Bug 1838183: Include HTTPS-First in current HTTPS-Only exemption options on site identity pane r=freddyb,fluent-reviewers

Depends on D182322 Differential Revision: https://phabricator.services.mozilla.com/D181356
2023-07-11 11:07:24 +00:00 · 2023-07-11 11:07:24 +00:00 · a7c59a9b78
--- a/browser/base/content/browser-siteIdentity.js
+++ b/browser/base/content/browser-siteIdentity.js
@ -122,6 +122,13 @@ var gIdentityHandler = {
    );
  },

+  get _isContentHttpsFirstModeUpgraded() {
+    return (
+      this._state &
+      Ci.nsIWebProgressListener.STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST
+    );
+  },
+
  get _isCertUserOverridden() {
    return this._state & Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN;
  },
@ -346,6 +353,38 @@ var gIdentityHandler = {
    );
    return this._httpsOnlyModeEnabledPBM;
  },
+  get _httpsFirstModeEnabled() {
+    delete this._httpsFirstModeEnabled;
+    XPCOMUtils.defineLazyPreferenceGetter(
+      this,
+      "_httpsFirstModeEnabled",
+      "dom.security.https_first"
+    );
+    return this._httpsFirstModeEnabled;
+  },
+  get _httpsFirstModeEnabledPBM() {
+    delete this._httpsFirstModeEnabledPBM;
+    XPCOMUtils.defineLazyPreferenceGetter(
+      this,
+      "_httpsFirstModeEnabledPBM",
+      "dom.security.https_first_pbm"
+    );
+    return this._httpsFirstModeEnabledPBM;
+  },
+
+  _isHttpsOnlyModeActive(isWindowPrivate) {
+    return (
+      this._httpsOnlyModeEnabled ||
+      (isWindowPrivate && this._httpsOnlyModeEnabledPBM)
+    );
+  },
+  _isHttpsFirstModeActive(isWindowPrivate) {
+    return (
+      !this._isHttpsOnlyModeActive(isWindowPrivate) &&
+      (this._httpsFirstModeEnabled ||
+        (isWindowPrivate && this._httpsFirstModeEnabledPBM))
+    );
+  },

  /**
   * Handles clicks on the "Clear Cookies and Site Data" button.
@ -990,11 +1029,14 @@ var gIdentityHandler = {

    // If HTTPS-Only Mode is enabled, check the permission status
    const privateBrowsingWindow = PrivateBrowsingUtils.isWindowPrivate(window);
+    const isHttpsOnlyModeActive = this._isHttpsOnlyModeActive(
+      privateBrowsingWindow
+    );
+    const isHttpsFirstModeActive = this._isHttpsFirstModeActive(
+      privateBrowsingWindow
+    );
    let httpsOnlyStatus = "";
-    if (
-      this._httpsOnlyModeEnabled ||
-      (privateBrowsingWindow && this._httpsOnlyModeEnabledPBM)
-    ) {
+    if (isHttpsFirstModeActive || isHttpsOnlyModeActive) {
      // Note: value and permission association is laid out
      //       in _getHttpsOnlyPermission
      let value = this._getHttpsOnlyPermission();
@ -1014,11 +1056,17 @@ var gIdentityHandler = {

      if (value > 0) {
        httpsOnlyStatus = "exception";
-      } else if (this._isAboutHttpsOnlyErrorPage) {
+      } else if (
+        this._isAboutHttpsOnlyErrorPage ||
+        (isHttpsFirstModeActive && this._isContentHttpsOnlyModeUpgradeFailed)
+      ) {
        httpsOnlyStatus = "failed-top";
      } else if (this._isContentHttpsOnlyModeUpgradeFailed) {
        httpsOnlyStatus = "failed-sub";
-      } else if (this._isContentHttpsOnlyModeUpgraded) {
+      } else if (
+        this._isContentHttpsOnlyModeUpgraded ||
+        this._isContentHttpsFirstModeUpgraded
+      ) {
        httpsOnlyStatus = "upgraded";
      }
    }
--- a/browser/base/content/test/siteIdentity/browser_identityPopup_HttpsOnlyMode.js
+++ b/browser/base/content/test/siteIdentity/browser_identityPopup_HttpsOnlyMode.js
@ -20,10 +20,10 @@ add_task(async function () {
  });

  // Site gets upgraded to HTTPS, so the UI should be visible.
-  // Disabling HTTPS-Only Mode through the menulist should reload the page and
+  // Adding a HTTPS-Only exemption through the menulist should reload the page and
  // set the permission accordingly.
  await runTest({
-    name: "Disable HTTPS-Only",
+    name: "Add HTTPS-Only exemption",
    initialScheme: "http",
    initialPermission: 0,
    permissionScheme: "https",
@ -34,10 +34,10 @@ add_task(async function () {
  });

  // HTTPS-Only Mode is disabled for this site, so the UI should be visible.
-  // Disabling HTTPS-Only Mode through the menulist should not reload the page
+  // Switching HTTPS-Only exemption modes through the menulist should not reload the page
  // but set the permission accordingly.
  await runTest({
-    name: "Switch between off states",
+    name: "Switch between HTTPS-Only exemption modes",
    initialScheme: "http",
    initialPermission: 1,
    permissionScheme: "http",
@ -48,10 +48,66 @@ add_task(async function () {
  });

  // HTTPS-Only Mode is disabled for this site, so the UI should be visible.
-  // Enabling HTTPS-Only Mode through the menulist should reload and upgrade the
+  // Disabling HTTPS-Only exemptions through the menulist should reload and upgrade the
  // page and set the permission accordingly.
  await runTest({
-    name: "Enable HTTPS-Only again",
+    name: "Remove HTTPS-Only exemption again",
+    initialScheme: "http",
+    initialPermission: 2,
+    permissionScheme: "http",
+    isUiVisible: true,
+    selectPermission: 0,
+    expectReload: true,
+    finalScheme: "https",
+  });
+
+  await SpecialPowers.flushPrefEnv();
+  await SpecialPowers.pushPrefEnv({
+    set: [["dom.security.https_first", true]],
+  });
+
+  // Site is already HTTPS, so the UI should not be visible.
+  await runTest({
+    name: "No HTTPS-Only UI",
+    initialScheme: "https",
+    initialPermission: 0,
+    permissionScheme: "https",
+    isUiVisible: false,
+  });
+
+  // Site gets upgraded to HTTPS, so the UI should be visible.
+  // Adding a HTTPS-Only exemption through the menulist should reload the page and
+  // set the permission accordingly.
+  await runTest({
+    name: "Add HTTPS-Only exemption",
+    initialScheme: "http",
+    initialPermission: 0,
+    permissionScheme: "https",
+    isUiVisible: true,
+    selectPermission: 1,
+    expectReload: true,
+    finalScheme: "https",
+  });
+
+  // HTTPS-First Mode is disabled for this site, so the UI should be visible.
+  // Switching HTTPS-Only exemption modes through the menulist should not reload the page
+  // but set the permission accordingly.
+  await runTest({
+    name: "Switch between HTTPS-Only exemption modes",
+    initialScheme: "http",
+    initialPermission: 1,
+    permissionScheme: "http",
+    isUiVisible: true,
+    selectPermission: 2,
+    expectReload: false,
+    finalScheme: "http",
+  });
+
+  // HTTPS-First Mode is disabled for this site, so the UI should be visible.
+  // Disabling HTTPS-Only exemptions through the menulist should reload and upgrade the
+  // page and set the permission accordingly.
+  await runTest({
+    name: "Remove HTTPS-Only exemption again",
    initialScheme: "http",
    initialPermission: 2,
    permissionScheme: "http",
--- a/browser/components/controlcenter/content/identityPanel.inc.xhtml
+++ b/browser/components/controlcenter/content/identityPanel.inc.xhtml
@ -63,7 +63,7 @@
            </vbox>

            <vbox id="identity-popup-security-httpsonlymode" when-httpsonlystatus="exception upgraded failed-top failed-sub">
-              <label flex="1" data-l10n-id="identity-https-only-label"></label>
+              <label flex="1" data-l10n-id="identity-https-only-label2"></label>
              <menulist id="identity-popup-security-httpsonlymode-menulist"
                        oncommand="gIdentityHandler.changeHttpsOnlyPermission();" sizetopopup="none">
                <menupopup>
@ -74,9 +74,9 @@
                </menupopup>
              </menulist>
              <vbox id="identity-popup-security-httpsonlymode-info">
-                <description when-httpsonlystatus="exception" flex="1" data-l10n-id="identity-https-only-info-turn-on2">
+                <description when-httpsonlystatus="exception" flex="1" data-l10n-id="identity-https-only-info-turn-on3">
                </description>
-                <description when-httpsonlystatus="failed-sub" flex="1" data-l10n-id="identity-https-only-info-turn-off2">
+                <description when-httpsonlystatus="failed-sub" flex="1" data-l10n-id="identity-https-only-info-turn-off3">
                </description>
                <description when-httpsonlystatus="failed-top" flex="1" data-l10n-id="identity-https-only-info-no-upgrade">
                </description>
--- a/browser/locales/en-US/browser/browser.ftl
+++ b/browser/locales/en-US/browser/browser.ftl
@ -386,15 +386,15 @@ identity-weak-encryption = This page uses weak encryption.
 identity-insecure-login-forms = Logins entered on this page could be compromised.

 identity-https-only-connection-upgraded = (upgraded to HTTPS)
-identity-https-only-label = HTTPS-Only Mode
+identity-https-only-label2 = Automatically upgrade this site to a secure connection
 identity-https-only-dropdown-on =
    .label = On
 identity-https-only-dropdown-off =
    .label = Off
 identity-https-only-dropdown-off-temporarily =
    .label = Off temporarily
-identity-https-only-info-turn-on2 = Turn on HTTPS-Only Mode for this site if you want { -brand-short-name } to upgrade the connection when possible.
-identity-https-only-info-turn-off2 = If the page seems broken, you may want to turn off HTTPS-Only Mode for this site to reload using insecure HTTP.
+identity-https-only-info-turn-on3 = Turn on HTTPS upgrades for this site if you want { -brand-short-name } to upgrade the connection when possible.
+identity-https-only-info-turn-off3 = If the page seems broken, you may want to turn off HTTPS upgrades for this site to reload using insecure HTTP.
 identity-https-only-info-no-upgrade = Unable to upgrade connection from HTTP.

 identity-permissions-storage-access-header = Cross-site cookies
--- a/browser/themes/shared/controlcenter/panel.css
+++ b/browser/themes/shared/controlcenter/panel.css
@ -55,7 +55,7 @@
 #identity-popup[mixedcontent~=active-blocked]:not([mixedcontent~=passive-loaded]) [when-mixedcontent=active-blocked],
 /* Show the right elements when there is mixed passive content loaded and active blocked. */
 #identity-popup[mixedcontent~=active-blocked][mixedcontent~=passive-loaded] [when-mixedcontent~=active-blocked][when-mixedcontent~=passive-loaded],
-/* HTTPS-Only Mode */
+/* HTTPS-Only and HTTPS-First Mode */
 #identity-popup[httpsonlystatus=exception] [when-httpsonlystatus~=exception],
 #identity-popup[httpsonlystatus=upgraded] [when-httpsonlystatus~=upgraded],
 #identity-popup[httpsonlystatus=failed-top] [when-httpsonlystatus~=failed-top],
--- a/docshell/base/WindowContext.cpp
+++ b/docshell/base/WindowContext.cpp
@ -18,6 +18,7 @@
 #include "mozilla/ClearOnShutdown.h"
 #include "nsGlobalWindowInner.h"
 #include "nsIScriptError.h"
+#include "nsIWebProgressListener.h"
 #include "nsIXULRuntime.h"
 #include "nsRefPtrHashtable.h"
 #include "nsContentUtils.h"
@ -456,7 +457,8 @@ void WindowContext::AddSecurityState(uint32_t aStateFlags) {
               nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT |
               nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT |
               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED |
-               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED)) ==
+               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED |
+               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST)) ==
                 aStateFlags,
             "Invalid flags specified!");

--- a/dom/ipc/WindowGlobalParent.cpp
+++ b/dom/ipc/WindowGlobalParent.cpp
@ -54,6 +54,7 @@
 #include "nsITransportSecurityInfo.h"
 #include "nsISharePicker.h"
 #include "nsIURIMutator.h"
+#include "nsIWebProgressListener.h"

 #include "mozilla/dom/DOMException.h"
 #include "mozilla/dom/DOMExceptionBinding.h"
@ -1531,7 +1532,8 @@ void WindowGlobalParent::AddSecurityState(uint32_t aStateFlags) {
               nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT |
               nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT |
               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED |
-               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED)) ==
+               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED |
+               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST)) ==
                 aStateFlags,
             "Invalid flags specified!");

--- a/dom/security/nsHTTPSOnlyStreamListener.cpp
+++ b/dom/security/nsHTTPSOnlyStreamListener.cpp
@ -16,6 +16,7 @@
 #include "nsIRequest.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsIURI.h"
+#include "nsIWebProgressListener.h"
 #include "nsPrintfCString.h"
 #include "secerr.h"
 #include "sslerr.h"
--- a/security/manager/ssl/nsSecureBrowserUI.cpp
+++ b/security/manager/ssl/nsSecureBrowserUI.cpp
@ -96,6 +96,13 @@ void nsSecureBrowserUI::RecomputeSecurityFlags() {
        !(httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_EXEMPT)) {
      mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED;
    }
+    if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST) {
+      if (win->GetDocumentURI()->SchemeIs("https")) {
+        mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST;
+      } else {
+        mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED;
+      }
+    }
    // Add the secruity flags from the window
    mState |= win->GetSecurityFlags();
  }
--- a/uriloader/base/nsIWebProgressListener.idl
+++ b/uriloader/base/nsIWebProgressListener.idl
@ -369,16 +369,20 @@ interface nsIWebProgressListener : nsISupports
  const unsigned long STATE_LOADED_EMAILTRACKING_LEVEL_2_CONTENT = 0x00000100;

  /**
-   * Flag for HTTPS-Only Mode upgrades
+   * Flags for HTTPS-Only and HTTPS-First Mode upgrades
   *
   * STATE_HTTPS_ONLY_MODE_UPGRADED
   *   When a request has been upgraded by HTTPS-Only Mode
   *
   * STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED
   *   When an upgraded request failed.
+   *
+   * STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST
+   *   When a request has been upgraded by HTTPS-First Mode
   */
  const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADED        = 0x00400000;
  const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED  = 0x00800000;
+  const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST  = 0x08000000;

  /**
   * Notification indicating the state has changed for one of the requests