e10s HTTPS: securityInfo. sr=biesi.

2010-06-30 09:17:51 -07:00 · 2010-06-30 09:17:51 -07:00 · 099c13dad3
--- a/dom/ipc/Makefile.in
+++ b/dom/ipc/Makefile.in
@ -81,6 +81,7 @@ LOCAL_INCLUDES += \
 		-I$(srcdir)/../../content/events/src \
 		-I$(srcdir)/../src/geolocation \
 		-I$(topsrcdir)/chrome/src \
+		-I$(srcdir)/../../netwerk/base/src \
 		$(NULL)

 CXXFLAGS += $(TK_CFLAGS)
--- a/dom/ipc/PIFrameEmbedding.ipdl
+++ b/dom/ipc/PIFrameEmbedding.ipdl
@ -90,7 +90,10 @@ parent:
    notifyStatusChange(nsresult status,
                       nsString message);

-    notifySecurityChange(PRUint32 aState);
+    notifySecurityChange(PRUint32 aState,
+                         PRBool aUseSSLStatusObject,
+                         nsString aTooltip,
+                         nsCString aSecInfoAsString);

    sync refreshAttempted(nsCString uri, PRInt32 millis,
                          bool sameURI) returns (bool retval);
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@ -45,6 +45,8 @@
 #include "nsComponentManagerUtils.h"
 #include "nsIBaseWindow.h"
 #include "nsIDOMWindow.h"
+#include "nsIWebProgress.h"
+#include "nsIDocShell.h"
 #include "nsIDocShellTreeItem.h"
 #include "nsThreadUtils.h"
 #include "nsIInterfaceRequestorUtils.h"
@ -76,6 +78,9 @@
 #include "nsIDocument.h"
 #include "nsIScriptGlobalObject.h"
 #include "nsWeakReference.h"
+#include "nsISecureBrowserUI.h"
+#include "nsISSLStatusProvider.h"
+#include "nsSerializationHelper.h"

 #ifdef MOZ_WIDGET_QT
 #include <QX11EmbedWidget>
@ -521,7 +526,57 @@ TabChild::OnSecurityChange(nsIWebProgress *aWebProgress,
                           nsIRequest *aRequest,
                           PRUint32 aState)
 {
-  SendnotifySecurityChange(aState);
+  nsCString secInfoAsString;
+  if (aState & nsIWebProgressListener::STATE_IS_SECURE) {
+    nsCOMPtr<nsIChannel> channel = do_QueryInterface(aRequest);
+    if (channel) {
+      nsCOMPtr<nsISupports> secInfoSupports;
+      channel->GetSecurityInfo(getter_AddRefs(secInfoSupports));
+
+      nsCOMPtr<nsISerializable> secInfoSerializable =
+          do_QueryInterface(secInfoSupports);
+      NS_SerializeToString(secInfoSerializable, secInfoAsString);
+    }
+  }
+
+  PRBool useSSLStatusObject = PR_FALSE;
+  nsAutoString securityTooltip;
+  nsCOMPtr<nsIDocShell> docShell = do_QueryInterface(aWebProgress);
+  if (docShell) {
+    nsCOMPtr<nsISecureBrowserUI> secureUI;
+    docShell->GetSecurityUI(getter_AddRefs(secureUI));
+    if (secureUI) {
+      secureUI->GetTooltipText(securityTooltip);
+      nsCOMPtr<nsISupports> supports;
+      nsCOMPtr<nsISSLStatusProvider> provider =
+        do_QueryInterface(secureUI);
+      nsresult rv = provider->GetSSLStatus(getter_AddRefs(supports));
+      if (NS_SUCCEEDED(rv) && supports) {
+        /*
+         * useSSLStatusObject: Security UI internally holds 4 states: secure, mixed,
+         * broken, no security.  In cases of secure, mixed and broken it holds reference
+         * to a valid SSL status object.  But, in case of the 'broken' state it doesn't
+         * return the SSL status object (returns null), in contrary to the 'mixed' state
+         * for which it returns.
+         * 
+         * However, mixed and broken states are both reported to the upper level
+         * as nsIWebProgressListener::STATE_IS_BROKEN, i.e. states are merged,
+         * so we cannot determine, if to return the status object or not.
+         *
+         * TabParent is extracting the SSL status object from the security info
+         * serialization (string). SSL status object is always present there
+         * even security UI implementation doesn't present it.  This argument 
+         * tells the parent if the SSL status object is being presented by 
+         * the security UI here, on the child process, and so if it has to be
+         * presented also on the parent process.
+         */
+        useSSLStatusObject = PR_TRUE;
+      }
+    }
+  }
+
+  SendnotifySecurityChange(aState, useSSLStatusObject, securityTooltip,
+                           secInfoAsString);
  return NS_OK;
 }

--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@ -53,6 +53,7 @@
 #include "nsIWindowWatcher.h"
 #include "nsIDOMWindow.h"
 #include "nsPIDOMWindow.h"
+#include "nsIIdentityInfo.h"
 #include "TabChild.h"
 #include "nsIDOMEvent.h"
 #include "nsIPrivateDOMEvent.h"
@ -67,6 +68,7 @@
 #include "nsThreadUtils.h"
 #include "nsIPromptFactory.h"
 #include "nsIContent.h"
+#include "nsSerializationHelper.h"

 using mozilla::ipc::DocumentRendererParent;
 using mozilla::ipc::DocumentRendererShmemParent;
@ -80,9 +82,11 @@ using mozilla::dom::ContentProcessParent;
 namespace mozilla {
 namespace dom {

-NS_IMPL_ISUPPORTS3(TabParent, nsITabParent, nsIWebProgress, nsIAuthPromptProvider)
+NS_IMPL_ISUPPORTS5(TabParent, nsITabParent, nsIWebProgress, nsIAuthPromptProvider, 
+                   nsISecureBrowserUI, nsISSLStatusProvider)

 TabParent::TabParent()
+  : mSecurityState(nsIWebProgressListener::STATE_IS_INSECURE)
 {
 }

@ -284,7 +288,10 @@ TabParent::RecvnotifyStatusChange(const nsresult& status,
 }

 bool
-TabParent::RecvnotifySecurityChange(const PRUint32& aState)
+TabParent::RecvnotifySecurityChange(const PRUint32& aState,
+                                    const PRBool& aUseSSLStatusObject,
+                                    const nsString& aTooltip,
+                                    const nsCString& aSecInfoAsString)
 {
  /*                                                                           
   * First notify any listeners of the new state info...
@ -293,6 +300,32 @@ TabParent::RecvnotifySecurityChange(const PRUint32& aState)
   * get removed from the list it won't affect our iteration
   */

+  mSecurityState = aState;
+  mSecurityTooltipText = aTooltip;
+
+  if (!aSecInfoAsString.IsEmpty()) {
+    nsCOMPtr<nsISupports> secInfoSupports;
+    nsresult rv = NS_DeserializeObject(aSecInfoAsString, getter_AddRefs(secInfoSupports));
+
+    if (NS_SUCCEEDED(rv)) {
+      nsCOMPtr<nsIIdentityInfo> idInfo = do_QueryInterface(secInfoSupports);
+      if (idInfo) {
+        PRBool isEV;
+        if (NS_SUCCEEDED(idInfo->GetIsExtendedValidation(&isEV)) && isEV)
+          mSecurityState |= nsIWebProgressListener::STATE_IDENTITY_EV_TOPLEVEL;
+      }
+    }
+
+    mSecurityStatusObject = nsnull;
+    if (aUseSSLStatusObject)
+    {
+      nsCOMPtr<nsISSLStatusProvider> sslStatusProvider =
+        do_QueryInterface(secInfoSupports);
+      if (sslStatusProvider)
+        sslStatusProvider->GetSSLStatus(getter_AddRefs(mSecurityStatusObject));
+    }
+  }
+
  nsCOMPtr<nsIWebProgressListener> listener;
  PRUint32 count = mListenerInfoList.Length();

@ -309,7 +342,7 @@ TabParent::RecvnotifySecurityChange(const PRUint32& aState)
      continue;
    }

-    listener->OnSecurityChange(this, nsnull, aState);
+    listener->OnSecurityChange(this, nsnull, mSecurityState);
  }

  return true;
@ -618,6 +651,34 @@ TabParent::GetIsLoadingDocument(PRBool *aIsLoadingDocument)
  return NS_ERROR_NOT_IMPLEMENTED;
 }

+NS_IMETHODIMP
+TabParent::Init(nsIDOMWindow *window)
+{
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TabParent::GetState(PRUint32 *aState)
+{
+  NS_ENSURE_ARG(aState);
+  *aState = mSecurityState;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TabParent::GetTooltipText(nsAString & aTooltipText)
+{
+  aTooltipText = mSecurityTooltipText;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TabParent::GetSSLStatus(nsISupports ** aStatus)
+{
+  NS_IF_ADDREF(*aStatus = mSecurityStatusObject);
+  return NS_OK;
+}
+
 // nsIAuthPromptProvider

 // This method is largely copied from nsDocShell::GetAuthPrompt
--- a/dom/ipc/TabParent.h
+++ b/dom/ipc/TabParent.h
@ -52,6 +52,8 @@
 #include "nsWeakReference.h"
 #include "nsIDialogParamBlock.h"
 #include "nsIAuthPromptProvider.h"
+#include "nsISecureBrowserUI.h"
+#include "nsISSLStatusProvider.h"

 class nsIURI;
 class nsIDOMElement;
@ -91,6 +93,8 @@ class TabParent : public PIFrameEmbeddingParent
                , public nsITabParent 
                , public nsIWebProgress
                , public nsIAuthPromptProvider
+                , public nsISecureBrowserUI
+                , public nsISSLStatusProvider
 {
 public:
    TabParent();
@ -111,7 +115,10 @@ public:
    virtual bool RecvnotifyLocationChange(const nsCString& aUri);
    virtual bool RecvnotifyStatusChange(const nsresult& status,
                                        const nsString& message);
-    virtual bool RecvnotifySecurityChange(const PRUint32& aState);
+    virtual bool RecvnotifySecurityChange(const PRUint32& aState,
+                                          const PRBool& aUseSSLStatusObject,
+                                          const nsString& aTooltip,
+                                          const nsCString& aSecInfoAsString);
    virtual bool RecvrefreshAttempted(const nsCString& aURI,
                                      const PRInt32& aMillis,
                                      const bool& aSameURI,
@ -187,6 +194,8 @@ public:
    NS_DECL_ISUPPORTS
    NS_DECL_NSIWEBPROGRESS
    NS_DECL_NSIAUTHPROMPTPROVIDER
+    NS_DECL_NSISECUREBROWSERUI
+    NS_DECL_NSISSLSTATUSPROVIDER

    void HandleDelayedDialogs();
 protected:
@ -202,6 +211,10 @@ protected:
    nsIDOMElement* mFrameElement;
    nsCOMPtr<nsIBrowserDOMWindow> mBrowserDOMWindow;

+    PRUint32 mSecurityState;
+    nsString mSecurityTooltipText;
+    nsCOMPtr<nsISupports> mSecurityStatusObject;
+
    nsTArray<TabParentListenerInfo> mListenerInfoList;

    struct DelayedDialogData
--- a/netwerk/protocol/http/HttpChannelChild.cpp
+++ b/netwerk/protocol/http/HttpChannelChild.cpp
@ -48,6 +48,7 @@
 #include "nsHttpHandler.h"
 #include "nsMimeTypes.h"
 #include "nsNetUtil.h"
+#include "nsSerializationHelper.h"

 namespace mozilla {
 namespace net {
@ -99,6 +100,7 @@ NS_INTERFACE_MAP_BEGIN(HttpChannelChild)
  NS_INTERFACE_MAP_ENTRY(nsITraceableChannel)
  NS_INTERFACE_MAP_ENTRY(nsIApplicationCacheContainer)
  NS_INTERFACE_MAP_ENTRY(nsIApplicationCacheChannel)
+  NS_INTERFACE_MAP_ENTRY_CONDITIONAL(nsIAssociatedContentSecurity, GetAssociatedContentSecurity())
 NS_INTERFACE_MAP_END_INHERITING(HttpBaseChannel)

 //-----------------------------------------------------------------------------
@ -111,7 +113,8 @@ HttpChannelChild::RecvOnStartRequest(const nsHttpResponseHead& responseHead,
                                     const PRBool& isFromCache,
                                     const PRBool& cacheEntryAvailable,
                                     const PRUint32& cacheExpirationTime,
-                                     const nsCString& cachedCharset)
+                                     const nsCString& cachedCharset,
+                                     const nsCString& securityInfoSerialization)
 {
  LOG(("HttpChannelChild::RecvOnStartRequest [this=%x]\n", this));

@ -122,6 +125,11 @@ HttpChannelChild::RecvOnStartRequest(const nsHttpResponseHead& responseHead,
  else
    mResponseHead = nsnull;
 
+  if (!securityInfoSerialization.IsEmpty())
+    NS_DeserializeObject(securityInfoSerialization, getter_AddRefs(mSecurityInfo));
+  else
+    mSecurityInfo = nsnull;
+
  mIsFromCache = isFromCache;
  mCacheEntryAvailable = cacheEntryAvailable;
  mCacheExpirationTime = cacheExpirationTime;
@ -280,9 +288,8 @@ HttpChannelChild::Resume()
 NS_IMETHODIMP
 HttpChannelChild::GetSecurityInfo(nsISupports **aSecurityInfo)
 {
-  // FIXME: Stub for bug 536301 .
  NS_ENSURE_ARG_POINTER(aSecurityInfo);
-  *aSecurityInfo = 0;
+  NS_IF_ADDREF(*aSecurityInfo = mSecurityInfo);
  return NS_OK;
 }

@ -600,6 +607,127 @@ HttpChannelChild::SetChooseApplicationCache(PRBool aChooseApplicationCache)
  return NS_OK;
 }

+//-----------------------------------------------------------------------------
+// HttpChannelChild::nsIAssociatedContentSecurity
+//-----------------------------------------------------------------------------
+
+bool
+HttpChannelChild::GetAssociatedContentSecurity(nsIAssociatedContentSecurity** _result)
+{
+  if (!mSecurityInfo)
+    return false;
+
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc =
+      do_QueryInterface(mSecurityInfo);
+  if (!assoc)
+    return false;
+
+  if (_result)
+    assoc.forget(_result);
+  return true;
+}
+
+/* attribute unsigned long countSubRequestsHighSecurity; */
+NS_IMETHODIMP
+HttpChannelChild::GetCountSubRequestsHighSecurity(PRInt32 *aSubRequestsHighSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->GetCountSubRequestsHighSecurity(aSubRequestsHighSecurity);
+}
+NS_IMETHODIMP
+HttpChannelChild::SetCountSubRequestsHighSecurity(PRInt32 aSubRequestsHighSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->SetCountSubRequestsHighSecurity(aSubRequestsHighSecurity);
+}
+
+/* attribute unsigned long countSubRequestsLowSecurity; */
+NS_IMETHODIMP
+HttpChannelChild::GetCountSubRequestsLowSecurity(PRInt32 *aSubRequestsLowSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->GetCountSubRequestsLowSecurity(aSubRequestsLowSecurity);
+}
+NS_IMETHODIMP
+HttpChannelChild::SetCountSubRequestsLowSecurity(PRInt32 aSubRequestsLowSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->SetCountSubRequestsLowSecurity(aSubRequestsLowSecurity);
+}
+
+/* attribute unsigned long countSubRequestsBrokenSecurity; */
+NS_IMETHODIMP HttpChannelChild::GetCountSubRequestsBrokenSecurity(PRInt32 *aSubRequestsBrokenSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->GetCountSubRequestsBrokenSecurity(aSubRequestsBrokenSecurity);
+}
+NS_IMETHODIMP HttpChannelChild::SetCountSubRequestsBrokenSecurity(PRInt32 aSubRequestsBrokenSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->SetCountSubRequestsBrokenSecurity(aSubRequestsBrokenSecurity);
+}
+
+/* attribute unsigned long countSubRequestsNoSecurity; */
+NS_IMETHODIMP
+HttpChannelChild::GetCountSubRequestsNoSecurity(PRInt32 *aSubRequestsNoSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->GetCountSubRequestsNoSecurity(aSubRequestsNoSecurity);
+}
+NS_IMETHODIMP
+HttpChannelChild::SetCountSubRequestsNoSecurity(PRInt32 aSubRequestsNoSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->SetCountSubRequestsNoSecurity(aSubRequestsNoSecurity);
+}
+
+NS_IMETHODIMP
+HttpChannelChild::Flush()
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  nsresult rv;
+  PRInt32 hi, low, broken, no;
+
+  rv = assoc->GetCountSubRequestsHighSecurity(&hi);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = assoc->GetCountSubRequestsLowSecurity(&low);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = assoc->GetCountSubRequestsBrokenSecurity(&broken);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = assoc->GetCountSubRequestsNoSecurity(&no);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  SendUpdateAssociatedContentSecurity(hi, low, broken, no);
+
+  return NS_OK;
+}

 //------------------------------------------------------------------------------
 }} // mozilla::net
--- a/netwerk/protocol/http/HttpChannelChild.h
+++ b/netwerk/protocol/http/HttpChannelChild.h
@ -58,6 +58,7 @@
 #include "nsIResumableChannel.h"
 #include "nsIProxiedChannel.h"
 #include "nsITraceableChannel.h"
+#include "nsIAssociatedContentSecurity.h"

 namespace mozilla {
 namespace net {
@ -80,6 +81,7 @@ class HttpChannelChild : public PHttpChannelChild
                       , public nsIProxiedChannel
                       , public nsITraceableChannel
                       , public nsIApplicationCacheChannel
+                       , public nsIAssociatedContentSecurity
 {
 public:
  NS_DECL_ISUPPORTS_INHERITED
@ -90,6 +92,7 @@ public:
  NS_DECL_NSITRACEABLECHANNEL
  NS_DECL_NSIAPPLICATIONCACHECONTAINER
  NS_DECL_NSIAPPLICATIONCACHECHANNEL
+  NS_DECL_NSIASSOCIATEDCONTENTSECURITY

  HttpChannelChild();
  virtual ~HttpChannelChild();
@ -119,7 +122,8 @@ protected:
                          const PRBool& isFromCache,
                          const PRBool& cacheEntryAvailable,
                          const PRUint32& cacheExpirationTime,
-                          const nsCString& cachedCharset);
+                          const nsCString& cachedCharset,
+                          const nsCString& securityInfoSerialization);
  bool RecvOnDataAvailable(const nsCString& data, 
                           const PRUint32& offset,
                           const PRUint32& count);
@ -127,8 +131,11 @@ protected:
  bool RecvOnProgress(const PRUint64& progress, const PRUint64& progressMax);
  bool RecvOnStatus(const nsresult& status, const nsString& statusArg);

+  bool GetAssociatedContentSecurity(nsIAssociatedContentSecurity** _result = nsnull);
+
 private:
  RequestHeaderTuples mRequestHeaders;
+  nsCOMPtr<nsISupports> mSecurityInfo;

  PRPackedBool mIsFromCache;
  PRPackedBool mCacheEntryAvailable;
--- a/netwerk/protocol/http/HttpChannelParent.cpp
+++ b/netwerk/protocol/http/HttpChannelParent.cpp
@ -48,6 +48,9 @@
 #include "nsIDocShellTreeItem.h"
 #include "nsIBadCertListener2.h"
 #include "nsICacheEntryDescriptor.h"
+#include "nsSerializationHelper.h"
+#include "nsISerializable.h"
+#include "nsIAssociatedContentSecurity.h"

 namespace mozilla {
 namespace net {
@ -198,6 +201,29 @@ HttpChannelParent::RecvOnStopRequestCompleted()
  return true;
 }

+bool
+HttpChannelParent::RecvUpdateAssociatedContentSecurity(const PRInt32& high,
+                                                       const PRInt32& low,
+                                                       const PRInt32& broken,
+                                                       const PRInt32& no)
+{
+  nsHttpChannel *chan = static_cast<nsHttpChannel *>(mChannel.get());
+
+  nsCOMPtr<nsISupports> secInfo;
+  chan->GetSecurityInfo(getter_AddRefs(secInfo));
+
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc = do_QueryInterface(secInfo);
+  if (!assoc)
+    return true;
+
+  assoc->SetCountSubRequestsHighSecurity(high);
+  assoc->SetCountSubRequestsLowSecurity(low);
+  assoc->SetCountSubRequestsBrokenSecurity(broken);
+  assoc->SetCountSubRequestsNoSecurity(no);
+
+  return true;
+}
+
 //-----------------------------------------------------------------------------
 // HttpChannelParent::nsIRequestObserver
 //-----------------------------------------------------------------------------
@ -221,11 +247,20 @@ HttpChannelParent::OnStartRequest(nsIRequest *aRequest, nsISupports *aContext)
  // It could be already released by nsHttpChannel at that time.
  chan->GetCacheToken(getter_AddRefs(mCacheDescriptor));

+  nsCOMPtr<nsISupports> secInfoSupp;
+  chan->GetSecurityInfo(getter_AddRefs(secInfoSupp));
+
+  nsCOMPtr<nsISerializable> secInfoSer =
+      do_QueryInterface(secInfoSupp);
+
+  nsCString secInfoSerialization;
+  NS_SerializeToString(secInfoSer, secInfoSerialization);
+
  if (mIPCClosed || 
      !SendOnStartRequest(responseHead ? *responseHead : nsHttpResponseHead(), 
                          !!responseHead, isFromCache,
                          mCacheDescriptor ? PR_TRUE : PR_FALSE,
-                          expirationTime, cachedCharset)) {
+                          expirationTime, cachedCharset, secInfoSerialization)) {
    return NS_ERROR_UNEXPECTED; 
  }
  return NS_OK;
--- a/netwerk/protocol/http/HttpChannelParent.h
+++ b/netwerk/protocol/http/HttpChannelParent.h
@ -91,6 +91,10 @@ protected:
  virtual bool RecvSetPriority(const PRUint16& priority);
  virtual bool RecvSetCacheTokenCachedCharset(const nsCString& charset);
  virtual bool RecvOnStopRequestCompleted();
+  virtual bool RecvUpdateAssociatedContentSecurity(const PRInt32& high,
+                                                   const PRInt32& low,
+                                                   const PRInt32& broken,
+                                                   const PRInt32& no);

  virtual void ActorDestroy(ActorDestroyReason why);

--- a/netwerk/protocol/http/PHttpChannel.ipdl
+++ b/netwerk/protocol/http/PHttpChannel.ipdl
@ -82,13 +82,19 @@ parent:

  OnStopRequestCompleted();

+  UpdateAssociatedContentSecurity(PRInt32 high,
+                                  PRInt32 low,
+                                  PRInt32 broken,
+                                  PRInt32 no);
+
 child:
  OnStartRequest(nsHttpResponseHead responseHead,
                 PRBool             useResponseHead,
                 PRBool             isFromCache,
                 PRBool             cacheEntryAvailable,
                 PRUint32           cacheExpirationTime,
-                 nsCString          cachedCharset);
+                 nsCString          cachedCharset,
+                 nsCString          securityInfoSerialization);

  OnDataAvailable(nsCString data, 
                  PRUint32  offset, 
--- a/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
+++ b/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
@ -567,7 +567,12 @@ nsSecureBrowserUIImpl::EvaluateAndUpdateSecurityState(nsIRequest* aRequest, nsIS
    PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
           ("SecureUI:%p: remember securityInfo %p\n", this,
            info));
-    mCurrentToplevelSecurityInfo = info;
+    nsCOMPtr<nsIAssociatedContentSecurity> associatedContentSecurityFromRequest =
+        do_QueryInterface(aRequest);
+    if (associatedContentSecurityFromRequest)
+        mCurrentToplevelSecurityInfo = aRequest;
+    else
+        mCurrentToplevelSecurityInfo = info;
  }

  return UpdateSecurityState(aRequest, withNewLocation, 
@ -1106,6 +1111,7 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
        prevContentSecurity->SetCountSubRequestsLowSecurity(saveSubLow);
        prevContentSecurity->SetCountSubRequestsBrokenSecurity(saveSubBroken);
        prevContentSecurity->SetCountSubRequestsNoSecurity(saveSubNo);
+        prevContentSecurity->Flush();
      }

      PRBool retrieveAssociatedState = PR_FALSE;
--- a/security/manager/ssl/public/nsIAssociatedContentSecurity.idl
+++ b/security/manager/ssl/public/nsIAssociatedContentSecurity.idl
@ -46,11 +46,12 @@

 #include "nsISupports.idl"

-[scriptable, uuid(8DB92DDE-799F-4d33-80F7-459CAC800DC9)]
+[scriptable, uuid(6AC9A699-D12A-45dc-9B02-9E5E0DD831B9)]
 interface nsIAssociatedContentSecurity : nsISupports
 {
  attribute long countSubRequestsHighSecurity;
  attribute long countSubRequestsLowSecurity;
  attribute long countSubRequestsBrokenSecurity;
  attribute long countSubRequestsNoSecurity;
+  void flush();
 };
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@ -511,6 +511,10 @@ NS_IMETHODIMP nsNSSSocketInfo::SetCountSubRequestsNoSecurity(PRInt32 aSubRequest
  mSubRequestsNoSecurity = aSubRequestsNoSecurity;
  return NS_OK;
 }
+NS_IMETHODIMP nsNSSSocketInfo::Flush()
+{
+  return NS_OK;
+}

 NS_IMETHODIMP
 nsNSSSocketInfo::GetShortSecurityDescription(PRUnichar** aText) {