Merge mozilla-inbound to mozilla-central. a=merge

browser/actors/NetErrorChild.jsm

@@ -26,6 +26,8 @@ XPCOMUtils.defineLazyGetter(this, "gBrandBundle", function() {
 });
 XPCOMUtils.defineLazyPreferenceGetter(this, "newErrorPagesEnabled",
   "browser.security.newcerterrorpage.enabled");
+XPCOMUtils.defineLazyPreferenceGetter(this, "mitmErrorPageEnabled",
+  "browser.security.newcerterrorpage.mitm.enabled");
 XPCOMUtils.defineLazyGetter(this, "gNSSErrorsBundle", function() {
   return Services.strings.createBundle("chrome://pipnss/locale/nsserrors.properties");
 });
@@ -124,8 +126,18 @@ class NetErrorChild extends ActorChild {
 
     if (input.data.certIsUntrusted) {
       switch (input.data.code) {
-        // We only want to measure MitM rates for now. Treat it as unkown issuer.
         case MOZILLA_PKIX_ERROR_MITM_DETECTED:
+          if (newErrorPagesEnabled && mitmErrorPageEnabled) {
+            let brandName = gBrandBundle.GetStringFromName("brandShortName");
+            msg1 = gPipNSSBundle.GetStringFromName("certErrorMitM");
+            msg1 += "\n\n";
+            msg1 += gPipNSSBundle.formatStringFromName("certErrorMitM2", [brandName], 1);
+            msg1 += "\n\n";
+            msg1 += gPipNSSBundle.formatStringFromName("certErrorMitM3", [brandName], 1);
+            msg1 += "\n";
+            break;
+          }
+          // If the condition is false, fall through...
         case SEC_ERROR_UNKNOWN_ISSUER:
           let brandName = gBrandBundle.GetStringFromName("brandShortName");
           if (newErrorPagesEnabled) {
@@ -410,6 +422,39 @@ class NetErrorChild extends ActorChild {
         updateContainerPosition();
         break;
       case MOZILLA_PKIX_ERROR_MITM_DETECTED:
+        if (newErrorPagesEnabled && mitmErrorPageEnabled) {
+          // We don't actually know what the MitM is called (since we don't
+          // maintain a list), so we'll try and display the common name of the
+          // root issuer to the user. In the worst case they are as clueless as
+          // before, in the best case this gives them an actionable hint.
+          // This may be revised in the future.
+          let {securityInfo} = docShell.failedChannel;
+          securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
+          let mitmName = null;
+          for (let cert of securityInfo.failedCertChain.getEnumerator()) {
+            mitmName = cert.issuerCommonName;
+          }
+          for (let span of doc.querySelectorAll(".mitm-name")) {
+            span.textContent = mitmName;
+          }
+
+          learnMoreLink.href = baseURL + "security-error";
+
+          let title = doc.getElementById("et_mitm");
+          let desc = doc.getElementById("ed_mitm");
+          doc.querySelector(".title-text").textContent = title.textContent;
+          // eslint-disable-next-line no-unsanitized/property
+          doc.getElementById("errorShortDescText").innerHTML = desc.innerHTML;
+
+          // eslint-disable-next-line no-unsanitized/property
+          es.innerHTML = errWhatToDo.innerHTML;
+          // eslint-disable-next-line no-unsanitized/property
+          est.innerHTML = errWhatToDoTitle.innerHTML;
+
+          updateContainerPosition();
+          break;
+        }
+        // If the condition is false, fall through...
       case MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
         learnMoreLink.href = baseURL + "security-error";
         break;

browser/app/profile/firefox.js

@@ -956,8 +956,10 @@ pref("security.alternate_certificate_error_page", "certerror");
 // Enable the new certificate error pages.
 #ifdef EARLY_BETA_OR_EARLIER
 pref("browser.security.newcerterrorpage.enabled", true);
+pref("browser.security.newcerterrorpage.mitm.enabled", true);
 #else
 pref("browser.security.newcerterrorpage.enabled", false);
+pref("browser.security.newcerterrorpage.mitm.enabled", false);
 #endif
 
 pref("security.certerrors.recordEventTelemetry", true);

browser/base/content/aboutNetError-new.xhtml

@@ -68,6 +68,7 @@
         <h1 id="et_sslv3Used">&sslv3Used.title;</h1>
         <h1 id="et_inadequateSecurityError">&inadequateSecurityError.title;</h1>
         <h1 id="et_blockedByPolicy">&blockedByPolicy.title;</h1>
+        <h1 id="et_mitm">&certerror.mitm.title;</h1>
         <h1 id="et_clockSkewError">&clockSkewError.title;</h1>
         <h1 id="et_networkProtocolError">&networkProtocolError.title;</h1>
       </div>
@@ -96,6 +97,7 @@
         <div id="ed_nssBadCert">&certerror.introPara2;</div>
         <div id="ed_nssBadCert_sts">&certerror.sts.introPara;</div>
         <div id="ed_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.introPara;</div>
+        <div id="ed_mitm">&certerror.mitm.longDesc;</div>
         <div id="ed_cspBlocked">&cspBlocked.longDesc;</div>
         <div id="ed_remoteXUL">&remoteXUL.longDesc;</div>
         <div id="ed_corruptedContentErrorv2">&corruptedContentErrorv2.longDesc;</div>
@@ -119,11 +121,19 @@
         <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
         <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
         <div id="es_nssBadCert_SSL_ERROR_BAD_CERT_DOMAIN">&certerror.badCertDomain.whatCanYouDoAboutIt;</div>
+        <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_MITM_DETECTED">
+          <ul>
+            <li>&certerror.mitm.whatCanYouDoAboutIt1;</li>
+            <li>&certerror.mitm.whatCanYouDoAboutIt2;</li>
+            <li id="mitmWhatCanYouDoAboutIt3">&certerror.mitm.whatCanYouDoAboutIt3;</li>
+          </ul>
+        </div>
       </div>
       <!-- Stores an alternative text for when we don't want to add "Recommended" to the
            return button. This is one of many l10n atrocities in this file and should be
            removed when we finally switch to Fluent. -->
       <span id="stsReturnButtonText">&returnToPreviousPage.label;</span>
+      <span id="stsMitmWhatCanYouDoAboutIt3">&certerror.mitm.sts.whatCanYouDoAboutIt3;</span>
     </div>
 
     <!-- PAGE CONTAINER (for styling purposes only) -->

browser/base/content/aboutNetError.js

@@ -134,6 +134,11 @@ function disallowCertOverridesIfNeeded() {
       let stsReturnButtonText = document.getElementById("stsReturnButtonText").textContent;
       document.getElementById("returnButton").textContent = stsReturnButtonText;
       document.getElementById("advancedPanelReturnButton").textContent = stsReturnButtonText;
+
+      let stsMitmWhatCanYouDoAboutIt3 =
+        document.getElementById("stsMitmWhatCanYouDoAboutIt3").innerHTML;
+      // eslint-disable-next-line no-unsanitized/property
+      document.getElementById("mitmWhatCanYouDoAboutIt3").innerHTML = stsMitmWhatCanYouDoAboutIt3;
     }
   }
 }

browser/base/content/test/static/browser_misused_characters_in_strings.js

@@ -48,6 +48,18 @@ let gWhitelist = [{
     file: "netError.dtd",
     key: "clockSkewError.longDesc",
     type: "single-quote",
+  }, {
+    file: "netError.dtd",
+    key: "certerror.mitm.longDesc",
+    type: "single-quote",
+  }, {
+    file: "netError.dtd",
+    key: "certerror.mitm.whatCanYouDoAboutIt3",
+    type: "single-quote",
+  }, {
+    file: "netError.dtd",
+    key: "certerror.mitm.sts.whatCanYouDoAboutIt3",
+    type: "single-quote",
   }, {
     file: "phishing-afterload-warning-message.dtd",
     key: "safeb.palm.advisory.desc2",

browser/locales/en-US/chrome/overrides/netError.dtd

@@ -234,6 +234,13 @@ certificate.">
 
 <!ENTITY blockedByPolicy.title "Blocked Page">
 
+<!ENTITY certerror.mitm.title "Software is Preventing &brandShortName; From Safely Connecting to This Site">
+<!ENTITY certerror.mitm.longDesc "<span class='hostname'></span> is most likely a safe site, but a secure connection could not be established. This issue is caused by <span class='mitm-name'/>, which is either software on your computer or your network.">
+<!ENTITY certerror.mitm.whatCanYouDoAboutIt1 "If your antivirus software includes a feature that scans encrypted connections (often called “web scanning” or “https scanning”), you can disable that feature. If that doesn’t work, you can remove and reinstall the antivirus software.">
+<!ENTITY certerror.mitm.whatCanYouDoAboutIt2 "If you are on a corporate network, you can contact your IT department.">
+<!ENTITY certerror.mitm.whatCanYouDoAboutIt3 "If you are not familiar with <span class='mitm-name'/>, then this could be an attack and you should not continue to the site.">
+<!ENTITY certerror.mitm.sts.whatCanYouDoAboutIt3 "If you are not familiar with <span class='mitm-name'/>, then this could be an attack, and there is nothing you can do to access the site.">
+
 <!ENTITY clockSkewError.title "Your Computer Clock is Wrong">
 <!ENTITY clockSkewError.longDesc "Your computer thinks it is <span id='wrongSystemTime_systemDate1'/>, which prevents &brandShortName; from connecting securely. To visit <span class='hostname'></span>, update your computer clock in your system settings to the current date, time, and time zone, and then refresh <span class='hostname'></span>.">
 

browser/themes/shared/aboutNetError-new.css

@@ -145,7 +145,8 @@ body:not(:-moz-any(.clockSkewError,.badStsCert,.neterror)) #advancedButton {
   margin-top: 1em;
 }
 
-span#hostname {
+.mitm-name,
+#hostname {
   font-weight: bold;
 }
 

devtools/client/debugger/new/src/components/App.js

@@ -269,6 +269,7 @@ class App extends Component<Props, State> {
         vert={horizontal}
         onResizeEnd={num => {
           prefs.endPanelSize = num;
+          this.triggerEditorPaneResize();
         }}
         startPanel={
           <SplitBox
@@ -293,7 +294,6 @@ class App extends Component<Props, State> {
           />
         }
         endPanelCollapsed={endPanelCollapsed}
-        onResizeEnd={this.triggerEditorPaneResize}
       />
     );
   };

layout/reftests/svg/reftest.list

@@ -325,7 +325,7 @@ fuzzy-if(/^Windows\x20NT\x2010\.0/.test(http.oscpu)||skiaContent,0-1,0-10000) ==
 
 fuzzy-if(Android,0-8,0-200) == outer-svg-border-and-padding-01.svg outer-svg-border-and-padding-01-ref.svg
 
-fuzzy(0-16,0-193) fuzzy-if(skiaContent,0-7,0-175) fuzzy-if(webrender,54-54,124-124) == outline.html outline-ref.html # Bug 1392106, Bug 1503525
+fuzzy(0-16,0-193) fuzzy-if(skiaContent,0-7,0-193) fuzzy-if(webrender,54-54,124-124) == outline.html outline-ref.html # Bug 1392106, Bug 1503525
 
 == overflow-on-outer-svg-01.svg overflow-on-outer-svg-01-ref.svg
 == overflow-on-outer-svg-02a.xhtml overflow-on-outer-svg-02-ref.xhtml

layout/reftests/w3c-css/submitted/contain/contain-layout-suppress-baseline-002.html

@@ -6,7 +6,7 @@
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
   <link rel="help" href="https://drafts.csswg.org/css-contain/#containment-layout">
   <link rel="help" href="https://drafts.csswg.org/css-flexbox-1/#valdef-align-items-baseline">
-  <link rel="match" href="contain-layout-suppress-baseline-001-ref.html">
+  <link rel="match" href="contain-layout-suppress-baseline-002-ref.html">
   <style>
   .flexBaselineCheck {
     display: flex;

modules/libpref/init/StaticPrefList.h

@@ -709,7 +709,7 @@ VARCACHE_PREF(
 )
 
 // Are -moz-prefixed gradient functions enabled?
-#ifdef EARLY_BETA_OR_EARLIER
+#ifdef NIGHTLY_BUILD
 # define PREF_VALUE false
 #else
 # define PREF_VALUE true

security/manager/locales/en-US/chrome/pipnss/pipnss.properties

@@ -291,6 +291,12 @@ certErrorExpiredNow2=Websites prove their identity via certificates, which are v
 certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
 certErrorNotYetValidNow2=Websites prove their identity via certificates, which are valid for a set time period. The certificate for %S appears to be not yet valid.
 
+certErrorMitM=Websites prove their identity via certificates, which are issued by certificate authorities.
+# LOCALIZATION NOTE (certErrorMitM2): %S is brandShortName
+certErrorMitM2=%S is backed by the non-profit Mozilla, which administers a completely open certificate authority (CA) store. The CA store helps ensure that certificate authorities are following best practices for user security.
+# LOCALIZATION NOTE (certErrorMitM3): %S is brandShortName
+certErrorMitM3=%S uses the Mozilla CA store to verify that a connection is secure, rather than certificates supplied by the user’s operating system. So, if an antivirus program or a network is intercepting a connection with a security certificate issued by a CA that is not in the Mozilla CA store, the connection is considered unsafe.
+
 # LOCALIZATION NOTE (certErrorSymantecDistrustDescription1): %S will be replaced by the domain for which the certificate is valid.
 certErrorSymantecDistrustDescription1=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign. %S uses a certificate from one of these authorities and so the website’s identity cannot be proven.
 certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem.

taskcluster/docs/actions.rst

@@ -63,14 +63,19 @@ To create a new callback action you must create a file
 The arguments are:
 ``parameters``
   an instance of ``taskgraph.parameters.Parameters``, carrying decision task parameters from the original decision task.
+
 ``graph_config``
   an instance of ``taskgraph.config.GraphConfig``, carrying configuration for this tree
+
 ``input``
   the input from the user triggering the action (if any)
+
 ``task_group_id``
   the target task group on which this action should operate
+
 ``task_id``
   the target task on which this action should operate (or None if it is operating on the whole group)
+
 ``task``
   the definition of the target task (or None, as for ``task_id``)
 

taskcluster/docs/attributes.rst

@@ -42,7 +42,7 @@ run_on_hg_branches
 
 On a given project, the mercurial branch where this task should be in the target
 task set.  This is how requirements like "only run this RELBRANCH" get implemented.
-These are either the regular expression of a branch (e.g.: "GECKOVIEW_\d+_RELBRANCH")
+These are either the regular expression of a branch (e.g.: ``GECKOVIEW_\d+_RELBRANCH``)
 or the following alias:
 
  * `all` -- everywhere (the default)

taskcluster/docs/kinds.rst

@@ -288,7 +288,7 @@ release-notify-promote
 Notify when a release has been promoted.
 
 release-notify-started
--------------------
+----------------------
 Notify when a release has been started.
 
 release-bouncer-sub

testing/mozharness/mozharness/mozilla/building/buildbase.py

@@ -149,7 +149,8 @@ class CheckTestCompleteParser(OutputParser):
                                                 levels=TBPL_WORST_LEVEL_TUPLE)
 
         # Account for the possibility that no test summary was output.
-        if self.pass_count == 0 and self.fail_count == 0:
+        if (self.pass_count == 0 and self.fail_count == 0 and
+           os.environ.get('TRY_SELECTOR') != 'coverage'):
             self.error('No tests run or test summary not found')
             self.tbpl_status = self.worst_level(TBPL_WARNING, self.tbpl_status,
                                                 levels=TBPL_WORST_LEVEL_TUPLE)

testing/mozharness/mozharness/mozilla/testing/unittest.py

@@ -6,6 +6,7 @@
 # ***** END LICENSE BLOCK *****
 
 import re
+import os
 
 from mozharness.mozilla.testing.errors import TinderBoxPrintRe
 from mozharness.base.log import OutputParser, WARNING, INFO, CRITICAL, ERROR
@@ -202,8 +203,9 @@ class DesktopUnittestOutputParser(OutputParser):
                                                 levels=TBPL_WORST_LEVEL_TUPLE)
 
         # Account for the possibility that no test summary was output.
-        if self.pass_count <= 0 and self.fail_count <= 0 and \
-                (self.known_fail_count is None or self.known_fail_count <= 0):
+        if (self.pass_count <= 0 and self.fail_count <= 0 and
+           (self.known_fail_count is None or self.known_fail_count <= 0) and
+           os.environ.get('TRY_SELECTOR') != 'coverage'):
             self.error('No tests run or test summary not found')
             self.worst_log_level = self.worst_level(WARNING,
                                                     self.worst_log_level)

testing/xpcshell/runxpcshelltests.py

@@ -1620,7 +1620,7 @@ class XPCShellTests(object):
                 self.log.error(t)
             raise exceptions[0]
 
-        if self.testCount == 0:
+        if self.testCount == 0 and os.environ.get('TRY_SELECTOR') != 'coverage':
             self.log.error("No tests run. Did you pass an invalid --test-path?")
             self.failCount = 1
 

tools/tryselect/push.py

@@ -90,6 +90,9 @@ def push_to_try(method, msg, labels=None, templates=None, try_task_config=None,
     commit_message = ('%s%s\n\nPushed via `mach try %s`' %
                       (msg, closed_tree_string, method))
 
+    if templates is not None:
+        templates.setdefault('env', {}).update({'TRY_SELECTOR': method})
+
     if labels or labels == []:
         try_task_config = {
             'version': 1,

tools/tryselect/test/test_again.py

@@ -39,7 +39,10 @@ def test_try_again(monkeypatch):
 
     try_task_config = kwargs.pop('try_task_config')
     assert sorted(try_task_config.get('tasks')) == sorted(['foo', 'bar'])
-    assert try_task_config.get('templates') == {'artifact': True}
+    assert try_task_config.get('templates') == {
+        'artifact': True,
+        'env': {'TRY_SELECTOR': 'fuzzy'},
+    }
 
     with open(push.history_path, 'r') as fh:
         assert len(fh.readlines()) == 1

widget/nsBaseWidget.cpp

@@ -3117,7 +3117,8 @@ static PrefPair debug_PrefValues[] = {
     {"nglayout.debug.invalidate_dumping", false},
     {"nglayout.debug.motion_event_dumping", false},
     {"nglayout.debug.paint_dumping", false},
-    {"nglayout.debug.paint_flashing", false}};
+    {"nglayout.debug.paint_flashing", false},
+    {"nglayout.debug.paint_flashing_chrome", false}};
 
 //////////////////////////////////////////////////////////////
 bool nsBaseWidget::debug_GetCachedBoolPref(const char* aPrefName) {