Bug 1650961 - Restrict the clickjacking delay to credit card fields. r=abr

Differential Revision: https://phabricator.services.mozilla.com/D82638

browser/extensions/formautofill/test/browser/browser.ini

@@ -27,5 +27,3 @@ skip-if = !debug && os == "mac" # perma-fail see Bug 1600059
 skip-if = !debug && os == "mac" # perma-fail see Bug 1600059
 [browser_update_doorhanger.js]
 skip-if = true # bug 1426981 # Bug 1445538
-[browser_anti_clickjacking.js]
-skip-if = !debug && os == "mac" # perma-fail see Bug 1600059

browser/extensions/formautofill/test/browser/browser_anti_clickjacking.js

@@ -1,62 +0,0 @@
-"use strict";
-
-const URL =
-  "http://example.org/browser/browser/extensions/formautofill/test/browser/autocomplete_basic.html";
-
-add_task(async function setup_storage() {
-  await saveAddress(TEST_ADDRESS_1);
-  await saveAddress(TEST_ADDRESS_2);
-  await saveAddress(TEST_ADDRESS_3);
-});
-
-add_task(async function test_active_delay() {
-  await SpecialPowers.pushPrefEnv({
-    set: [["security.notification_enable_delay", 500]],
-  });
-  await BrowserTestUtils.withNewTab({ gBrowser, url: URL }, async function(
-    browser
-  ) {
-    const focusInput = "#organization";
-
-    // Open the popup -- we don't use openPopupOn() because there
-    // are things we need to check between these steps.
-    await SimpleTest.promiseFocus(browser);
-    await focusAndWaitForFieldsIdentified(browser, focusInput);
-    const start = Date.now();
-    await BrowserTestUtils.synthesizeKey("VK_DOWN", {}, browser);
-    await expectPopupOpen(browser);
-    const firstItem = getDisplayedPopupItems(browser)[0];
-    ok(firstItem.disabled, "Popup should be disbled upon opening.");
-    is(
-      browser.autoCompletePopup.selectedIndex,
-      -1,
-      "No item selected at first"
-    );
-
-    // Check that clicking on menu doesn't do anything while
-    // it is disabled
-    firstItem.click();
-    is(
-      browser.autoCompletePopup.selectedIndex,
-      -1,
-      "No item selected after clicking on disabled item"
-    );
-
-    // Check that the delay before enabling is as long as expected
-    await waitForPopupEnabled(browser);
-    const delta = Date.now() - start;
-    info(`Popup was disabled for ${delta} ms`);
-    ok(delta >= 500, "Popup was disabled for at least 500 ms");
-
-    // Check the clicking on the menu works now
-    firstItem.click();
-    is(
-      browser.autoCompletePopup.selectedIndex,
-      0,
-      "First item selected after clicking on enabled item"
-    );
-
-    // Clean up
-    await closePopup(browser);
-  });
-});

browser/extensions/formautofill/test/browser/creditCard/browser.ini

@@ -23,3 +23,5 @@ skip-if = (os == 'linux' && !debug) || (os == 'win' || os == 'mac') # bug 145628
 skip-if = (verify && (os == 'win' || os == 'mac'))
 [browser_privacyPreferences.js]
 skip-if = !debug && os == "mac" # perma-fail see Bug 1600059
+[browser_anti_clickjacking.js]
+skip-if = !debug && os == "mac" # perma-fail see Bug 1600059

browser/extensions/formautofill/test/browser/creditCard/browser_anti_clickjacking.js

@@ -0,0 +1,119 @@
+"use strict";
+
+const ADDRESS_URL =
+  "http://example.org/browser/browser/extensions/formautofill/test/browser/autocomplete_basic.html";
+const CC_URL =
+  "https://example.org/browser/browser/extensions/formautofill/test/browser/creditCard/autocomplete_creditcard_basic.html";
+
+add_task(async function setup_storage() {
+  await saveAddress(TEST_ADDRESS_1);
+  await saveAddress(TEST_ADDRESS_2);
+  await saveAddress(TEST_ADDRESS_3);
+
+  await saveCreditCard(TEST_CREDIT_CARD_1);
+  await saveCreditCard(TEST_CREDIT_CARD_2);
+  await saveCreditCard(TEST_CREDIT_CARD_3);
+});
+
+add_task(async function test_active_delay() {
+  // This is a workaround for the fact that we don't have a way
+  // to know when the popup was opened exactly and this makes our test
+  // racy when ensuring that we first test for disabled items before
+  // the delayed enabling happens.
+  //
+  // In the future we should consider adding an event when a popup
+  // gets opened and listen for it in this test before we check if the item
+  // is disabled.
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      ["security.notification_enable_delay", 1000],
+      ["extensions.formautofill.reauth.enabled", false],
+    ],
+  });
+  await BrowserTestUtils.withNewTab({ gBrowser, url: CC_URL }, async function(
+    browser
+  ) {
+    const focusInput = "#cc-number";
+
+    // Open the popup -- we don't use openPopupOn() because there
+    // are things we need to check between these steps.
+    await SimpleTest.promiseFocus(browser);
+    const start = performance.now();
+    await focusAndWaitForFieldsIdentified(browser, focusInput);
+    await expectPopupOpen(browser);
+    const firstItem = getDisplayedPopupItems(browser)[0];
+    ok(firstItem.disabled, "Popup should be disbled upon opening.");
+    is(
+      browser.autoCompletePopup.selectedIndex,
+      -1,
+      "No item selected at first"
+    );
+
+    // Check that clicking on menu doesn't do anything while
+    // it is disabled
+    firstItem.click();
+    is(
+      browser.autoCompletePopup.selectedIndex,
+      -1,
+      "No item selected after clicking on disabled item"
+    );
+
+    // Check that the delay before enabling is as long as expected
+    await waitForPopupEnabled(browser);
+    const delta = performance.now() - start;
+    info(`Popup was disabled for ${delta} ms`);
+    ok(delta >= 1000, "Popup was disabled for at least 1000 ms");
+
+    // Check the clicking on the menu works now
+    firstItem.click();
+    is(
+      browser.autoCompletePopup.selectedIndex,
+      0,
+      "First item selected after clicking on enabled item"
+    );
+
+    // Clean up
+    await closePopup(browser);
+  });
+});
+
+add_task(async function test_no_delay() {
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      ["security.notification_enable_delay", 1000],
+      ["extensions.formautofill.reauth.enabled", false],
+    ],
+  });
+  await BrowserTestUtils.withNewTab(
+    { gBrowser, url: ADDRESS_URL },
+    async function(browser) {
+      const focusInput = "#organization";
+
+      // Open the popup -- we don't use openPopupOn() because there
+      // are things we need to check between these steps.
+      await SimpleTest.promiseFocus(browser);
+      await focusAndWaitForFieldsIdentified(browser, focusInput);
+      await BrowserTestUtils.synthesizeKey("VK_DOWN", {}, browser);
+      await expectPopupOpen(browser);
+      const firstItem = getDisplayedPopupItems(browser)[0];
+      ok(!firstItem.disabled, "Popup should be enabled upon opening.");
+      is(
+        browser.autoCompletePopup.selectedIndex,
+        -1,
+        "No item selected at first"
+      );
+
+      // Check that clicking on menu doesn't do anything while
+      // it is disabled
+      firstItem.click();
+      is(
+        browser.autoCompletePopup.selectedIndex,
+        0,
+        "First item selected after clicking on enabled item"
+      );
+
+      // Clean up
+      await closePopup(browser);
+    }
+  );
+});

toolkit/actors/AutoCompleteParent.jsm

@@ -283,6 +283,17 @@ class AutoCompleteParent extends JSWindowActorParent {
     );
     this.openedPopup.invalidate();
     this._maybeRecordTelemetryEvents(results);
+
+    // This is a temporary solution. We should replace it with
+    // proper meta information about the popup once such field
+    // becomes available.
+    let isCreditCard = results.some(result =>
+      result?.comment?.includes("cc-number")
+    );
+
+    if (isCreditCard) {
+      this.delayPopupInput();
+    }
   }
 
   /**
@@ -421,7 +432,6 @@ class AutoCompleteParent extends JSWindowActorParent {
           this.showPopupWithResults({ results, rect, dir });
           this.notifyListeners();
         }
-        this.delayPopupInput();
         break;
       }