I have no idea how autoconfig / autodiscover works, but some of the URIs we're checking for look strange, and they all cause console errors as they are not found.

STR

• set up existing email address
• enter gmail credentials (email, pw)
• proceed to test the credentials
• monitor error console

Actual result

• autoconfig / autodiscover tests for weird URIs, in turn causing HTTP 404 Not Found errors in console
• one URI and its error message even contain my password in plaintext, is that safe?
  • GET https://gmail.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=doejohn@gmail.com
    [HTTP/2 404 Not Found 382ms]
  • POST https://doejohn@gmail.com:*password*@gmail.com/autodiscover/autodiscover.xml [HTTP/2 404 Not Found 434ms]

Expected

• no errors in console
• avoid plain password in URI and error messages if possible

These errors are not really console errors: only "logged" if you have the console open.
Which makes the second point somewhat moot: if you're debugging, you need to see what's going on and why it failed. Anyway, toolkit code.

But, I there are some related console spew we could remove so I'm using this bug for that.

These are handled errors so we should not spwe them onto the console.

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/9cf5ac27abe5
remove unwarranted console errors related to account setup. r=aleca

Comment on attachment 9237812 [details]
Bug 1726767 - remove unwarranted console errors related to account setup. r=aleca

[Approval Request Comment]
User impact if declined: for some cases, unwarranted error spew in the console
Testing completed (on c-c, etc.): yes
Risk to taking this patch (and alternatives if risky): as safe as it gets

Comment on attachment 9237812 [details]
Bug 1726767 - remove unwarranted console errors related to account setup. r=aleca

[Triage Comment]
Approved for beta

Thunderbird 92.0b5:
https://hg.mozilla.org/releases/comm-beta/rev/6ab86369c522

Comment on attachment 9237812 [details]
Bug 1726767 - remove unwarranted console errors related to account setup. r=aleca

[Triage Comment]
Approved for esr91

Thunderbird 91.1.1:
https://hg.mozilla.org/releases/comm-esr91/rev/a9d21a0ca952

(In reply to Thomas D. (:thomas8) from comment #0)

I'm not sure if my bug report has been understood.
I was trying to get some feedback if the URLs listed in comment 0 are correct URLs which we should check for. It seems surprising that for a standard case like setting up a gmail account, so many of the URLs we are using should fail to be found.

Created attachment 9237203 [details]
I have no idea how autoconfig / autodiscover works, but some of the URIs we're checking for look strange,

• GET https://gmail.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=doejohn@gmail.com
  [HTTP/2 404 Not Found 382ms]

Why is this not found?

• POST https://doejohn@gmail.com:*password*@gmail.com/autodiscover/autodiscover.xml [HTTP/2 404 Not Found 434ms]

Can someone enlighten me why we're sending a request with an invalid domain: https://doejohn@gmail.com:password@gmail.com/... ?

(In reply to Thomas D. (:thomas8) from comment #10)

Why is this not found?

Because google doesn't support .well-known.

Can someone enlighten me why we're sending a request with an invalid domain: https://doejohn@gmail.com:password@gmail.com/... ?

gmail.com is a valid domain.

(In reply to Thomas D. (:thomas8) from comment #10)

• POST https://doejohn@gmail.com:*password*@gmail.com/autodiscover/autodiscover.xml [HTTP/2 404 Not Found 434ms]

Can someone enlighten me why we're sending a request with an invalid domain: https://doejohn@gmail.com:password@gmail.com/... ?

I don't have too much light to shed upon this but my reading is that the '@' sign in the <username> part of that url is a reserved character and requires escaping: https://doejohn%40gmail.com:password@gmail.com/...

I was initially concerned about the plain-text password thing, but then I remembered that https sets up the encryption before the request is sent. Just as long as it doesn't ever do the same with http :-)
I agree that dumping the url to the console, password and all, doesn't inspire confidence. Even if it's never sent over the wire in plain text, it's a little nerve-jangling initially.