Bug 1721654 - show 'Not Secure' chiclet for certificate errors, r=pbz

This also causes nssFailure2 network errors to be treated as certificate errors in the identity block, and adjusts tests for this new reality. It also readds a test to test a non-cert-related network error to ensure that case doesn't lose coverage. Differential Revision: https://phabricator.services.mozilla.com/D121176
2024-10-17 23:35:34 +00:00 · 2021-08-02 13:20:27 +00:00 · 2021-08-02 13:20:27 +00:00 · c88bc927dc
commit c88bc927dc
parent c899d04fbf
2 changed files with 77 additions and 33 deletions
--- a/browser/base/content/browser-siteIdentity.js
+++ b/browser/base/content/browser-siteIdentity.js
@ -132,29 +132,28 @@ var gIdentityHandler = {
    return this._state & Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN;
  },

-  get _isAboutCertErrorPage() {
+  get _isCertErrorPage() {
+    let { documentURI } = gBrowser.selectedBrowser;
+    if (documentURI?.scheme != "about") {
+      return false;
+    }
+
    return (
-      gBrowser.selectedBrowser.documentURI &&
-      gBrowser.selectedBrowser.documentURI.scheme == "about" &&
-      gBrowser.selectedBrowser.documentURI.pathQueryRef.startsWith("certerror")
+      documentURI.filePath == "certerror" ||
+      (documentURI.filePath == "neterror" &&
+        new URLSearchParams(documentURI.query).get("e") == "nssFailure2")
    );
  },

  get _isAboutNetErrorPage() {
-    return (
-      gBrowser.selectedBrowser.documentURI &&
-      gBrowser.selectedBrowser.documentURI.scheme == "about" &&
-      gBrowser.selectedBrowser.documentURI.pathQueryRef.startsWith("neterror")
-    );
+    let { documentURI } = gBrowser.selectedBrowser;
+    return documentURI?.scheme == "about" && documentURI.filePath == "neterror";
  },

  get _isAboutHttpsOnlyErrorPage() {
+    let { documentURI } = gBrowser.selectedBrowser;
    return (
-      gBrowser.selectedBrowser.documentURI &&
-      gBrowser.selectedBrowser.documentURI.scheme == "about" &&
-      gBrowser.selectedBrowser.documentURI.pathQueryRef.startsWith(
-        "httpsonlyerror"
-      )
+      documentURI?.scheme == "about" && documentURI.filePath == "httpsonlyerror"
    );
  },

@ -173,17 +172,13 @@ var gIdentityHandler = {
      !this._isBrokenConnection &&
      !this._isPDFViewer &&
      (this._isSecureContext ||
-        (gBrowser.selectedBrowser.documentURI &&
-          gBrowser.selectedBrowser.documentURI.scheme == "chrome"))
+        gBrowser.selectedBrowser.documentURI?.scheme == "chrome")
    );
  },

  get _isAboutBlockedPage() {
-    return (
-      gBrowser.selectedBrowser.documentURI &&
-      gBrowser.selectedBrowser.documentURI.scheme == "about" &&
-      gBrowser.selectedBrowser.documentURI.pathQueryRef.startsWith("blocked")
-    );
+    let { documentURI } = gBrowser.selectedBrowser;
+    return documentURI?.scheme == "about" && documentURI.filePath == "blocked";
  },

  _popupInitialized: false,
@ -823,9 +818,11 @@ var gIdentityHandler = {
      } else {
        this._identityBox.classList.add("weakCipher");
      }
-    } else if (this._isAboutCertErrorPage) {
-      // We show a warning lock icon for 'about:certerror' page.
-      this._identityBox.className = "certErrorPage";
+    } else if (this._isCertErrorPage) {
+      // We show a warning lock icon for certificate errors, and
+      // show the "Not Secure" text.
+      this._identityBox.className = "certErrorPage notSecureText";
+      icon_label = gNavigatorBundle.getString("identity.notSecure.label");
    } else if (this._isAboutHttpsOnlyErrorPage) {
      // We show a not secure lock icon for 'about:httpsonlyerror' page.
      this._identityBox.className = "httpsOnlyErrorPage";
@ -964,7 +961,7 @@ var gIdentityHandler = {
    } else if (this._isSecureConnection) {
      connection = "secure";
      customRoot = this._hasCustomRoot();
-    } else if (this._isAboutCertErrorPage) {
+    } else if (this._isCertErrorPage) {
      connection = "cert-error-page";
    } else if (this._isAboutHttpsOnlyErrorPage) {
      connection = "https-only-error-page";
--- a/browser/base/content/test/siteIdentity/browser_check_identity_state.js
+++ b/browser/base/content/test/siteIdentity/browser_check_identity_state.js
@ -379,7 +379,7 @@ async function noCertErrorTest(secureCheck) {
  await promise;
  is(
    getIdentityMode(),
-    "certErrorPage",
+    "certErrorPage notSecureText",
    "Identity should be the cert error page."
  );
  is(
@ -394,7 +394,7 @@ async function noCertErrorTest(secureCheck) {
  gBrowser.selectedTab = newTab;
  is(
    getIdentityMode(),
-    "certErrorPage",
+    "certErrorPage notSecureText",
    "Identity should be the cert error page."
  );
  is(
@ -481,7 +481,7 @@ async function noCertErrorFromNavigationTest(secureCheck) {
  );
  is(
    getIdentityMode(),
-    "certErrorPage",
+    "certErrorPage notSecureText",
    "Identity should be the cert error page."
  );
  is(
@ -500,10 +500,14 @@ add_task(async function test_about_net_error_uri_from_navigation_tab() {
  await noCertErrorFromNavigationTest(false);
 });

-add_task(async function netErrorPageTest() {
+add_task(async function tlsErrorPageTest() {
  const TLS10_PAGE = "https://tls1.example.com/";
-  Services.prefs.setIntPref("security.tls.version.min", 3);
-  Services.prefs.setIntPref("security.tls.version.max", 4);
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      ["security.tls.version.min", 3],
+      ["security.tls.version.max", 4],
+    ],
+  });

  let browser;
  let pageLoaded;
@ -530,8 +534,8 @@ add_task(async function netErrorPageTest() {

  is(
    getConnectionState(),
-    "net-error-page",
-    "Connection should be the net error page."
+    "cert-error-page",
+    "Connection state should be the cert error page."
  );

  BrowserTestUtils.removeTab(gBrowser.selectedTab);
@ -539,6 +543,49 @@ add_task(async function netErrorPageTest() {
  await SpecialPowers.popPrefEnv();
 });

+add_task(async function netErrorPageTest() {
+  // Connect to a server that rejects all requests, to test network error pages:
+  let { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js");
+  let server = new HttpServer();
+  server.registerPrefixHandler("/", (req, res) =>
+    res.abort(new Error("Noooope."))
+  );
+  server.start(-1);
+  let port = server.identity.primaryPort;
+  const ERROR_PAGE = `http://localhost:${port}/`;
+
+  let browser;
+  let pageLoaded;
+  await BrowserTestUtils.openNewForegroundTab(
+    gBrowser,
+    () => {
+      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, ERROR_PAGE);
+      browser = gBrowser.selectedBrowser;
+      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
+    },
+    false
+  );
+
+  info("Loading and waiting for the net error");
+  await pageLoaded;
+
+  await SpecialPowers.spawn(browser, [], function() {
+    const doc = content.document;
+    ok(
+      doc.documentURI.startsWith("about:neterror"),
+      "Should be showing error page"
+    );
+  });
+
+  is(
+    getConnectionState(),
+    "net-error-page",
+    "Connection should be the net error page."
+  );
+
+  BrowserTestUtils.removeTab(gBrowser.selectedTab);
+});
+
 async function aboutBlockedTest(secureCheck) {
  let url = "http://www.itisatrap.org/firefox/its-an-attack.html";
  let oldTab = await loadNewTab("about:robots");