tor-browser

The Tor Browser

commit 905631b92892af528f228c55ee2437ad4b467976
parent c1aecb7d5c2c10c5f4d48658732d7a94adaa68ab
Author: Dale Harvey <dale@arandomurl.com>
Date:   Wed, 19 Nov 2025 03:49:51 +0000

Bug 1997230 - Blob urls should be considered secure. r=daisuke,urlbar-reviewers

Differential Revision: https://phabricator.services.mozilla.com/D273093

Diffstat:
Mbrowser/base/content/browser-trustPanel.js | 15+++++++--------
Mbrowser/components/urlbar/tests/browser/browser_trust_panel.js | 20++++++++++++++++++++
Mbrowser/components/urlbar/tests/browser/browser_trust_panel_pages.js | 2+-
3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/browser/base/content/browser-trustPanel.js b/browser/base/content/browser-trustPanel.js
@@ -71,7 +71,6 @@ class TrustPanel {
 #uri = null;
 #uriHasHost = null;
 #pageExtensionPolicy = null;
- #isURILoadedFromFile = null;
 #isSecureContext = null;
 #isSecureInternalUI = null;
@@ -227,7 +226,6 @@ class TrustPanel {
 this.#secInfo = gBrowser.securityUI.secInfo;
 this.#pageExtensionPolicy = WebExtensionPolicy.getByURI(uri);
- this.#isURILoadedFromFile = uri.schemeIs("file");
 this.#isSecureContext = this.#getIsSecureContext();
 this.#isSecureInternalUI = false;
@@ -266,11 +264,7 @@ class TrustPanel {
 async #updatePopup() {
 let secureConnection = this.#isSecurePage();
-
- let connection = "not-secure";
- if (secureConnection || this.#isInternalSecurePage(this.#uri)) {
- connection = "secure";
- }
+ let connection = secureConnection ? "secure" : "not-secure";
 this.#popup.setAttribute("connection", connection);
 this.#popup.setAttribute(
@@ -529,7 +523,8 @@ class TrustPanel {
 #isSecurePage() {
 return (
 this.#state & Ci.nsIWebProgressListener.STATE_IS_SECURE ||
- this.#isInternalSecurePage(this.#uri)
+ this.#isInternalSecurePage(this.#uri) ||
+ this.#isPotentiallyTrustworthy
 );
 }
@@ -780,6 +775,10 @@ class TrustPanel {
 return documentURI?.scheme == "about" && documentURI.filePath == "blocked";
 }
+ get #isURILoadedFromFile() {
+ return this.#uri.schemeIs("file");
+ }
+
 #supplementalText() {
 let supplemental = "";
 let verifier = "";
diff --git a/browser/components/urlbar/tests/browser/browser_trust_panel.js b/browser/components/urlbar/tests/browser/browser_trust_panel.js
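Review bot: In `#isSecurePage()` the added `this.#isPotentiallyTrustworthy` term makes the method return true for documents that have no TLS connection of their own, which is wider than the blob: case named in the commit title; the `about:about` expectation changing to `ICONS.active` in browser_trust_panel_pages.js points the same way. `#isPotentiallyTrustworthy` is defined outside this hunk, so its exact conditions cannot be checked here. Any caller that reads a true result as "a certificate is available" may now run with no `#secInfo`, which is worth confirming. The method should say so in a comment, for example `// True for TLS connections, internal secure pages, and secure contexts that have no connection of their own (e.g. blob: URLs).`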
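Review bot: The new `#isURILoadedFromFile` getter dereferences `this.#uri`, which the class initialises to `null` (first hunk's field list), so a read before the first location update throws where the removed field simply held `null`. Whether any caller can run that early is not visible in these hunks. `return this.#uri?.schemeIs("file") ?? false;` keeps the previous falsy-before-load behaviour.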
@@ -94,3 +94,23 @@ add_task(async function test_notsecure_label() {
 await BrowserTestUtils.removeTab(tab);
 });
+
+add_task(async function test_blob_secure() {
+ const tab = await BrowserTestUtils.openNewForegroundTab({
+ gBrowser,
+ opening: "https://example.com",
+ waitForLoad: true,
+ });
+
+ await SpecialPowers.spawn(tab.linkedBrowser, [], () => {
+ let blob = new Blob(["<h2>hey!</h2>"], { type: "text/html" });
+ content.document.location = URL.createObjectURL(blob);
+ });
+
+ Assert.ok(
+ !BrowserTestUtils.isVisible(urlbarLabel(window)),
+ "Not showing Not Secure label"
+ );
+
+ await BrowserTestUtils.removeTab(tab);
+});
diff --git a/browser/components/urlbar/tests/browser/browser_trust_panel_pages.js b/browser/components/urlbar/tests/browser/browser_trust_panel_pages.js
@@ -14,7 +14,7 @@ const ICONS = {
 const TESTS = [
 {
 url: "about:about",
- icon: ICONS.insecure,
+ icon: ICONS.active,
 },
 {
 url: "https://example.com",
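Review bot: In `test_blob_secure` the `Assert.ok` can apparently run while the tab still shows `https://example.com`, because the `SpecialPowers.spawn` callback only assigns the location and nothing waits for the blob document to load. The label is hidden on the https page too, so the test can pass without exercising the blob case. Creating `let loaded = BrowserTestUtils.browserLoaded(tab.linkedBrowser);` before the spawn and adding `await loaded;` after it would pin the assertion to the blob document. The test also covers only a blob created from a secure origin. A companion case that creates the blob from an `http://` page and asserts the Not Secure label stays visible would guard against blob: URLs being shown as secure regardless of their creator.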