Backed out changesets fbba341b5faf, 4b2c9adef1e4, and bde98e3a7194 (bug 762593) for mochitest-bc failures.

browser/base/content/content.js

@@ -11,8 +11,6 @@ Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 
 XPCOMUtils.defineLazyModuleGetter(this,
   "LoginManagerContent", "resource://gre/modules/LoginManagerContent.jsm");
-XPCOMUtils.defineLazyModuleGetter(this,
-  "InsecurePasswordUtils", "resource://gre/modules/InsecurePasswordUtils.jsm");
 
 // Bug 671101 - directly using webNavigation in this context
 // causes docshells to leak
@@ -40,9 +38,6 @@ if (!Services.prefs.getBoolPref("browser.tabs.remote")) {
   addEventListener("DOMContentLoaded", function(event) {
     LoginManagerContent.onContentLoaded(event);
   });
-  addEventListener("DOMFormHasPassword", function(event) {
-    InsecurePasswordUtils.checkForInsecurePasswords(event.target);
-  });
   addEventListener("DOMAutoComplete", function(event) {
     LoginManagerContent.onUsernameInput(event);
   });

browser/devtools/webconsole/test/Makefile.in

@@ -145,8 +145,6 @@ MOCHITEST_BROWSER_FILES = \
 	browser_webconsole_bug_686937_autocomplete_JSTerm_helpers.js \
 	browser_webconsole_cached_autocomplete.js \
 	browser_console_navigation_marker.js \
-	browser_webconsole_bug_762593_insecure_passwords_web_console_warning.js \
-	browser_webconsole_bug_762593_insecure_passwords_about_blank_web_console_warning.js \
 	head.js \
 	$(NULL)
 
@@ -246,10 +244,6 @@ MOCHITEST_BROWSER_FILES += \
 	test-bug-837351-security-errors.html \
 	test-bug-869003-top-window.html \
 	test-bug-869003-iframe.html \
-	test-iframe-762593-insecure-form-action.html \
-	test-iframe-762593-insecure-frame.html \
-	test-bug-762593-insecure-passwords-web-console-warning.html \
-	test-bug-762593-insecure-passwords-about-blank-web-console-warning.html \
 	test-consoleiframes.html \
 	test-iframe1.html \
 	test-iframe2.html \

browser/devtools/webconsole/test/browser_webconsole_bug_762593_insecure_passwords_about_blank_web_console_warning.js

@@ -1,29 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-/*
- * Tests that errors about insecure passwords are logged
- * to the web console
- */
-
-const TEST_URI = "http://example.com/browser/browser/devtools/webconsole/test/test-bug-762593-insecure-passwords-about-blank-web-console-warning.html";
-const INSECURE_PASSWORD_MSG = "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.";
-
-function test() {
-  addTab(TEST_URI);
-  browser.addEventListener("load", function onLoad(aEvent) {
-    browser.removeEventListener(aEvent.type, onLoad, true);
-    openConsole(null, function testInsecurePasswordErrorLogged (hud) {
-      waitForMessages({
-        webconsole: hud,
-        messages: [
-          {
-            name: "Insecure password error displayed successfully",
-            text: INSECURE_PASSWORD_MSG,
-            category: CATEGORY_SECURITY,
-            severity: SEVERITY_WARNING
-          },
-        ],
-      }).then(finishTest);
-    });
-  }, true);
-}

browser/devtools/webconsole/test/browser_webconsole_bug_762593_insecure_passwords_web_console_warning.js

@@ -1,68 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-/*
- * Tests that errors about insecure passwords are logged
- * to the web console
- */
-
-const TEST_URI = "http://example.com/browser/browser/devtools/webconsole/test/test-bug-762593-insecure-passwords-web-console-warning.html";
-const INSECURE_PASSWORD_MSG = "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.";
-const INSECURE_FORM_ACTION_MSG = "Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.";
-const INSECURE_IFRAME_MSG = "Password fields present on an insecure (http://) iframe. This is a security risk that allows user login credentials to be stolen.";
-const INSECURE_PASSWORDS_URI = "https://developer.mozilla.org/en-US/docs/Security/InsecurePasswords";
-
-function test() {
-  addTab(TEST_URI);
-  browser.addEventListener("load", function onLoad(aEvent) {
-    browser.removeEventListener(aEvent.type, onLoad, true);
-    openConsole(null, function testInsecurePasswordErrorLogged (hud) {
-      waitForMessages({
-        webconsole: hud,
-        messages: [
-          {
-            name: "Insecure password error displayed successfully",
-            text: INSECURE_PASSWORD_MSG,
-            category: CATEGORY_SECURITY,
-            severity: SEVERITY_WARNING
-          },
-          {
-            name: "Insecure iframe error displayed successfully",
-            text: INSECURE_IFRAME_MSG,
-            category: CATEGORY_SECURITY,
-            severity: SEVERITY_WARNING
-          },
-          {
-            name: "Insecure form action error displayed successfully",
-            text: INSECURE_FORM_ACTION_MSG,
-            category: CATEGORY_SECURITY,
-            severity: SEVERITY_WARNING
-          },
-        ],
-      }).then( () => testClickOpenNewTab(hud));
-    });
-  }, true);
-}
-
-function testClickOpenNewTab(hud) {
-  let warningNode = hud.outputNode.querySelector(
-    ".webconsole-msg-body .webconsole-learn-more-link");
-
-  /*
-   * Invoke the click event and check if a new tab would open to the correct
-   * page
-   */
-  let linkOpened = false;
-  let oldOpenUILinkIn = window.openUILinkIn;
-  window.openUILinkIn = function(aLink) {
-    if (aLink == INSECURE_PASSWORDS_URI) {
-      linkOpened = true;
-    }
-  }
-
-  EventUtils.synthesizeMouse(warningNode, 2, 2, {},
-                             warningNode.ownerDocument.defaultView);
-  ok(linkOpened, "Clicking the Insecure Passwords Warning node opens the desired page");
-  window.openUILinkIn = oldOpenUILinkIn;
-
-  finishTest();
-}

browser/devtools/webconsole/test/test-bug-762593-insecure-passwords-about-blank-web-console-warning.html

@@ -1,28 +0,0 @@
-<!doctype html>
-<html>
-  <head>
-    <meta charset="utf8">
-    <title>Bug 762593 - Add warning/error Message to Web Console when the
-      page includes Insecure Password fields</title>
-    <!-- Any copyright is dedicated to the Public Domain.
-    http://creativecommons.org/publicdomain/zero/1.0/ -->
-
-    <!-- This test tests the scenario where a javascript adds password fields to
-     an about:blank iframe inside an insecure web page. It ensures that
-     insecure password fields like those are detected and a warning is sent to
-     the web console. -->
-  </head>
-  <body>
-    <p>This insecure page is served with an about:blank iframe. A script then adds a
-    password field to it.</p>
-    <iframe id = "myiframe" width = "300" height="300" >
-    </iframe>
-    <script>
-      var doc = window.document;
-      var myIframe = doc.getElementById("myiframe");
-      myIframe.contentDocument.open();
-      myIframe.contentDocument.write("<form><input type = 'password' name='pwd' value='test'> </form>");
-      myIframe.contentDocument.close();
-    </script>
-  </body>
-</html>

browser/devtools/webconsole/test/test-bug-762593-insecure-passwords-web-console-warning.html

@@ -1,16 +0,0 @@
-<!doctype html>
-<html>
-  <head>
-    <meta charset="utf8">
-    <title>Bug 762593 - Add warning/error Message to Web Console when the
-      page includes Insecure Password fields</title>
-    <!-- Any copyright is dedicated to the Public Domain.
-    http://creativecommons.org/publicdomain/zero/1.0/ -->
-  </head>
-  <body>
-    <p>This page is served with an iframe with insecure password field.</p>
-    <iframe src
-      ="http://example.com/browser/browser/devtools/webconsole/test/test-iframe-762593-insecure-frame.html">
-    </iframe>
-  </body>
-</html>

browser/devtools/webconsole/test/test-iframe-762593-insecure-form-action.html

@@ -1,15 +0,0 @@
-<!doctype html>
-<html>
-  <head>
-    <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
-    <!-- Any copyright is dedicated to the Public Domain.
-    http://creativecommons.org/publicdomain/zero/1.0/ -->
-  </head>
-  <body>
-    <h1>iframe 2</h1>
-    <p>This frame contains a password field inside a form with insecure action.</p>
-    <form action="http://test">
-      <input type="password" name="pwd">
-    </form>
-  </body>
-</html>

browser/devtools/webconsole/test/test-iframe-762593-insecure-frame.html

@@ -1,15 +0,0 @@
-<!doctype html>
-<html>
-  <head>
-    <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
-    <!-- Any copyright is dedicated to the Public Domain.
-    http://creativecommons.org/publicdomain/zero/1.0/ -->
-  </head>
-  <body>
-    <h1>iframe 1</h1>
-    <p>This frame is served with an insecure password field.</p>
-    <iframe src=
-      "http://example.com/browser/browser/devtools/webconsole/test/test-iframe-762593-insecure-form-action.html">
-    </iframe>
-  </body>
-</html>

browser/devtools/webconsole/webconsole.js

@@ -39,8 +39,6 @@ const XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";
 
 const MIXED_CONTENT_LEARN_MORE = "https://developer.mozilla.org/en/Security/MixedContent";
 
-const INSECURE_PASSWORDS_LEARN_MORE = "https://developer.mozilla.org/en-US/docs/Security/InsecurePasswords";
-
 const HELP_URL = "https://developer.mozilla.org/docs/Tools/Web_Console/Helpers";
 
 const VARIABLES_VIEW_URL = "chrome://browser/content/devtools/widgets/VariablesView.xul";
@@ -1243,12 +1241,6 @@ WebConsoleFrame.prototype = {
                                       aScriptError.sourceName,
                                       aScriptError.lineNumber, null, null,
                                       aScriptError.timeStamp);
-
-    // Select the body of the message node that is displayed in the console
-    let msgBody = node.querySelector(".webconsole-msg-body");
-    // Add the more info link node to messages that belong to certain categories
-    this.addMoreInfoLink(msgBody, aScriptError);
-
     if (aScriptError.private) {
       node.setAttribute("private", true);
     }
@@ -1419,59 +1411,6 @@ WebConsoleFrame.prototype = {
     }.bind(this));
   },
 
-  /**
-   * Adds a more info link node to messages based on the nsIScriptError object
-   * that we need to report to the console
-   *
-   * @param aNode
-   *        The node to which we will be adding the more info link node
-   * @param aScriptError
-   *        The script error object that we are reporting to the console
-   */
-  addMoreInfoLink: function WCF_addMoreInfoLink(aNode, aScriptError)
-  {
-    // We have a single category for now, but more are to be
-    // expected soon
-    if (aScriptError.category == "Insecure Password Field") {
-      this.addInsecurePasswordsWarningNode(aNode);
-    }
-  },
-
-  /*
-   * Appends a clickable insecure passwords warning node to the node passed
-   * as a parameter to the function. When a user clicks on the appended
-   * warning node, the browser navigates to a page where the user can learn
-   * more about security issues associated with insecure passwords.
-   */
-  addInsecurePasswordsWarningNode:
-  function WCF_addInsecurePasswordsWarningNode(aNode)
-  {
-    let moreInfoLabel =
-      "[" + l10n.getStr("webConsoleMoreInfoLabel") + "]";
-
-    // The node that holds the clickable warning node.
-    let linkNode = this.document.createElementNS(XUL_NS, "hbox");
-    linkNode.flex = 1;
-    linkNode.classList.add("webconsole-msg-body-piece");
-    linkNode.classList.add("webconsole-msg-link");
-    aNode.appendChild(linkNode);
-
-    // Create the actual insecure passwords warning node and make it clickable
-    let warningNode = this.document.createElement("label");
-    warningNode.setAttribute("value", moreInfoLabel);
-    warningNode.setAttribute("title", moreInfoLabel);
-    warningNode.classList.add("hud-clickable");
-    warningNode.classList.add("webconsole-learn-more-link");
-
-    warningNode.addEventListener("click", function(aEvent) {
-      this.owner.openLink(INSECURE_PASSWORDS_LEARN_MORE);
-      aEvent.preventDefault();
-      aEvent.stopPropagation();
-    }.bind(this));
-
-    linkNode.appendChild(warningNode);
-  },
-
   /**
    * Log file activity.
    *
@@ -4533,7 +4472,6 @@ var Utils = {
       case "Mixed Content Blocker":
       case "CSP":
       case "Invalid HSTS Headers":
-      case "Insecure Password Field":
         return CATEGORY_SECURITY;
 
       default:

browser/locales/en-US/chrome/browser/devtools/webconsole.properties

@@ -75,10 +75,6 @@ webConsoleWindowTitleAndURL=Web Console - %S
 # http content in an https page).
 webConsoleMixedContentWarning=Mixed Content
 
-# LOCALIZATION NOTE (webConsoleMoreInfoLabel): the more info tag displayed
-# after security related web console messages.
-webConsoleMoreInfoLabel=Learn More
-
 # LOCALIZATION NOTE (scratchpad.linkText): the text used in the right hand
 # side of the Web Console command line when JavaScript is being entered, to
 # indicate how to jump into scratchpad mode.

browser/themes/shared/devtools/webconsole.inc.css

@@ -79,11 +79,6 @@
   margin: 0;
 }
 
-.webconsole-learn-more-link {
-  color: #0000EE;
-  margin: 0 0 0 4px;
-}
-
 .hud-msg-node[selected="true"] > .webconsole-timestamp,
 .hud-msg-node[selected="true"] > .webconsole-location {
   color: inherit;

dom/locales/en-US/chrome/security/security.properties

@@ -11,6 +11,3 @@ OldCSPHeaderDeprecated=The X-Content-Security-Policy and X-Content-Security-Repo
 BothCSPHeadersPresent=This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.
 # LOCALIZATION NOTE: Do not translate "Strict-Transport-Security" or "HSTS"
 InvalidSTSHeaders=The site specified an invalid Strict-Transport-Security header.
-InsecurePasswordsPresentOnPage=Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.
-InsecureFormActionPasswordsPresent=Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.
-InsecurePasswordsPresentOnIframe=Password fields present on an insecure (http://) iframe. This is a security risk that allows user login credentials to be stolen.

toolkit/components/passwordmgr/InsecurePasswordUtils.jsm

@@ -1,135 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-this.EXPORTED_SYMBOLS = [ "InsecurePasswordUtils" ];
-
-const Ci = Components.interfaces;
-const Cu = Components.utils;
-const Cc = Components.classes;
-
-Cu.import("resource://gre/modules/Services.jsm");
-Cu.import("resource://gre/modules/devtools/WebConsoleUtils.jsm");
-
-const STRINGS_URI = "chrome://global/locale/security/security.properties";
-let l10n = new WebConsoleUtils.l10n(STRINGS_URI);
-
-this.InsecurePasswordUtils = {
-
-  _sendWebConsoleMessage : function (messageTag, domDoc) {
-    /*
-     * All web console messages are warnings for now so I decided to set the
-     * flag here and save a bit of the flag creation in the callers.
-     * It's easy to expose this later if needed
-     */
-
-    let  windowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView);
-    let category = "Insecure Password Field";
-    let flag = Ci.nsIScriptError.warningFlag;
-    let message = l10n.getStr(messageTag);
-    let consoleMsg = Cc["@mozilla.org/scripterror;1"]
-      .createInstance(Ci.nsIScriptError);
-
-    consoleMsg.initWithWindowID(
-      message, "", 0, 0, 0, flag, category, windowId);
-
-    Services.console.logMessage(consoleMsg);
-  },
-
-  /*
-   * Checks whether the passed uri is secure
-   * Check Protocol Flags to determine if scheme is secure:
-   * URI_DOES_NOT_RETURN_DATA - e.g.
-   *   "mailto"
-   * URI_IS_LOCAL_RESOURCE - e.g.
-   *   "data",
-   *   "resource",
-   *   "moz-icon"
-   * URI_INHERITS_SECURITY_CONTEXT - e.g.
-   *   "javascript"
-   * URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g.
-   *   "https",
-   *   "moz-safe-about"
-   *
-   *   The use of this logic comes directly from nsMixedContentBlocker.cpp
-   *   At the time it was decided to include these protocols since a secure
-   *   uri for mixed content blocker means that the resource can't be
-   *   easily tampered with because 1) it is sent over an encrypted channel or
-   *   2) it is a local resource that never hits the network
-   *   or 3) it is a request sent without any response that could alter
-   *   the behavior of the page. It was decided to include the same logic
-   *   here both to be consistent with MCB and to make sure we cover all
-   *   "safe" protocols. Eventually, the code here and the code in MCB
-   *   will be moved to a common location that will be referenced from
-   *   both places. Look at
-   *   https://bugzilla.mozilla.org/show_bug.cgi?id=899099 for more info.
-   */
-  _checkIfURIisSecure : function(uri) {
-    let isSafe = false;
-    let netutil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil);
-    let ph = Ci.nsIProtocolHandler;
-
-    if (netutil.URIChainHasFlags(uri, ph.URI_IS_LOCAL_RESOURCE) ||
-        netutil.URIChainHasFlags(uri, ph.URI_DOES_NOT_RETURN_DATA) ||
-        netutil.URIChainHasFlags(uri, ph.URI_INHERITS_SECURITY_CONTEXT) ||
-        netutil.URIChainHasFlags(uri, ph.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT)) {
-
-      isSafe = true;
-    }
-
-    return isSafe;
-  },
-
-  /*
-   * Checks whether the passed nested document is insecure
-   * or is inside an insecure parent document.
-   *
-   * We check the chain of frame ancestors all the way until the top document
-   * because MITM attackers could replace https:// iframes if they are nested inside
-   * http:// documents with their own content, thus creating a security risk
-   * and potentially stealing user data. Under such scenario, a user might not
-   * get a Mixed Content Blocker message, if the main document is served over HTTP
-   * and framing an HTTPS page as it would under the reverse scenario (http
-   * inside https).
-   */
-  _checkForInsecureNestedDocuments : function(domDoc) {
-    let uri = domDoc.documentURIObject;
-    if (domDoc.defaultView == domDoc.defaultView.parent) {
-      // We are at the top, nothing to check here
-      return false;
-    }
-    if (!this._checkIfURIisSecure(uri)) {
-      // We are insecure
-      return true;
-    }
-    // I am secure, but check my parent
-    return this._checkForInsecureNestedDocuments(domDoc.defaultView.parent.document);
-  },
-
-
-  /*
-   * Checks if there are insecure password fields present on the form's document
-   * i.e. passwords inside forms with http action, inside iframes with http src,
-   * or on insecure web pages. If insecure password fields are present,
-   * a log message is sent to the web console to warn developers.
-   */
-  checkForInsecurePasswords : function (aForm) {
-    var domDoc = aForm.ownerDocument;
-    let pageURI = domDoc.defaultView.top.document.documentURIObject;
-    let isSafePage = this._checkIfURIisSecure(pageURI);
-
-    if (!isSafePage) {
-      this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", domDoc);
-    }
-
-    // Check if we are on an iframe with insecure src, or inside another
-    // insecure iframe or document.
-    if (this._checkForInsecureNestedDocuments(domDoc)) {
-      this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", domDoc);
-    }
-
-    if (aForm.action.match(/^http:\/\//)) {
-      this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", domDoc);
-    }
-  },
-};

toolkit/components/passwordmgr/moz.build

@@ -32,6 +32,5 @@ EXTRA_PP_COMPONENTS += [
 ]
 
 EXTRA_JS_MODULES += [
-    'InsecurePasswordUtils.jsm',
     'LoginManagerContent.jsm',
 ]