Backed out changesets fbba341b5faf, 4b2c9adef1e4, and bde98e3a7194 (bug 762593) for mochitest-bc failures.
This commit is contained in:
Родитель
9973ce0c8b
Коммит
cde7e2e3b5
|
@ -11,8 +11,6 @@ Cu.import("resource://gre/modules/XPCOMUtils.jsm");
|
|||
|
||||
XPCOMUtils.defineLazyModuleGetter(this,
|
||||
"LoginManagerContent", "resource://gre/modules/LoginManagerContent.jsm");
|
||||
XPCOMUtils.defineLazyModuleGetter(this,
|
||||
"InsecurePasswordUtils", "resource://gre/modules/InsecurePasswordUtils.jsm");
|
||||
|
||||
// Bug 671101 - directly using webNavigation in this context
|
||||
// causes docshells to leak
|
||||
|
@ -40,9 +38,6 @@ if (!Services.prefs.getBoolPref("browser.tabs.remote")) {
|
|||
addEventListener("DOMContentLoaded", function(event) {
|
||||
LoginManagerContent.onContentLoaded(event);
|
||||
});
|
||||
addEventListener("DOMFormHasPassword", function(event) {
|
||||
InsecurePasswordUtils.checkForInsecurePasswords(event.target);
|
||||
});
|
||||
addEventListener("DOMAutoComplete", function(event) {
|
||||
LoginManagerContent.onUsernameInput(event);
|
||||
});
|
||||
|
|
|
@ -145,8 +145,6 @@ MOCHITEST_BROWSER_FILES = \
|
|||
browser_webconsole_bug_686937_autocomplete_JSTerm_helpers.js \
|
||||
browser_webconsole_cached_autocomplete.js \
|
||||
browser_console_navigation_marker.js \
|
||||
browser_webconsole_bug_762593_insecure_passwords_web_console_warning.js \
|
||||
browser_webconsole_bug_762593_insecure_passwords_about_blank_web_console_warning.js \
|
||||
head.js \
|
||||
$(NULL)
|
||||
|
||||
|
@ -246,10 +244,6 @@ MOCHITEST_BROWSER_FILES += \
|
|||
test-bug-837351-security-errors.html \
|
||||
test-bug-869003-top-window.html \
|
||||
test-bug-869003-iframe.html \
|
||||
test-iframe-762593-insecure-form-action.html \
|
||||
test-iframe-762593-insecure-frame.html \
|
||||
test-bug-762593-insecure-passwords-web-console-warning.html \
|
||||
test-bug-762593-insecure-passwords-about-blank-web-console-warning.html \
|
||||
test-consoleiframes.html \
|
||||
test-iframe1.html \
|
||||
test-iframe2.html \
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
/* Any copyright is dedicated to the Public Domain.
|
||||
* http://creativecommons.org/publicdomain/zero/1.0/ */
|
||||
/*
|
||||
* Tests that errors about insecure passwords are logged
|
||||
* to the web console
|
||||
*/
|
||||
|
||||
const TEST_URI = "http://example.com/browser/browser/devtools/webconsole/test/test-bug-762593-insecure-passwords-about-blank-web-console-warning.html";
|
||||
const INSECURE_PASSWORD_MSG = "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.";
|
||||
|
||||
function test() {
|
||||
addTab(TEST_URI);
|
||||
browser.addEventListener("load", function onLoad(aEvent) {
|
||||
browser.removeEventListener(aEvent.type, onLoad, true);
|
||||
openConsole(null, function testInsecurePasswordErrorLogged (hud) {
|
||||
waitForMessages({
|
||||
webconsole: hud,
|
||||
messages: [
|
||||
{
|
||||
name: "Insecure password error displayed successfully",
|
||||
text: INSECURE_PASSWORD_MSG,
|
||||
category: CATEGORY_SECURITY,
|
||||
severity: SEVERITY_WARNING
|
||||
},
|
||||
],
|
||||
}).then(finishTest);
|
||||
});
|
||||
}, true);
|
||||
}
|
|
@ -1,68 +0,0 @@
|
|||
/* Any copyright is dedicated to the Public Domain.
|
||||
* http://creativecommons.org/publicdomain/zero/1.0/ */
|
||||
/*
|
||||
* Tests that errors about insecure passwords are logged
|
||||
* to the web console
|
||||
*/
|
||||
|
||||
const TEST_URI = "http://example.com/browser/browser/devtools/webconsole/test/test-bug-762593-insecure-passwords-web-console-warning.html";
|
||||
const INSECURE_PASSWORD_MSG = "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.";
|
||||
const INSECURE_FORM_ACTION_MSG = "Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.";
|
||||
const INSECURE_IFRAME_MSG = "Password fields present on an insecure (http://) iframe. This is a security risk that allows user login credentials to be stolen.";
|
||||
const INSECURE_PASSWORDS_URI = "https://developer.mozilla.org/en-US/docs/Security/InsecurePasswords";
|
||||
|
||||
function test() {
|
||||
addTab(TEST_URI);
|
||||
browser.addEventListener("load", function onLoad(aEvent) {
|
||||
browser.removeEventListener(aEvent.type, onLoad, true);
|
||||
openConsole(null, function testInsecurePasswordErrorLogged (hud) {
|
||||
waitForMessages({
|
||||
webconsole: hud,
|
||||
messages: [
|
||||
{
|
||||
name: "Insecure password error displayed successfully",
|
||||
text: INSECURE_PASSWORD_MSG,
|
||||
category: CATEGORY_SECURITY,
|
||||
severity: SEVERITY_WARNING
|
||||
},
|
||||
{
|
||||
name: "Insecure iframe error displayed successfully",
|
||||
text: INSECURE_IFRAME_MSG,
|
||||
category: CATEGORY_SECURITY,
|
||||
severity: SEVERITY_WARNING
|
||||
},
|
||||
{
|
||||
name: "Insecure form action error displayed successfully",
|
||||
text: INSECURE_FORM_ACTION_MSG,
|
||||
category: CATEGORY_SECURITY,
|
||||
severity: SEVERITY_WARNING
|
||||
},
|
||||
],
|
||||
}).then( () => testClickOpenNewTab(hud));
|
||||
});
|
||||
}, true);
|
||||
}
|
||||
|
||||
function testClickOpenNewTab(hud) {
|
||||
let warningNode = hud.outputNode.querySelector(
|
||||
".webconsole-msg-body .webconsole-learn-more-link");
|
||||
|
||||
/*
|
||||
* Invoke the click event and check if a new tab would open to the correct
|
||||
* page
|
||||
*/
|
||||
let linkOpened = false;
|
||||
let oldOpenUILinkIn = window.openUILinkIn;
|
||||
window.openUILinkIn = function(aLink) {
|
||||
if (aLink == INSECURE_PASSWORDS_URI) {
|
||||
linkOpened = true;
|
||||
}
|
||||
}
|
||||
|
||||
EventUtils.synthesizeMouse(warningNode, 2, 2, {},
|
||||
warningNode.ownerDocument.defaultView);
|
||||
ok(linkOpened, "Clicking the Insecure Passwords Warning node opens the desired page");
|
||||
window.openUILinkIn = oldOpenUILinkIn;
|
||||
|
||||
finishTest();
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf8">
|
||||
<title>Bug 762593 - Add warning/error Message to Web Console when the
|
||||
page includes Insecure Password fields</title>
|
||||
<!-- Any copyright is dedicated to the Public Domain.
|
||||
http://creativecommons.org/publicdomain/zero/1.0/ -->
|
||||
|
||||
<!-- This test tests the scenario where a javascript adds password fields to
|
||||
an about:blank iframe inside an insecure web page. It ensures that
|
||||
insecure password fields like those are detected and a warning is sent to
|
||||
the web console. -->
|
||||
</head>
|
||||
<body>
|
||||
<p>This insecure page is served with an about:blank iframe. A script then adds a
|
||||
password field to it.</p>
|
||||
<iframe id = "myiframe" width = "300" height="300" >
|
||||
</iframe>
|
||||
<script>
|
||||
var doc = window.document;
|
||||
var myIframe = doc.getElementById("myiframe");
|
||||
myIframe.contentDocument.open();
|
||||
myIframe.contentDocument.write("<form><input type = 'password' name='pwd' value='test'> </form>");
|
||||
myIframe.contentDocument.close();
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
|
@ -1,16 +0,0 @@
|
|||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf8">
|
||||
<title>Bug 762593 - Add warning/error Message to Web Console when the
|
||||
page includes Insecure Password fields</title>
|
||||
<!-- Any copyright is dedicated to the Public Domain.
|
||||
http://creativecommons.org/publicdomain/zero/1.0/ -->
|
||||
</head>
|
||||
<body>
|
||||
<p>This page is served with an iframe with insecure password field.</p>
|
||||
<iframe src
|
||||
="http://example.com/browser/browser/devtools/webconsole/test/test-iframe-762593-insecure-frame.html">
|
||||
</iframe>
|
||||
</body>
|
||||
</html>
|
|
@ -1,15 +0,0 @@
|
|||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
|
||||
<!-- Any copyright is dedicated to the Public Domain.
|
||||
http://creativecommons.org/publicdomain/zero/1.0/ -->
|
||||
</head>
|
||||
<body>
|
||||
<h1>iframe 2</h1>
|
||||
<p>This frame contains a password field inside a form with insecure action.</p>
|
||||
<form action="http://test">
|
||||
<input type="password" name="pwd">
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
|
@ -1,15 +0,0 @@
|
|||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
|
||||
<!-- Any copyright is dedicated to the Public Domain.
|
||||
http://creativecommons.org/publicdomain/zero/1.0/ -->
|
||||
</head>
|
||||
<body>
|
||||
<h1>iframe 1</h1>
|
||||
<p>This frame is served with an insecure password field.</p>
|
||||
<iframe src=
|
||||
"http://example.com/browser/browser/devtools/webconsole/test/test-iframe-762593-insecure-form-action.html">
|
||||
</iframe>
|
||||
</body>
|
||||
</html>
|
|
@ -39,8 +39,6 @@ const XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";
|
|||
|
||||
const MIXED_CONTENT_LEARN_MORE = "https://developer.mozilla.org/en/Security/MixedContent";
|
||||
|
||||
const INSECURE_PASSWORDS_LEARN_MORE = "https://developer.mozilla.org/en-US/docs/Security/InsecurePasswords";
|
||||
|
||||
const HELP_URL = "https://developer.mozilla.org/docs/Tools/Web_Console/Helpers";
|
||||
|
||||
const VARIABLES_VIEW_URL = "chrome://browser/content/devtools/widgets/VariablesView.xul";
|
||||
|
@ -1243,12 +1241,6 @@ WebConsoleFrame.prototype = {
|
|||
aScriptError.sourceName,
|
||||
aScriptError.lineNumber, null, null,
|
||||
aScriptError.timeStamp);
|
||||
|
||||
// Select the body of the message node that is displayed in the console
|
||||
let msgBody = node.querySelector(".webconsole-msg-body");
|
||||
// Add the more info link node to messages that belong to certain categories
|
||||
this.addMoreInfoLink(msgBody, aScriptError);
|
||||
|
||||
if (aScriptError.private) {
|
||||
node.setAttribute("private", true);
|
||||
}
|
||||
|
@ -1419,59 +1411,6 @@ WebConsoleFrame.prototype = {
|
|||
}.bind(this));
|
||||
},
|
||||
|
||||
/**
|
||||
* Adds a more info link node to messages based on the nsIScriptError object
|
||||
* that we need to report to the console
|
||||
*
|
||||
* @param aNode
|
||||
* The node to which we will be adding the more info link node
|
||||
* @param aScriptError
|
||||
* The script error object that we are reporting to the console
|
||||
*/
|
||||
addMoreInfoLink: function WCF_addMoreInfoLink(aNode, aScriptError)
|
||||
{
|
||||
// We have a single category for now, but more are to be
|
||||
// expected soon
|
||||
if (aScriptError.category == "Insecure Password Field") {
|
||||
this.addInsecurePasswordsWarningNode(aNode);
|
||||
}
|
||||
},
|
||||
|
||||
/*
|
||||
* Appends a clickable insecure passwords warning node to the node passed
|
||||
* as a parameter to the function. When a user clicks on the appended
|
||||
* warning node, the browser navigates to a page where the user can learn
|
||||
* more about security issues associated with insecure passwords.
|
||||
*/
|
||||
addInsecurePasswordsWarningNode:
|
||||
function WCF_addInsecurePasswordsWarningNode(aNode)
|
||||
{
|
||||
let moreInfoLabel =
|
||||
"[" + l10n.getStr("webConsoleMoreInfoLabel") + "]";
|
||||
|
||||
// The node that holds the clickable warning node.
|
||||
let linkNode = this.document.createElementNS(XUL_NS, "hbox");
|
||||
linkNode.flex = 1;
|
||||
linkNode.classList.add("webconsole-msg-body-piece");
|
||||
linkNode.classList.add("webconsole-msg-link");
|
||||
aNode.appendChild(linkNode);
|
||||
|
||||
// Create the actual insecure passwords warning node and make it clickable
|
||||
let warningNode = this.document.createElement("label");
|
||||
warningNode.setAttribute("value", moreInfoLabel);
|
||||
warningNode.setAttribute("title", moreInfoLabel);
|
||||
warningNode.classList.add("hud-clickable");
|
||||
warningNode.classList.add("webconsole-learn-more-link");
|
||||
|
||||
warningNode.addEventListener("click", function(aEvent) {
|
||||
this.owner.openLink(INSECURE_PASSWORDS_LEARN_MORE);
|
||||
aEvent.preventDefault();
|
||||
aEvent.stopPropagation();
|
||||
}.bind(this));
|
||||
|
||||
linkNode.appendChild(warningNode);
|
||||
},
|
||||
|
||||
/**
|
||||
* Log file activity.
|
||||
*
|
||||
|
@ -4533,7 +4472,6 @@ var Utils = {
|
|||
case "Mixed Content Blocker":
|
||||
case "CSP":
|
||||
case "Invalid HSTS Headers":
|
||||
case "Insecure Password Field":
|
||||
return CATEGORY_SECURITY;
|
||||
|
||||
default:
|
||||
|
|
|
@ -75,10 +75,6 @@ webConsoleWindowTitleAndURL=Web Console - %S
|
|||
# http content in an https page).
|
||||
webConsoleMixedContentWarning=Mixed Content
|
||||
|
||||
# LOCALIZATION NOTE (webConsoleMoreInfoLabel): the more info tag displayed
|
||||
# after security related web console messages.
|
||||
webConsoleMoreInfoLabel=Learn More
|
||||
|
||||
# LOCALIZATION NOTE (scratchpad.linkText): the text used in the right hand
|
||||
# side of the Web Console command line when JavaScript is being entered, to
|
||||
# indicate how to jump into scratchpad mode.
|
||||
|
|
|
@ -79,11 +79,6 @@
|
|||
margin: 0;
|
||||
}
|
||||
|
||||
.webconsole-learn-more-link {
|
||||
color: #0000EE;
|
||||
margin: 0 0 0 4px;
|
||||
}
|
||||
|
||||
.hud-msg-node[selected="true"] > .webconsole-timestamp,
|
||||
.hud-msg-node[selected="true"] > .webconsole-location {
|
||||
color: inherit;
|
||||
|
|
|
@ -11,6 +11,3 @@ OldCSPHeaderDeprecated=The X-Content-Security-Policy and X-Content-Security-Repo
|
|||
BothCSPHeadersPresent=This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.
|
||||
# LOCALIZATION NOTE: Do not translate "Strict-Transport-Security" or "HSTS"
|
||||
InvalidSTSHeaders=The site specified an invalid Strict-Transport-Security header.
|
||||
InsecurePasswordsPresentOnPage=Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.
|
||||
InsecureFormActionPasswordsPresent=Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.
|
||||
InsecurePasswordsPresentOnIframe=Password fields present on an insecure (http://) iframe. This is a security risk that allows user login credentials to be stolen.
|
||||
|
|
|
@ -1,135 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
this.EXPORTED_SYMBOLS = [ "InsecurePasswordUtils" ];
|
||||
|
||||
const Ci = Components.interfaces;
|
||||
const Cu = Components.utils;
|
||||
const Cc = Components.classes;
|
||||
|
||||
Cu.import("resource://gre/modules/Services.jsm");
|
||||
Cu.import("resource://gre/modules/devtools/WebConsoleUtils.jsm");
|
||||
|
||||
const STRINGS_URI = "chrome://global/locale/security/security.properties";
|
||||
let l10n = new WebConsoleUtils.l10n(STRINGS_URI);
|
||||
|
||||
this.InsecurePasswordUtils = {
|
||||
|
||||
_sendWebConsoleMessage : function (messageTag, domDoc) {
|
||||
/*
|
||||
* All web console messages are warnings for now so I decided to set the
|
||||
* flag here and save a bit of the flag creation in the callers.
|
||||
* It's easy to expose this later if needed
|
||||
*/
|
||||
|
||||
let windowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView);
|
||||
let category = "Insecure Password Field";
|
||||
let flag = Ci.nsIScriptError.warningFlag;
|
||||
let message = l10n.getStr(messageTag);
|
||||
let consoleMsg = Cc["@mozilla.org/scripterror;1"]
|
||||
.createInstance(Ci.nsIScriptError);
|
||||
|
||||
consoleMsg.initWithWindowID(
|
||||
message, "", 0, 0, 0, flag, category, windowId);
|
||||
|
||||
Services.console.logMessage(consoleMsg);
|
||||
},
|
||||
|
||||
/*
|
||||
* Checks whether the passed uri is secure
|
||||
* Check Protocol Flags to determine if scheme is secure:
|
||||
* URI_DOES_NOT_RETURN_DATA - e.g.
|
||||
* "mailto"
|
||||
* URI_IS_LOCAL_RESOURCE - e.g.
|
||||
* "data",
|
||||
* "resource",
|
||||
* "moz-icon"
|
||||
* URI_INHERITS_SECURITY_CONTEXT - e.g.
|
||||
* "javascript"
|
||||
* URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g.
|
||||
* "https",
|
||||
* "moz-safe-about"
|
||||
*
|
||||
* The use of this logic comes directly from nsMixedContentBlocker.cpp
|
||||
* At the time it was decided to include these protocols since a secure
|
||||
* uri for mixed content blocker means that the resource can't be
|
||||
* easily tampered with because 1) it is sent over an encrypted channel or
|
||||
* 2) it is a local resource that never hits the network
|
||||
* or 3) it is a request sent without any response that could alter
|
||||
* the behavior of the page. It was decided to include the same logic
|
||||
* here both to be consistent with MCB and to make sure we cover all
|
||||
* "safe" protocols. Eventually, the code here and the code in MCB
|
||||
* will be moved to a common location that will be referenced from
|
||||
* both places. Look at
|
||||
* https://bugzilla.mozilla.org/show_bug.cgi?id=899099 for more info.
|
||||
*/
|
||||
_checkIfURIisSecure : function(uri) {
|
||||
let isSafe = false;
|
||||
let netutil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil);
|
||||
let ph = Ci.nsIProtocolHandler;
|
||||
|
||||
if (netutil.URIChainHasFlags(uri, ph.URI_IS_LOCAL_RESOURCE) ||
|
||||
netutil.URIChainHasFlags(uri, ph.URI_DOES_NOT_RETURN_DATA) ||
|
||||
netutil.URIChainHasFlags(uri, ph.URI_INHERITS_SECURITY_CONTEXT) ||
|
||||
netutil.URIChainHasFlags(uri, ph.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT)) {
|
||||
|
||||
isSafe = true;
|
||||
}
|
||||
|
||||
return isSafe;
|
||||
},
|
||||
|
||||
/*
|
||||
* Checks whether the passed nested document is insecure
|
||||
* or is inside an insecure parent document.
|
||||
*
|
||||
* We check the chain of frame ancestors all the way until the top document
|
||||
* because MITM attackers could replace https:// iframes if they are nested inside
|
||||
* http:// documents with their own content, thus creating a security risk
|
||||
* and potentially stealing user data. Under such scenario, a user might not
|
||||
* get a Mixed Content Blocker message, if the main document is served over HTTP
|
||||
* and framing an HTTPS page as it would under the reverse scenario (http
|
||||
* inside https).
|
||||
*/
|
||||
_checkForInsecureNestedDocuments : function(domDoc) {
|
||||
let uri = domDoc.documentURIObject;
|
||||
if (domDoc.defaultView == domDoc.defaultView.parent) {
|
||||
// We are at the top, nothing to check here
|
||||
return false;
|
||||
}
|
||||
if (!this._checkIfURIisSecure(uri)) {
|
||||
// We are insecure
|
||||
return true;
|
||||
}
|
||||
// I am secure, but check my parent
|
||||
return this._checkForInsecureNestedDocuments(domDoc.defaultView.parent.document);
|
||||
},
|
||||
|
||||
|
||||
/*
|
||||
* Checks if there are insecure password fields present on the form's document
|
||||
* i.e. passwords inside forms with http action, inside iframes with http src,
|
||||
* or on insecure web pages. If insecure password fields are present,
|
||||
* a log message is sent to the web console to warn developers.
|
||||
*/
|
||||
checkForInsecurePasswords : function (aForm) {
|
||||
var domDoc = aForm.ownerDocument;
|
||||
let pageURI = domDoc.defaultView.top.document.documentURIObject;
|
||||
let isSafePage = this._checkIfURIisSecure(pageURI);
|
||||
|
||||
if (!isSafePage) {
|
||||
this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", domDoc);
|
||||
}
|
||||
|
||||
// Check if we are on an iframe with insecure src, or inside another
|
||||
// insecure iframe or document.
|
||||
if (this._checkForInsecureNestedDocuments(domDoc)) {
|
||||
this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", domDoc);
|
||||
}
|
||||
|
||||
if (aForm.action.match(/^http:\/\//)) {
|
||||
this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", domDoc);
|
||||
}
|
||||
},
|
||||
};
|
|
@ -32,6 +32,5 @@ EXTRA_PP_COMPONENTS += [
|
|||
]
|
||||
|
||||
EXTRA_JS_MODULES += [
|
||||
'InsecurePasswordUtils.jsm',
|
||||
'LoginManagerContent.jsm',
|
||||
]
|
||||
|
|