Bug 1257757 - Add filenames to insecure password warnings. r=bgrins
MozReview-Commit-ID: IT6yhL5hJvA
--- a/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm
+++ b/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm
@@ -24,17 +24,17 @@ XPCOMUtils.defineLazyGetter(this, "l10n"
this.InsecurePasswordUtils = {
_sendWebConsoleMessage(messageTag, domDoc) {
let windowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView);
let category = "Insecure Password Field";
// All web console messages are warnings for now.
let flag = Ci.nsIScriptError.warningFlag;
let message = l10n.getStr(messageTag);
let consoleMsg = Cc["@mozilla.org/scripterror;1"].createInstance(Ci.nsIScriptError);
- consoleMsg.initWithWindowID(message, "", 0, 0, 0, flag, category, windowId);
+ consoleMsg.initWithWindowID(message, domDoc.location.href, 0, 0, 0, flag, category, windowId);
Services.console.logMessage(consoleMsg);
},
/**
* Checks whether the passed nested document is insecure
* or is inside an insecure parent document.
*
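Review bot: `domDoc.location.href` on the new `initWithWindowID` line puts the document's full URL into the console message's source name, query string and fragment included, so any token that a login or password-reset page carries in its URL is copied into the console log. If the warning only needs to identify the page, consider passing the URL without those parts, or record the decision with a comment such as `// Source name is the full document URL and may include query parameters.` The line and column arguments are still 0, so the message identifies the document but not the password field that triggered it.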
@@ -80,16 +80,19 @@ this.InsecurePasswordUtils = {
// Check if we are on an iframe with insecure src, or inside another
// insecure iframe or document.
if (this._checkForInsecureNestedDocuments(domDoc)) {
this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", domDoc);
isSafePage = false;
}
let isFormSubmitHTTP = false, isFormSubmitHTTPS = false;
+ // Note that aForm.action can be a relative path (e.g. "", "/login", "//example.com", etc.)
+ // but we don't warn about those since we would have already warned about the form's document
+ // not being safe above.
if (aForm.action.match(/^http:\/\//)) {
this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", domDoc);
isFormSubmitHTTP = true;
} else if (aForm.action.match(/^https:\/\//)) {
isFormSubmitHTTPS = true;
}
// The safety of a password field determined by the form action and the page protocol
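Review bot: The comment added above the `aForm.action.match(/^http:\/\//)` test rests on assumptions that the hunk does not establish. If `aForm.action` is the DOM property of a form element, it is normally already resolved to an absolute URL, so relative values would never reach this check. If it can be unresolved, a relative action on an HTTPS page with a `<base href="http://…">` would submit over HTTP with no earlier document warning, and an upper-case `HTTP://` scheme would slip past the case-sensitive regex. The comment should state which form of the value is expected, for example `// aForm.action is expected to be the resolved absolute URL; TODO confirm for every caller.` The enclosing function begins and ends outside this hunk, so its callers are not visible here.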