From e72674d7b60631d491c7f00e9479ed2049416cfd Mon Sep 17 00:00:00 2001
From: Benjamin VanderSloot <bvandersloot@mozilla.com>
Date: Thu, 30 Nov 2023 18:32:48 +0000
Subject: [PATCH] Bug 1525943 - Add associated to the identity UI -
 r=pbz,Gijs,nika,flod

Differential Revision: https://phabricator.services.mozilla.com/D193806
---
 browser/base/content/browser-siteIdentity.js  | 23 +++++++++++++++++--
 browser/base/content/browser.js               |  6 ++++-
 ...ser_about_blank_same_document_tabswitch.js |  4 +---
 .../content/identityPanel.inc.xhtml           |  1 +
 browser/locales/en-US/browser/browser.ftl     |  1 +
 browser/themes/shared/controlcenter/panel.css |  5 ++++
 uriloader/base/nsIWebProgressListener.idl     | 11 +++++++++
 7 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/browser/base/content/browser-siteIdentity.js b/browser/base/content/browser-siteIdentity.js
index 224f88738ae9..dd045561e498 100644
--- a/browser/base/content/browser-siteIdentity.js
+++ b/browser/base/content/browser-siteIdentity.js
@@ -91,6 +91,10 @@ var gIdentityHandler = {
     );
   },
 
+  get _isAssociatedIdentity() {
+    return this._state & Ci.nsIWebProgressListener.STATE_IDENTITY_ASSOCIATED;
+  },
+
   get _isMixedActiveContentLoaded() {
     return (
       this._state & Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT
@@ -872,8 +876,13 @@ var gIdentityHandler = {
     } else if (this._isAboutHttpsOnlyErrorPage) {
       // We show a not secure lock icon for 'about:httpsonlyerror' page.
       this._identityBox.className = "httpsOnlyErrorPage";
-    } else if (this._isAboutNetErrorPage || this._isAboutBlockedPage) {
-      // Network errors and blocked pages get a more neutral icon
+    } else if (
+      this._isAboutNetErrorPage ||
+      this._isAboutBlockedPage ||
+      this._isAssociatedIdentity
+    ) {
+      // Network errors, blocked pages, and pages associated
+      // with another page get a more neutral icon
       this._identityBox.className = "unknownIdentity";
     } else if (this._isPotentiallyTrustworthy) {
       // This is a local resource (and shouldn't be marked insecure).
@@ -986,6 +995,8 @@ var gIdentityHandler = {
       connection = "not-secure";
     } else if (this._isAboutNetErrorPage) {
       connection = "net-error-page";
+    } else if (this._isAssociatedIdentity) {
+      connection = "associated";
     } else if (this._isPotentiallyTrustworthy) {
       connection = "file";
     }
@@ -1150,6 +1161,14 @@ var gIdentityHandler = {
       }
     );
 
+    document.l10n.setAttributes(
+      this._identityPopupMainViewHeaderLabel,
+      "identity-site-information",
+      {
+        host,
+      }
+    );
+
     this._identityPopupSecurityEVContentOwner.textContent =
       gNavigatorBundle.getFormattedString("identity.ev.contentOwner2", [owner]);
 
diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js
index f0dd0eafca00..0fef250785f5 100644
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -5582,7 +5582,11 @@ var XULBrowserWindow = {
 
     // Update the identity panel, making sure we use the precursorPrincipal's
     // URI where appropriate, for example about:blank windows.
-    uri = this._securityURIOverride(gBrowser.selectedBrowser) ?? uri;
+    let uriOverride = this._securityURIOverride(gBrowser.selectedBrowser);
+    if (uriOverride) {
+      uri = uriOverride;
+      this._state |= Ci.nsIWebProgressListener.STATE_IDENTITY_ASSOCIATED;
+    }
 
     try {
       uri = Services.io.createExposableURI(uri);
diff --git a/browser/base/content/test/siteIdentity/browser_about_blank_same_document_tabswitch.js b/browser/base/content/test/siteIdentity/browser_about_blank_same_document_tabswitch.js
index 739d729dbadf..d7ec29dc140f 100644
--- a/browser/base/content/test/siteIdentity/browser_about_blank_same_document_tabswitch.js
+++ b/browser/base/content/test/siteIdentity/browser_about_blank_same_document_tabswitch.js
@@ -76,9 +76,7 @@ add_task(async function test_identityBlock_inherited_blank() {
     );
     is(
       identityBox.className,
-      Services.prefs.getBoolPref("security.insecure_connection_text.enabled")
-        ? "notSecure notSecureText"
-        : "notSecure",
+      "unknownIdentity",
       "Identity box should have been updated."
     );
 
diff --git a/browser/components/controlcenter/content/identityPanel.inc.xhtml b/browser/components/controlcenter/content/identityPanel.inc.xhtml
index 8bc64faa1ee0..7253366905f7 100644
--- a/browser/components/controlcenter/content/identityPanel.inc.xhtml
+++ b/browser/components/controlcenter/content/identityPanel.inc.xhtml
@@ -36,6 +36,7 @@
                         when-connection="net-error-page" data-l10n-id="identity-connection-failure"></label>
             <label when-connection="chrome" data-l10n-id="identity-connection-internal"></label>
             <label when-connection="file" data-l10n-id="identity-connection-file"></label>
+            <label when-connection="associated" data-l10n-id="identity-connection-associated"></label>
             <label when-connection="extension" data-l10n-id="identity-extension-page"></label>
             <label class="identity-popup-connection-secure upgraded" when-httpsonlystatus="upgraded failed-sub"
               data-l10n-id="identity-https-only-connection-upgraded"></label>
diff --git a/browser/locales/en-US/browser/browser.ftl b/browser/locales/en-US/browser/browser.ftl
index 89dfc2e6f200..b1603f9fb767 100644
--- a/browser/locales/en-US/browser/browser.ftl
+++ b/browser/locales/en-US/browser/browser.ftl
@@ -377,6 +377,7 @@ identity-connection-secure = Connection secure
 identity-connection-failure = Connection failure
 identity-connection-internal = This is a secure { -brand-short-name } page.
 identity-connection-file = This page is stored on your computer.
+identity-connection-associated = This page is loaded from another page.
 identity-extension-page = This page is loaded from an extension.
 identity-active-blocked = { -brand-short-name } has blocked parts of this page that are not secure.
 identity-custom-root = Connection verified by a certificate issuer that is not recognized by Mozilla.
diff --git a/browser/themes/shared/controlcenter/panel.css b/browser/themes/shared/controlcenter/panel.css
index 7bd0f3bca110..d7685cdc6942 100644
--- a/browser/themes/shared/controlcenter/panel.css
+++ b/browser/themes/shared/controlcenter/panel.css
@@ -43,6 +43,7 @@
 #identity-popup[connection=secure] [when-connection~=secure],
 #identity-popup[connection=chrome] [when-connection~=chrome],
 #identity-popup[connection=file] [when-connection~=file],
+#identity-popup[connection=associated] [when-connection~=associated],
 #identity-popup[connection=extension] [when-connection~=extension],
 #identity-popup[connection=cert-error-page] [when-connection~=cert-error-page],
 #identity-popup[connection=net-error-page] [when-connection~=net-error-page],
@@ -215,6 +216,10 @@
   list-style-image: url(chrome://global/skin/icons/page-portrait.svg);
 }
 
+#identity-popup[connection=associated] .identity-popup-security-connection {
+  list-style-image: url(chrome://global/skin/icons/info.svg);
+}
+
 #identity-popup[connection^=secure] .identity-popup-security-connection {
   list-style-image: url(chrome://global/skin/icons/security.svg);
 }
diff --git a/uriloader/base/nsIWebProgressListener.idl b/uriloader/base/nsIWebProgressListener.idl
index a536059f2943..43fa055eac10 100644
--- a/uriloader/base/nsIWebProgressListener.idl
+++ b/uriloader/base/nsIWebProgressListener.idl
@@ -223,6 +223,17 @@ interface nsIWebProgressListener : nsISupports
 
   const unsigned long STATE_IDENTITY_EV_TOPLEVEL    = 0x00100000;
 
+  /***
+   * Associated state flag
+   *
+   * This flag is used to if a page is inheriting its security context.
+   *
+   * STATE_IDENTITY_ASSOCIATED
+   *   This document doesn't have an identity of its own, and instead
+   *   uses its predecessor's identity.
+   */
+   const unsigned long STATE_IDENTITY_ASSOCIATED    = 0x00200000;
+
   /**
     * Broken state flags
     *