Bug 1838183: Include HTTPS-First in current HTTPS-Only exemption options on site identity pane r=freddyb,fluent-reviewers

Depends on D182322

Differential Revision: https://phabricator.services.mozilla.com/D181356

browser/base/content/browser-siteIdentity.js

@@ -122,6 +122,13 @@ var gIdentityHandler = {
     );
   },
 
+  get _isContentHttpsFirstModeUpgraded() {
+    return (
+      this._state &
+      Ci.nsIWebProgressListener.STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST
+    );
+  },
+
   get _isCertUserOverridden() {
     return this._state & Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN;
   },
@@ -346,6 +353,38 @@ var gIdentityHandler = {
     );
     return this._httpsOnlyModeEnabledPBM;
   },
+  get _httpsFirstModeEnabled() {
+    delete this._httpsFirstModeEnabled;
+    XPCOMUtils.defineLazyPreferenceGetter(
+      this,
+      "_httpsFirstModeEnabled",
+      "dom.security.https_first"
+    );
+    return this._httpsFirstModeEnabled;
+  },
+  get _httpsFirstModeEnabledPBM() {
+    delete this._httpsFirstModeEnabledPBM;
+    XPCOMUtils.defineLazyPreferenceGetter(
+      this,
+      "_httpsFirstModeEnabledPBM",
+      "dom.security.https_first_pbm"
+    );
+    return this._httpsFirstModeEnabledPBM;
+  },
+
+  _isHttpsOnlyModeActive(isWindowPrivate) {
+    return (
+      this._httpsOnlyModeEnabled ||
+      (isWindowPrivate && this._httpsOnlyModeEnabledPBM)
+    );
+  },
+  _isHttpsFirstModeActive(isWindowPrivate) {
+    return (
+      !this._isHttpsOnlyModeActive(isWindowPrivate) &&
+      (this._httpsFirstModeEnabled ||
+        (isWindowPrivate && this._httpsFirstModeEnabledPBM))
+    );
+  },
 
   /**
    * Handles clicks on the "Clear Cookies and Site Data" button.
@@ -990,11 +1029,14 @@ var gIdentityHandler = {
 
     // If HTTPS-Only Mode is enabled, check the permission status
     const privateBrowsingWindow = PrivateBrowsingUtils.isWindowPrivate(window);
+    const isHttpsOnlyModeActive = this._isHttpsOnlyModeActive(
+      privateBrowsingWindow
+    );
+    const isHttpsFirstModeActive = this._isHttpsFirstModeActive(
+      privateBrowsingWindow
+    );
     let httpsOnlyStatus = "";
-    if (
+    if (isHttpsFirstModeActive || isHttpsOnlyModeActive) {
-      this._httpsOnlyModeEnabled ||
-      (privateBrowsingWindow && this._httpsOnlyModeEnabledPBM)
-    ) {
       // Note: value and permission association is laid out
       //       in _getHttpsOnlyPermission
       let value = this._getHttpsOnlyPermission();
@@ -1014,11 +1056,17 @@ var gIdentityHandler = {
 
       if (value > 0) {
         httpsOnlyStatus = "exception";
-      } else if (this._isAboutHttpsOnlyErrorPage) {
+      } else if (
+        this._isAboutHttpsOnlyErrorPage ||
+        (isHttpsFirstModeActive && this._isContentHttpsOnlyModeUpgradeFailed)
+      ) {
         httpsOnlyStatus = "failed-top";
       } else if (this._isContentHttpsOnlyModeUpgradeFailed) {
         httpsOnlyStatus = "failed-sub";
-      } else if (this._isContentHttpsOnlyModeUpgraded) {
+      } else if (
+        this._isContentHttpsOnlyModeUpgraded ||
+        this._isContentHttpsFirstModeUpgraded
+      ) {
         httpsOnlyStatus = "upgraded";
       }
     }

browser/base/content/test/siteIdentity/browser_identityPopup_HttpsOnlyMode.js

@@ -20,10 +20,10 @@ add_task(async function () {
   });
 
   // Site gets upgraded to HTTPS, so the UI should be visible.
-  // Disabling HTTPS-Only Mode through the menulist should reload the page and
+  // Adding a HTTPS-Only exemption through the menulist should reload the page and
   // set the permission accordingly.
   await runTest({
-    name: "Disable HTTPS-Only",
+    name: "Add HTTPS-Only exemption",
     initialScheme: "http",
     initialPermission: 0,
     permissionScheme: "https",
@@ -34,10 +34,10 @@ add_task(async function () {
   });
 
   // HTTPS-Only Mode is disabled for this site, so the UI should be visible.
-  // Disabling HTTPS-Only Mode through the menulist should not reload the page
+  // Switching HTTPS-Only exemption modes through the menulist should not reload the page
   // but set the permission accordingly.
   await runTest({
-    name: "Switch between off states",
+    name: "Switch between HTTPS-Only exemption modes",
     initialScheme: "http",
     initialPermission: 1,
     permissionScheme: "http",
@@ -48,10 +48,66 @@ add_task(async function () {
   });
 
   // HTTPS-Only Mode is disabled for this site, so the UI should be visible.
-  // Enabling HTTPS-Only Mode through the menulist should reload and upgrade the
+  // Disabling HTTPS-Only exemptions through the menulist should reload and upgrade the
   // page and set the permission accordingly.
   await runTest({
-    name: "Enable HTTPS-Only again",
+    name: "Remove HTTPS-Only exemption again",
+    initialScheme: "http",
+    initialPermission: 2,
+    permissionScheme: "http",
+    isUiVisible: true,
+    selectPermission: 0,
+    expectReload: true,
+    finalScheme: "https",
+  });
+
+  await SpecialPowers.flushPrefEnv();
+  await SpecialPowers.pushPrefEnv({
+    set: [["dom.security.https_first", true]],
+  });
+
+  // Site is already HTTPS, so the UI should not be visible.
+  await runTest({
+    name: "No HTTPS-Only UI",
+    initialScheme: "https",
+    initialPermission: 0,
+    permissionScheme: "https",
+    isUiVisible: false,
+  });
+
+  // Site gets upgraded to HTTPS, so the UI should be visible.
+  // Adding a HTTPS-Only exemption through the menulist should reload the page and
+  // set the permission accordingly.
+  await runTest({
+    name: "Add HTTPS-Only exemption",
+    initialScheme: "http",
+    initialPermission: 0,
+    permissionScheme: "https",
+    isUiVisible: true,
+    selectPermission: 1,
+    expectReload: true,
+    finalScheme: "https",
+  });
+
+  // HTTPS-First Mode is disabled for this site, so the UI should be visible.
+  // Switching HTTPS-Only exemption modes through the menulist should not reload the page
+  // but set the permission accordingly.
+  await runTest({
+    name: "Switch between HTTPS-Only exemption modes",
+    initialScheme: "http",
+    initialPermission: 1,
+    permissionScheme: "http",
+    isUiVisible: true,
+    selectPermission: 2,
+    expectReload: false,
+    finalScheme: "http",
+  });
+
+  // HTTPS-First Mode is disabled for this site, so the UI should be visible.
+  // Disabling HTTPS-Only exemptions through the menulist should reload and upgrade the
+  // page and set the permission accordingly.
+  await runTest({
+    name: "Remove HTTPS-Only exemption again",
     initialScheme: "http",
     initialPermission: 2,
     permissionScheme: "http",

browser/components/controlcenter/content/identityPanel.inc.xhtml

@@ -63,7 +63,7 @@
             </vbox>
 
             <vbox id="identity-popup-security-httpsonlymode" when-httpsonlystatus="exception upgraded failed-top failed-sub">
-              <label flex="1" data-l10n-id="identity-https-only-label"></label>
+              <label flex="1" data-l10n-id="identity-https-only-label2"></label>
               <menulist id="identity-popup-security-httpsonlymode-menulist"
                         oncommand="gIdentityHandler.changeHttpsOnlyPermission();" sizetopopup="none">
                 <menupopup>
@@ -74,9 +74,9 @@
                 </menupopup>
               </menulist>
               <vbox id="identity-popup-security-httpsonlymode-info">
-                <description when-httpsonlystatus="exception" flex="1" data-l10n-id="identity-https-only-info-turn-on2">
+                <description when-httpsonlystatus="exception" flex="1" data-l10n-id="identity-https-only-info-turn-on3">
                 </description>
-                <description when-httpsonlystatus="failed-sub" flex="1" data-l10n-id="identity-https-only-info-turn-off2">
+                <description when-httpsonlystatus="failed-sub" flex="1" data-l10n-id="identity-https-only-info-turn-off3">
                 </description>
                 <description when-httpsonlystatus="failed-top" flex="1" data-l10n-id="identity-https-only-info-no-upgrade">
                 </description>

browser/locales/en-US/browser/browser.ftl

@@ -386,15 +386,15 @@ identity-weak-encryption = This page uses weak encryption.
 identity-insecure-login-forms = Logins entered on this page could be compromised.
 
 identity-https-only-connection-upgraded = (upgraded to HTTPS)
-identity-https-only-label = HTTPS-Only Mode
+identity-https-only-label2 = Automatically upgrade this site to a secure connection
 identity-https-only-dropdown-on =
     .label = On
 identity-https-only-dropdown-off =
     .label = Off
 identity-https-only-dropdown-off-temporarily =
     .label = Off temporarily
-identity-https-only-info-turn-on2 = Turn on HTTPS-Only Mode for this site if you want { -brand-short-name } to upgrade the connection when possible.
+identity-https-only-info-turn-on3 = Turn on HTTPS upgrades for this site if you want { -brand-short-name } to upgrade the connection when possible.
-identity-https-only-info-turn-off2 = If the page seems broken, you may want to turn off HTTPS-Only Mode for this site to reload using insecure HTTP.
+identity-https-only-info-turn-off3 = If the page seems broken, you may want to turn off HTTPS upgrades for this site to reload using insecure HTTP.
 identity-https-only-info-no-upgrade = Unable to upgrade connection from HTTP.
 
 identity-permissions-storage-access-header = Cross-site cookies

browser/themes/shared/controlcenter/panel.css

@@ -55,7 +55,7 @@
 #identity-popup[mixedcontent~=active-blocked]:not([mixedcontent~=passive-loaded]) [when-mixedcontent=active-blocked],
 /* Show the right elements when there is mixed passive content loaded and active blocked. */
 #identity-popup[mixedcontent~=active-blocked][mixedcontent~=passive-loaded] [when-mixedcontent~=active-blocked][when-mixedcontent~=passive-loaded],
-/* HTTPS-Only Mode */
+/* HTTPS-Only and HTTPS-First Mode */
 #identity-popup[httpsonlystatus=exception] [when-httpsonlystatus~=exception],
 #identity-popup[httpsonlystatus=upgraded] [when-httpsonlystatus~=upgraded],
 #identity-popup[httpsonlystatus=failed-top] [when-httpsonlystatus~=failed-top],

docshell/base/WindowContext.cpp

@@ -18,6 +18,7 @@
 #include "mozilla/ClearOnShutdown.h"
 #include "nsGlobalWindowInner.h"
 #include "nsIScriptError.h"
+#include "nsIWebProgressListener.h"
 #include "nsIXULRuntime.h"
 #include "nsRefPtrHashtable.h"
 #include "nsContentUtils.h"
@@ -456,7 +457,8 @@ void WindowContext::AddSecurityState(uint32_t aStateFlags) {
                nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT |
                nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT |
                nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED |
-               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED)) ==
+               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED |
+               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST)) ==
                  aStateFlags,
              "Invalid flags specified!");
 

dom/ipc/WindowGlobalParent.cpp

@@ -54,6 +54,7 @@
 #include "nsITransportSecurityInfo.h"
 #include "nsISharePicker.h"
 #include "nsIURIMutator.h"
+#include "nsIWebProgressListener.h"
 
 #include "mozilla/dom/DOMException.h"
 #include "mozilla/dom/DOMExceptionBinding.h"
@@ -1531,7 +1532,8 @@ void WindowGlobalParent::AddSecurityState(uint32_t aStateFlags) {
                nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT |
                nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT |
                nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED |
-               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED)) ==
+               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED |
+               nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST)) ==
                  aStateFlags,
              "Invalid flags specified!");
 

dom/security/nsHTTPSOnlyStreamListener.cpp

@@ -16,6 +16,7 @@
 #include "nsIRequest.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsIURI.h"
+#include "nsIWebProgressListener.h"
 #include "nsPrintfCString.h"
 #include "secerr.h"
 #include "sslerr.h"

security/manager/ssl/nsSecureBrowserUI.cpp

@@ -96,6 +96,13 @@ void nsSecureBrowserUI::RecomputeSecurityFlags() {
         !(httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_EXEMPT)) {
       mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED;
     }
+    if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST) {
+      if (win->GetDocumentURI()->SchemeIs("https")) {
+        mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST;
+      } else {
+        mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED;
+      }
+    }
     // Add the secruity flags from the window
     mState |= win->GetSecurityFlags();
   }

uriloader/base/nsIWebProgressListener.idl

@@ -369,16 +369,20 @@ interface nsIWebProgressListener : nsISupports
   const unsigned long STATE_LOADED_EMAILTRACKING_LEVEL_2_CONTENT = 0x00000100;
 
   /**
-   * Flag for HTTPS-Only Mode upgrades
+   * Flags for HTTPS-Only and HTTPS-First Mode upgrades
    *
    * STATE_HTTPS_ONLY_MODE_UPGRADED
    *   When a request has been upgraded by HTTPS-Only Mode
    *
    * STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED
    *   When an upgraded request failed.
+   *
+   * STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST
+   *   When a request has been upgraded by HTTPS-First Mode
    */
   const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADED        = 0x00400000;
   const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED  = 0x00800000;
+  const unsigned long STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST  = 0x08000000;
 
   /**
    * Notification indicating the state has changed for one of the requests