From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 21:33:14 +0200
Subject: Adding upstream version 115.7.0esr.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../auto_upgrading_identity.html                   |  11 +
 .../auto_upgrading_identity.png                    | Bin 0 -> 70 bytes
 dom/security/test/mixedcontentblocker/browser.ini  |  28 ++
 .../browser_auto_upgrading_identity.js             |  55 ++++
 ...xedcontent_and_mixed_content_display_upgrade.js |  78 +++++
 .../browser_mixed_content_auth_download.js         | 165 ++++++++++
 ...r_mixed_content_auto_upgrade_display_console.js |  51 ++++
 .../browser_test_mixed_content_download.js         | 333 ++++++++++++++++++++
 .../test/mixedcontentblocker/download_page.html    |  41 +++
 .../test/mixedcontentblocker/download_server.sjs   |  20 ++
 .../file_auth_download_page.html                   |  22 ++
 .../file_auth_download_server.sjs                  |  62 ++++
 .../test/mixedcontentblocker/file_bug1551886.html  |  25 ++
 .../file_bug803225_test_mailto.html                |  13 +
 ...dcontent_and_mixed_content_display_upgrade.html |  14 +
 .../mixedcontentblocker/file_frameNavigation.html  |  74 +++++
 .../file_frameNavigation_blankTarget.html          |  33 ++
 .../file_frameNavigation_grandchild.html           |  57 ++++
 .../file_frameNavigation_innermost.html            |  74 +++++
 .../file_frameNavigation_secure.html               |  73 +++++
 .../file_frameNavigation_secure_grandchild.html    |  58 ++++
 .../test/mixedcontentblocker/file_main.html        | 338 +++++++++++++++++++++
 .../mixedcontentblocker/file_main_bug803225.html   | 175 +++++++++++
 .../file_main_bug803225_websocket_wsh.py           |   6 +
 ...mixed_content_auto_upgrade_display_console.html |  10 +
 .../test/mixedcontentblocker/file_redirect.html    |  31 ++
 .../mixedcontentblocker/file_redirect_handler.sjs  |  35 +++
 .../test/mixedcontentblocker/file_server.sjs       | 131 ++++++++
 .../test/mixedcontentblocker/mochitest.ini         |  40 +++
 dom/security/test/mixedcontentblocker/pass.png     | Bin 0 -> 1689 bytes
 dom/security/test/mixedcontentblocker/test.ogv     | Bin 0 -> 2344665 bytes
 dom/security/test/mixedcontentblocker/test.wav     | Bin 0 -> 353022 bytes
 .../test/mixedcontentblocker/test_bug1551886.html  |  33 ++
 .../test/mixedcontentblocker/test_bug803225.html   | 157 ++++++++++
 .../mixedcontentblocker/test_frameNavigation.html  | 127 ++++++++
 .../test/mixedcontentblocker/test_main.html        | 231 ++++++++++++++
 .../test/mixedcontentblocker/test_redirect.html    |  45 +++
 37 files changed, 2646 insertions(+)
 create mode 100644 dom/security/test/mixedcontentblocker/auto_upgrading_identity.html
 create mode 100644 dom/security/test/mixedcontentblocker/auto_upgrading_identity.png
 create mode 100644 dom/security/test/mixedcontentblocker/browser.ini
 create mode 100644 dom/security/test/mixedcontentblocker/browser_auto_upgrading_identity.js
 create mode 100644 dom/security/test/mixedcontentblocker/browser_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.js
 create mode 100644 dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js
 create mode 100644 dom/security/test/mixedcontentblocker/browser_mixed_content_auto_upgrade_display_console.js
 create mode 100644 dom/security/test/mixedcontentblocker/browser_test_mixed_content_download.js
 create mode 100644 dom/security/test/mixedcontentblocker/download_page.html
 create mode 100644 dom/security/test/mixedcontentblocker/download_server.sjs
 create mode 100644 dom/security/test/mixedcontentblocker/file_auth_download_page.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_auth_download_server.sjs
 create mode 100644 dom/security/test/mixedcontentblocker/file_bug1551886.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_bug803225_test_mailto.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_frameNavigation.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_frameNavigation_blankTarget.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_frameNavigation_grandchild.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_frameNavigation_secure.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_frameNavigation_secure_grandchild.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_main.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_main_bug803225.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_main_bug803225_websocket_wsh.py
 create mode 100644 dom/security/test/mixedcontentblocker/file_mixed_content_auto_upgrade_display_console.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_redirect.html
 create mode 100644 dom/security/test/mixedcontentblocker/file_redirect_handler.sjs
 create mode 100644 dom/security/test/mixedcontentblocker/file_server.sjs
 create mode 100644 dom/security/test/mixedcontentblocker/mochitest.ini
 create mode 100644 dom/security/test/mixedcontentblocker/pass.png
 create mode 100644 dom/security/test/mixedcontentblocker/test.ogv
 create mode 100644 dom/security/test/mixedcontentblocker/test.wav
 create mode 100644 dom/security/test/mixedcontentblocker/test_bug1551886.html
 create mode 100644 dom/security/test/mixedcontentblocker/test_bug803225.html
 create mode 100644 dom/security/test/mixedcontentblocker/test_frameNavigation.html
 create mode 100644 dom/security/test/mixedcontentblocker/test_main.html
 create mode 100644 dom/security/test/mixedcontentblocker/test_redirect.html

(limited to 'dom/security/test/mixedcontentblocker')

diff --git a/dom/security/test/mixedcontentblocker/auto_upgrading_identity.html b/dom/security/test/mixedcontentblocker/auto_upgrading_identity.html
new file mode 100644
index 0000000000..d843b7fae1
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/auto_upgrading_identity.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset='utf-8'>
+  <title>Bug 1674341: Test SiteIdentity when auto-upgrading mixed content</title>
+</head>
+<body>
+  <!-- needs to be http: image for mixed content and auto-upgrading -->
+  <img type="image/png" id="testimage" src="http://example.com/browser/dom/security/test/mixedcontentblocker/auto_upgrading_identity.png" />
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/auto_upgrading_identity.png b/dom/security/test/mixedcontentblocker/auto_upgrading_identity.png
new file mode 100644
index 0000000000..52c591798e
Binary files /dev/null and b/dom/security/test/mixedcontentblocker/auto_upgrading_identity.png differ
diff --git a/dom/security/test/mixedcontentblocker/browser.ini b/dom/security/test/mixedcontentblocker/browser.ini
new file mode 100644
index 0000000000..eae1091128
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/browser.ini
@@ -0,0 +1,28 @@
+[DEFAULT]
+prefs =
+  dom.security.https_first=false
+support-files =
+  download_page.html
+  download_server.sjs
+
+[browser_auto_upgrading_identity.js]
+support-files =
+  auto_upgrading_identity.html
+  auto_upgrading_identity.png
+[browser_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.js]
+support-files =
+  file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html
+  pass.png
+  test.ogv
+  test.wav
+[browser_mixed_content_auth_download.js]
+support-files =
+  file_auth_download_page.html
+  file_auth_download_server.sjs
+[browser_mixed_content_auto_upgrade_display_console.js]
+support-files = file_mixed_content_auto_upgrade_display_console.html
+[browser_test_mixed_content_download.js]
+skip-if = 
+  win10_2004 && debug # Bug 1723573
+  win11_2009 # Bug 1784764
+  os == "linux" && !debug # Bug 1784764
diff --git a/dom/security/test/mixedcontentblocker/browser_auto_upgrading_identity.js b/dom/security/test/mixedcontentblocker/browser_auto_upgrading_identity.js
new file mode 100644
index 0000000000..7860c06fc2
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/browser_auto_upgrading_identity.js
@@ -0,0 +1,55 @@
+"use strict";
+
+const TEST_PATH = getRootDirectory(gTestPath).replace(
+  "chrome://mochitests/content",
+  "https://example.com"
+);
+const TEST_TOPLEVEL_URI = TEST_PATH + "auto_upgrading_identity.html";
+
+// auto upgrading mixed content should not indicate passive mixed content loaded
+add_task(async () => {
+  await SpecialPowers.pushPrefEnv({
+    set: [["security.mixed_content.upgrade_display_content", true]],
+  });
+  await BrowserTestUtils.withNewTab(
+    TEST_TOPLEVEL_URI,
+    async function (browser) {
+      await ContentTask.spawn(browser, {}, async function () {
+        let testImg = content.document.getElementById("testimage");
+        ok(
+          testImg.src.includes("auto_upgrading_identity.png"),
+          "sanity: correct image is loaded"
+        );
+      });
+      // Ensure the identiy handler does not show mixed content!
+      ok(
+        !gIdentityHandler._isMixedPassiveContentLoaded,
+        "Auto-Upgrading Mixed Content: Identity should note indicate mixed content"
+      );
+    }
+  );
+});
+
+// regular mixed content test should indicate passive mixed content loaded
+add_task(async () => {
+  await SpecialPowers.pushPrefEnv({
+    set: [["security.mixed_content.upgrade_display_content", false]],
+  });
+  await BrowserTestUtils.withNewTab(
+    TEST_TOPLEVEL_URI,
+    async function (browser) {
+      await ContentTask.spawn(browser, {}, async function () {
+        let testImg = content.document.getElementById("testimage");
+        ok(
+          testImg.src.includes("auto_upgrading_identity.png"),
+          "sanity: correct image is loaded"
+        );
+      });
+      // Ensure the identiy handler does show mixed content!
+      ok(
+        gIdentityHandler._isMixedPassiveContentLoaded,
+        "Regular Mixed Content: Identity should indicate mixed content"
+      );
+    }
+  );
+});
diff --git a/dom/security/test/mixedcontentblocker/browser_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.js b/dom/security/test/mixedcontentblocker/browser_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.js
new file mode 100644
index 0000000000..1f738b951d
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/browser_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.js
@@ -0,0 +1,78 @@
+/*
+ * Description of the Test:
+ * We load an https page which uses a CSP including block-all-mixed-content.
+ * The page embedded an audio, img and video. ML2 should upgrade them and
+ * CSP should not be triggered.
+ */
+
+const PRE_PATH = getRootDirectory(gTestPath).replace(
+  "chrome://mochitests/content",
+  "https://example.com"
+);
+var gTestBrowser = null;
+let expectedMessages = 3;
+function on_new_message(msgObj) {
+  const message = msgObj.message;
+
+  // Check if csp warns about block-all-mixed content being obsolete
+  if (message.includes("Content-Security-Policy")) {
+    ok(
+      message.includes("block-all-mixed-content obsolete"),
+      "CSP warns about block-all-mixed content being obsolete"
+    );
+  }
+  if (message.includes("Mixed Content:")) {
+    ok(
+      message.includes("Upgrading insecure display request"),
+      "msg included a mixed content upgrade"
+    );
+    expectedMessages--;
+  }
+}
+
+add_task(async function () {
+  await SpecialPowers.pushPrefEnv({
+    set: [["security.mixed_content.upgrade_display_content", true]],
+  });
+  Services.console.registerListener(on_new_message);
+  // Starting the test
+  var url =
+    PRE_PATH +
+    "file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html";
+
+  await BrowserTestUtils.withNewTab(
+    {
+      gBrowser,
+      url,
+      waitForLoad: true,
+    },
+    async function (browser) {
+      let loadedElements = await ContentTask.spawn(
+        browser,
+        [],
+        async function () {
+          // Check image loaded
+          let image = content.document.getElementById("some-img");
+          let imageLoaded =
+            image && image.complete && image.naturalHeight !== 0;
+          // Check audio loaded
+          let audio = content.document.getElementById("some-audio");
+          let audioLoaded = audio && audio.readyState >= 2;
+          // Check video loaded
+          let video = content.document.getElementById("some-video");
+          //let videoPlayable = await once(video, "loadeddata").then(_ => true);
+          let videoLoaded = video && video.readyState === 4;
+          return { audio: audioLoaded, img: imageLoaded, video: videoLoaded };
+        }
+      );
+      is(true, loadedElements.img, "Image loaded and was upgraded " + url);
+      is(true, loadedElements.video, "Video loaded and was upgraded " + url);
+      is(true, loadedElements.audio, "Audio loaded and was upgraded " + url);
+    }
+  );
+
+  await BrowserTestUtils.waitForCondition(() => expectedMessages === 0);
+
+  // Clean up
+  Services.console.unregisterListener(on_new_message);
+});
diff --git a/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js b/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js
new file mode 100644
index 0000000000..e6b01a0cc0
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js
@@ -0,0 +1,165 @@
+/* Any copyright is dedicated to the Public Domain.
+ * https://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+ChromeUtils.defineESModuleGetters(this, {
+  Downloads: "resource://gre/modules/Downloads.sys.mjs",
+  DownloadsCommon: "resource:///modules/DownloadsCommon.sys.mjs",
+});
+
+const { PromptTestUtils } = ChromeUtils.importESModule(
+  "resource://testing-common/PromptTestUtils.sys.mjs"
+);
+
+let authPromptModalType = Services.prefs.getIntPref(
+  "prompts.modalType.httpAuth"
+);
+
+const downloadMonitoringView = {
+  _listeners: [],
+  onDownloadAdded(download) {
+    for (let listener of this._listeners) {
+      listener(download);
+    }
+    this._listeners = [];
+  },
+  waitForDownload(listener) {
+    this._listeners.push(listener);
+  },
+};
+
+let SECURE_BASE_URL =
+  getRootDirectory(gTestPath).replace(
+    "chrome://mochitests/content/",
+    "https://example.com/"
+  ) + "file_auth_download_page.html";
+
+/**
+ * Waits until a download is triggered.
+ * It waits until a prompt is shown,
+ * saves and then accepts the dialog.
+ * @returns {Promise} Resolved once done.
+ */
+
+function shouldTriggerDownload() {
+  return new Promise(res => {
+    downloadMonitoringView.waitForDownload(res);
+  });
+}
+function shouldNotifyDownloadUI() {
+  return new Promise(res => {
+    downloadMonitoringView.waitForDownload(async aDownload => {
+      let { error } = aDownload;
+      if (
+        error.becauseBlockedByReputationCheck &&
+        error.reputationCheckVerdict == Downloads.Error.BLOCK_VERDICT_INSECURE
+      ) {
+        // It's an insecure Download, now Check that it has been cleaned up properly
+        if ((await IOUtils.stat(aDownload.target.path)).size != 0) {
+          throw new Error(`Download target is not empty!`);
+        }
+        if ((await IOUtils.stat(aDownload.target.path)).size != 0) {
+          throw new Error(`Download partFile was not cleaned up properly`);
+        }
+        // Assert that the Referrer is present
+        if (!aDownload.source.referrerInfo) {
+          throw new Error("The Blocked download is missing the ReferrerInfo");
+        }
+
+        res(aDownload);
+      } else {
+        ok(false, "No error for download that was expected to error!");
+      }
+    });
+  });
+}
+
+async function resetDownloads() {
+  // Removes all downloads from the download List
+  const types = new Set();
+  let publicList = await Downloads.getList(Downloads.ALL);
+  let downloads = await publicList.getAll();
+  for (let download of downloads) {
+    if (download.contentType) {
+      types.add(download.contentType);
+    }
+    publicList.remove(download);
+    await download.finalize(true);
+  }
+}
+
+async function runTest(url, link, checkFunction, description) {
+  await resetDownloads();
+  let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, url);
+  is(
+    gBrowser.currentURI.schemeIs("https"),
+    true,
+    "Scheme of opened tab should be https"
+  );
+  info("Checking: " + description);
+
+  let checkPromise = checkFunction();
+  // Click the Link to trigger the download
+  SpecialPowers.spawn(gBrowser.selectedBrowser, [link], contentLink => {
+    content.document.getElementById(contentLink).click();
+  });
+  // Wait for the auth prompt, enter the login details and close the prompt
+  await PromptTestUtils.handleNextPrompt(
+    gBrowser.selectedBrowser,
+    { modalType: authPromptModalType, promptType: "promptUserAndPass" },
+    { buttonNumClick: 0, loginInput: "user", passwordInput: "pass" }
+  );
+  await checkPromise;
+  ok(true, description);
+  // Close download panel
+  DownloadsPanel.hidePanel();
+  is(DownloadsPanel.panel.state, "closed", "Panel should be closed");
+  await BrowserTestUtils.removeTab(tab);
+}
+
+add_setup(async function () {
+  let list = await Downloads.getList(Downloads.ALL);
+  list.addView(downloadMonitoringView);
+  registerCleanupFunction(() => list.removeView(downloadMonitoringView));
+  // Ensure to delete all cached credentials before running test
+  await new Promise(resolve => {
+    Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, resolve);
+  });
+  await SpecialPowers.pushPrefEnv({
+    set: [["dom.block_download_insecure", true]],
+  });
+});
+//Test description:
+// 1. Open "https://example.com".
+// 2. From "https://example.com" download something, but that download is only available via http
+//    and with authentication.
+// 3. Login and start download.
+// 4. Mixed-content blocker blocks download.
+// 5. Unblock download and verify the downloaded file.
+add_task(async function test_auth_download() {
+  await runTest(
+    SECURE_BASE_URL,
+    "insecure",
+    async () => {
+      let [, download] = await Promise.all([
+        shouldTriggerDownload(),
+        shouldNotifyDownloadUI(),
+      ]);
+      await download.unblock();
+      ok(download.error == null, "There should be no error after unblocking");
+      info(
+        "Start download to be able to validate the size and the success of the download"
+      );
+      await download.start();
+      is(
+        download.contentType,
+        "text/html",
+        "File contentType should be correct."
+      );
+      ok(download.succeeded, "Download succeeded!");
+      is(download.target.size, 27, "Download has correct size");
+    },
+    "A locked Download from an auth server should succeeded to Download after a Manual unblock"
+  );
+});
diff --git a/dom/security/test/mixedcontentblocker/browser_mixed_content_auto_upgrade_display_console.js b/dom/security/test/mixedcontentblocker/browser_mixed_content_auto_upgrade_display_console.js
new file mode 100644
index 0000000000..4f41d8b51c
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/browser_mixed_content_auto_upgrade_display_console.js
@@ -0,0 +1,51 @@
+// Bug 1673574 - Improve Console logging for mixed content auto upgrading
+"use strict";
+
+const testPath = getRootDirectory(gTestPath).replace(
+  "chrome://mochitests/content",
+  "https://example.com"
+);
+
+let seenAutoUpgradeMessage = false;
+
+const kTestURI =
+  testPath + "file_mixed_content_auto_upgrade_display_console.html";
+
+add_task(async function () {
+  // A longer timeout is necessary for this test than the plain mochitests
+  // due to opening a new tab with the web console.
+  requestLongerTimeout(4);
+
+  // Enable HTTPS-Only Mode and register console-listener
+  await SpecialPowers.pushPrefEnv({
+    set: [["security.mixed_content.upgrade_display_content", true]],
+  });
+  Services.console.registerListener(on_auto_upgrade_message);
+
+  BrowserTestUtils.loadURIString(gBrowser.selectedBrowser, kTestURI);
+
+  await BrowserTestUtils.waitForCondition(() => seenAutoUpgradeMessage);
+
+  Services.console.unregisterListener(on_auto_upgrade_message);
+});
+
+function on_auto_upgrade_message(msgObj) {
+  const message = msgObj.message;
+
+  // The console message is:
+  // "Mixed Content: Upgrading insecure display request
+  // ‘http://example.com/file_mixed_content_auto_upgrade_display_console.jpg’ to use ‘https’"
+
+  if (!message.includes("Mixed Content:")) {
+    return;
+  }
+  ok(
+    message.includes("Upgrading insecure display request"),
+    "msg includes info"
+  );
+  ok(
+    message.includes("file_mixed_content_auto_upgrade_display_console.jpg"),
+    "msg includes file"
+  );
+  seenAutoUpgradeMessage = true;
+}
diff --git a/dom/security/test/mixedcontentblocker/browser_test_mixed_content_download.js b/dom/security/test/mixedcontentblocker/browser_test_mixed_content_download.js
new file mode 100644
index 0000000000..41b4d3d524
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/browser_test_mixed_content_download.js
@@ -0,0 +1,333 @@
+ChromeUtils.defineESModuleGetters(this, {
+  Downloads: "resource://gre/modules/Downloads.sys.mjs",
+  DownloadsCommon: "resource:///modules/DownloadsCommon.sys.mjs",
+});
+
+const HandlerService = Cc[
+  "@mozilla.org/uriloader/handler-service;1"
+].getService(Ci.nsIHandlerService);
+
+const MIMEService = Cc["@mozilla.org/mime;1"].getService(Ci.nsIMIMEService);
+
+let INSECURE_BASE_URL =
+  getRootDirectory(gTestPath).replace(
+    "chrome://mochitests/content/",
+    "http://example.com/"
+  ) + "download_page.html";
+let SECURE_BASE_URL =
+  getRootDirectory(gTestPath).replace(
+    "chrome://mochitests/content/",
+    "https://example.com/"
+  ) + "download_page.html";
+
+function promiseFocus() {
+  return new Promise(resolve => {
+    waitForFocus(resolve);
+  });
+}
+
+function promisePanelOpened() {
+  if (DownloadsPanel.panel && DownloadsPanel.panel.state == "open") {
+    return Promise.resolve();
+  }
+  return BrowserTestUtils.waitForEvent(DownloadsPanel.panel, "popupshown");
+}
+
+async function task_openPanel() {
+  await promiseFocus();
+
+  let promise = promisePanelOpened();
+  DownloadsPanel.showPanel();
+  await promise;
+}
+
+const downloadMonitoringView = {
+  _listeners: [],
+  onDownloadAdded(download) {
+    for (let listener of this._listeners) {
+      listener(download);
+    }
+    this._listeners = [];
+  },
+  waitForDownload(listener) {
+    this._listeners.push(listener);
+  },
+};
+
+/**
+ * Waits until a download is triggered.
+ * Unless the always_ask_before_handling_new_types pref is true, the download
+ * will simply be saved, so resolve when the view is notified of the new
+ * download. Otherwise, it waits until a prompt is shown, selects the choosen
+ * <action>, then accepts the dialog
+ * @param [action] Which action to select, either:
+ *        "handleInternally", "save" or "open".
+ * @returns {Promise} Resolved once done.
+ */
+
+function shouldTriggerDownload(action = "save") {
+  if (
+    Services.prefs.getBoolPref(
+      "browser.download.always_ask_before_handling_new_types"
+    )
+  ) {
+    return new Promise((resolve, reject) => {
+      Services.wm.addListener({
+        onOpenWindow(xulWin) {
+          Services.wm.removeListener(this);
+          let win = xulWin.docShell.domWindow;
+          waitForFocus(() => {
+            if (
+              win.location ==
+              "chrome://mozapps/content/downloads/unknownContentType.xhtml"
+            ) {
+              let dialog = win.document.getElementById("unknownContentType");
+              let button = dialog.getButton("accept");
+              let actionRadio = win.document.getElementById(action);
+              actionRadio.click();
+              button.disabled = false;
+              dialog.acceptDialog();
+              resolve();
+            } else {
+              reject();
+            }
+          }, win);
+        },
+      });
+    });
+  }
+  return new Promise(res => {
+    downloadMonitoringView.waitForDownload(res);
+  });
+}
+
+const CONSOLE_ERROR_MESSAGE = "Blocked downloading insecure content";
+
+function shouldConsoleError() {
+  // Waits until CONSOLE_ERROR_MESSAGE was logged
+  return new Promise((resolve, reject) => {
+    function listener(msgObj) {
+      let text = msgObj.message;
+      if (text.includes(CONSOLE_ERROR_MESSAGE)) {
+        Services.console.unregisterListener(listener);
+        resolve();
+      }
+    }
+    Services.console.registerListener(listener);
+  });
+}
+
+async function resetDownloads() {
+  // Removes all downloads from the download List
+  const types = new Set();
+  let publicList = await Downloads.getList(Downloads.PUBLIC);
+  let downloads = await publicList.getAll();
+  for (let download of downloads) {
+    if (download.contentType) {
+      types.add(download.contentType);
+    }
+    publicList.remove(download);
+    await download.finalize(true);
+  }
+
+  if (types.size) {
+    // reset handlers for the contentTypes of any files previously downloaded
+    for (let type of types) {
+      const mimeInfo = MIMEService.getFromTypeAndExtension(type, "");
+      info("resetting handler for type: " + type);
+      HandlerService.remove(mimeInfo);
+    }
+  }
+}
+
+function shouldNotifyDownloadUI() {
+  return new Promise(res => {
+    downloadMonitoringView.waitForDownload(async aDownload => {
+      let { error } = aDownload;
+      if (
+        error.becauseBlockedByReputationCheck &&
+        error.reputationCheckVerdict == Downloads.Error.BLOCK_VERDICT_INSECURE
+      ) {
+        // It's an insecure Download, now Check that it has been cleaned up properly
+        if ((await IOUtils.stat(aDownload.target.path)).size != 0) {
+          throw new Error(`Download target is not empty!`);
+        }
+        if ((await IOUtils.stat(aDownload.target.path)).size != 0) {
+          throw new Error(`Download partFile was not cleaned up properly`);
+        }
+        // Assert that the Referrer is presnt
+        if (!aDownload.source.referrerInfo) {
+          throw new Error("The Blocked download is missing the ReferrerInfo");
+        }
+
+        res(aDownload);
+      } else {
+        ok(false, "No error for download that was expected to error!");
+      }
+    });
+  });
+}
+
+async function runTest(url, link, checkFunction, description) {
+  await SpecialPowers.pushPrefEnv({
+    set: [["dom.block_download_insecure", true]],
+  });
+  await resetDownloads();
+
+  let tab = BrowserTestUtils.addTab(gBrowser, url);
+  gBrowser.selectedTab = tab;
+
+  let browser = gBrowser.getBrowserForTab(tab);
+  await BrowserTestUtils.browserLoaded(browser);
+
+  info("Checking: " + description);
+
+  let checkPromise = checkFunction();
+  // Click the Link to trigger the download
+  SpecialPowers.spawn(gBrowser.selectedBrowser, [link], contentLink => {
+    content.document.getElementById(contentLink).click();
+  });
+
+  await checkPromise;
+
+  ok(true, description);
+  BrowserTestUtils.removeTab(tab);
+
+  await SpecialPowers.popPrefEnv();
+}
+
+add_setup(async () => {
+  let list = await Downloads.getList(Downloads.ALL);
+  list.addView(downloadMonitoringView);
+  registerCleanupFunction(() => list.removeView(downloadMonitoringView));
+});
+
+// Test Blocking
+add_task(async function test_blocking() {
+  for (let prefVal of [true, false]) {
+    await SpecialPowers.pushPrefEnv({
+      set: [["browser.download.always_ask_before_handling_new_types", prefVal]],
+    });
+    await runTest(
+      INSECURE_BASE_URL,
+      "insecure",
+      shouldTriggerDownload,
+      "Insecure -> Insecure should download"
+    );
+    await runTest(
+      INSECURE_BASE_URL,
+      "secure",
+      shouldTriggerDownload,
+      "Insecure -> Secure should download"
+    );
+    await runTest(
+      SECURE_BASE_URL,
+      "insecure",
+      () =>
+        Promise.all([
+          shouldTriggerDownload(),
+          shouldNotifyDownloadUI(),
+          shouldConsoleError(),
+        ]),
+      "Secure -> Insecure should Error"
+    );
+    await runTest(
+      SECURE_BASE_URL,
+      "secure",
+      shouldTriggerDownload,
+      "Secure -> Secure should Download"
+    );
+    await SpecialPowers.popPrefEnv();
+  }
+});
+
+// Test Manual Unblocking
+add_task(async function test_manual_unblocking() {
+  for (let prefVal of [true, false]) {
+    await SpecialPowers.pushPrefEnv({
+      set: [["browser.download.always_ask_before_handling_new_types", prefVal]],
+    });
+    await runTest(
+      SECURE_BASE_URL,
+      "insecure",
+      async () => {
+        let [, download] = await Promise.all([
+          shouldTriggerDownload(),
+          shouldNotifyDownloadUI(),
+        ]);
+        await download.unblock();
+        ok(download.error == null, "There should be no error after unblocking");
+      },
+      "A Blocked Download Should succeeded to Download after a Manual unblock"
+    );
+    await SpecialPowers.popPrefEnv();
+  }
+});
+
+// Test Unblock Download Visible
+add_task(async function test_unblock_download_visible() {
+  for (let prefVal of [true, false]) {
+    await SpecialPowers.pushPrefEnv({
+      set: [["browser.download.always_ask_before_handling_new_types", prefVal]],
+    });
+    // Focus, open and close the panel once
+    // to make sure the panel is loaded and ready
+    await promiseFocus();
+    await runTest(
+      SECURE_BASE_URL,
+      "insecure",
+      async () => {
+        let panelHasOpened = promisePanelOpened();
+        info("awaiting that the download is triggered and added to the list");
+        await Promise.all([shouldTriggerDownload(), shouldNotifyDownloadUI()]);
+        info("awaiting that the Download list shows itself");
+        await panelHasOpened;
+        DownloadsPanel.hidePanel();
+        ok(true, "The Download Panel should have opened on blocked download");
+      },
+      "A Blocked Download Should open the Download Panel"
+    );
+    await SpecialPowers.popPrefEnv();
+  }
+});
+
+// Test Download an insecure svg and choose "Open with Firefox"
+add_task(async function download_open_insecure_SVG() {
+  const mimeInfo = MIMEService.getFromTypeAndExtension("image/svg+xml", "svg");
+  mimeInfo.alwaysAskBeforeHandling = false;
+  mimeInfo.preferredAction = mimeInfo.handleInternally;
+  HandlerService.store(mimeInfo);
+
+  await SpecialPowers.pushPrefEnv({
+    set: [["browser.download.always_ask_before_handling_new_types", false]],
+  });
+  await promiseFocus();
+  await runTest(
+    SECURE_BASE_URL,
+    "insecureSVG",
+    async () => {
+      info("awaiting that the download is triggered and added to the list");
+      let [_, download] = await Promise.all([
+        shouldTriggerDownload("handleInternally"),
+        shouldNotifyDownloadUI(),
+      ]);
+
+      let newTabPromise = BrowserTestUtils.waitForNewTab(gBrowser);
+      await download.unblock();
+      ok(download.error == null, "There should be no error after unblocking");
+
+      let tab = await newTabPromise;
+
+      ok(
+        tab.linkedBrowser._documentURI.filePath.includes(".svg"),
+        "The download target was opened"
+      );
+      BrowserTestUtils.removeTab(tab);
+      ok(true, "The Content was opened in a new tab");
+      await SpecialPowers.popPrefEnv();
+    },
+    "A Blocked SVG can be opened internally"
+  );
+
+  HandlerService.remove(mimeInfo);
+});
diff --git a/dom/security/test/mixedcontentblocker/download_page.html b/dom/security/test/mixedcontentblocker/download_page.html
new file mode 100644
index 0000000000..86f605c478
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/download_page.html
@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=676619
+-->
+  <head>
+
+    <title>Test for the download attribute</title>
+
+  </head>
+  <body>
+    hi
+
+    <script>
+      const host = window.location.host;
+      const path = location.pathname.replace("download_page.html","download_server.sjs");
+
+      const secureLink = document.createElement("a");
+      secureLink.href=`https://${host}/${path}`;
+      secureLink.download="true";
+      secureLink.textContent="Secure Link";
+      secureLink.id="secure";
+
+      const insecureLink = document.createElement("a");        
+      insecureLink.href=`http://${host}/${path}`;
+      insecureLink.download="true";
+      insecureLink.id="insecure";
+      insecureLink.textContent="Not secure Link";
+
+      const insecureSVG = document.createElement("a");        
+      insecureSVG.href=`http://${host}/${path}?type=image/svg+xml&name=example.svg`;
+      insecureSVG.download="true";
+      insecureSVG.id="insecureSVG";
+      insecureSVG.textContent="Not secure Link to SVG";
+
+      document.body.append(insecureSVG);
+      document.body.append(secureLink);
+      document.body.append(insecureLink);
+  </script>
+  </body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/download_server.sjs b/dom/security/test/mixedcontentblocker/download_server.sjs
new file mode 100644
index 0000000000..e659df2f40
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/download_server.sjs
@@ -0,0 +1,20 @@
+// force the Browser to Show a Download Prompt
+
+function handleRequest(request, response) {
+  let type = "image/png";
+  let filename = "hello.png";
+  request.queryString.split("&").forEach(val => {
+    var [key, value] = val.split("=");
+    if (key == "type") {
+      type = value;
+    }
+    if (key == "name") {
+      filename = value;
+    }
+  });
+
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Disposition", `attachment; filename=${filename}`);
+  response.setHeader("Content-Type", type);
+  response.write("🙈🙊🐵🙊");
+}
diff --git a/dom/security/test/mixedcontentblocker/file_auth_download_page.html b/dom/security/test/mixedcontentblocker/file_auth_download_page.html
new file mode 100644
index 0000000000..931d9d00ad
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_auth_download_page.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <title>Test mixed content download with auth header by https-first</title>
+  </head>
+  <body>
+    hi
+
+    <script>
+      const host = window.location.host;
+      const path = location.pathname.replace("file_auth_download_page.html","file_auth_download_server.sjs");
+
+      const insecureLink = document.createElement("a");
+      insecureLink.href = `http://${host}${path}?user=user&pass=pass`;
+      insecureLink.download = "true";
+      insecureLink.id = "insecure";
+      insecureLink.textContent = "Not secure Link";
+
+      document.body.append(insecureLink);
+  </script>
+  </body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_auth_download_server.sjs b/dom/security/test/mixedcontentblocker/file_auth_download_server.sjs
new file mode 100644
index 0000000000..d28625abb6
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_auth_download_server.sjs
@@ -0,0 +1,62 @@
+"use strict";
+
+function handleRequest(request, response) {
+  let match;
+
+  // Allow the caller to drive how authentication is processed via the query.
+  // Eg, http://localhost:8888/authenticate.sjs?user=foo&realm=bar
+  // The extra ? allows the user/pass/realm checks to succeed if the name is
+  // at the beginning of the query string.
+  Components.utils.importGlobalProperties(["URLSearchParams"]);
+  let query = new URLSearchParams(request.queryString);
+
+  let expected_user = query.get("user");
+  let expected_pass = query.get("pass");
+  let realm = query.get("realm");
+
+  // Look for an authentication header, if any, in the request.
+  //
+  // EG: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
+  //
+  // This test only supports Basic auth. The value sent by the client is
+  // "username:password", obscured with base64 encoding.
+
+  let actual_user = "",
+    actual_pass = "",
+    authHeader;
+  if (request.hasHeader("Authorization")) {
+    authHeader = request.getHeader("Authorization");
+    match = /Basic (.+)/.exec(authHeader);
+    if (match.length != 2) {
+      throw new Error("Couldn't parse auth header: " + authHeader);
+    }
+    // Decode base64 to string
+    let userpass = atob(match[1]);
+    match = /(.*):(.*)/.exec(userpass);
+    if (match.length != 3) {
+      throw new Error("Couldn't decode auth header: " + userpass);
+    }
+    actual_user = match[1];
+    actual_pass = match[2];
+  }
+
+  // Don't request authentication if the credentials we got were what we
+  // expected.
+  let requestAuth =
+    expected_user != actual_user || expected_pass != actual_pass;
+
+  if (requestAuth) {
+    response.setStatusLine("1.0", 401, "Authentication required");
+    response.setHeader("WWW-Authenticate", 'basic realm="' + realm + '"', true);
+    response.write("Authentication required");
+  } else {
+    response.setStatusLine("1.0", 200, "OK");
+    response.setHeader("Cache-Control", "no-cache", false);
+    response.setHeader(
+      "Content-Disposition",
+      "attachment; filename=dummy-file.html"
+    );
+    response.setHeader("Content-Type", "text/html");
+    response.write("<p id='success'>SUCCESS</p>");
+  }
+}
diff --git a/dom/security/test/mixedcontentblocker/file_bug1551886.html b/dom/security/test/mixedcontentblocker/file_bug1551886.html
new file mode 100644
index 0000000000..41c46b5273
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_bug1551886.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+<script>
+    let f = document.createElement("iframe");
+    f.src = "data:text/html,<iframe src='http://example.com' onload=\"parent.postMessage({status:'loaded', type: 'http'}, 'https://example.com')\" onerror=\"parent.postMessage({status:'blocked', type: 'http'}, 'https://example.com')\"></iframe>";
+    window.addEventListener("message", (event) => {
+        parent.postMessage(event.data, "http://mochi.test:8888");
+
+        // Only create second iframe once
+        if(event.data.type === "https") {
+            return;
+        }
+
+        let f2 = document.createElement("iframe");
+        f2.src = "data:text/html,<iframe src='https://example.com' onload=\"parent.postMessage({status:'loaded', type: 'https'}, 'https://example.com')\" onerror=\"parent.postMessage({status:'blocked', type: 'https'}, 'https://example.com')\"></iframe>";
+        document.body.appendChild(f2);
+    });
+    document.body.appendChild(f);
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_bug803225_test_mailto.html b/dom/security/test/mixedcontentblocker/file_bug803225_test_mailto.html
new file mode 100644
index 0000000000..f1459d3667
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_bug803225_test_mailto.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker - Mailto Protocol Compose Page
+https://bugzilla.mozilla.org/show_bug.cgi?id=803225
+-->
+<head> <meta charset="utf-8"> 
+</head>
+<body>
+Hello
+<script>window.close();</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html b/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html
new file mode 100644
index 0000000000..80e97443ed
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1806080 - ML2 with CSP block-all-mixed-content </title>
+  <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+</head>
+<body>
+   <!--upgradeable resources--->
+  <img id="some-img" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/pass.png" width="100px">
+  <video id="some-video" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.ogv" width="100px">
+  <audio id="some-audio" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.wav" width="100px">
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_frameNavigation.html b/dom/security/test/mixedcontentblocker/file_frameNavigation.html
new file mode 100644
index 0000000000..fd9ea23178
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_frameNavigation.html
@@ -0,0 +1,74 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker related to navigating children, grandchildren, etc
+https://bugzilla.mozilla.org/show_bug.cgi?id=840388
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Mixed Content Frame Navigation</title>
+</head>
+<body>
+<div id="testContent"></div>
+
+<script>
+  var baseUrlHttps = "https://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html";
+
+  // For tests that require setTimeout, set the maximum polling time to 50 x 100ms = 5 seconds.
+  var MAX_COUNT = 50;
+  var TIMEOUT_INTERVAL = 100;
+
+  var testContent = document.getElementById("testContent");
+
+  // Test 1: Navigate secure iframe to insecure iframe on an insecure page
+  var iframe_test1 = document.createElement("iframe");
+  var counter_test1 = 0;
+  iframe_test1.src = baseUrlHttps + "?insecurePage_navigate_child";
+  iframe_test1.setAttribute("id", "test1");
+  iframe_test1.onerror = function() {
+    parent.postMessage({"test": "insecurePage_navigate_child", "msg": "got an onerror alert when loading or navigating testing iframe"}, "http://mochi.test:8888");
+  };
+  testContent.appendChild(iframe_test1);
+
+  function navigationStatus(iframe_test1)
+  {
+    // When the page is navigating, it goes through about:blank and we will get a permission denied for loc.
+    // Catch that specific exception and return
+    try {
+      var loc = document.getElementById("test1").contentDocument.location;
+    } catch(e) {
+      if (e.name === "SecurityError") {
+        // We received an exception we didn't expect.
+        throw e;
+      }
+      counter_test1++;
+      return;
+    }
+    if (loc == "http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?insecurePage_navigate_child_response") {
+      return;
+    }
+    else {
+      if(counter_test1 < MAX_COUNT) {
+        counter_test1++;
+        setTimeout(navigationStatus, TIMEOUT_INTERVAL, iframe_test1);
+      }
+      else {
+        // After we have called setTimeout the maximum number of times, assume navigating the iframe is blocked
+        parent.postMessage({"test": "insecurePage_navigate_child", "msg": "navigating to insecure iframe blocked on insecure page"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  setTimeout(navigationStatus, TIMEOUT_INTERVAL, iframe_test1);
+
+  // Test 2: Navigate secure grandchild iframe to insecure grandchild iframe on a page that has no secure parents
+  var iframe_test2 = document.createElement("iframe");
+  iframe_test2.src = "http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_grandchild.html"
+  iframe_test2.onerror = function() {
+    parent.postMessage({"test": "insecurePage_navigate_grandchild", "msg": "got an on error alert when loading or navigating testing iframe"}, "http://mochi.test:8888");
+  };
+  testContent.appendChild(iframe_test2);
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_frameNavigation_blankTarget.html b/dom/security/test/mixedcontentblocker/file_frameNavigation_blankTarget.html
new file mode 100644
index 0000000000..c4502ce8d2
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_frameNavigation_blankTarget.html
@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker - Opening link with _blank target in an https iframe.
+https://bugzilla.mozilla.org/show_bug.cgi?id=841850
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Mixed Content Frame Navigation</title>
+</head>
+<body>
+<a href="http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?blankTarget" id="blankTarget" target="_blank" rel="opener">Go to http site</a>
+
+<script>
+  var blankTarget = document.getElementById("blankTarget");
+  blankTarget.click();
+
+  var observer = {
+    observe(subject, topic, data) {
+     if (topic === "specialpowers-http-notify-request" &&
+         data === "http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?blankTarget") {
+        parent.parent.postMessage({"test": "blankTarget", "msg": "opened an http link with target=_blank from a secure page"}, "http://mochi.test:8888");
+        SpecialPowers.removeObserver(observer, "specialpowers-http-notify-request");
+      }
+    }
+  }
+
+  // This is a special observer topic that is proxied from http-on-modify-request
+  // in the parent process to inform us when a URI is loaded
+  SpecialPowers.addObserver(observer, "specialpowers-http-notify-request");
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_frameNavigation_grandchild.html b/dom/security/test/mixedcontentblocker/file_frameNavigation_grandchild.html
new file mode 100644
index 0000000000..10cf1e4d90
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_frameNavigation_grandchild.html
@@ -0,0 +1,57 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker - Navigating Grandchild frames when a secure parent doesn't exist
+https://bugzilla.mozilla.org/show_bug.cgi?id=840388
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Mixed Content Frame Navigation</title>
+</head>
+<body>
+<iframe src="https://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?insecurePage_navigate_grandchild" id="child"></iframe>
+
+<script>
+  // For tests that require setTimeout, set the maximum polling time to 100 x 100ms = 10 seconds.
+  var MAX_COUNT = 50;
+  var TIMEOUT_INTERVAL = 100;
+  var counter = 0;
+
+  var child = document.getElementById("child");
+  function navigationStatus(child)
+  {
+    // When the page is navigating, it goes through about:blank and we will get a permission denied for loc.
+    // Catch that specific exception and return
+    try {
+      var loc;
+      if (child.contentDocument) {
+        loc = child.contentDocument.location;
+      }
+    } catch(e) {
+      if (e.message && !e.message.includes("Permission denied to access property")) {
+        // We received an exception we didn't expect.
+        throw e;
+      }
+      counter++;
+      return;
+    }
+    if (loc == "http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?insecurePage_navigate_grandchild_response") {
+      return;
+    }
+    else {
+      if(counter < MAX_COUNT) {
+        counter++;
+        setTimeout(navigationStatus, TIMEOUT_INTERVAL, child);
+      }
+      else {
+        // After we have called setTimeout the maximum number of times, assume navigating the iframe is blocked
+        parent.parent.postMessage({"test": "insecurePage_navigate_grandchild", "msg": "navigating to insecure grandchild iframe blocked on insecure page"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  setTimeout(navigationStatus, TIMEOUT_INTERVAL, child);
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html b/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html
new file mode 100644
index 0000000000..251bb73e33
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html
@@ -0,0 +1,74 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+<div id="content"></div>
+<script>
+  // get the case from the query string
+  var type = location.search.substring(1);
+
+  function clickLink() {
+    // If we don't reflow before clicking the link, the test will fail intermittently. The reason is still unknown. We'll track this issue in bug 1259715.
+    requestAnimationFrame(function() {
+      setTimeout(function() {
+        document.getElementById("link").click();
+      }, 0);
+    });
+  }
+
+  switch (type) {
+    case "insecurePage_navigate_child":
+      document.getElementById("content").innerHTML =
+        '<a href="http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?insecurePage_navigate_child_response" id="link">Testing\<\/a>';
+      clickLink();
+      break;
+
+    case "insecurePage_navigate_child_response":
+      parent.parent.postMessage({"test": "insecurePage_navigate_child", "msg": "navigated to insecure iframe on insecure page"}, "http://mochi.test:8888");
+      document.getElementById("content").innerHTML = "Navigated from secure to insecure frame on an insecure page";
+      break;
+
+    case "insecurePage_navigate_grandchild":
+      document.getElementById("content").innerHTML =
+        '<a href="http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?insecurePage_navigate_grandchild_response" id="link">Testing\<\/a>';
+      clickLink();
+      break;
+
+    case "insecurePage_navigate_grandchild_response":
+      parent.parent.parent.postMessage({"test": "insecurePage_navigate_grandchild", "msg": "navigated to insecure grandchild iframe on insecure page"}, "http://mochi.test:8888");
+      document.getElementById("content").innerHTML = "Navigated from secure to insecure grandchild frame on an insecure page";
+      break;
+
+    case "securePage_navigate_child":
+      document.getElementById("content").innerHTML =
+        '<a href="http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?securePage_navigate_child_response" id="link">Testing\<\/a>';
+      clickLink();
+      break;
+
+    case "securePage_navigate_child_response":
+      document.getElementById("content").innerHTML = "<p>Navigated from secure to insecure frame on a secure page</p>";
+      parent.parent.postMessage({"test": "securePage_navigate_child", "msg": "navigated to insecure iframe on secure page"}, "http://mochi.test:8888");
+      break;
+
+    case "securePage_navigate_grandchild":
+      document.getElementById("content").innerHTML=
+        '<a href="http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?securePage_navigate_grandchild_response" id="link">Testing\<\/a>';
+      clickLink();
+      break;
+
+    case "securePage_navigate_grandchild_response":
+      parent.parent.parent.postMessage({"test": "securePage_navigate_grandchild", "msg": "navigated to insecure grandchild iframe on secure page"}, "http://mochi.test:8888");
+      document.getElementById("content").innerHTML = "<p>Navigated from secure to insecure grandchild frame on a secure page</p>";
+      break;
+
+    case "blankTarget":
+      window.close();
+      break;
+
+    default:
+      document.getElementById("content").innerHTML = "Hello";
+      break;
+   }
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_frameNavigation_secure.html b/dom/security/test/mixedcontentblocker/file_frameNavigation_secure.html
new file mode 100644
index 0000000000..692d542067
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_frameNavigation_secure.html
@@ -0,0 +1,73 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker related to navigating children, grandchildren, etc
+https://bugzilla.mozilla.org/show_bug.cgi?id=840388
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Mixed Content Frame Navigation</title>
+</head>
+<body>
+<div id="testContent"></div>
+
+<script>
+  var baseUrl = "https://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html";
+
+  // For tests that require setTimeout, set the maximum polling time to 50 x 100ms = 5 seconds.
+  var MAX_COUNT = 50;
+  var TIMEOUT_INTERVAL = 100;
+
+  var testContent = document.getElementById("testContent");
+
+  // Test 1: Navigate secure iframe to insecure iframe on a secure page
+  var iframe_test1 = document.createElement("iframe");
+  var counter_test1 = 0;
+  iframe_test1.setAttribute("id", "test1");
+  iframe_test1.src = baseUrl + "?securePage_navigate_child";
+  iframe_test1.onerror = function() {
+    parent.postMessage({"test": "securePage_navigate_child", "msg": "navigating to insecure iframe blocked on secure page"}, "http://mochi.test:8888");
+  };
+  testContent.appendChild(iframe_test1);
+
+  function navigationStatus(iframe_test1)
+  {
+    // When the page is navigating, it goes through about:blank and we will get a permission denied for loc.
+    // Catch that specific exception and return
+    try {
+      var loc = document.getElementById("test1").contentDocument.location;
+    } catch(e) {
+      if (e.name === "SecurityError") {
+        // We received an exception we didn't expect.
+        throw e;
+      }
+      counter_test1++;
+      return;
+    }
+    if (loc == "http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?insecurePage_navigate_child_response") {
+      return;
+    } else {
+      if(counter_test1 < MAX_COUNT) {
+        counter_test1++;
+        setTimeout(navigationStatus, TIMEOUT_INTERVAL, iframe_test1);
+      }
+      else {
+        // After we have called setTimeout the maximum number of times, assume navigating the iframe is blocked
+        parent.postMessage({"test": "securePage_navigate_child", "msg": "navigating to insecure iframe blocked on secure page"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  setTimeout(navigationStatus, TIMEOUT_INTERVAL, iframe_test1);
+
+  // Test 2: Open an http page in a new tab from a link click with target=_blank.
+  var iframe_test3 = document.createElement("iframe");
+  iframe_test3.src = "https://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_blankTarget.html";
+  iframe_test3.onerror = function() {
+    parent.postMessage({"test": "blankTarget", "msg": "got an onerror event when loading or navigating testing iframe"}, "http://mochi.test:8888");
+  };
+  testContent.appendChild(iframe_test3);
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_frameNavigation_secure_grandchild.html b/dom/security/test/mixedcontentblocker/file_frameNavigation_secure_grandchild.html
new file mode 100644
index 0000000000..235ac0055e
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_frameNavigation_secure_grandchild.html
@@ -0,0 +1,58 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker - Navigating Grandchild Frames when a secure parent exists
+https://bugzilla.mozilla.org/show_bug.cgi?id=840388
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Mixed Content Frame Navigation</title>
+</head>
+<body>
+
+<iframe src="https://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?securePage_navigate_grandchild" id="child"></iframe>
+<script>
+  // For tests that require setTimeout, set the maximum polling time to 50 x 100ms = 5 seconds.
+  var MAX_COUNT = 50;
+  var TIMEOUT_INTERVAL = 100;
+  var counter = 0;
+
+  var child = document.getElementById("child");
+  function navigationStatus(child)
+  {
+    var loc;
+    // When the page is navigating, it goes through about:blank and we will get a permission denied for loc.
+    // Catch that specific exception and return
+    try {
+      loc = document.getElementById("child").contentDocument.location;
+    } catch(e) {
+      if (e.message && !e.message.includes("Permission denied to access property")) {
+        // We received an exception we didn't expect.
+        throw e;
+      }
+      counter++;
+      return;
+    }
+    if (loc == "http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_innermost.html?securePage_navigate_grandchild_response") {
+      return;
+    }
+    else {
+      if(counter < MAX_COUNT) {
+        counter++;
+        setTimeout(navigationStatus, TIMEOUT_INTERVAL, child);
+      }
+      else {
+        // After we have called setTimeout the maximum number of times, assume navigating the iframe is blocked
+        dump("\nThe current location of the grandchild iframe is: "+loc+".\n");
+        dump("\nWe have past the maximum timeout.  Navigating a grandchild iframe from an https location to an http location on a secure page failed.  We are about to post message to the top level page\n");
+        parent.parent.postMessage({"test": "securePage_navigate_grandchild", "msg": "navigating to insecure grandchild iframe blocked on secure page"}, "http://mochi.test:8888");
+        dump("\nAttempted postMessage\n");
+      }
+    }
+  }
+
+  setTimeout(navigationStatus, TIMEOUT_INTERVAL, child);
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_main.html b/dom/security/test/mixedcontentblocker/file_main.html
new file mode 100644
index 0000000000..e4a2d8d08b
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_main.html
@@ -0,0 +1,338 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker
+https://bugzilla.mozilla.org/show_bug.cgi?id=62178
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 62178</title>
+  <script src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+<body>
+<div id="testContent"></div>
+
+<!-- types the Mixed Content Blocker can block
+     /*
+  switch (aContentType) {
+  case nsIContentPolicy::TYPE_OBJECT:
+  case nsIContentPolicy::TYPE_SCRIPT:
+  case nsIContentPolicy::TYPE_STYLESHEET:
+  case nsIContentPolicy::TYPE_SUBDOCUMENT:
+  case nsIContentPolicy::TYPE_XMLHTTPREQUEST:
+
+  case nsIContentPolicy::TYPE_FONT: - NO TEST:
+    Load events for external fonts are not detectable by javascript.
+  case nsIContentPolicy::TYPE_WEBSOCKET: - NO TEST:
+    websocket connections over https require an encrypted websocket protocol (wss:)
+
+  case nsIContentPolicy::TYPE_IMAGE:
+  case nsIContentPolicy::TYPE_IMAGESET:
+  case nsIContentPolicy::TYPE_MEDIA:
+  case nsIContentPolicy::TYPE_PING:
+    our ping implementation is off by default and does not comply with the current spec (bug 786347)
+  case nsIContentPolicy::TYPE_BEACON:
+
+  }
+     */
+-->
+
+<script>
+  function ok(a, msg) {
+    parent.postMessage({msg, check: true, status: !!a}, "http://mochi.test:8888");
+  }
+
+  function is(a, b, msg) {
+    ok(a == b, msg);
+  }
+
+  function report(type, msg) {
+    parent.postMessage({test: type, msg}, "http://mochi.test:8888");
+  }
+
+  function uniqueID() {
+    return Math.floor(Math.random() * 100000)
+  }
+  function uniqueIDParam(id) {
+    return "&uniqueID=" + id;
+  }
+
+  async function init() {
+    var baseUrl = "http://example.com/tests/dom/security/test/mixedcontentblocker/file_server.sjs";
+    var checkLastRequestUrl = "https://example.com/tests/dom/security/test/mixedcontentblocker/file_server.sjs?lastRequest=true";
+
+    //For tests that require setTimeout, set the maximum polling time to 100 x 100ms = 10 seconds.
+    var MAX_COUNT = 100;
+    var TIMEOUT_INTERVAL = 100;
+
+    var testContent = document.getElementById("testContent");
+
+    async function checkLastRequest() {
+      const response = await fetch(checkLastRequestUrl);
+      return response.json();
+    }
+
+    /* Part 1: Mixed Script tests */
+
+    // Test 1a: insecure object
+    var object = document.createElement("object");
+    var objectId = uniqueID();
+    object.data = baseUrl + "?type=object" + uniqueIDParam(objectId);
+    object.type = "image/png";
+    object.width = "200";
+    object.height = "200";
+
+    testContent.appendChild(object);
+
+    var objectCount = 0;
+
+    function objectStatus(object) {
+      // Expose our privileged bits on the object.  We will match the MIME type to the one
+      // provided by file_server.sjs
+      object = SpecialPowers.wrap(object);
+      var typeIsSet = object.actualType && (object.actualType !== '');
+      var isLoaded = typeIsSet && object.actualType === 'application/x-test-match';
+      if (isLoaded) {
+        //object loaded
+        report("object", "insecure object loaded");
+      }
+      else {
+        if(!typeIsSet && objectCount < MAX_COUNT) {
+          objectCount++;
+          setTimeout(objectStatus, TIMEOUT_INTERVAL, object);
+        }
+        else {
+          //After we have called setTimeout the maximum number of times, assume object is blocked
+          report("object", "insecure object blocked");
+        }
+      }
+    }
+
+    // object does not have onload and onerror events. Hence we need a setTimeout to check the object's status
+    setTimeout(objectStatus, TIMEOUT_INTERVAL, object);
+
+    // Test 1b: insecure script
+    var script = document.createElement("script");
+    var scriptId = uniqueID();
+    var scriptLoad = false;
+    var scriptCount = 0;
+    script.src = baseUrl + "?type=script" + uniqueIDParam(scriptId);
+    script.onload = function(e) {
+      report("script", "insecure script loaded");
+      scriptLoad = true;
+    }
+    testContent.appendChild(script);
+
+    function scriptStatus(script)
+    {
+      if(scriptLoad) {
+        return;
+      }
+      else {
+        if(scriptCount < MAX_COUNT) {
+          scriptCount++;
+          setTimeout(scriptStatus, TIMEOUT_INTERVAL, script);
+        }
+        else {
+          //After we have called setTimeout the maximum number of times, assume script is blocked
+          report("script", "insecure script blocked");
+        }
+      }
+    }
+
+    // scripts blocked by Content Policy's do not have onerror events (see bug 789856).  Hence we need a setTimeout to check the script's status
+    setTimeout(scriptStatus, TIMEOUT_INTERVAL, script);
+
+
+    // Test 1c: insecure stylesheet
+    var cssStyleSheet = document.createElement("link");
+    var cssStyleSheetId = uniqueID();
+    cssStyleSheet.rel = "stylesheet";
+    cssStyleSheet.href = baseUrl + "?type=stylesheet" + uniqueIDParam(cssStyleSheetId);
+    cssStyleSheet.type = "text/css";
+    testContent.appendChild(cssStyleSheet);
+
+    var styleCount = 0;
+
+    function styleStatus(cssStyleSheet) {
+      if( cssStyleSheet.sheet || cssStyleSheet.styleSheet || cssStyleSheet.innerHTML ) {
+        report("stylesheet", "insecure stylesheet loaded");
+      }
+      else {
+        if(styleCount < MAX_COUNT) {
+          styleCount++;
+          setTimeout(styleStatus, TIMEOUT_INTERVAL, cssStyleSheet);
+        }
+        else {
+          //After we have called setTimeout the maximum number of times, assume stylesheet is blocked
+          report("stylesheet", "insecure stylesheet blocked");
+        }
+      }
+    }
+
+    // link does not have onload and onerror events. Hence we need a setTimeout to check the link's status
+    window.setTimeout(styleStatus, TIMEOUT_INTERVAL, cssStyleSheet);
+
+    // Test 1d: insecure iframe
+    var iframe = document.createElement("iframe");
+    var iframeId = uniqueID();
+    iframe.src = baseUrl + "?type=iframe" + uniqueIDParam(iframeId);
+    iframe.onload = function() {
+      report("iframe", "insecure iframe loaded");
+    }
+    iframe.onerror = function() {
+      report("iframe", "insecure iframe blocked");
+    };
+    testContent.appendChild(iframe);
+
+
+    // Test 1e: insecure xhr
+    await new Promise((resolve) => {
+      var xhr = new XMLHttpRequest;
+      var xhrId = uniqueID();
+      try {
+        xhr.open("GET", baseUrl + "?type=xhr" + uniqueIDParam(xhrId), true);
+        xhr.send();
+        xhr.onloadend = function (oEvent) {
+          if (xhr.status == 200) {
+            report("xhr", "insecure xhr loaded");
+            resolve();
+          }
+          else {
+            report("xhr", "insecure xhr blocked");
+            resolve();
+          }
+        }
+      } catch(ex) {
+         report("xhr", "insecure xhr blocked");
+        resolve();
+      }
+    });
+
+    /* Part 2: Mixed Display tests */
+
+    // Shorthand for all image test variants
+    async function imgHandlers(img, test, uniqueID) {
+      await new Promise((resolve) => {
+        img.onload = async () => {
+          const lastRequest = await checkLastRequest();
+          is(lastRequest.uniqueID, uniqueID, "UniqueID for the last request matches");
+          let message = "insecure image loaded";
+          if (lastRequest.scheme == "https") {
+            message = "secure image loaded after upgrade";
+          }
+          report(test, message);
+          resolve();
+        }
+        img.onerror = async () => {
+          let message = "insecure image blocked";
+          report(test, message);
+          resolve();
+        }
+      });
+    }
+
+    // Test 2a: insecure image
+    var img = document.createElement("img");
+    var imgId = uniqueID();
+    img.src = baseUrl + "?type=img" + uniqueIDParam(imgId);
+    await imgHandlers(img, "image", imgId);
+    // We don't need to append the image to the document. Doing so causes the image test to run twice.
+
+    // Test 2b: insecure media
+    var media = document.createElement("video");
+    var mediaId = uniqueID();
+    media.src = baseUrl + "?type=media" + uniqueIDParam(mediaId);
+    media.width = "320";
+    media.height = "200";
+    media.type = "video/ogg";
+    await new Promise(res => {
+      media.onloadeddata = async () => {
+        const lastRequest = await checkLastRequest();
+        is(lastRequest.uniqueID, mediaId, "UniqueID for the last request matches");
+        let message = "insecure media loaded";
+        if (lastRequest.scheme == "https") {
+          message = "secure media loaded after upgrade";
+        }
+        report("media", message);
+        res();
+      }
+      media.onerror = function() {
+        report("media", "insecure media blocked");
+        res();
+      }
+    });
+    // We don't need to append the video to the document. Doing so causes the image test to run twice.
+
+    /* Part 3: Mixed Active Tests for Image srcset */
+
+    // Test 3a: image with srcset
+    var imgA = document.createElement("img");
+    var imgAId = uniqueID();
+    imgA.srcset = baseUrl + "?type=img&subtype=imageSrcset" + uniqueIDParam(imgAId);
+    await imgHandlers(imgA, "imageSrcset", imgAId);
+
+    // Test 3b: image with srcset, using fallback from src, should still use imageset policy
+    var imgB = document.createElement("img");
+    var imgBId = uniqueID();
+    imgB.srcset = " ";
+    imgB.src = baseUrl + "?type=img&subtype=imageSrcSetFallback" + uniqueIDParam(imgBId);
+    await imgHandlers(imgB, "imageSrcsetFallback", imgBId);
+
+    // Test 3c: image in <picture>
+    var imgC = document.createElement("img");
+    var pictureC = document.createElement("picture");
+    var sourceC = document.createElement("source");
+    var sourceCId = uniqueID();
+    sourceC.srcset = baseUrl + "?type=img&subtype=imagePicture" + uniqueIDParam(sourceCId);
+    pictureC.appendChild(sourceC);
+    pictureC.appendChild(imgC);
+    await imgHandlers(imgC, "imagePicture", sourceCId);
+
+    // Test 3d: Loaded basic image switching to a <picture>, loading
+    //          same source, should still redo the request with new
+    //          policy.
+    var imgD = document.createElement("img");
+    var imgDId = uniqueID();
+    var sourceDId = uniqueID();
+    imgD.src = baseUrl + "?type=img&subtype=imageJoinPicture" + uniqueIDParam(imgDId);
+    await new Promise(res => {
+      imgD.onload = imgD.onerror = function() {
+        // Whether or not it loads, we want to now append it to a picture and observe
+        var pictureD = document.createElement("picture");
+        var sourceD = document.createElement("source");
+        sourceD.srcset = baseUrl + "?type=img&subtype=imageJoinPicture2" + uniqueIDParam(sourceDId);
+        pictureD.appendChild(sourceD);
+        pictureD.appendChild(imgD);
+        res();
+      }
+    });
+    await imgHandlers(imgD, "imageJoinPicture", sourceDId);
+
+    // Test 3e: img load from <picture> source reverts to img.src as it
+    //          is removed -- the new request should revert to mixed
+    //          display policy
+    var imgE = document.createElement("img");
+    var pictureE = document.createElement("picture");
+    var pictureEId = uniqueID();
+    var sourceE = document.createElement("source");
+    var sourceEId = uniqueID();
+    sourceE.srcset = baseUrl + "?type=img&subtype=imageLeavePicture" + uniqueIDParam(sourceEId);
+    pictureE.appendChild(sourceE);
+    pictureE.appendChild(imgE);
+    imgE.src = baseUrl + "?type=img&subtype=imageLeavePicture2" + uniqueIDParam(pictureEId);
+    await new Promise(res => {
+      imgE.onload = imgE.onerror = function() {
+        // Whether or not it loads, remove it from the picture and observe
+        pictureE.removeChild(imgE)
+        res();
+      }
+    });
+    await imgHandlers(imgE, "imageLeavePicture", pictureEId);
+  }
+
+  init();
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_main_bug803225.html b/dom/security/test/mixedcontentblocker/file_main_bug803225.html
new file mode 100644
index 0000000000..3404e54471
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_main_bug803225.html
@@ -0,0 +1,175 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker - Allowed Protocols
+https://bugzilla.mozilla.org/show_bug.cgi?id=803225
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 62178</title>
+  <script src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+<body>
+<div id="testContent"></div>
+
+<!-- Test additional schemes the Mixed Content Blocker should not block
+     "about" protocol URIs that are URI_SAFE_FOR_UNTRUSTED_CONTENT (moz-safe-about; see nsAboutProtocolHandler::NewURI
+     "data",
+     "javascript",
+     "mailto",
+     "resource",
+     "wss"
+-->
+
+<script>
+  const { AppConstants } = SpecialPowers.ChromeUtils.import(
+    "resource://gre/modules/AppConstants.jsm"
+  );
+
+  //For tests that require setTimeout, set the timeout interval
+  var TIMEOUT_INTERVAL = 100;
+
+  var testContent = document.getElementById("testContent");
+
+  // Test 1 & 2: about and javascript protcols within an iframe
+  var data = Array(2,2);
+  var protocols = [
+                    ["about", ""], //When no source is specified, the frame gets a source of about:blank
+                    ["javascript", "javascript:document.open();document.write='<h1>SUCCESS</h1>';document.close();"],
+                  ];
+  for(var i=0; i < protocols.length; i++)
+  {
+    var generic_frame = document.createElement("iframe");
+    generic_frame.src = protocols[i][1];
+    generic_frame.name="generic_protocol";
+
+    generic_frame.onload = function(i) {
+      data = {"test": protocols[i][0], "msg": "resource with " + protocols[i][0] + " protocol loaded"};
+      parent.postMessage(data, "http://mochi.test:8888");
+    }.bind(generic_frame, i)
+
+    generic_frame.onerror = function(i) {
+      data = {"test": protocols[i][0], "msg": "resource with " + protocols[i][0] + " protocol did not load"};
+      parent.postMessage(data, "http://mochi.test:8888");
+    }.bind(generic_frame, i);
+
+    testContent.appendChild(generic_frame, i);
+  }
+
+  // Test 3: for resource within a script tag
+  // Note: the script we load throws an exception, but the script element's
+  // onload listener is called after we successfully fetch the script,
+  // independently of whether it throws an exception.
+  var resource_script=document.createElement("script");
+  resource_script.src = "resource://gre/modules/XPCOMUtils.sys.mjs";
+  resource_script.name = "resource_protocol";
+  resource_script.onload = function() {
+    parent.postMessage({"test": "resource", "msg": "resource with resource protocol loaded"}, "http://mochi.test:8888");
+  }
+  resource_script.onerror = function() {
+    parent.postMessage({"test": "resource", "msg": "resource with resource protocol did not load"}, "http://mochi.test:8888");
+  }
+
+  testContent.appendChild(resource_script);
+
+  // Test 4: about unsafe protocol within an iframe
+  var unsafe_about_frame = document.createElement("iframe");
+  unsafe_about_frame.src = "about:config";
+  unsafe_about_frame.name = "unsafe_about_protocol";
+  unsafe_about_frame.onload = function() {
+    parent.postMessage({"test": "unsafe_about", "msg": "resource with unsafe about protocol loaded"}, "http://mochi.test:8888");
+  }
+  unsafe_about_frame.onerror = function() {
+    parent.postMessage({"test": "unsafe_about", "msg": "resource with unsafe about protocol did not load"}, "http://mochi.test:8888");
+  }
+  testContent.appendChild(unsafe_about_frame);
+
+  // Test 5: data protocol within a script tag
+  var x = 2;
+  var newscript = document.createElement("script");
+  newscript.src= "data:text/javascript,var x = 4;";
+  newscript.onload = function() {
+    parent.postMessage({"test": "data_protocol", "msg": "resource with data protocol loaded"}, "http://mochi.test:8888");
+  }
+  newscript.onerror = function() {
+    parent.postMessage({"test": "data_protocol", "msg": "resource with data protocol did not load"}, "http://mochi.test:8888");
+  }
+  testContent.appendChild(newscript);
+
+  // Test 6: mailto protocol
+  let mm = SpecialPowers.loadChromeScript(function launchHandler() {
+    /* eslint-env mozilla/chrome-script */
+    var ioService = Cc["@mozilla.org/network/io-service;1"].
+                      getService(Ci.nsIIOService);
+
+    var webHandler = Cc["@mozilla.org/uriloader/web-handler-app;1"].
+                       createInstance(Ci.nsIWebHandlerApp);
+    webHandler.name = "Web Handler";
+    webHandler.uriTemplate = "http://example.com/tests/dom/security/test/mixedcontentblocker/file_bug803225_test_mailto.html?s=%";
+
+    Services.ppmm.addMessageListener("Test:content-ready", function contentReadyListener() {
+      Services.ppmm.removeMessageListener("Test:content-ready", contentReadyListener);
+      sendAsyncMessage("Test:content-ready-forward");
+      Services.ppmm.removeDelayedProcessScript(pScript);
+    })
+
+    var pScript = "data:,new " + function () {
+      /* eslint-env mozilla/process-script */
+      var os = Cc["@mozilla.org/observer-service;1"]
+        .getService(Ci.nsIObserverService);
+      var observer = {
+        observe(subject, topic, data) {
+        if (topic == "content-document-global-created" && data == "http://example.com") {
+           sendAsyncMessage("Test:content-ready");
+           os.removeObserver(observer, "content-document-global-created");
+        }
+      }
+      };
+      os.addObserver(observer, "content-document-global-created");
+    }
+
+    Services.ppmm.loadProcessScript(pScript, true);
+
+    var uri = ioService.newURI("mailto:foo@bar.com");
+    webHandler.launchWithURI(uri);
+  });
+
+  var mailto = false;
+
+  mm.addMessageListener("Test:content-ready-forward", function contentReadyListener() {
+    mm.removeMessageListener("Test:content-ready-forward", contentReadyListener);
+    mailto = true;
+    parent.postMessage({"test": "mailto", "msg": "resource with mailto protocol loaded"}, "http://mochi.test:8888");
+  });
+
+  function mailtoProtocolStatus() {
+    if(!mailto) {
+      //There is no onerror event associated with the WebHandler, and hence we need a setTimeout to check the status
+      setTimeout(mailtoProtocolStatus, TIMEOUT_INTERVAL);
+    }
+  }
+
+  mailtoProtocolStatus();
+
+  // Test 7: wss protocol
+  // WebSocket tests are not supported on Android Yet. Bug 1566168.
+  if (AppConstants.platform !== "android") {
+    var wss;
+    wss = new WebSocket("wss://example.com/tests/dom/security/test/mixedcontentblocker/file_main_bug803225_websocket");
+
+    var status_wss = "started";
+    wss.onopen = function(e) {
+       status_wss = "opened";
+       wss.close();
+    }
+    wss.onclose = function(e) {
+      if(status_wss == "opened") {
+        parent.postMessage({"test": "wss", "msg": "resource with wss protocol loaded"}, "http://mochi.test:8888");
+      } else {
+        parent.postMessage({"test": "wss", "msg": "resource with wss protocol did not load"}, "http://mochi.test:8888");
+      }
+    }
+  }
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_main_bug803225_websocket_wsh.py b/dom/security/test/mixedcontentblocker/file_main_bug803225_websocket_wsh.py
new file mode 100644
index 0000000000..b7159c742b
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_main_bug803225_websocket_wsh.py
@@ -0,0 +1,6 @@
+def web_socket_do_extra_handshake(request):
+    pass
+
+
+def web_socket_transfer_data(request):
+    pass
diff --git a/dom/security/test/mixedcontentblocker/file_mixed_content_auto_upgrade_display_console.html b/dom/security/test/mixedcontentblocker/file_mixed_content_auto_upgrade_display_console.html
new file mode 100644
index 0000000000..b86fbc9cbc
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_mixed_content_auto_upgrade_display_console.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1673574 - Improve Console logging for mixed content auto upgrading</title>
+</head>
+<body>
+  <!-- The following file does in fact not exist because we only care if it shows up in the console -->
+  <img src="http://example.com/file_mixed_content_auto_upgrade_display_console.jpg">
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_redirect.html b/dom/security/test/mixedcontentblocker/file_redirect.html
new file mode 100644
index 0000000000..99e1873791
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_redirect.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug1402363: Test mixed content redirects</title>
+</head>
+<body>
+
+<script type="text/javascript">
+  const PATH = "https://example.com/tests/dom/security/test/mixedcontentblocker/";
+
+  // check a fetch redirect from https to https (should be allowed)
+  fetch(PATH + "file_redirect_handler.sjs?https-to-https-redirect", {
+    method: 'get'
+  }).then(function(response) {
+    window.parent.postMessage("https-to-https-loaded", "*");
+  }).catch(function(err) {
+    window.parent.postMessage("https-to-https-blocked", "*");
+  });
+
+  // check a fetch redirect from https to http (should be blocked)
+  fetch(PATH + "file_redirect_handler.sjs?https-to-http-redirect", {
+    method: 'get'
+  }).then(function(response) {
+    window.parent.postMessage("https-to-http-loaded", "*");
+  }).catch(function(err) {
+    window.parent.postMessage("https-to-http-blocked", "*");
+  });
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_redirect_handler.sjs b/dom/security/test/mixedcontentblocker/file_redirect_handler.sjs
new file mode 100644
index 0000000000..4c134c00e8
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_redirect_handler.sjs
@@ -0,0 +1,35 @@
+// custom *.sjs file for
+// Bug 1402363: Test Mixed Content Redirect Blocking.
+
+const URL_PATH = "example.com/tests/dom/security/test/mixedcontentblocker/";
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+  let queryStr = request.queryString;
+
+  if (queryStr === "https-to-https-redirect") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader(
+      "Location",
+      "https://" + URL_PATH + "file_redirect_handler.sjs?load",
+      false
+    );
+    return;
+  }
+
+  if (queryStr === "https-to-http-redirect") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader(
+      "Location",
+      "http://" + URL_PATH + "file_redirect_handler.sjs?load",
+      false
+    );
+    return;
+  }
+
+  if (queryStr === "load") {
+    response.setHeader("Content-Type", "text/html", false);
+    response.write("foo");
+    return;
+  }
+}
diff --git a/dom/security/test/mixedcontentblocker/file_server.sjs b/dom/security/test/mixedcontentblocker/file_server.sjs
new file mode 100644
index 0000000000..3270a4ce15
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_server.sjs
@@ -0,0 +1,131 @@
+const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm");
+
+function ERR(response, msg) {
+  dump("ERROR: " + msg + "\n");
+  response.write("HTTP/1.1 400 Bad Request\r\n");
+  response.write("Content-Type: text/html; charset=UTF-8\r\n");
+  response.write("Content-Length: " + msg.length + "\r\n");
+  response.write("\r\n");
+  response.write(msg);
+}
+
+function loadContentFromFile(path) {
+  // Load the content to return in the response from file.
+  // Since it's relative to the cwd of the test runner, we start there and
+  // append to get to the actual path of the file.
+  var testContentFile = Components.classes[
+    "@mozilla.org/file/directory_service;1"
+  ]
+    .getService(Components.interfaces.nsIProperties)
+    .get("CurWorkD", Components.interfaces.nsIFile);
+  var dirs = path.split("/");
+  for (var i = 0; i < dirs.length; i++) {
+    testContentFile.append(dirs[i]);
+  }
+  var testContentFileStream = Components.classes[
+    "@mozilla.org/network/file-input-stream;1"
+  ].createInstance(Components.interfaces.nsIFileInputStream);
+  testContentFileStream.init(testContentFile, -1, 0, 0);
+  var testContent = NetUtil.readInputStreamToString(
+    testContentFileStream,
+    testContentFileStream.available()
+  );
+  return testContent;
+}
+
+function handleRequest(request, response) {
+  const { scheme, host, path } = request;
+  // get the Content-Type to serve from the query string
+  var contentType = null;
+  var uniqueID = null;
+  var showLastRequest = false;
+  request.queryString.split("&").forEach(function (val) {
+    var [name, value] = val.split("=");
+    if (name == "type") {
+      contentType = unescape(value);
+    }
+    if (name == "uniqueID") {
+      uniqueID = unescape(value);
+    }
+    if (name == "lastRequest") {
+      showLastRequest = true;
+    }
+  });
+
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  if (showLastRequest) {
+    response.setHeader("Content-Type", "text/html", false);
+
+    // We don't want to expose the same lastRequest multiple times.
+    var state = getState("lastRequest");
+    setState("lastRequest", "");
+
+    if (state == "") {
+      ERR(response, "No last request!");
+      return;
+    }
+
+    response.write(state);
+    return;
+  }
+
+  if (!uniqueID) {
+    ERR(response, "No uniqueID?!?");
+    return;
+  }
+
+  setState(
+    "lastRequest",
+    JSON.stringify({
+      scheme,
+      host,
+      path,
+      uniqueID,
+      contentType: contentType || "other",
+    })
+  );
+
+  switch (contentType) {
+    case "img":
+      response.setHeader("Content-Type", "image/png", false);
+      response.write(
+        loadContentFromFile("tests/image/test/mochitest/blue.png")
+      );
+      break;
+
+    case "media":
+      response.setHeader("Content-Type", "video/ogg", false);
+      response.write(loadContentFromFile("tests/dom/media/test/320x240.ogv"));
+      break;
+
+    case "iframe":
+      response.setHeader("Content-Type", "text/html", false);
+      response.write("frame content");
+      break;
+
+    case "script":
+      response.setHeader("Content-Type", "application/javascript", false);
+      break;
+
+    case "stylesheet":
+      response.setHeader("Content-Type", "text/css", false);
+      break;
+
+    case "object":
+      response.setHeader("Content-Type", "application/x-test-match", false);
+      break;
+
+    case "xhr":
+      response.setHeader("Content-Type", "text/xml", false);
+      response.setHeader("Access-Control-Allow-Origin", "https://example.com");
+      response.write('<?xml version="1.0" encoding="UTF-8" ?><test></test>');
+      break;
+
+    default:
+      response.setHeader("Content-Type", "text/html", false);
+      response.write("<html><body>Hello World</body></html>");
+      break;
+  }
+}
diff --git a/dom/security/test/mixedcontentblocker/mochitest.ini b/dom/security/test/mixedcontentblocker/mochitest.ini
new file mode 100644
index 0000000000..d94a775af9
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/mochitest.ini
@@ -0,0 +1,40 @@
+[DEFAULT]
+tags = mcb
+prefs =
+  security.mixed_content.upgrade_display_content=false
+  dom.security.https_first=false
+support-files =
+  file_bug803225_test_mailto.html
+  file_frameNavigation.html
+  file_frameNavigation_blankTarget.html
+  file_frameNavigation_grandchild.html
+  file_frameNavigation_innermost.html
+  file_frameNavigation_secure.html
+  file_frameNavigation_secure_grandchild.html
+  file_main.html
+  file_main_bug803225.html
+  file_main_bug803225_websocket_wsh.py
+  file_server.sjs
+  !/dom/media/test/320x240.ogv
+  !/image/test/mochitest/blue.png
+  file_redirect.html
+  file_redirect_handler.sjs
+  file_bug1551886.html
+
+[test_main.html]
+skip-if =
+    true
+    toolkit == 'android'
+    (verify && !debug && os == 'linux')  # Android: TIMED_OUT; bug 1402554
+    tsan  # Times out / Memory consumption, bug 1612707
+[test_bug803225.html]
+skip-if =
+  (os=='linux' && bits==32) || headless || tsan # Linux32:bug 1324870; Headless:bug 1405870; tsan:bug 1612707
+  http3
+[test_frameNavigation.html]
+skip-if =
+    true  # Bug 1424752
+[test_redirect.html]
+[test_bug1551886.html]
+skip-if =
+  http3
diff --git a/dom/security/test/mixedcontentblocker/pass.png b/dom/security/test/mixedcontentblocker/pass.png
new file mode 100644
index 0000000000..2fa1e0ac06
Binary files /dev/null and b/dom/security/test/mixedcontentblocker/pass.png differ
diff --git a/dom/security/test/mixedcontentblocker/test.ogv b/dom/security/test/mixedcontentblocker/test.ogv
new file mode 100644
index 0000000000..0f83996e5d
Binary files /dev/null and b/dom/security/test/mixedcontentblocker/test.ogv differ
diff --git a/dom/security/test/mixedcontentblocker/test.wav b/dom/security/test/mixedcontentblocker/test.wav
new file mode 100644
index 0000000000..85dc1ea904
Binary files /dev/null and b/dom/security/test/mixedcontentblocker/test.wav differ
diff --git a/dom/security/test/mixedcontentblocker/test_bug1551886.html b/dom/security/test/mixedcontentblocker/test_bug1551886.html
new file mode 100644
index 0000000000..bf128256a4
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/test_bug1551886.html
@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 1551886: Opaque documents aren't considered in the mixed content blocker</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body>
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+let f = document.createElement("iframe");
+f.src = "https://example.com/tests/dom/security/test/mixedcontentblocker/file_bug1551886.html";
+
+window.addEventListener("message", (event) => {
+    switch(event.data.type) {
+        case 'http':
+            is(event.data.status, "blocked", "nested load of http://example should get blocked by the MCB");
+            break
+        case 'https':
+            is(event.data.status, "loaded", "nested load of https://example should not get blocked by the MCB");
+            SimpleTest.finish();
+            break;
+    }
+});
+
+document.body.appendChild(f); 
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/test_bug803225.html b/dom/security/test/mixedcontentblocker/test_bug803225.html
new file mode 100644
index 0000000000..56f5e02e05
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/test_bug803225.html
@@ -0,0 +1,157 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Testing Allowlist of Resource Scheme for Mixed Content Blocker
+https://bugzilla.mozilla.org/show_bug.cgi?id=803225
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 803225</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+  <script>
+  const { AppConstants } = SpecialPowers.ChromeUtils.import(
+    "resource://gre/modules/AppConstants.jsm"
+  );
+
+  var counter = 0;
+  var settings = [ [true, true], [true, false], [false, true], [false, false] ];
+
+  var blockActive;
+  var blockDisplay;
+
+  //Cycle through 4 different preference settings.
+  function changePrefs(callback) {
+    let newPrefs = [
+      ["security.all_resource_uri_content_accessible", true], // Temporarily allow content to access all resource:// URIs.
+      ["security.mixed_content.block_display_content", settings[counter][0]],
+      ["security.mixed_content.block_active_content", settings[counter][1]]
+    ];
+
+    SpecialPowers.pushPrefEnv({"set": newPrefs}, function () {
+      blockDisplay = SpecialPowers.getBoolPref("security.mixed_content.block_display_content");
+      blockActive = SpecialPowers.getBoolPref("security.mixed_content.block_active_content");
+      counter++;
+      callback();
+    });
+  }
+
+  var testsToRun = {
+    /* https - Tests already run as part of bug 62178. */
+    about: false,
+    resource: false,
+    unsafe_about: false,
+    data_protocol: false,
+    javascript: false,
+  };
+
+  if (AppConstants.platform !== "android") {
+    // WebSocket tests are not supported on Android Yet. Bug 1566168.
+    testsToRun.wss = false;
+    testsToRun.mailto = false;
+  }
+
+  function log(msg) {
+    document.getElementById("log").textContent += "\n" + msg;
+  }
+
+  function reloadFrame() {
+    document.getElementById('framediv').innerHTML = '<iframe id="testHarness" src="https://example.com/tests/dom/security/test/mixedcontentblocker/file_main_bug803225.html"></iframe>';
+  }
+
+  function checkTestsCompleted() {
+    for (var prop in testsToRun) {
+      // some test hasn't run yet so we're not done
+      if (!testsToRun[prop])
+        return;
+    }
+    //if the testsToRun are all completed, change the pref and run the tests again until we have cycled through all the prefs.
+    if(counter < 4) {
+       for (var prop in testsToRun) {
+         testsToRun[prop] = false;
+       }
+      //call to change the preferences
+      changePrefs(function() {
+        log("\nblockDisplay set to "+blockDisplay+", blockActive set to "+blockActive+".");
+        reloadFrame();
+      });
+    }
+    else {
+      SimpleTest.finish();
+    }
+  }
+
+  var firstTest = true;
+
+  function receiveMessage(event) {
+    if(firstTest) {
+      log("blockDisplay set to "+blockDisplay+", blockActive set to "+blockActive+".");
+      firstTest = false;
+    }
+
+    log("test: "+event.data.test+", msg: "+event.data.msg + " logging message.");
+    // test that the load type matches the pref for this type of content
+    // (i.e. active vs. display)
+
+    switch(event.data.test) {
+
+      /* Mixed Script tests */
+      case "about":
+        ok(event.data.msg == "resource with about protocol loaded", "resource with about protocol did not load");
+        testsToRun.about = true;
+        break;
+
+      case "resource":
+        ok(event.data.msg == "resource with resource protocol loaded", "resource with resource protocol did not load");
+        testsToRun.resource = true;
+        break;
+
+      case "unsafe_about":
+        // This one should not load
+        ok(event.data.msg == "resource with unsafe about protocol did not load", "resource with unsafe about protocol loaded");
+        testsToRun.unsafe_about = true;
+        break;
+
+      case "data_protocol":
+        ok(event.data.msg == "resource with data protocol loaded", "resource with data protocol did not load");
+        testsToRun.data_protocol = true;
+        break;
+
+      case "javascript":
+        ok(event.data.msg == "resource with javascript protocol loaded", "resource with javascript protocol did not load");
+        testsToRun.javascript = true;
+        break;
+
+      case "wss":
+        ok(event.data.msg == "resource with wss protocol loaded", "resource with wss protocol did not load");
+        testsToRun.wss = true;
+        break;
+
+      case "mailto":
+        ok(event.data.msg == "resource with mailto protocol loaded", "resource with mailto protocol did not load");
+        testsToRun.mailto = true;
+        break;
+    }
+    checkTestsCompleted();
+  }
+
+  function startTest() {
+    //Set the first set of settings (true, true) and increment the counter.
+    changePrefs(function() {
+      // listen for a messages from the mixed content test harness
+      window.addEventListener("message", receiveMessage);
+
+      reloadFrame();
+    });
+  }
+
+  SimpleTest.waitForExplicitFinish();
+  </script>
+</head>
+
+<body onload='startTest()'>
+  <div id="framediv"></div>
+  <pre id="log"></pre>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/test_frameNavigation.html b/dom/security/test/mixedcontentblocker/test_frameNavigation.html
new file mode 100644
index 0000000000..82e3e715d2
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/test_frameNavigation.html
@@ -0,0 +1,127 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker
+https://bugzilla.mozilla.org/show_bug.cgi?id=840388
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 840388</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+  <script>
+  var counter = 0;
+  var origBlockActive = SpecialPowers.getBoolPref("security.mixed_content.block_active_content");
+
+  SpecialPowers.setBoolPref("security.mixed_content.block_active_content", true);
+  var blockActive = SpecialPowers.getBoolPref("security.mixed_content.block_active_content");
+
+
+  var testsToRunInsecure = {
+    insecurePage_navigate_child: false,
+    insecurePage_navigate_grandchild: false,
+  };
+
+  var testsToRunSecure = {
+    securePage_navigate_child: false,
+    blankTarget: false,
+  };
+
+  function log(msg) {
+    document.getElementById("log").textContent += "\n" + msg;
+  }
+
+  var secureTestsStarted = false;
+  async function checkTestsCompleted() {
+    for (var prop in testsToRunInsecure) {
+      // some test hasn't run yet so we're not done
+      if (!testsToRunInsecure[prop])
+        return;
+    }
+    // If we are here, all the insecure tests have run.
+    // If we haven't changed the iframe to run the secure tests, change it now.
+    if (!secureTestsStarted) {
+      document.getElementById('testing_frame').src = "https://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation_secure.html";
+      secureTestsStarted = true;
+    }
+    for (var prop in testsToRunSecure) {
+      // some test hasn't run yet so we're not done
+      if (!testsToRunSecure[prop])
+        return;
+    }
+    //if the secure and insecure testsToRun are all completed, change the block mixed active content pref and run the tests again.
+    if(counter < 1) {
+       for (var prop in testsToRunSecure) {
+         testsToRunSecure[prop] = false;
+       }
+       for (var prop in testsToRunInsecure) {
+         testsToRunInsecure[prop] = false;
+       }
+      //call to change the preferences
+      counter++;
+      await SpecialPowers.setBoolPref("security.mixed_content.block_active_content", false);
+      blockActive = SpecialPowers.getBoolPref("security.mixed_content.block_active_content");
+      log("blockActive set to "+blockActive+".");
+      secureTestsStarted = false;
+      document.getElementById('framediv').innerHTML = '<iframe src="http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation.html" id="testing_frame"></iframe>';
+    }
+    else {
+      //set the prefs back to what they were set to originally
+      SpecialPowers.setBoolPref("security.mixed_content.block_active_content", origBlockActive);
+      SimpleTest.finish();
+    }
+  }
+
+  var firstTestDebugMessage = true;
+
+  // listen for a messages from the mixed content test harness
+  window.addEventListener("message", receiveMessage);
+  function receiveMessage(event) {
+    if(firstTestDebugMessage) {
+      log("blockActive set to "+blockActive);
+      firstTestDebugMessage = false;
+    }
+
+    log("test: "+event.data.test+", msg: "+event.data.msg + ".");
+    // test that the load type matches the pref for this type of content
+    // (i.e. active vs. display)
+
+    switch(event.data.test) {
+
+      case "insecurePage_navigate_child":
+        is(event.data.msg, "navigated to insecure iframe on insecure page", "navigating to insecure iframe blocked on insecure page");
+        testsToRunInsecure.insecurePage_navigate_child = true;
+        break;
+
+      case "insecurePage_navigate_grandchild":
+        is(event.data.msg, "navigated to insecure grandchild iframe on insecure page", "navigating to insecure grandchild iframe blocked on insecure page");
+        testsToRunInsecure.insecurePage_navigate_grandchild = true;
+        break;
+
+      case "securePage_navigate_child":
+        ok(blockActive == (event.data.msg == "navigating to insecure iframe blocked on secure page"), "navigated to insecure iframe on secure page");
+        testsToRunSecure.securePage_navigate_child = true;
+        break;
+
+      case "blankTarget":
+        is(event.data.msg, "opened an http link with target=_blank from a secure page", "couldn't open an http link in a new window from a secure page");
+        testsToRunSecure.blankTarget = true;
+        break;
+
+    }
+    checkTestsCompleted();
+  }
+
+  SimpleTest.waitForExplicitFinish();
+  </script>
+</head>
+
+<body>
+  <div id="framediv">
+    <iframe src="http://example.com/tests/dom/security/test/mixedcontentblocker/file_frameNavigation.html" id="testing_frame"></iframe>
+  </div>
+
+  <pre id="log"></pre>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/test_main.html b/dom/security/test/mixedcontentblocker/test_main.html
new file mode 100644
index 0000000000..9a13a0853f
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/test_main.html
@@ -0,0 +1,231 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker
+https://bugzilla.mozilla.org/show_bug.cgi?id=62178
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 62178</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+  <script>
+  let counter = 0;
+  // blockDisplay blockActive upgradeDisplay
+  const settings = [
+    [true, true, true],
+    [true, false, true],
+    [false, true, true],
+    [false, false, true],
+    [true, true, false],
+    [true, false, false],
+    [false, true, false],
+    [false, false, false],
+  ];
+
+  let blockActive;
+  let blockDisplay;
+  let upgradeDisplay;
+
+  //Cycle through 8 different preference settings.
+  function changePrefs(otherPrefs, callback) {
+    let basePrefs = [["security.mixed_content.block_display_content", settings[counter][0]],
+                     ["security.mixed_content.block_active_content", settings[counter][1]],
+                     ["security.mixed_content.upgrade_display_content", settings[counter][2]]];
+    let newPrefs = basePrefs.concat(otherPrefs);
+
+    SpecialPowers.pushPrefEnv({"set": newPrefs}, function () {
+      blockDisplay = SpecialPowers.getBoolPref("security.mixed_content.block_display_content");
+      blockActive = SpecialPowers.getBoolPref("security.mixed_content.block_active_content");
+      upgradeDisplay = SpecialPowers.getBoolPref("security.mixed_content.upgrade_display_content");
+      counter++;
+      callback();
+    });
+  }
+
+  let testsToRun = {
+    iframe: false,
+    image: false,
+    imageSrcset: false,
+    imageSrcsetFallback: false,
+    imagePicture: false,
+    imageJoinPicture: false,
+    imageLeavePicture: false,
+    script: false,
+    stylesheet: false,
+    object: false,
+    media: false,
+    xhr: false,
+  };
+
+  function log(msg) {
+    document.getElementById("log").textContent += "\n" + msg;
+  }
+
+  function reloadFrame() {
+    document.getElementById('framediv').innerHTML = '<iframe id="testHarness" src="https://example.com/tests/dom/security/test/mixedcontentblocker/file_main.html"></iframe>';
+  }
+
+  function checkTestsCompleted() {
+    for (var prop in testsToRun) {
+      // some test hasn't run yet so we're not done
+      if (!testsToRun[prop])
+        return;
+    }
+    //if the testsToRun are all completed, chnage the pref and run the tests again until we have cycled through all the prefs.
+    if(counter < 8) {
+       for (var prop in testsToRun) {
+         testsToRun[prop] = false;
+       }
+      //call to change the preferences
+      changePrefs([], function() {
+        log(`\nblockDisplay set to ${blockDisplay}, blockActive set to ${blockActive}, upgradeDisplay set to ${upgradeDisplay}`);
+        reloadFrame();
+      });
+    }
+    else {
+      SimpleTest.finish();
+    }
+  }
+
+  var firstTest = true;
+
+  function receiveMessage(event) {
+    if(firstTest) {
+      log(`blockActive set to ${blockActive}, blockDisplay set to ${blockDisplay}, upgradeDisplay set to ${upgradeDisplay}.`);
+      firstTest = false;
+    }
+
+    // Simple check from the iframe.
+    if (event.data.check) {
+      ok(event.data.status, event.data.msg);
+      return;
+    }
+
+    log("test: "+event.data.test+", msg: "+event.data.msg + " logging message.");
+    // test that the load type matches the pref for this type of content
+    // (i.e. active vs. display)
+
+    switch(event.data.test) {
+
+      /* Mixed Script tests */
+      case "iframe":
+        ok(blockActive == (event.data.msg == "insecure iframe blocked"), "iframe did not follow block_active_content pref");
+        testsToRun.iframe = true;
+        break;
+
+      case "object":
+        ok(blockActive == (event.data.msg == "insecure object blocked"), "object did not follow block_active_content pref");
+        testsToRun.object = true;
+        break;
+
+      case "script":
+        ok(blockActive == (event.data.msg == "insecure script blocked"), "script did not follow block_active_content pref");
+        testsToRun.script = true;
+        break;
+
+      case "stylesheet":
+        ok(blockActive == (event.data.msg == "insecure stylesheet blocked"), "stylesheet did not follow block_active_content pref");
+        testsToRun.stylesheet = true;
+        break;
+
+      case "xhr":
+        ok(blockActive == (event.data.msg == "insecure xhr blocked"), "xhr did not follow block_active_content pref");
+        testsToRun.xhr = true;
+        break;
+
+      /* Mixed Display tests */
+      case "image":
+        //test that the image load matches the pref for display content
+        if (upgradeDisplay) {
+          ok(event.data.msg == "secure image loaded after upgrade", "image did not follow upgrade_display_content pref");
+        } else {
+          ok(blockDisplay == (event.data.msg == "insecure image blocked"), "image did not follow block_display_content pref");
+        }
+        testsToRun.image = true;
+        break;
+
+      case "media":
+        if (upgradeDisplay) {
+          ok(event.data.msg == "secure media loaded after upgrade", "media did not follow upgrade_display_content pref");
+        } else {
+          ok(blockDisplay == (event.data.msg == "insecure media blocked"), "media did not follow block_display_content pref");
+        }
+        testsToRun.media = true;
+        break;
+
+      /* Images using the "imageset" policy, from <img srcset> and <picture>, do not get the mixed display exception */
+      case "imageSrcset":
+        // When blockDisplay && blockActive && upgradeDisplay are all true the request is blocked
+        // This appears to be a side effect of blockDisplay taking precedence here.
+        if (event.data.msg == "secure image loaded after upgrade") {
+          ok(upgradeDisplay, "imageSrcset did not follow upgrade_display_content pref");
+        } else {
+          ok(blockActive == (event.data.msg == "insecure image blocked"), "imageSrcset did not follow block_active_content pref");
+        }
+        testsToRun.imageSrcset = true;
+        break;
+
+      case "imageSrcsetFallback":
+        if (event.data.msg == "secure image loaded after upgrade") {
+          ok(upgradeDisplay, "imageSrcsetFallback did not follow upgrade_display_content pref");
+        } else {
+          ok(blockActive == (event.data.msg == "insecure image blocked"), "imageSrcsetFallback did not follow block_active_content pref");
+        }
+        testsToRun.imageSrcsetFallback = true;
+        break;
+
+      case "imagePicture":
+        if (event.data.msg == "secure image loaded after upgrade") {
+          ok(upgradeDisplay, "imagePicture did not follow upgrade_display_content pref");
+        } else {
+          ok(blockActive == (event.data.msg == "insecure image blocked"), "imagePicture did not follow block_active_content pref");
+        }
+        testsToRun.imagePicture = true;
+        break;
+
+      case "imageJoinPicture":
+        if (event.data.msg == "secure image loaded after upgrade") {
+          ok(upgradeDisplay, "imageJoinPicture did not follow upgrade_display_content pref");
+        } else {
+          ok(blockActive == (event.data.msg == "insecure image blocked"), "imageJoinPicture did not follow block_active_content pref");
+        }
+        testsToRun.imageJoinPicture = true;
+        break;
+
+      // Should return to mixed display mode
+      case "imageLeavePicture":
+        if (event.data.msg == "secure image loaded after upgrade") {
+          ok(upgradeDisplay, "imageLeavePicture did not follow upgrade_display_content pref");
+        } else {
+          ok(blockDisplay == (event.data.msg == "insecure image blocked"), "imageLeavePicture did not follow block_display_content pref");
+        }
+        testsToRun.imageLeavePicture = true;
+        break;
+
+    }
+    checkTestsCompleted();
+  }
+
+  function startTest() {
+    //Set the first set of mixed content settings and increment the counter.
+    changePrefs([], function() {
+      //listen for a messages from the mixed content test harness
+      window.addEventListener("message", receiveMessage);
+
+      //Kick off test
+      reloadFrame();
+    });
+  }
+
+  SimpleTest.waitForExplicitFinish();
+
+  </script>
+</head>
+
+<body onload='startTest()'>
+  <div id="framediv"></div>
+  <pre id="log"></pre>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/test_redirect.html b/dom/security/test/mixedcontentblocker/test_redirect.html
new file mode 100644
index 0000000000..3fdd4e2e7b
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/test_redirect.html
@@ -0,0 +1,45 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug1402363: Test mixed content redirects</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body onload='startTest()'>
+<iframe style="width:100%;height:300px;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+const PATH = "https://example.com/tests/dom/security/test/mixedcontentblocker/";
+let testcounter = 0;
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  if (event.data === "https-to-https-loaded") {
+    ok(true, "https to https fetch redirect should be allowed");
+  }
+  else if (event.data === "https-to-http-blocked") {
+    ok(true, "https to http fetch redirect should be blocked");
+  }
+  else {
+    ok(false, "sanity: we should never enter that branch (" + event.data + ")");
+  }
+  testcounter++;
+  if (testcounter < 2) {
+    return;
+  }
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function startTest() {
+  let testframe = document.getElementById("testframe");
+  testframe.src = PATH + "file_redirect.html";
+}
+
+</script>
+</body>
+</html>
-- 
cgit v1.2.3