If I load the testcase first thing in a new profile, Firefox pops up a dialog asking me to set a master password.

I'd suspect this is a PSM/NSS bug, since the key here seems to be that you need to do this immediately with a new profile. I can reproduce this by visiting the attachment URL directly in a new profile -- but if I load the bug first and then click the attachment, I do not. I'd especially be looking at why this code has historically been needed: (http://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/crypto-SDR.js#71) 77 // Check to see if the internal PKCS#11 token has been initialized. 78 // If not, set a blank password. 79 let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"]. 80 getService(Ci.nsIPK11TokenDB); 81 82 let token = tokenDB.getInternalKeyToken(); 83 if (token.needsUserInit) { 84 this.log("Initializing key3.db with default blank password."); 85 token.initPassword(""); 86 } I bet this bug only happens if you tickle it before password manager happens to do this.

Blech. See also bug 717490 comment 17, wherein I suspect a closely-related issue. Softtoken's lack of self-initialization (and/or it's confusion about what state it is in) is pretty dumb.

Bug 1030963 removed this functionality entirely.