Bug 1364208 - Consider local IP address form actions secure for the insecure password warning. r=MattN
We whitelist local IP addresses for the in-content insecure password warning,
but many of them will have forms that point to e.g., /login.php. That should
not show the insecure password warning either.
MozReview-Commit-ID: KozEWAqKGIA
--- a/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm
+++ b/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm
@@ -82,17 +82,20 @@ this.InsecurePasswordUtils = {
_checkFormSecurity(aForm) {
let isFormSubmitHTTP = false, isFormSubmitSecure = false;
if (aForm.rootElement instanceof Ci.nsIDOMHTMLFormElement) {
let uri = Services.io.newURI(aForm.rootElement.action || aForm.rootElement.baseURI);
let principal = gScriptSecurityManager.createCodebasePrincipal(uri, {});
if (uri.schemeIs("http")) {
isFormSubmitHTTP = true;
- if (gContentSecurityManager.isOriginPotentiallyTrustworthy(principal)) {
+ if (gContentSecurityManager.isOriginPotentiallyTrustworthy(principal) ||
+ // Ignore sites with local IP addresses pointing to local forms.
+ (this._isPrincipalForLocalIPAddress(aForm.rootElement.nodePrincipal) &&
+ this._isPrincipalForLocalIPAddress(principal))) {
isFormSubmitSecure = true;
}
} else {
isFormSubmitSecure = true;
}
}
return { isFormSubmitHTTP, isFormSubmitSecure };
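Review bot: The added clause in the `uri.schemeIs("http")` branch checks that the document principal and the action principal are each a local IP address, but never that they are the same host, so a page on one local address that posts a password over HTTP to a different local address is also marked `isFormSubmitSecure`. The commit message only describes the relative-action case (`/login.php`), which stays on the same host; if that is the whole intent, the clause could add a third conjunct such as `uri.host == aForm.rootElement.nodePrincipal.URI.host`. The inline comment would be more precise as `// Treat an HTTP action as secure only when both the document and the action target are local IP addresses.` `_isPrincipalForLocalIPAddress` is defined outside this hunk, so which ranges count as "local" cannot be confirmed from here, and `_checkFormSecurity` closes after the hunk's last line.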