Bug 1582499 - P3. Test insecure warning is not shown when the url of top-level and iframe are both local ip r=sfoster

Depends on D99042

Differential Revision: https://phabricator.services.mozilla.com/D99043

build/pgo/server-locations.txt

@@ -332,3 +332,7 @@ http://localhost:80                 privileged
 
 # Host for testing APIs whitelisted for mozilla.org
 https://www.mozilla.org:443
+
+# local-IP origins for password manager tests (Bug 1582499)
+http://10.0.0.0:80                 privileged
+http://192.168.0.0:80              privileged

toolkit/components/passwordmgr/test/browser/browser.ini

@@ -2,6 +2,7 @@
 support-files =
   ../formsubmit.sjs
   authenticate.sjs
+  empty.html
   form_basic.html
   form_basic_iframe.html
   form_basic_login.html
@@ -11,6 +12,7 @@ support-files =
   form_cross_origin_secure_action.html
   form_cross_origin_insecure_action.html
   form_expanded.html
+  insecure_test_subframe.html
   head.js
   multiple_forms.html
 
@@ -103,6 +105,7 @@ support-files =
 [browser_formless_submit_chrome.js]
 [browser_insecurePasswordConsoleWarning.js]
 skip-if = verify
+[browser_localip_frame.js]
 [browser_openPasswordManager.js]
 [browser_private_window.js]
 support-files =

toolkit/components/passwordmgr/test/browser/browser_localip_frame.js

@@ -0,0 +1,88 @@
+"use strict";
+
+add_task(async function setup() {
+  let login = LoginTestUtils.testData.formLogin({
+    origin: "http://10.0.0.0",
+    formActionOrigin: "https://example.org",
+    username: "username1",
+    password: "password1",
+  });
+  Services.logins.addLogin(login);
+
+  login = LoginTestUtils.testData.formLogin({
+    origin: "http://example.org",
+    formActionOrigin: "http://example.org",
+    username: "username2",
+    password: "password2",
+  });
+  Services.logins.addLogin(login);
+});
+
+add_task(async function test_warningForLocalIP() {
+  let tests = [
+    /* when the url of top-level and iframe are both ip address, do not show insecure warning */
+    {
+      top: "http://192.168.0.0",
+      iframe: "http://10.0.0.0",
+      expected: `[originaltype="loginWithOrigin"]`,
+    },
+    {
+      top: "http://192.168.0.0",
+      iframe: "http://example.org",
+      expected: `[type="insecureWarning"]`,
+    },
+    {
+      top: "http://example.com",
+      iframe: "http://10.0.0.0",
+      expected: `[type="insecureWarning"]`,
+    },
+    {
+      top: "http://example.com",
+      iframe: "http://example.org",
+      expected: `[type="insecureWarning"]`,
+    },
+  ];
+
+  for (let test of tests) {
+    let urlTop = test.top + DIRECTORY_PATH + "empty.html";
+    let urlIframe =
+      test.iframe + DIRECTORY_PATH + "insecure_test_subframe.html";
+
+    let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, urlTop);
+    let browser = tab.linkedBrowser;
+
+    await SpecialPowers.spawn(browser, [urlIframe], async url => {
+      await new content.Promise(resolve => {
+        let ifr = content.document.createElement("iframe");
+        ifr.onload = resolve;
+        ifr.src = url;
+        content.document.body.appendChild(ifr);
+      });
+    });
+
+    let popup = document.getElementById("PopupAutoComplete");
+    ok(popup, "Got popup");
+
+    let ifr = browser.browsingContext.children[0];
+    ok(ifr, "Got iframe");
+
+    let popupShown = openACPopup(
+      popup,
+      tab.linkedBrowser,
+      "#form-basic-username",
+      ifr
+    );
+    await popupShown;
+
+    let item = popup.querySelector(test.expected);
+    ok(item, "Got expected richlistitem");
+
+    await BrowserTestUtils.waitForCondition(
+      () => !item.collapsed,
+      "Wait for autocomplete to show"
+    );
+
+    await closePopup(popup);
+    BrowserTestUtils.removeTab(tab);
+  }
+});

toolkit/components/passwordmgr/test/browser/empty.html

@@ -0,0 +1,8 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Empty file</title>
+</head>
+<body>
+</body>
+</html>

toolkit/components/passwordmgr/test/browser/insecure_test_subframe.html

@@ -2,8 +2,11 @@
 <!-- Any copyright is dedicated to the Public Domain.
    - http://creativecommons.org/publicdomain/zero/1.0/ -->
 
-<form>
-  <input name="password" type="password">
+<!-- Simplest form with username and password fields. -->
+<form id="form-basic" action="https://example.org/custom_action.html">
+  <input id="form-basic-username" name="username">
+  <input id="form-basic-password" name="password" type="password">
+  <input id="form-basic-submit" type="submit">
 </form>
 
 <!-- Link to reload this page over HTTPS. -->