It's been on for several years, do we need to support turning it off anymore?

I do not think we need the way to turn it off. It's browser's job to alert user of potential trouble.

Backed out for causing multiple failures related to Autocomplete.

Push with failures

Failure log for xpcshell failures
Failure log for mochitest-plain failures
Failure log for browser-chrome failures
Failure log for gv-junit failures

Backout link

https://hg.mozilla.org/mozilla-central/rev/3f0f5bd2bde6

To comment on the "It's browser's job to alert user of potential trouble."

Nope, currently it's the browser jobs to annoy me on, with something i can't change and prevent me from effordless log me into my router.

This is not useful, not at all! I was guessing that firefox gives the choice to the USERS? If i want others to control what i'm doing in the software i could also use google chrome. Come on guys, are you serious?

and to comment on "I do not think we need the way to turn it off. " well, you thought wrong! Did you guys made a meeting about that or did you as a single person made that change? We need that option back, sry is not a working solution right now.

That message is overlapping my password filler overlay, it's completly messed up

Especially when i made a manual import of the certificate that was made by my router lets encrypt like and i added an exception to my settings.

Why firefox does simply ignore what i choose there? From the logical perspective i told him to whitelist that domain.

Nope, that can't be right, not by any definition!

This is one big bad move. All of sudden that ugly warning started to appear for every local hosted webpage covering the password field and annoying and slowing the navigation flow doing so. DO NOT EVER go with the idea "it's not useful for me so it's not for others too", it's simply a bad development moves; the browser's job is to alert me by default but it has to let me take my own decision and do whatever I want with my settings. Revert all this mess asap please.

We have heard the feedback and are considering improving the behavior; some of the involved engineers are away right now so we will update the bug at a later date.

Why would you remove something that isn't causing an issue??
It's not like this was a GUI configuration, so using this setting means the user knows what they're doing.
If this setting is a security concern, then make it revert the setting everytime you do an update, but don't remove the setting.
Please revert and bring back this setting.

(In reply to Tom Ritter [:tjr] from comment #0)

It's been on for several years, do we need to support turning it off anymore?

Yes please.

(In reply to Sergey Galich [:serg] from comment #1)

I do not think we need the way to turn it off. It's browser's job to alert user of potential trouble.

In default installations, yes.
People who change these settings in about:config have their reasons for doing so. It's not a browsers job to annoy me and/or treat its advanced users like they're clueless.

(In reply to Tom Ritter [:tjr] from comment #10)

We have heard the feedback and are considering improving the behavior; some of the involved engineers are away right now so we will update the bug at a later date.

Can't we just revert this, at least until you have the improved solution ready?

I run an internal NAS with mostly http sites that will never ever touch the internet and I'm getting hampered by these prompts. The about:config setting "security.insecure_field_warning.contextual.enabled" used to take care of this but it seems that setting no longer has any effect. Can this please be fixed? It's causing usability issues and there is a valid use case for use of http sites in highly locked down/isolated/legacy environments.

(In reply to Tom Ritter [:tjr] from comment #10)

We have heard the feedback and are considering improving the behavior; some of the involved engineers are away right now so we will update the bug at a later date.

So, feedback heard nine months ago but this is still causing problems for and/or annoying devs and sysadmins who work on systems where HTTPS is unsupported or impractical to maintain. Mozilla used to care about a diverse range of users. What changed?

The improved behaviour would be to provide an option for users to dismiss your helicoptering... Kind of like the hidden about:config option that existed. Please revert this change.