1025427 - Firefox Accounts sign-in UI triggers "Password fields present on an insecure (http://) page" in Browser Console, hopefully incorrectly

Status: RESOLVED DUPLICATE of bug 983326

(Toolkit :: Password Manager, defect)

Description

[Daniel Holbert [:dholbert]]

STR:
 0. Open Browser Console. Clear it, if you like.

 1. Visit this URL:  about:accounts?action=signin
    (This is where the Sync preferences UI takes you to sign in.)

 2. Check Browser console.

ACTUAL RESULTS: Browser console says:
{
Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.[Learn More]
}


I believe this message is incorrect. If I right-click the form and choose "This Frame | Open this frame in new tab", then it loads this HTTPS url: 
https://accounts.firefox.com/signin?service=sync&context=fx_desktop_v1
and does not cause any new instances of the warning to appear.


I'm guessing the root of the problem is that we're seeing that the "about:" page itself is not HTTPS (it's "about:"), and we're treating that as worrisome, when really we shouldn't.  Just a guess, though.

I hit this in most recent Nightly (33.0a1 (2014-06-13)) with a fresh profile.
Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0

Comment 1

[Daniel Holbert [:dholbert]]

From searching MXR for the warning text, I think this traces back to:
> 127   checkForInsecurePasswords : function (aForm) {
> 128     var domDoc = aForm.ownerDocument;
> 129     let pageURI = domDoc.defaultView.top.document.documentURIObject;
> 130     let isSafePage = this._checkIfURIisSecure(pageURI);
> 131 
> 132     if (!isSafePage) {
> 133       this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", domDoc);
> 134     }

http://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm?rev=a46b44af697f#133

...which was added in bug 762593.