Turn on Insecure Password Warning for Firefox Dev Edition

VERIFIED FIXED in Firefox 46

Status

Firefox
Security
P1
normal
VERIFIED FIXED
2 years ago
a year ago

People

(Reporter: tanvi, Assigned: tanvi)

Tracking

(Depends on: 1 bug, Blocks: 1 bug, {site-compat})

44 Branch
Firefox 46
site-compat
Bug Flags:
qe-verify +

Firefox Tracking Flags

(firefox46+ verified, relnote-firefox 46+)

Details

(Whiteboard: [fxprivacy])

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
The pref for this is nightly only right now (https://bugzilla.mozilla.org/show_bug.cgi?id=1217156).

This bug is to enable it on dev edition.  The "depends on" bugs below are blocking this change.

So far they are:
https://bugzilla.mozilla.org/show_bug.cgi?id=1217766 - don't warn for pdf.js
https://bugzilla.mozilla.org/show_bug.cgi?id=1217133 - don't warn for localhost

I don't think the other bugs (dependencies of the meta bug 1217142) are needed to turn this feature on for developer edition.  If others disagree, please provide your thoughts here.

Updated

2 years ago
Whiteboard: [fxprivacy] → [fxprivacy] [triage]
(Assignee)

Comment 1

2 years ago
Pasted the wrong bugs into dependencies.  Fixing.
Depends on: 1217766, 1217133
No longer depends on: 1216802, 1217162
Will be prioritized as a 'P1' and added to the Release 45 plan once the two dependencies are resolved.
Priority: -- → P2
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
(Assignee)

Comment 3

2 years ago
I'll do this once the dependencies are resolved.
Assignee: nobody → tanvi
Depends on: 1221771
(Assignee)

Updated

2 years ago
Depends on: 1217165

Updated

2 years ago
Blocks: 1216897
No longer blocks: 1217142
(Assignee)

Updated

2 years ago
Blocks: 1188121

Updated

2 years ago
No longer blocks: 1216897
(Assignee)

Updated

2 years ago
Blocks: 1217142
Depends on: 1231914

Updated

2 years ago
Priority: P2 → P3
Release Note Request (optional, but appreciated)
[Why is this notable]: Improve the security of our users
[Suggested wording]: Usage of the password field on HTTP marks the website as insecure
[Links (documentation, blog post, etc)]: Not to link against a third party website but FYI: http://www.ghacks.net/2015/10/21/firefox-44-special-notification-if-logins-are-not-secure/
relnote-firefox: --- → ?
(Assignee)

Comment 5

2 years ago
(In reply to Sylvestre Ledru [:sylvestre] from comment #4)
> Release Note Request (optional, but appreciated)
> [Why is this notable]: Improve the security of our users
> [Suggested wording]: Usage of the password field on HTTP marks the website
> as insecure
> [Links (documentation, blog post, etc)]: Not to link against a third party
> website but FYI:
> http://www.ghacks.net/2015/10/21/firefox-44-special-notification-if-logins-
> are-not-secure/

This hasn't happened yet, so we don't need release notes yet.  This is only turned on in Nightly.  We hope to turn it on in dev edition in Firefox 46.  We need to close all the dependencies first.

We are a week away from 46 moving to aurora. Is this ready to ship to dev edition?
It looks like bug 1179961 and bug 667233 may be related as well and they have some dependencies not noted here.  We should also get ready for QE to test this feature in mid-aurora.

How will this be disabled for aurora, if we need to do that?
status-firefox46: --- → affected
tracking-firefox46: --- → +
Flags: needinfo?(tanvi)
Comment hidden (advocacy)

Comment 8

2 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> We are a week away from 46 moving to aurora. Is this ready to ship to dev
> edition?

I think the dependencies here are correct; we're waiting on bug 1217766, which will also fix bug 1221771 unless it's heavily changed in review.

> How will this be disabled for aurora, if we need to do that?

This bug will just switch the default state of the preference by changing the "#ifdef"; we can back it out if other major blockers arise later.

http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js#1397
Flags: needinfo?(tanvi)
(Assignee)

Comment 9

2 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> How will this be disabled for aurora, if we need to do that?
This feature is already disabled on aurora.  If we get 121776 and 1221771 done by next week, I will add a patch here to enable this on aurora and push that.

The other bugs you mentioned are blockers to get this in release, which we aren't going to do just yet.  We want to give developers a chance to fix their issues by keeping this warning on dev edition for a bit.
(Assignee)

Comment 10

a year ago
Created attachment 8710111 [details] [diff] [review]
Bug1221206-01-20-16.patch

All the dependencies for turning on the insecure password warning for dev edition are fixed[1].  Here is a patch to turn the warning on for non-release and non-beta builds.  This will include nightly, dev edition, and local nightly and dev edition builds.

[1] The Learn More link bug isn't closed, but only because of a couple minor edits that just need to be approved.  It is okay as it is as well, so we can consider that bug done.
Attachment #8710111 - Flags: review?(MattN+bmo)
Comment on attachment 8710111 [details] [diff] [review]
Bug1221206-01-20-16.patch

Review of attachment 8710111 [details] [diff] [review]:
-----------------------------------------------------------------

I think the current Control Center panel string is confusing for the developer audience and should be revised at some point.
Attachment #8710111 - Flags: review?(MattN+bmo) → review+
(Assignee)

Updated

a year ago
Keywords: checkin-needed
(Assignee)

Updated

a year ago
Keywords: checkin-needed

Comment 12

a year ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/b6f7edabbf1e

Comment 13

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b6f7edabbf1e
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox46: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
The site compatibility doc is here: https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/
Iteration: --- → 46.3 - Jan 25
Flags: qe-verify?
Priority: P3 → P1
Keywords: site-compat
(Assignee)

Comment 15

a year ago
(In reply to Kohei Yoshino [:kohei] from comment #14)
> The site compatibility doc is here:
> https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-
> login-form-will-be-marked-insecure/

Thank you Kohei!
Flags: qe-verify? → qe-verify+
QA Contact: paul.silaghi
Noted for aurora 46 with a link to https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/
relnote-firefox: ? → 46+
Bug 1217133, bug 1217766 are verified fixed.
Tested on 46.0a2 (2016-01-25) Win7:
- security.insecure_password.ui.enabled=TRUE
- The lock with a strikethrough is displayed fine on the test pages:
http://people.mozilla.org/~tvyas/password/password_insecure.html
http://people.mozilla.org/~tvyas/password/frame_password.html
Verified fixed.
Status: RESOLVED → VERIFIED
status-firefox46: fixed → verified