Closed
Bug 1221206
Opened 9 years ago
Closed 9 years ago
Turn on Insecure Password Warning for Firefox Dev Edition
Categories: Firefox :: Security, defect, P1
People: Reporter: tanvi, Assigned: tanvi
References: Blocks 1 open bug
Details: Keywords: site-compat, Whiteboard: [fxprivacy]
Attachments (1 file): patch (deleted), MattN: review+
The pref for this is nightly only right now (https://bugzilla.mozilla.org/show_bug.cgi?id=1217156).
This bug is to enable it on dev edition. The "depends on" bugs below are blocking this change.
So far they are:
https://bugzilla.mozilla.org/show_bug.cgi?id=1217766 - don't warn for pdf.js
https://bugzilla.mozilla.org/show_bug.cgi?id=1217133 - don't warn for localhost
I don't think the other bugs (dependencies of the meta bug 1217142) are needed to turn this feature on for developer edition. If others disagree, please provide your thoughts here.
Updated•9 years ago
Whiteboard: [fxprivacy] → [fxprivacy] [triage]
Comment 1•9 years ago (Assignee)
Pasted the wrong bugs into dependencies. Fixing.
Comment 2•9 years ago
Will be prioritized as a 'P1' and added to the Release 45 plan once the two dependencies are resolved.
Priority: -- → P2
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
Comment 3•9 years ago (Assignee)
I'll do this once the dependencies are resolved.
Assignee: nobody → tanvi
Updated•9 years ago
Updated•9 years ago
Priority: P2 → P3
Comment 4•9 years ago
Release Note Request (optional, but appreciated)
[Why is this notable]: Improve the security of our users
[Suggested wording]: Usage of the password field on HTTP marks the website as insecure
[Links (documentation, blog post, etc)]: Not to link against a third party website but FYI: http://www.ghacks.net/2015/10/21/firefox-44-special-notification-if-logins-are-not-secure/
relnote-firefox: --- → ?
Comment 5•9 years ago (Assignee)
(In reply to Sylvestre Ledru [:sylvestre] from comment #4)
> Release Note Request (optional, but appreciated)
> [Why is this notable]: Improve the security of our users
> [Suggested wording]: Usage of the password field on HTTP marks the website
> as insecure
> [Links (documentation, blog post, etc)]: Not to link against a third party
> website but FYI:
> http://www.ghacks.net/2015/10/21/firefox-44-special-notification-if-logins-
> are-not-secure/
This hasn't happened yet, so we don't need release notes yet. This is only turned on in Nightly. We hope to turn it on in dev edition in Firefox 46. We need to close all the dependencies first.
Comment 6•9 years ago
We are a week away from 46 moving to aurora. Is this ready to ship to dev edition?
It looks like bug 1179961 and bug 667233 may be related as well and they have some dependencies not noted here. We should also get ready for QE to test this feature in mid-aurora.
How will this be disabled for aurora, if we need to do that?
Comment hidden (advocacy)
Comment 8•9 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> We are a week away from 46 moving to aurora. Is this ready to ship to dev
> edition?
I think the dependencies here are correct, we're waiting on bug 1217766, that will also fix bug 1221771 unless it's heavily changed in review.
> How will this be disabled for aurora, if we need to do that?
This bug will just switch the default state of the preference by changing the "#ifdef", we can back it out if other major blockers arise later.
http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js#1397
Flags: needinfo?(tanvi)
Comment 9•9 years ago (Assignee)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> How will this be disabled for aurora, if we need to do that?
This feature is already disabled on aurora. If we get 121776 and 1221771 done by next week, I will add a patch here to enable this on aurora and push that.
The other bugs you mentioned are blockers to get this in release, which we aren't going to do just yet. We want to give developers a chance to fix their issues by keeping this warning on dev edition for a bit.
Comment 10•9 years ago (Assignee)
All the dependencies for turning on the insecure password warning for dev edition are fixed[1]. Here is a patch to turn the warning on for non-release and non-beta builds. This will include nightly, dev edition, and local nightly and dev edition builds.
[1] The Learn More link bug isn't closed, but only because of a couple minor edits that just need to be approved. It is okay as it is as well, so we can consider that bug done.
Attachment #8710111 - Flags: review?(MattN+bmo)
Comment 11•9 years ago
Comment on attachment 8710111: Bug1221206-01-20-16.patch
Review of attachment 8710111:
-----------------------------------------------------------------
I think the current Control Center panel string is confusing for the developer audience and should be revised at some point.
Attachment #8710111 - Flags: review?(MattN+bmo) → review+
Updated•9 years ago (Assignee)
Keywords: checkin-needed
Updated•9 years ago (Assignee)
Keywords: checkin-needed
Comment 12•9 years ago
Comment 13•9 years ago
bugherder
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Comment 14•9 years ago
The site compatibility doc is here: https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/
Updated•9 years ago
Iteration: --- → 46.3 - Jan 25
Flags: qe-verify?
Priority: P3 → P1
Updated•9 years ago
Keywords: site-compat
Comment 15•9 years ago (Assignee)
(In reply to Kohei Yoshino [:kohei] from comment #14)
> The site compatibility doc is here:
> https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-
> login-form-will-be-marked-insecure/
Thank you Kohei!
Updated•9 years ago
Flags: qe-verify? → qe-verify+
QA Contact: paul.silaghi
Noted for aurora 46 with a link to https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/
Comment 17•9 years ago
Bug 1217133, bug 1217766 are verified fixed.
Tested on 46.0a2 (2016-01-25) Win7:
- security.insecure_password.ui.enabled=TRUE
- The lock with a strikethrough is displayed fine on the test pages:
http://people.mozilla.org/~tvyas/password/password_insecure.html
http://people.mozilla.org/~tvyas/password/frame_password.html
Verified fixed.
Status: RESOLVED → VERIFIED
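A simplified model of the condition this warning keys on (a password field on a page loaded over HTTP, localhost exempt, fields inside frames included), as an added example that is not part of the bug or Firefox's code. The frame-tree format, the function names and the rule that a plain-HTTP ancestor also taints a framed field are assumptions; the sample URLs are constructed.

```javascript
// Added example: simplified model of the insecure password warning's trigger.
// Not Firefox's implementation; the ancestor-frame rule is an assumption.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True only for plain http:// on a non-loopback host. Other schemes
// (file:, about:, resource:, ...) are not modelled and never flagged here.
function isPlainHttp(rawUrl) {
  const url = new URL(rawUrl);
  return url.protocol === "http:" && !LOOPBACK_HOSTS.has(url.hostname);
}

// frames: [{ id, parent, url, passwordFields }], parent is an id or null.
// Returns one finding per password field whose own document, or any
// ancestor document up to the top-level page, was loaded over plain HTTP.
function findInsecurePasswordFields(frames) {
  const byId = new Map(frames.map((f) => [f.id, f]));
  const findings = [];
  for (const frame of frames) {
    for (const field of frame.passwordFields || []) {
      const seen = new Set(); // guards against a malformed parent cycle
      for (let cur = frame; cur && !seen.has(cur.id); cur = byId.get(cur.parent)) {
        seen.add(cur.id);
        if (isPlainHttp(cur.url)) {
          findings.push({ field, frameUrl: frame.url, insecureUrl: cur.url });
          break;
        }
      }
    }
  }
  return findings;
}

// Constructed sample frame trees (example.* hosts are placeholders).
const SAMPLE_FRAMES = [
  { id: 1, parent: null, url: "http://forum.example/login", passwordFields: ["pw"] },
  { id: 2, parent: null, url: "https://shop.example/", passwordFields: [] },
  { id: 3, parent: 2, url: "http://login.example/form.html", passwordFields: ["pass"] },
  { id: 4, parent: null, url: "http://localhost:8080/dev", passwordFields: ["devpw"] },
  { id: 5, parent: null, url: "https://bank.example/", passwordFields: ["pin"] },
  { id: 6, parent: null, url: "http://news.example/", passwordFields: [] },
  { id: 7, parent: 6, url: "https://sso.example/widget", passwordFields: ["sso"] },
];

for (const f of findInsecurePasswordFields(SAMPLE_FRAMES)) {
  console.log(`${f.field} in ${f.frameUrl}: insecure because of ${f.insecureUrl}`);
}
```

Site owners can apply the same rule when auditing their own pages: every document in the chain from the login field up to the top-level page needs to be served over HTTPS.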