143,7 +149,11 @@
 /* CONTENT */
-.identity-popup-text {
+#identity-popup-security-content > description,
 #identity-popup-security-descriptions > description,
 #identity-popup-securityView-header > description,
 #identity-popup-securityView-body > description,
 #tracking-protection-content > label {
  white-space: pre-wrap;
  font-size: 110%;
  margin: 0;
@ -154,12 +164,18 @@
  font-size: 150%;
 }
-/* SECURITY */
+.identity-popup-warning-gray {
-
+  -moz-padding-start: 24px;
-#identity-popup-securityView > .identity-popup-text:not(#identity-popup-content-owner) {
+  background: url(chrome://browser/skin/controlcenter/warning-gray.svg) no-repeat 0 50%;
  margin: 2px 0 4px;
 }
 .identity-popup-warning-yellow {
  -moz-padding-start: 24px;
  background: url(chrome://browser/skin/controlcenter/warning-yellow.svg) no-repeat 0 50%;
 }
 /* SECURITY */
 .identity-popup-connection-secure {
  color: #418220;
 }
@ -168,12 +184,6 @@
  color: #d74345;
 }
 #identity-popup-security-content.chromeUI {
  background-image: url(chrome://branding/content/icon48.png);
 }
 /* SECURITY SUBVIEW */
 #identity-popup-securityView {
  padding-bottom: 2em;
  overflow: hidden;
@ -184,46 +194,59 @@
  background-image: url(chrome://browser/skin/controlcenter/conn-not-secure.svg);
 }
-#identity-popup-securityView.verifiedDomain,
+#identity-popup[connection=chrome] #identity-popup-securityView,
-#identity-popup-securityView.verifiedIdentity,
+#identity-popup[connection=chrome] #identity-popup-security-content {
-#identity-popup-security-content.verifiedDomain,
+  background-image: url(chrome://branding/content/icon48.png);
-#identity-popup-security-content.verifiedIdentity {
+}
 #identity-popup[connection^=secure] #identity-popup-securityView,
 #identity-popup[connection^=secure] #identity-popup-security-content {
  background-image: url(chrome://browser/skin/controlcenter/conn-secure.svg);
 }
-#identity-popup-securityView.weakCipher,
+#identity-popup[ciphers=weak] #identity-popup-securityView,
-#identity-popup-securityView.mixedDisplayContent,
+#identity-popup[ciphers=weak] #identity-popup-security-content,
-#identity-popup-securityView.mixedDisplayContentLoadedActiveBlocked,
+#identity-popup[mixedcontent~=passive-loaded] #identity-popup-securityView,
-#identity-popup-security-content.weakCipher,
+#identity-popup[mixedcontent~=passive-loaded] #identity-popup-security-content {
 #identity-popup-security-content.mixedDisplayContent,
 #identity-popup-security-content.mixedDisplayContentLoadedActiveBlocked {
  background-image: url(chrome://browser/skin/controlcenter/conn-degraded.svg);
 }
-#identity-popup-securityView.mixedActiveContent,
+#identity-popup[mixedcontent~=active-loaded] #identity-popup-securityView,
-#identity-popup-security-content.mixedActiveContent {
+#identity-popup[mixedcontent~=active-loaded] #identity-popup-security-content {
  background-image: url(chrome://browser/skin/controlcenter/mcb-disabled.svg);
 }
 #identity-popup-security-descriptions > description {
  margin-top: 6px;
  color: Graytext;
 }
 #identity-popup-securityView-header {
  border-bottom: 1px solid var(--panel-separator-color);
  padding-bottom: 1em;
  margin-bottom: 1em;
 }
-#identity-popup-content-owner {
+#identity-popup-securityView-body {
-  font-weight: 700;
+  -moz-padding-end: 1em;
 }
-#identity-popup-content-verifier {
+#identity-popup-content-verifier ~ description {
  margin-top: 1em;
  color: Graytext;
 }
-#identity-popup-content-owner,
+description#identity-popup-content-verified-by,
-#identity-popup-securityView > #identity-popup-securityView-connection.identity-popup-text {
+description#identity-popup-content-owner,
 description#identity-popup-content-verifier,
 #identity-popup-securityView-body > button {
  margin-top: 1em;
 }
 #identity-popup-securityView-body > button {
  margin-inline-start: 0;
  margin-inline-end: 0;
 }
 /* TRACKING PROTECTION */
 #tracking-protection-content {
--- a/browser/themes/shared/controlcenter/warning-gray.svg
+++ b/browser/themes/shared/controlcenter/warning-gray.svg
@ -0,0 +1,9 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="16" height="16" viewBox="0 0 16 16">
  <path fill="#808080" d="M14.8,12.5L9.3,1.9C9,1.3,8.5,1,8,1C7.5,1,7,1.3,6.7,1.9L1.2,12.5c-0.3,0.6-0.3,1.2,0,1.7C1.5,14.7,2,15,2.6,15h10.8 c0.6,0,1.1-0.3,1.4-0.8C15.1,13.7,15.1,13.1,14.8,12.5z"/>
  <path fill="#fff" d="M8,11c-0.8,0-1.5,0.7-1.5,1.5C6.5,13.3,7.2,14,8,14 c0.8,0,1.5-0.7,1.5-1.5C9.5,11.7,8.8,11,8,11z M8,10L8,10C8.6,10,9,9.6,9,9l0.2-4.2c0-0.7-0.5-1.2-1.2-1.2S6.8,4.1,6.8,4.8L7,9 C7,9.6,7.4,10,8,10z"/>
 </svg>
--- a/browser/themes/shared/controlcenter/warning-yellow.svg
+++ b/browser/themes/shared/controlcenter/warning-yellow.svg
@ -0,0 +1,9 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="16" height="16" viewBox="0 0 16 16">
  <path fill="#ffbf00" d="M14.8,12.5L9.3,1.9C9,1.3,8.5,1,8,1C7.5,1,7,1.3,6.7,1.9L1.2,12.5c-0.3,0.6-0.3,1.2,0,1.7C1.5,14.7,2,15,2.6,15h10.8 c0.6,0,1.1-0.3,1.4-0.8C15.1,13.7,15.1,13.1,14.8,12.5z"/>
  <path fill="#fff" d="M8,11c-0.8,0-1.5,0.7-1.5,1.5C6.5,13.3,7.2,14,8,14 c0.8,0,1.5-0.7,1.5-1.5C9.5,11.7,8.8,11,8,11z M8,10L8,10C8.6,10,9,9.6,9,9l0.2-4.2c0-0.7-0.5-1.2-1.2-1.2S6.8,4.1,6.8,4.8L7,9 C7,9.6,7.4,10,8,10z"/>
 </svg>