Bug 1767292 - Show scheme for Auth Dialog if HTTP r=Gijs

Differential Revision: https://phabricator.services.mozilla.com/D224379

browser/base/content/test/tabPrompts/browser.toml

@@ -31,7 +31,7 @@ skip-if = ["verify && debug && (os == 'linux')"]
 ["browser_confirmFolderUpload.js"]
 
 ["browser_contentOrigins.js"]
-support-files = ["file_beforeunload_stop.html"]
+support-files = ["file_beforeunload_stop.html", "auth-route.sjs"]
 
 ["browser_multiplePrompts.js"]
 

browser/base/content/test/tabPrompts/browser_contentOrigins.js

@@ -16,10 +16,13 @@ const TEST_ROOT = getRootDirectory(gTestPath).replace(
   "https://example.com"
 );
 
+const DEFAULT_FAVICON = "chrome://global/skin/icons/defaultFavicon.svg";
+const BROKEN_FAVICON = "chrome://global/skin/icons/security-broken.svg";
+
 async function checkAlert(
   pageToLoad,
   expectedTitle,
-  expectedIcon = "chrome://global/skin/icons/defaultFavicon.svg"
+  expectedIcon = DEFAULT_FAVICON
 ) {
   function openFn(browser) {
     return SpecialPowers.spawn(browser, [], () => {
@@ -38,7 +41,7 @@ async function checkAlert(
 async function checkBeforeunload(
   pageToLoad,
   expectedTitle,
-  expectedIcon = "chrome://global/skin/icons/defaultFavicon.svg"
+  expectedIcon = DEFAULT_FAVICON
 ) {
   async function openFn(browser) {
     let tab = gBrowser.getTabForBrowser(browser);
@@ -178,20 +181,30 @@ add_task(async function test_check_auth() {
   const HOST = `localhost:${server.identity.primaryPort}`;
   // eslint-disable-next-line @microsoft/sdl/no-insecure-url
   const AUTH_URI = `http://${HOST}/forbidden`;
+  const HTTPS_AUTH_URI = TEST_ROOT + "auth-route.sjs";
 
   // Try a simple load:
+  // Should be broken favicon since AUTH_URI's spec is http
   await checkDialog(
     "https://example.com/",
     browser => BrowserTestUtils.startLoadingURIString(browser, AUTH_URI),
     HOST,
-    "chrome://global/skin/icons/defaultFavicon.svg",
+    BROKEN_FAVICON,
     Ci.nsIPrompt.MODAL_TYPE_TAB
   );
 
-  let subframeLoad = function (browser) {
-    return SpecialPowers.spawn(browser, [AUTH_URI], uri => {
+  await checkDialog(
+    "https://example.com/",
+    browser => BrowserTestUtils.startLoadingURIString(browser, HTTPS_AUTH_URI),
+    HOST,
+    DEFAULT_FAVICON,
+    Ci.nsIPrompt.MODAL_TYPE_TAB
+  );
+
+  let subframeLoad = function (browser, uri) {
+    return SpecialPowers.spawn(browser, [uri], frameUri => {
       let f = content.document.createElement("iframe");
-      f.src = uri;
+      f.src = frameUri;
       content.document.body.appendChild(f);
     });
   };
@@ -200,10 +213,18 @@ add_task(async function test_check_auth() {
   await checkDialog(
     // eslint-disable-next-line @microsoft/sdl/no-insecure-url
     "http://example.org/1",
-    subframeLoad,
+    browser => subframeLoad(browser, AUTH_URI),
     HOST,
-    /* Because this is x-origin, we expect a different icon: */
-    "chrome://global/skin/icons/security-broken.svg",
+    BROKEN_FAVICON,
+    Ci.nsIPrompt.MODAL_TYPE_TAB
+  );
+
+  await checkDialog(
+    // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+    "http://example.org/1",
+    browser => subframeLoad(browser, HTTPS_AUTH_URI),
+    HOST,
+    DEFAULT_FAVICON,
     Ci.nsIPrompt.MODAL_TYPE_TAB
   );
 });

toolkit/components/prompts/src/Prompter.sys.mjs

@@ -6,6 +6,7 @@ import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";
 
 // This is redefined below, for strange and unfortunate reasons.
 import { PromptUtils } from "resource://gre/modules/PromptUtils.sys.mjs";
+import { BrowserUtils } from "resource://gre/modules/BrowserUtils.sys.mjs";
 
 const lazy = {};
 ChromeUtils.defineESModuleGetters(lazy, {
@@ -1128,13 +1129,14 @@ class ModalPrompter {
      */
     if (args.channel) {
       try {
-        args.authOrigin = args.channel.URI.hostPort;
+        // Bug 1767292: Display scheme if it is HTTP, otherwise omit it.
+        args.authOrigin = BrowserUtils.formatURIForDisplay(args.channel.URI, {
+          showInsecureHTTP: true,
+        });
       } catch (ex) {
         args.authOrigin = args.channel.URI.prePath;
       }
-      args.isInsecureAuth =
-        args.channel.URI.schemeIs("http") &&
-        !args.channel.loadInfo.isTopLevelLoad;
+      args.isInsecureAuth = args.channel.URI.schemeIs("http");
       // whether we are going to prompt the user for their credentials for a different base domain.
       // When true, auth prompt spoofing protection mechanisms will be triggered (see bug 791594).
       args.isTopLevelCrossDomainAuth = false;