Bug 1266571 - Add telemetry to measure incidence of non-TLS use of HTTP AUTH. r=mayhemer

2016-04-30 17:58:34 -05:00 · 2016-04-30 17:58:34 -05:00 · e67b36376c
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@ -41,6 +41,15 @@ namespace net {
 #define HTTP_AUTH_DIALOG_SAME_ORIGIN_SUBRESOURCE 1
 #define HTTP_AUTH_DIALOG_CROSS_ORIGIN_SUBRESOURCE 2

+#define HTTP_AUTH_BASIC_INSECURE 0
+#define HTTP_AUTH_BASIC_SECURE 1
+#define HTTP_AUTH_DIGEST_INSECURE 2
+#define HTTP_AUTH_DIGEST_SECURE 3
+#define HTTP_AUTH_NTLM_INSECURE 4
+#define HTTP_AUTH_NTLM_SECURE 5
+#define HTTP_AUTH_NEGOTIATE_INSECURE 6
+#define HTTP_AUTH_NEGOTIATE_SECURE 7
+
 static void
 GetOriginAttributesSuffix(nsIChannel* aChan, nsACString &aSuffix)
 {
@ -764,6 +773,24 @@ nsHttpChannelAuthProvider::GetCredentialsForChallenge(const char *challenge,
            else if (authFlags & nsIHttpAuthenticator::IDENTITY_ENCRYPTED)
                level = nsIAuthPrompt2::LEVEL_PW_ENCRYPTED;

+            // Collect statistics on how frequently the various types of HTTP
+            // authentication are used over SSL and non-SSL connections.
+            if (gHttpHandler->IsTelemetryEnabled()) {
+              if (NS_LITERAL_CSTRING("basic").LowerCaseEqualsASCII(authType)) {
+                Telemetry::Accumulate(Telemetry::HTTP_AUTH_TYPE_STATS,
+                  UsingSSL() ? HTTP_AUTH_BASIC_SECURE : HTTP_AUTH_BASIC_INSECURE);
+              } else if (NS_LITERAL_CSTRING("digest").LowerCaseEqualsASCII(authType)) {
+                Telemetry::Accumulate(Telemetry::HTTP_AUTH_TYPE_STATS,
+                  UsingSSL() ? HTTP_AUTH_DIGEST_SECURE : HTTP_AUTH_DIGEST_INSECURE);
+              } else if (NS_LITERAL_CSTRING("ntlm").LowerCaseEqualsASCII(authType)) {
+                Telemetry::Accumulate(Telemetry::HTTP_AUTH_TYPE_STATS,
+                  UsingSSL() ? HTTP_AUTH_NTLM_SECURE : HTTP_AUTH_NTLM_INSECURE);
+              } else if (NS_LITERAL_CSTRING("negotiate").LowerCaseEqualsASCII(authType)) {
+                Telemetry::Accumulate(Telemetry::HTTP_AUTH_TYPE_STATS,
+                  UsingSSL() ? HTTP_AUTH_NEGOTIATE_SECURE : HTTP_AUTH_NEGOTIATE_INSECURE);
+              }
+            }
+
            // Depending on the pref setting, the authentication dialog may be
            // blocked for all sub-resources, blocked for cross-origin
            // sub-resources, or always allowed for sub-resources.
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -1370,6 +1370,15 @@
    "n_values": 3,
    "description": "Stats about what kind of resource requested http authentication. (0=top-level doc, 1=same origin subresources 2=cross-origin subresources)"
  },
+  "HTTP_AUTH_TYPE_STATS": {
+    "alert_emails": ["rbarnes@mozilla.com"],
+    "bug_numbers": [1266571],
+    "expires_in_version": "52",
+    "kind": "enumerated",
+    "n_values": 8,
+    "releaseChannelCollection": "opt-out",
+    "description": "Recorded once for each HTTP 401 response. The value records the type of authentication and the TLS-enabled status. (0=basic/clear, 1=basic/tls, 2=digest/clear, 3=digest/tls, 4=ntlm/clear, 5=ntlm/tls, 6=negotiate/clear, 7=negotiate/tls)"
+  },
  "SSL_HANDSHAKE_VERSION": {
    "expires_in_version": "never",
    "kind": "enumerated",