Bug 1072859 - Disable Geolocation on non-secure origins. r=jdm

MozReview-Commit-ID: KnHOb0aN4nE

--HG--
extra : rebase_source : 844cce898bc717345db8438642f545eb043bb4a5

browser/app/profile/firefox.js

@@ -1289,11 +1289,6 @@ pref("geo.provider.use_gpsd", true);
 
 #endif
 
-// We keep allowing non-HTTPS geo requests on all the release
-// channels, for now.
-// TODO: default to false (or remove altogether) for #1072859.
-pref("geo.security.allowinsecure", true);
-
 // Necko IPC security checks only needed for app isolation for cookies/cache/etc:
 // currently irrelevant for desktop e10s
 pref("network.disable.ipc.security", true);

browser/components/privatebrowsing/test/browser/browser_privatebrowsing_geoprompt.js

@@ -6,7 +6,7 @@
 // control inside the private browsing mode.
 
 add_task(function* test() {
-  const testPageURL = "http://mochi.test:8888/browser/" +
+  const testPageURL = "https://example.com/browser/" +
     "browser/components/privatebrowsing/test/browser/browser_privatebrowsing_geoprompt_page.html";
 
   function checkGeolocation(aPrivateMode, aWindow) {

devtools/client/responsive.html/test/browser/browser_permission_doorhanger.js

@@ -6,6 +6,7 @@
 // Test that permission popups asking for user approval still appear in RDM
 const DUMMY_URL = "http://example.com/";
 const TEST_URL = `${URL_ROOT}geolocation.html`;
+const TEST_SURL = TEST_URL.replace('http://example.com', 'https://example.com');
 
 function waitForGeolocationPrompt(win, browser) {
   return new Promise(resolve => {
@@ -28,7 +29,7 @@ add_task(function* () {
 
   // Checks if a geolocation permission doorhanger appears when openning a page
   // requesting geolocation
-  yield load(browser, TEST_URL);
+  yield load(browser, TEST_SURL);
   yield waitPromptPromise;
 
   ok(true, "Permission doorhanger appeared without RDM enabled");
@@ -42,7 +43,7 @@ add_task(function* () {
 
   // Checks if the doorhanger appeared again when reloading the geolocation
   // page inside RDM
-  yield load(browser, TEST_URL);
+  yield load(browser, TEST_SURL);
   yield waitPromptPromise;
 
   ok(true, "Permission doorhanger appeared inside RDM");

dom/geolocation/nsGeolocation.cpp

@@ -1172,9 +1172,7 @@ Geolocation::IsAlreadyCleared(nsGeolocationRequest* aRequest)
 bool
 Geolocation::ShouldBlockInsecureRequests() const
 {
-  // TODO: Also remove all the *_SECURE_ORIGIN Telemetry probes before
-  // landing the patch for #1072859. Also default to false.
-  if (Preferences::GetBool(PREF_GEO_SECURITY_ALLOWINSECURE, true)) {
+  if (Preferences::GetBool(PREF_GEO_SECURITY_ALLOWINSECURE, false)) {
     return false;
   }
 
@@ -1188,7 +1186,7 @@ Geolocation::ShouldBlockInsecureRequests() const
     return false;
   }
 
-  if (!nsGlobalWindow::Cast(win)->IsSecureContext()) {
+  if (!nsGlobalWindow::Cast(win)->IsSecureContextIfOpenerIgnored()) {
     nsContentUtils::ReportToConsole(nsIScriptError::errorFlag,
                                     NS_LITERAL_CSTRING("DOM"), doc,
                                     nsContentUtils::eDOM_PROPERTIES,

dom/tests/browser/browser_bug1008941_dismissGeolocationHanger.js

@@ -4,7 +4,7 @@
  */
 "use strict";
 
-const TEST_URI = "http://example.com/" +
+const TEST_URI = "https://example.com/" +
                  "browser/dom/tests/browser/position.html";
 
 add_task(function* testDismissHanger() {

testing/web-platform/meta/MANIFEST.json

@@ -87994,9 +87994,9 @@
      {}
     ]
    ],
-   "geolocation-API/PositionOptions.html": [
+   "geolocation-API/PositionOptions.https.html": [
     [
-     "/geolocation-API/PositionOptions.html",
+     "/geolocation-API/PositionOptions.https.html",
      {}
     ]
    ],
@@ -88006,9 +88006,9 @@
      {}
     ]
    ],
-   "geolocation-API/getCurrentPosition_IDL.html": [
+   "geolocation-API/getCurrentPosition_IDL.https.html": [
     [
-     "/geolocation-API/getCurrentPosition_IDL.html",
+     "/geolocation-API/getCurrentPosition_IDL.https.html",
      {}
     ]
    ],
@@ -88018,15 +88018,15 @@
      {}
     ]
    ],
-   "geolocation-API/getCurrentPosition_permission_allow.html": [
+   "geolocation-API/getCurrentPosition_permission_allow.https.html": [
     [
-     "/geolocation-API/getCurrentPosition_permission_allow.html",
+     "/geolocation-API/getCurrentPosition_permission_allow.https.html",
      {}
     ]
    ],
-   "geolocation-API/getCurrentPosition_permission_deny.html": [
+   "geolocation-API/getCurrentPosition_permission_deny.https.html": [
     [
-     "/geolocation-API/getCurrentPosition_permission_deny.html",
+     "/geolocation-API/getCurrentPosition_permission_deny.https.html",
      {}
     ]
    ],
@@ -88042,9 +88042,9 @@
      {}
     ]
    ],
-   "geolocation-API/watchPosition_permission_deny.html": [
+   "geolocation-API/watchPosition_permission_deny.https.html": [
     [
-     "/geolocation-API/watchPosition_permission_deny.html",
+     "/geolocation-API/watchPosition_permission_deny.https.html",
      {}
     ]
    ],
@@ -164783,7 +164783,7 @@
    "0657e9c1d1281428355eb545ba0b4552dc8900ec",
    "support"
   ],
-  "geolocation-API/PositionOptions.html": [
+  "geolocation-API/PositionOptions.https.html": [
    "3ed405ebbe4b6fde9dfa6b3426c52c7025efd84c",
    "testharness"
   ],
@@ -164791,7 +164791,7 @@
    "281cdbc3d81e498514a0cca3e839c33e1b217974",
    "testharness"
   ],
-  "geolocation-API/getCurrentPosition_IDL.html": [
+  "geolocation-API/getCurrentPosition_IDL.https.html": [
    "5c7c8f7406a82140384687bfc66b2ef1d8bdc259",
    "testharness"
   ],
@@ -164807,7 +164807,7 @@
    "e75a1408296aeed55b5edee35d86cb523cce5a4c",
    "manual"
   ],
-  "geolocation-API/getCurrentPosition_permission_allow.html": [
+  "geolocation-API/getCurrentPosition_permission_allow.https.html": [
    "695f80f5a06279b3a0bdd137e6a402da66a5eeee",
    "testharness"
   ],
@@ -164835,7 +164835,7 @@
    "39f9b8442320f67323f55f26a417deb2ae12eacf",
    "manual"
   ],
-  "geolocation-API/watchPosition_permission_deny.html": [
+  "geolocation-API/watchPosition_permission_deny.https.html": [
    "8da70bf5b65ace1e8a26e458d6c011c6183c5501",
    "testharness"
   ],

testing/web-platform/meta/geolocation-API/PositionOptions.https.html.ini

@@ -1,4 +1,4 @@
-[PositionOptions.html]
+[PositionOptions.https.html]
   type: testharness
   expected: TIMEOUT
   [Set timeout and maximumAge to 0, check that timeout error raised (getCurrentPosition)]

testing/web-platform/meta/geolocation-API/getCurrentPosition_IDL.https.html.ini

@@ -1,4 +1,4 @@
-[getCurrentPosition_IDL.html]
+[getCurrentPosition_IDL.https.html]
   type: testharness
   expected: TIMEOUT
   [getCurrentPosition success callback tests]

testing/web-platform/meta/geolocation-API/getCurrentPosition_permission_allow.https.html.ini

@@ -1,4 +1,4 @@
-[getCurrentPosition_permission_allow.html]
+[getCurrentPosition_permission_allow.https.html]
   type: testharness
   expected: TIMEOUT
   [User allows access, check that success callback is called or error callback is called with correct code.]

testing/web-platform/meta/geolocation-API/getCurrentPosition_permission_deny.https.html.ini

@@ -1,4 +1,4 @@
-[getCurrentPosition_permission_deny.html]
+[getCurrentPosition_permission_deny.https.html]
   type: testharness
   expected: TIMEOUT
   [User denies access, check that error callback is called with correct code]

testing/web-platform/meta/geolocation-API/watchPosition_permission_deny.https.html.ini

@@ -1,4 +1,4 @@
-[watchPosition_permission_deny.html]
+[watchPosition_permission_deny.https.html]
   type: testharness
   expected: TIMEOUT
   [Check that watchPosition returns synchronously before any callbacks are invoked.]