commit 0b73f6575e3bcf53dd2b4c498d64a108e8e04026 parent c9aa05fd8029c5a2eff63cf3c66a35ba50378f15 Author: kchelilim <98861797+KipChelilim@users.noreply.github.com> Date: Wed, 26 Nov 2025 14:36:35 +0000 Bug 1905323 - Fully remove confirm auth prompts, prefs, and related tests. r=emz,necko-reviewers,extension-reviewers,valentin,robwu,urlbar-reviewers,Sasha Differential Revision: https://phabricator.services.mozilla.com/D271294 Diffstat:
25 files changed, 2 insertions(+), 479 deletions(-)
diff --git a/accessible/tests/browser/tree/browser_test_nsIAccessibleDocument_URL.js b/accessible/tests/browser/tree/browser_test_nsIAccessibleDocument_URL.js @@ -35,9 +35,6 @@ add_task(async function testInDataURI() { }); add_task(async function testInHTTPSURIContainingPrivateThings() { - await SpecialPowers.pushPrefEnv({ - set: [["network.auth.confirmAuth.enabled", false]], - }); const kURL = "https://username:password@example.com/browser/toolkit/content/tests/browser/file_empty.html?query=some#ref"; const kURLWithoutUserPass = diff --git a/browser/components/urlbar/tests/browser/browser_UrlbarInput_setURI.js b/browser/components/urlbar/tests/browser/browser_UrlbarInput_setURI.js @@ -4,18 +4,9 @@ function test() { waitForExplicitFinish(); - - // avoid prompting about phishing - Services.prefs.setIntPref(phishyUserPassPref, 32); - registerCleanupFunction(function () { - Services.prefs.clearUserPref(phishyUserPassPref); - }); - nextTest(); } -const phishyUserPassPref = "network.http.phishy-userpass-length"; - function nextTest() { let testCase = tests.shift(); if (testCase) { diff --git a/browser/components/urlbar/tests/browser/browser_copying.js b/browser/components/urlbar/tests/browser/browser_copying.js @@ -28,8 +28,6 @@ async function test_copy_values(testValues, trimHttps) { ["browser.urlbar.scotchBonnet.enableOverride", false], ["browser.urlbar.trimURLs", true], ["browser.urlbar.trimHttps", trimHttps], - // avoid prompting about phishing - ["network.http.phishy-userpass-length", 32], ], }); diff --git a/browser/modules/test/browser/browser_SitePermissions_tab_urls.js b/browser/modules/test/browser/browser_SitePermissions_tab_urls.js 
@@ -12,11 +12,6 @@ function newPrincipal(origin) { // This tests the key used to store the URI -> permission map on a tab. add_task(async function testTemporaryPermissionTabURLs() { - // Prevent showing a dialog for https://name:password@example.com - SpecialPowers.pushPrefEnv({ - set: [["network.http.phishy-userpass-length", 2048]], - }); - // This usually takes about 60 seconds on 32bit Linux debug, // due to the combinatory nature of the test that is hard to fix. requestLongerTimeout(2); diff --git a/dom/security/nsHTTPSOnlyUtils.cpp b/dom/security/nsHTTPSOnlyUtils.cpp @@ -775,7 +775,7 @@ bool nsHTTPSOnlyUtils::HttpsUpgradeUnrelatedErrorCode(nsresult aError) { NS_ERROR_UNKNOWN_HOST == aError || NS_ERROR_PHISHING_URI == aError || NS_ERROR_MALWARE_URI == aError || NS_ERROR_UNWANTED_URI == aError || NS_ERROR_HARMFUL_URI == aError || NS_ERROR_CONTENT_CRASHED == aError || - NS_ERROR_FRAME_CRASHED == aError || NS_ERROR_SUPERFLUOS_AUTH == aError; + NS_ERROR_FRAME_CRASHED == aError; } /* ------ Logging ------ */ diff --git a/dom/security/test/https-first/browser.toml b/dom/security/test/https-first/browser.toml @@ -101,8 +101,6 @@ support-files = [ "file_subdocument_downgrade.sjs", ] -["browser_superfluos_auth.js"] - ["browser_tlds.js"] ["browser_upgrade_onion.js"] diff --git a/dom/security/test/https-first/browser_superfluos_auth.js b/dom/security/test/https-first/browser_superfluos_auth.js 
@@ -1,70 +0,0 @@ -/* Any copyright is dedicated to the Public Domain. - * https://creativecommons.org/publicdomain/zero/1.0/ */ - -"use strict"; - -// This test checks the superfluos auth prompt when HTTPS-First is enabled (Bug 1858565). - -const TEST_URI = "https://www.mozilla.org@example.com/"; - -const { MockRegistrar } = ChromeUtils.importESModule( - "resource://testing-common/MockRegistrar.sys.mjs" -); - -let respondMockPromptWithYes = false; - -const gMockPromptService = { - firstTimeCalled: false, - confirmExBC() { - return respondMockPromptWithYes ? 0 : 1; - }, - - QueryInterface: ChromeUtils.generateQI(["nsIPromptService"]), -}; - -var gMockPromptServiceCID = MockRegistrar.register( - "@mozilla.org/prompter;1", - gMockPromptService -); - -registerCleanupFunction(() => { - MockRegistrar.unregister(gMockPromptServiceCID); -}); - -function checkBrowserLoad(browser) { - return new Promise(resolve => { - BrowserTestUtils.browserLoaded(browser, false, null, true).then(() => { - resolve(true); - }); - BrowserTestUtils.browserStopped(browser, false, null, true).then(() => { - resolve(false); - }); - }); -} - -add_task(async function () { - await SpecialPowers.pushPrefEnv({ - set: [ - ["dom.security.https_first", true], - ["network.auth.confirmAuth.enabled", true], - ], - }); - - respondMockPromptWithYes = false; - let didBrowserLoadPromise = checkBrowserLoad(gBrowser.selectedBrowser); - BrowserTestUtils.startLoadingURIString(gBrowser.selectedBrowser, TEST_URI); - let didBrowserLoad = await didBrowserLoadPromise; - ok( - !didBrowserLoad, - "The browser should stop the load when the user refuses to load a page with superfluos authentication" - ); - - respondMockPromptWithYes = true; - didBrowserLoadPromise = checkBrowserLoad(gBrowser.selectedBrowser); - BrowserTestUtils.startLoadingURIString(gBrowser.selectedBrowser, TEST_URI); - didBrowserLoad = await didBrowserLoadPromise; - ok( - didBrowserLoad, - "The browser should load when the user agrees to load a page with 
superfluos authentication" - ); -}); diff --git a/js/xpconnect/src/xpc.msg b/js/xpconnect/src/xpc.msg @@ -139,7 +139,6 @@ XPC_MSG_DEF(NS_ERROR_FIRST_HEADER_FIELD_COMPONENT_EMPTY, "Couldn't extract first XPC_MSG_DEF(NS_ERROR_ALREADY_CONNECTED , "The connection is already established") XPC_MSG_DEF(NS_ERROR_NOT_CONNECTED , "The connection does not exist") XPC_MSG_DEF(NS_ERROR_CONNECTION_REFUSED , "The connection was refused") -XPC_MSG_DEF(NS_ERROR_SUPERFLUOS_AUTH , "User refused navigation to potentially unsafe URL with embedded credentials/superfluos authentication") XPC_MSG_DEF(NS_ERROR_BASIC_HTTP_AUTH_DISABLED , "User attempted basic HTTP authentication when it is disabled") XPC_MSG_DEF(NS_ERROR_LOCAL_NETWORK_ACCESS_DENIED , "The access to local network is denied") diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml @@ -13298,13 +13298,6 @@ value: false mirror: always -# Whether to show anti-spoof confirmation prompts when navigating to a url -# with userinfo -- name: network.auth.confirmAuth.enabled - type: bool - value: false - mirror: always - # Whether to display auth prompts if X-Frame-Options header will block loading # page - name: network.auth.supress_auth_prompt_for_XFO_failures @@ -16932,12 +16925,6 @@ value: 2 mirror: always -# nsHttpChannelAuthProvider#ConfirmAuth anti-phishing prompts. -- name: prompts.modalType.confirmAuth - type: int32_t - value: 2 - mirror: always - #--------------------------------------------------------------------------- # Prefs starting with "security." #--------------------------------------------------------------------------- diff --git a/netwerk/locales/en-US/necko.properties b/netwerk/locales/en-US/necko.properties 
@@ -13,9 +13,6 @@ DirColSize=Size DirColMTime=Last Modified DirFileLabel=File: -SuperfluousAuth=You are about to log in to the site “%1$S” with the username “%2$S”, but the website does not require authentication. This may be an attempt to trick you.\n\nIs “%1$S” the site you want to visit? -AutomaticAuth=You are about to log in to the site “%1$S” with the username “%2$S”. - TrackerUriBlockedByETP=The resource at “%1$S” was blocked because Enhanced Tracking Protection is enabled. UnsafeUriBlocked=The resource at “%1$S” was blocked by Safe Browsing. diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp @@ -3135,20 +3135,7 @@ nsresult nsHttpChannel::ContinueProcessResponse1( return NS_ERROR_CORRUPTED_CONTENT; } - // handle unused username and password in url (see bug 232567) if (httpStatus != 401 && httpStatus != 407) { - if (!mAuthRetryPending) { - MOZ_DIAGNOSTIC_ASSERT(mAuthProvider); - rv = mAuthProvider ? mAuthProvider->CheckForSuperfluousAuth() - : NS_ERROR_UNEXPECTED; - if (NS_FAILED(rv)) { - mStatus = rv; - LOG((" CheckForSuperfluousAuth failed (%08x)", - static_cast<uint32_t>(rv))); - } - } - if (mCanceled) return CallOnStartRequest(); - // reset the authentication's current continuation state because ourvr // last authentication attempt has been completed successfully MOZ_DIAGNOSTIC_ASSERT(mAuthProvider); @@ -3393,15 +3380,6 @@ nsresult nsHttpChannel::ContinueProcessResponse3(nsresult rv) { } if (rv == NS_ERROR_BASIC_HTTP_AUTH_DISABLED) { mStatus = rv; - } else if (!mAuthRetryPending) { - MOZ_DIAGNOSTIC_ASSERT(mAuthProvider); - rv = mAuthProvider ? mAuthProvider->CheckForSuperfluousAuth() - : NS_ERROR_UNEXPECTED; - if (NS_FAILED(rv)) { - mStatus = rv; - LOG(("CheckForSuperfluousAuth failed [rv=%x]\n", - static_cast<uint32_t>(rv))); - } } rv = ProcessNormal(); } else { 
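Review bot: The first nsHttpChannel.cpp hunk (ContinueProcessResponse1) drops `if (mCanceled) return CallOnStartRequest();` together with the CheckForSuperfluousAuth() call. That guard tested the channel's cancel flag in general, so it also short-circuited a channel cancelled by any other path before this point. On the new side such a channel falls through to the continuation-state reset that follows. If no other cancel can land here, a one-line comment saying so would help; otherwise keep `if (mCanceled) return CallOnStartRequest();` as the first statement of the `httpStatus != 401 && httpStatus != 407` branch. The function continues outside the hunk, so any later cancel handling is not visible here.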
@@ -9282,24 +9260,6 @@ nsresult nsHttpChannel::ContinueOnStartRequest3(nsresult result) { return NS_OK; } - return ContinueOnStartRequest4(NS_OK); -} - -nsresult nsHttpChannel::ContinueOnStartRequest4(nsresult result) { - LOG(("nsHttpChannel::ContinueOnStartRequest4 [this=%p]", this)); - - if (NS_SUCCEEDED(mStatus) && mResponseHead && mAuthProvider) { - uint32_t httpStatus = mResponseHead->Status(); - if (httpStatus != 401 && httpStatus != 407) { - nsresult rv = mAuthProvider->CheckForSuperfluousAuth(); - if (NS_FAILED(rv)) { - mStatus = rv; - LOG((" CheckForSuperfluousAuth failed (%08x)", - static_cast<uint32_t>(rv))); - } - } - } - return CallOnStartRequest(); } diff --git a/netwerk/protocol/http/nsHttpChannel.h b/netwerk/protocol/http/nsHttpChannel.h @@ -385,7 +385,6 @@ class nsHttpChannel final : public HttpBaseChannel, [[nodiscard]] nsresult ContinueOnStartRequest1(nsresult); [[nodiscard]] nsresult ContinueOnStartRequest2(nsresult); [[nodiscard]] nsresult ContinueOnStartRequest3(nsresult); - [[nodiscard]] nsresult ContinueOnStartRequest4(nsresult); void OnClassOfServiceUpdated(); diff --git a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp @@ -68,7 +68,6 @@ nsHttpChannelAuthProvider::nsHttpChannelAuthProvider() : mProxyAuth(false), mTriedProxyAuth(false), mTriedHostAuth(false), - mSuppressDefensiveAuth(false), mCrossOrigin(false), mConnectionBased(false), mHttpHandler(gHttpHandler) {} 
@@ -244,29 +243,6 @@ nsHttpChannelAuthProvider::AddAuthorizationHeaders( } NS_IMETHODIMP -nsHttpChannelAuthProvider::CheckForSuperfluousAuth() { - LOG( - ("nsHttpChannelAuthProvider::CheckForSuperfluousAuth? " - "[this=%p channel=%p]\n", - this, mAuthChannel)); - - MOZ_ASSERT(mAuthChannel, "Channel not initialized"); - - // we've been called because it has been determined that this channel is - // getting loaded without taking the userpass from the URL. if the URL - // contained a userpass, then (provided some other conditions are true), - // we'll give the user an opportunity to abort the channel as this might be - // an attempt to spoof a different site (see bug 232567). - if (!ConfirmAuth("SuperfluousAuth", true)) { - // calling cancel here sets our mStatus and aborts the HTTP - // transaction, which prevents OnDataAvailable events. - (void)mAuthChannel->Cancel(NS_ERROR_SUPERFLUOS_AUTH); - return NS_ERROR_SUPERFLUOS_AUTH; - } - return NS_OK; -} - -NS_IMETHODIMP nsHttpChannelAuthProvider::Cancel(nsresult status) { MOZ_ASSERT(mAuthChannel, "Channel not initialized"); @@ -976,23 +952,6 @@ nsresult nsHttpChannelAuthProvider::GetCredentialsForChallenge( } } - if (identFromURI) { - // Warn the user before automatically using the identity from the URL - // to automatically log them into a site (see bug 232567). - if (!ConfirmAuth("AutomaticAuth", false)) { - // calling cancel here sets our mStatus and aborts the HTTP - // transaction, which prevents OnDataAvailable events. - rv = mAuthChannel->Cancel(NS_ERROR_ABORT); - MOZ_ASSERT(NS_SUCCEEDED(rv)); - // this return code alone is not equivalent to Cancel, since - // it only instructs our caller that authentication failed. - // without an explicit call to Cancel, our caller would just - // load the page that accompanies the HTTP auth challenge. - return NS_ERROR_ABORT; - } - } - - // // get credentials for the given user:pass // // always store the credentials we're trying now so that they will be used 
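Review bot: In the second nsHttpChannelAuthProvider.cpp hunk (GetCredentialsForChallenge), nothing on the new side records that an identity taken from the URL's userinfo is used to answer a challenge without a confirmation step. The StaticPrefList.yaml hunk shows `network.auth.confirmAuth.enabled` defaulted to `false`, so default behaviour is presumably unchanged, but a profile that had enabled the pref loses the prompt silently. I would add a comment above `// get credentials for the given user:pass`, for example `// An identity from the URL's userinfo is used as-is; the confirmation prompt was removed in bug 1905323.` The function starts and ends outside the hunk, and `identFromURI` is presumably still set earlier in it.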
@@ -1380,9 +1339,6 @@ nsresult nsHttpChannelAuthProvider::PromptForIdentity( } } - // remember that we successfully showed the user an auth dialog - if (!proxyAuth) mSuppressDefensiveAuth = true; - if (mConnectionBased) { // Connection can be reset by the server in the meantime user is entering // the credentials. Result would be just a "Connection was reset" error. 
@@ -1610,138 +1566,6 @@ nsresult nsHttpChannelAuthProvider::ContinueOnAuthAvailable( return NS_OK; } -bool nsHttpChannelAuthProvider::ConfirmAuth(const char* bundleKey, - bool doYesNoPrompt) { - // skip prompting the user if - // 1) prompts are disabled by pref - // 2) we've already prompted the user - // 3) we're not a toplevel channel - // 4) the userpass length is less than the "phishy" threshold - - if (!StaticPrefs::network_auth_confirmAuth_enabled()) { - return true; - } - - uint32_t loadFlags; - nsresult rv = mAuthChannel->GetLoadFlags(&loadFlags); - if (NS_FAILED(rv)) return true; - - if (mSuppressDefensiveAuth || - !(loadFlags & nsIChannel::LOAD_INITIAL_DOCUMENT_URI)) { - return true; - } - - nsAutoCString userPass; - rv = mURI->GetUserPass(userPass); - if (NS_FAILED(rv) || - (userPass.Length() < gHttpHandler->PhishyUserPassLength())) { - return true; - } - - // we try to confirm by prompting the user. if we cannot do so, then - // assume the user said ok. this is done to keep things working in - // embedded builds, where the string bundle might not be present, etc. - - nsCOMPtr<nsIStringBundleService> bundleService; - bundleService = mozilla::components::StringBundle::Service(); - if (!bundleService) return true; - - nsCOMPtr<nsIStringBundle> bundle; - bundleService->CreateBundle(NECKO_MSGS_URL, getter_AddRefs(bundle)); - if (!bundle) return true; - - nsAutoCString host; - rv = mURI->GetHost(host); - if (NS_FAILED(rv)) return true; - - nsAutoCString user; - rv = mURI->GetUsername(user); - if (NS_FAILED(rv)) return true; - - NS_ConvertUTF8toUTF16 ucsHost(host), ucsUser(user); - - size_t userLength = ucsUser.Length(); - if (userLength > MAX_DISPLAYED_USER_LENGTH) { - size_t desiredLength = MAX_DISPLAYED_USER_LENGTH; - // Don't cut off right before a low surrogate. Just include it. 
- if (NS_IS_LOW_SURROGATE(ucsUser[desiredLength])) { - desiredLength++; - } - ucsUser.Replace(desiredLength, userLength - desiredLength, - nsContentUtils::GetLocalizedEllipsis()); - } - - size_t hostLen = ucsHost.Length(); - if (hostLen > MAX_DISPLAYED_HOST_LENGTH) { - size_t cutPoint = hostLen - MAX_DISPLAYED_HOST_LENGTH; - // Likewise, don't cut off right before a low surrogate here. - // Keep the low surrogate - if (NS_IS_LOW_SURROGATE(ucsHost[cutPoint])) { - cutPoint--; - } - // It's possible cutPoint was 1 and is now 0. Only insert the ellipsis - // if we're actually removing anything. - if (cutPoint > 0) { - ucsHost.Replace(0, cutPoint, nsContentUtils::GetLocalizedEllipsis()); - } - } - - AutoTArray<nsString, 2> strs = {ucsHost, ucsUser}; - - nsAutoString msg; - rv = bundle->FormatStringFromName(bundleKey, strs, msg); - if (NS_FAILED(rv)) return true; - - nsCOMPtr<nsIInterfaceRequestor> callbacks; - rv = mAuthChannel->GetNotificationCallbacks(getter_AddRefs(callbacks)); - if (NS_FAILED(rv)) return true; - - nsCOMPtr<nsILoadGroup> loadGroup; - rv = mAuthChannel->GetLoadGroup(getter_AddRefs(loadGroup)); - if (NS_FAILED(rv)) return true; - - nsCOMPtr<nsIPromptService> promptSvc = - do_GetService("@mozilla.org/prompter;1", &rv); - if (NS_FAILED(rv) || !promptSvc) { - return true; - } - - // do not prompt again - mSuppressDefensiveAuth = true; - - // Get current browsing context to use as prompt parent - nsCOMPtr<nsIChannel> chan = do_QueryInterface(mAuthChannel); - if (!chan) { - return true; - } - - nsCOMPtr<nsILoadInfo> loadInfo = chan->LoadInfo(); - RefPtr<mozilla::dom::BrowsingContext> browsingContext; - loadInfo->GetBrowsingContext(getter_AddRefs(browsingContext)); - - bool confirmed; - if (doYesNoPrompt) { - int32_t choice; - bool checkState = false; - rv = promptSvc->ConfirmExBC( - browsingContext, StaticPrefs::prompts_modalType_confirmAuth(), nullptr, - msg.get(), - nsIPromptService::BUTTON_POS_1_DEFAULT + - nsIPromptService::STD_YES_NO_BUTTONS, - 
nullptr, nullptr, nullptr, nullptr, &checkState, &choice); - if (NS_FAILED(rv)) return true; - - confirmed = choice == 0; - } else { - rv = promptSvc->ConfirmBC(browsingContext, - StaticPrefs::prompts_modalType_confirmAuth(), - nullptr, msg.get(), &confirmed); - if (NS_FAILED(rv)) return true; - } - - return confirmed; -} - void nsHttpChannelAuthProvider::SetAuthorizationHeader( nsHttpAuthCache* authCache, const nsHttpAtom& header, const nsACString& scheme, const nsACString& host, int32_t port, @@ -1839,12 +1663,6 @@ void nsHttpChannelAuthProvider::SetAuthorizationHeader( rv = mAuthChannel->SetWWWCredentials(creds); MOZ_ASSERT(NS_SUCCEEDED(rv)); } - - // suppress defensive auth prompting for this channel since we know - // that we already prompted at least once this session. we only do - // this for non-proxy auth since the URL's userpass is not used for - // proxy auth. - if (header == nsHttp::Authorization) mSuppressDefensiveAuth = true; } else { ident.Clear(); // don't remember the identity } diff --git a/netwerk/protocol/http/nsHttpChannelAuthProvider.h b/netwerk/protocol/http/nsHttpChannelAuthProvider.h @@ -85,7 +85,6 @@ class nsHttpChannelAuthProvider final : public nsIHttpChannelAuthProvider, uint32_t authFlags, nsHttpAuthIdentity&); - bool ConfirmAuth(const char* bundleKey, bool doYesNoPrompt); void SetAuthorizationHeader(nsHttpAuthCache*, const nsHttpAtom& header, const nsACString& scheme, const nsACString& host, int32_t port, const nsACString& path, @@ -167,7 +166,6 @@ class nsHttpChannelAuthProvider final : public nsIHttpChannelAuthProvider, uint32_t mProxyAuth : 1; uint32_t mTriedProxyAuth : 1; uint32_t mTriedHostAuth : 1; - uint32_t mSuppressDefensiveAuth : 1; // If a cross-origin sub-resource is being loaded, this flag will be set. // In that case, the prompt text will be different to warn users. diff --git a/netwerk/protocol/http/nsHttpHandler.cpp b/netwerk/protocol/http/nsHttpHandler.cpp 
@@ -1577,13 +1577,6 @@ void nsHttpHandler::PrefsChanged(const char* pref) { if (NS_SUCCEEDED(rv)) mEnablePersistentHttpsCaching = cVar; } - if (PREF_CHANGED(HTTP_PREF("phishy-userpass-length"))) { - rv = Preferences::GetInt(HTTP_PREF("phishy-userpass-length"), &val); - if (NS_SUCCEEDED(rv)) { - mPhishyUserPassLength = (uint8_t)std::clamp(val, 0, 0xff); - } - } - if (PREF_CHANGED(HTTP_PREF("http2.timeout"))) { mSpdyTimeout = PR_SecondsToInterval( std::clamp(StaticPrefs::network_http_http2_timeout(), 1, 0xffff)); diff --git a/netwerk/protocol/http/nsHttpHandler.h b/netwerk/protocol/http/nsHttpHandler.h @@ -142,7 +142,6 @@ class nsHttpHandler final : public nsIHttpProtocolHandler, uint32_t NetworkChangedTimeout() { return mNetworkChangedTimeout; } uint16_t MaxRequestAttempts() { return mMaxRequestAttempts; } const nsCString& DefaultSocketType() { return mDefaultSocketType; } - uint32_t PhishyUserPassLength() { return mPhishyUserPassLength; } uint8_t GetQoSBits() { return mQoSBits; } uint16_t GetIdleSynTimeout() { return mIdleSynTimeout; } uint16_t GetFallbackSynTimeout() { return mFallbackSynTimeout; } @@ -616,12 +615,6 @@ class nsHttpHandler final : public nsIHttpProtocolHandler, bool mBeConservativeForProxy{true}; - // we'll warn the user if we load an URL containing a userpass field - // unless its length is less than this threshold. this warning is - // intended to protect the user against spoofing attempts that use - // the userpass field of the URL to obscure the actual origin server. - uint8_t mPhishyUserPassLength{1}; - uint8_t mQoSBits{0x00}; bool mEnforceAssocReq{false}; diff --git a/netwerk/protocol/http/nsIHttpChannelAuthProvider.idl b/netwerk/protocol/http/nsIHttpChannelAuthProvider.idl 
@@ -21,8 +21,7 @@ interface nsIHttpAuthenticableChannel; * unsuccessful because of receiving either a 401 or 407 http response code * ProcessAuthentication MUST be called and the page MUST be requested again * with the new credentials that the user has provided. After a successful - * request, checkForSuperfluousAuth MAY be called, and disconnect MUST be - * called. + * request disconnect MUST be called. */ [uuid(788f331b-2e1f-436c-b405-4f88a31a105b)] @@ -66,12 +65,6 @@ interface nsIHttpChannelAuthProvider : nsICancelable [must_use] void addAuthorizationHeaders(in boolean dontUseCachedWWWCreds); /** - * Check if an unnecessary(and maybe malicious) url authentication has been - * provided. - */ - [must_use] void checkForSuperfluousAuth(); - - /** * Cancel pending user auth prompts and release the callback and channel * weak references. */ diff --git a/netwerk/test/unit/test_SuperfluousAuth.js b/netwerk/test/unit/test_SuperfluousAuth.js 
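Review bot: The rewritten interface comment in the first hunk reads `After a successful request disconnect MUST be called.`, which parses as "request disconnect" without a comma. I would write the new line as ` * request, disconnect MUST be called.` so the MUST requirement stays unambiguous for implementers.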
@@ -1,102 +0,0 @@ -/* - -Create two http requests with the same URL in which has a user name. We allow -first http request to be loaded and saved in the cache, so the second request -will be served from the cache. However, we disallow loading by returning 1 -in the prompt service. In the end, the second request will be failed. - -*/ - -"use strict"; - -const { HttpServer } = ChromeUtils.importESModule( - "resource://testing-common/httpd.sys.mjs" -); - -const { MockRegistrar } = ChromeUtils.importESModule( - "resource://testing-common/MockRegistrar.sys.mjs" -); - -var httpProtocolHandler = Cc[ - "@mozilla.org/network/protocol;1?name=http" -].getService(Ci.nsIHttpProtocolHandler); - -ChromeUtils.defineLazyGetter(this, "URL", function () { - return "http://foo@localhost:" + httpServer.identity.primaryPort; -}); - -var httpServer = null; - -const gMockPromptService = { - firstTimeCalled: false, - confirmExBC() { - if (!this.firstTimeCalled) { - this.firstTimeCalled = true; - return 0; - } - - return 1; - }, - - QueryInterface: ChromeUtils.generateQI(["nsIPromptService"]), -}; - -var gMockPromptServiceCID = MockRegistrar.register( - "@mozilla.org/prompter;1", - gMockPromptService -); - -registerCleanupFunction(() => { - MockRegistrar.unregister(gMockPromptServiceCID); -}); - -function makeChan(uri) { - let chan = NetUtil.newChannel({ - uri, - loadUsingSystemPrincipal: true, - }).QueryInterface(Ci.nsIHttpChannel); - chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI; - return chan; -} - -const responseBody = "body"; - -function contentHandler(metadata, response) { - response.setHeader("Content-Type", "text/plain"); - response.setHeader("ETag", "Just testing"); - response.setHeader("Cache-Control", "max-age=99999"); - response.setHeader("Content-Length", "" + responseBody.length); - response.bodyOutputStream.write(responseBody, responseBody.length); -} - -function run_test() { - do_get_profile(); - - Services.prefs.setBoolPref("network.http.rcwn.enabled", false); - 
Services.prefs.setBoolPref("network.auth.confirmAuth.enabled", true); - - httpServer = new HttpServer(); - httpServer.registerPathHandler("/content", contentHandler); - httpServer.start(-1); - - httpProtocolHandler.EnsureHSTSDataReady().then(function () { - var chan1 = makeChan(URL + "/content"); - chan1.asyncOpen(new ChannelListener(firstTimeThrough, null)); - var chan2 = makeChan(URL + "/content"); - chan2.asyncOpen( - new ChannelListener(secondTimeThrough, null, CL_EXPECT_FAILURE) - ); - }); - - do_test_pending(); -} - -function firstTimeThrough(request, buffer) { - Assert.equal(buffer, responseBody); - Assert.ok(gMockPromptService.firstTimeCalled, "Prompt service invoked"); -} - -function secondTimeThrough(request) { - Assert.equal(request.status, Cr.NS_ERROR_SUPERFLUOS_AUTH); - httpServer.stop(do_test_finished); -} diff --git a/netwerk/test/unit/xpcshell.toml b/netwerk/test/unit/xpcshell.toml @@ -60,8 +60,6 @@ prefs = [ ["test_NetUtil.js"] -["test_SuperfluousAuth.js"] - ["test_URIs.js"] ["test_URIs2.js"] diff --git a/remote/shared/RecommendedPreferences.sys.mjs b/remote/shared/RecommendedPreferences.sys.mjs @@ -337,9 +337,6 @@ const COMMON_PREFERENCES = new Map([ // Disable connectivity service pings ["network.connectivity-service.enabled", false], - // Do not prompt with long usernames or passwords in URLs - ["network.http.phishy-userpass-length", 255], - // Do not prompt for temporary redirects ["network.http.prompt-temp-redirect", false], diff --git a/testing/profiles/web-platform/user.js b/testing/profiles/web-platform/user.js 
@@ -41,8 +41,6 @@ user_pref("toolkit.startup.max_resumed_crashes", -1); user_pref("gfx.font_loader.delay", 0); // Disable antialiasing for the Ahem font. user_pref("gfx.font_rendering.ahem_antialias_none", true); -// Disable antiphishing popup -user_pref("network.http.phishy-userpass-length", 255); // Disable safebrowsing components user_pref("browser.safebrowsing.blockedURIs.enabled", false); user_pref("browser.safebrowsing.downloads.enabled", false); diff --git a/toolkit/components/extensions/test/xpcshell/test_ext_dnr_redirect_transform.js b/toolkit/components/extensions/test/xpcshell/test_ext_dnr_redirect_transform.js @@ -11,9 +11,6 @@ add_setup(() => { Services.prefs.setBoolPref("extensions.manifestV3.enabled", true); Services.prefs.setBoolPref("extensions.dnr.enabled", true); - // Allow navigation to URLs with embedded credentials, without prompt. - Services.prefs.setBoolPref("network.auth.confirmAuth.enabled", false); - // We don't normally allow localhost channels to be proxied, but this // is easier than updating all the certs and/or domains. Services.prefs.setBoolPref("network.proxy.allow_hijacking_localhost", true); diff --git a/toolkit/components/places/tests/browser/browser_visituri.js b/toolkit/components/places/tests/browser/browser_visituri.js @@ -98,11 +98,6 @@ add_task(async function test_basic() { }); add_task(async function test_userpass() { - // Avoid showing the auth prompt. - await SpecialPowers.pushPrefEnv({ - set: [["network.auth.confirmAuth.enabled", false]], - }); - // Open a html having test links. await BrowserTestUtils.openNewForegroundTab( gBrowser, diff --git a/widget/tests/browser/browser_test_InputContextURI.js b/widget/tests/browser/browser_test_InputContextURI.js 
@@ -121,9 +121,6 @@ add_task(async function test_input_in_data() { }); add_task(async function test_omit_private_things_in_URL() { - await SpecialPowers.pushPrefEnv({ - set: [["network.auth.confirmAuth.enabled", false]], - }); await promiseURLBarFocus(); await BrowserTestUtils.withNewTab( diff --git a/xpcom/base/ErrorList.py b/xpcom/base/ErrorList.py @@ -356,9 +356,6 @@ with modules["NETWORK"]: errors["NS_ERROR_BAD_HSTS_CERT"] = FAILURE(89) # Error parsing the status line of an HTTP response errors["NS_ERROR_PARSING_HTTP_STATUS_LINE"] = FAILURE(90) - # The user refused to navigate to a potentially unsafe URL with - # embedded credentials/superfluos authentication. - errors["NS_ERROR_SUPERFLUOS_AUTH"] = FAILURE(91) # The user attempted basic HTTP authentication while # the basic_http_auth pref is disabled errors["NS_ERROR_BASIC_HTTP_AUTH_DISABLED"] = FAILURE(92)