Add m-esr52 at 52.6.0

42 files changed, 8325 insertions, 0 deletions

diff --git a/toolkit/components/passwordmgr/test/mochitest/auth2/authenticate.sjs b/toolkit/components/passwordmgr/test/mochitest/auth2/authenticate.sjs
new file mode 100644
index 000000000..d2f650013
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/auth2/authenticate.sjs
@@ -0,0 +1,220 @@
+function handleRequest(request, response)
+{
+  try {
+    reallyHandleRequest(request, response);
+  } catch (e) {
+    response.setStatusLine("1.0", 200, "AlmostOK");
+    response.write("Error handling request: " + e);
+  }
+}
+
+
+function reallyHandleRequest(request, response) {
+  var match;
+  var requestAuth = true, requestProxyAuth = true;
+
+  // Allow the caller to drive how authentication is processed via the query.
+  // Eg, http://localhost:8888/authenticate.sjs?user=foo&realm=bar
+  // The extra ? allows the user/pass/realm checks to succeed if the name is
+  // at the beginning of the query string.
+  var query = "?" + request.queryString;
+
+  var expected_user = "", expected_pass = "", realm = "mochitest";
+  var proxy_expected_user = "", proxy_expected_pass = "", proxy_realm = "mochi-proxy";
+  var huge = false, plugin = false, anonymous = false;
+  var authHeaderCount = 1;
+  // user=xxx
+  match = /[^_]user=([^&]*)/.exec(query);
+  if (match)
+    expected_user = match[1];
+
+  // pass=xxx
+  match = /[^_]pass=([^&]*)/.exec(query);
+  if (match)
+    expected_pass = match[1];
+
+  // realm=xxx
+  match = /[^_]realm=([^&]*)/.exec(query);
+  if (match)
+    realm = match[1];
+
+  // proxy_user=xxx
+  match = /proxy_user=([^&]*)/.exec(query);
+  if (match)
+    proxy_expected_user = match[1];
+
+  // proxy_pass=xxx
+  match = /proxy_pass=([^&]*)/.exec(query);
+  if (match)
+    proxy_expected_pass = match[1];
+
+  // proxy_realm=xxx
+  match = /proxy_realm=([^&]*)/.exec(query);
+  if (match)
+    proxy_realm = match[1];
+
+  // huge=1
+  match = /huge=1/.exec(query);
+  if (match)
+    huge = true;
+
+  // plugin=1
+  match = /plugin=1/.exec(query);
+  if (match)
+    plugin = true;
+
+  // multiple=1
+  match = /multiple=([^&]*)/.exec(query);
+  if (match)
+    authHeaderCount = match[1]+0;
+
+  // anonymous=1
+  match = /anonymous=1/.exec(query);
+  if (match)
+    anonymous = true;
+
+  // Look for an authentication header, if any, in the request.
+  //
+  // EG: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
+  // 
+  // This test only supports Basic auth. The value sent by the client is
+  // "username:password", obscured with base64 encoding.
+
+  var actual_user = "", actual_pass = "", authHeader, authPresent = false;
+  if (request.hasHeader("Authorization")) {
+    authPresent = true;
+    authHeader = request.getHeader("Authorization");
+    match = /Basic (.+)/.exec(authHeader);
+    if (match.length != 2)
+        throw new Error("Couldn't parse auth header: " + authHeader);
+
+    var userpass = base64ToString(match[1]); // no atob() :-(
+    match = /(.*):(.*)/.exec(userpass);
+    if (match.length != 3)
+        throw new Error("Couldn't decode auth header: " + userpass);
+    actual_user = match[1];
+    actual_pass = match[2];
+  } 
+
+  var proxy_actual_user = "", proxy_actual_pass = "";
+  if (request.hasHeader("Proxy-Authorization")) {
+    authHeader = request.getHeader("Proxy-Authorization");
+    match = /Basic (.+)/.exec(authHeader);
+    if (match.length != 2)
+        throw new Error("Couldn't parse auth header: " + authHeader);
+
+    var userpass = base64ToString(match[1]); // no atob() :-(
+    match = /(.*):(.*)/.exec(userpass);
+    if (match.length != 3)
+        throw new Error("Couldn't decode auth header: " + userpass);
+    proxy_actual_user = match[1];
+    proxy_actual_pass = match[2];
+  }
+
+  // Don't request authentication if the credentials we got were what we
+  // expected.
+  if (expected_user == actual_user &&
+    expected_pass == actual_pass) {
+    requestAuth = false;
+  }
+  if (proxy_expected_user == proxy_actual_user &&
+    proxy_expected_pass == proxy_actual_pass) {
+    requestProxyAuth = false;
+  }
+
+  if (anonymous) {
+    if (authPresent) {
+      response.setStatusLine("1.0", 400, "Unexpected authorization header found");
+    } else {
+      response.setStatusLine("1.0", 200, "Authorization header not found");
+    }
+  } else {
+    if (requestProxyAuth) {
+      response.setStatusLine("1.0", 407, "Proxy authentication required");
+      for (i = 0; i < authHeaderCount; ++i)
+        response.setHeader("Proxy-Authenticate", "basic realm=\"" + proxy_realm + "\"", true);
+    } else if (requestAuth) {
+      response.setStatusLine("1.0", 401, "Authentication required");
+      for (i = 0; i < authHeaderCount; ++i)
+        response.setHeader("WWW-Authenticate", "basic realm=\"" + realm + "\"", true);
+    } else {
+      response.setStatusLine("1.0", 200, "OK");
+    }
+  }
+
+  response.setHeader("Content-Type", "application/xhtml+xml", false);
+  response.write("<html xmlns='http://www.w3.org/1999/xhtml'>");
+  response.write("<p>Login: <span id='ok'>" + (requestAuth ? "FAIL" : "PASS") + "</span></p>\n");
+  response.write("<p>Proxy: <span id='proxy'>" + (requestProxyAuth ? "FAIL" : "PASS") + "</span></p>\n");
+  response.write("<p>Auth: <span id='auth'>" + authHeader + "</span></p>\n");
+  response.write("<p>User: <span id='user'>" + actual_user + "</span></p>\n");
+  response.write("<p>Pass: <span id='pass'>" + actual_pass + "</span></p>\n");
+
+  if (huge) {
+    response.write("<div style='display: none'>");
+    for (i = 0; i < 100000; i++) {
+      response.write("123456789\n");
+    }
+    response.write("</div>");
+    response.write("<span id='footnote'>This is a footnote after the huge content fill</span>");
+  }
+
+  if (plugin) {
+    response.write("<embed id='embedtest' style='width: 400px; height: 100px;' " + 
+           "type='application/x-test'></embed>\n");
+  }
+
+  response.write("</html>");
+}
+
+
+// base64 decoder
+//
+// Yoinked from extensions/xml-rpc/src/nsXmlRpcClient.js because btoa()
+// doesn't seem to exist. :-(
+/* Convert Base64 data to a string */
+const toBinaryTable = [
+    -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1,
+    -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1,
+    -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,62, -1,-1,-1,63,
+    52,53,54,55, 56,57,58,59, 60,61,-1,-1, -1, 0,-1,-1,
+    -1, 0, 1, 2,  3, 4, 5, 6,  7, 8, 9,10, 11,12,13,14,
+    15,16,17,18, 19,20,21,22, 23,24,25,-1, -1,-1,-1,-1,
+    -1,26,27,28, 29,30,31,32, 33,34,35,36, 37,38,39,40,
+    41,42,43,44, 45,46,47,48, 49,50,51,-1, -1,-1,-1,-1
+];
+const base64Pad = '=';
+
+function base64ToString(data) {
+
+    var result = '';
+    var leftbits = 0; // number of bits decoded, but yet to be appended
+    var leftdata = 0; // bits decoded, but yet to be appended
+
+    // Convert one by one.
+    for (var i = 0; i < data.length; i++) {
+        var c = toBinaryTable[data.charCodeAt(i) & 0x7f];
+        var padding = (data[i] == base64Pad);
+        // Skip illegal characters and whitespace
+        if (c == -1) continue;
+        
+        // Collect data into leftdata, update bitcount
+        leftdata = (leftdata << 6) | c;
+        leftbits += 6;
+
+        // If we have 8 or more bits, append 8 bits to the result
+        if (leftbits >= 8) {
+            leftbits -= 8;
+            // Append if not padding.
+            if (!padding)
+                result += String.fromCharCode((leftdata >> leftbits) & 0xff);
+            leftdata &= (1 << leftbits) - 1;
+        }
+    }
+
+    // If there are any bits left, the base64 string was corrupted
+    if (leftbits)
+        throw Components.Exception('Corrupted base64 string');
+
+    return result;
+}
diff --git a/toolkit/components/passwordmgr/test/mochitest/mochitest.ini b/toolkit/components/passwordmgr/test/mochitest/mochitest.ini
new file mode 100644
index 000000000..a4170d7e0
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/mochitest.ini
@@ -0,0 +1,69 @@
+[DEFAULT]
+support-files =
+  ../../../prompts/test/chromeScript.js
+  ../../../prompts/test/prompt_common.js
+  ../../../satchel/test/parent_utils.js
+  ../../../satchel/test/satchel_common.js
+  ../authenticate.sjs
+  ../blank.html
+  ../browser/form_autofocus_js.html
+  ../browser/form_basic.html
+  ../browser/form_cross_origin_secure_action.html
+  ../pwmgr_common.js
+  auth2/authenticate.sjs
+
+[test_autocomplete_https_upgrade.html]
+skip-if = toolkit == 'android' # autocomplete
+[test_autofill_https_upgrade.html]
+skip-if = toolkit == 'android' # Bug 1259768
+[test_autofill_password-only.html]
+[test_autofocus_js.html]
+skip-if = toolkit == 'android' # autocomplete
+[test_basic_form.html]
+[test_basic_form_0pw.html]
+[test_basic_form_1pw.html]
+[test_basic_form_1pw_2.html]
+[test_basic_form_2pw_1.html]
+[test_basic_form_2pw_2.html]
+[test_basic_form_3pw_1.html]
+[test_basic_form_autocomplete.html]
+skip-if = toolkit == 'android' # android:autocomplete.
+[test_insecure_form_field_autocomplete.html]
+skip-if = toolkit == 'android' # android:autocomplete.
+[test_password_field_autocomplete.html]
+skip-if = toolkit == 'android' # android:autocomplete.
+[test_insecure_form_field_no_saved_login.html]
+skip-if = toolkit == 'android' || os == 'linux' # android:autocomplete., linux: bug 1325778
+[test_basic_form_html5.html]
+[test_basic_form_pwevent.html]
+[test_basic_form_pwonly.html]
+[test_bug_627616.html]
+skip-if = toolkit == 'android' # Tests desktop prompts
+[test_bug_776171.html]
+[test_case_differences.html]
+skip-if = toolkit == 'android' # autocomplete
+[test_form_action_1.html]
+[test_form_action_2.html]
+[test_form_action_javascript.html]
+[test_formless_autofill.html]
+[test_formless_submit.html]
+[test_formless_submit_navigation.html]
+[test_formless_submit_navigation_negative.html]
+[test_input_events.html]
+[test_input_events_for_identical_values.html]
+[test_maxlength.html]
+[test_passwords_in_type_password.html]
+[test_prompt.html]
+skip-if = os == "linux" || toolkit == 'android' # Tests desktop prompts
+[test_prompt_http.html]
+skip-if = os == "linux" || toolkit == 'android' # Tests desktop prompts
+[test_prompt_noWindow.html]
+skip-if = e10s || toolkit == 'android' # Tests desktop prompts. e10s: bug 1217876
+[test_prompt_promptAuth.html]
+skip-if = os == "linux" || toolkit == 'android' # Tests desktop prompts
+[test_prompt_promptAuth_proxy.html]
+skip-if = e10s || os == "linux" || toolkit == 'android' # Tests desktop prompts
+[test_recipe_login_fields.html]
+[test_username_focus.html]
+skip-if = toolkit == 'android' # android:autocomplete.
+[test_xhr_2.html]
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_autocomplete_https_upgrade.html b/toolkit/components/passwordmgr/test/mochitest/test_autocomplete_https_upgrade.html
new file mode 100644
index 000000000..7d5725322
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_autocomplete_https_upgrade.html
@@ -0,0 +1,218 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test autocomplete on an HTTPS page using upgraded HTTP logins</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script>
+const chromeScript = runChecksAfterCommonInit(false);
+
+runInParent(function addLogins() {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  // Create some logins just for this form, since we'll be deleting them.
+  let nsLoginInfo = Components.Constructor("@mozilla.org/login-manager/loginInfo;1",
+                                           Ci.nsILoginInfo, "init");
+
+  // We have two actual HTTPS to avoid autofill before the schemeUpgrades pref flips to true.
+  let login0 = new nsLoginInfo("https://example.org", "https://example.org", null,
+                               "name", "pass", "uname", "pword");
+
+  let login1 = new nsLoginInfo("https://example.org", "https://example.org", null,
+                               "name1", "pass1", "uname", "pword");
+
+  // Same as above but HTTP instead of HTTPS (to test de-duping)
+  let login2 = new nsLoginInfo("http://example.org", "http://example.org", null,
+                               "name1", "passHTTP", "uname", "pword");
+
+  // Different HTTP login to upgrade with secure formSubmitURL
+  let login3 = new nsLoginInfo("http://example.org", "https://example.org", null,
+                               "name2", "passHTTPtoHTTPS", "uname", "pword");
+
+  try {
+    Services.logins.addLogin(login0);
+    Services.logins.addLogin(login1);
+    Services.logins.addLogin(login2);
+    Services.logins.addLogin(login3);
+  } catch (e) {
+    assert.ok(false, "addLogin threw: " + e);
+  }
+});
+</script>
+<p id="display"></p>
+
+<!-- we presumably can't hide the content for this test. -->
+<div id="content">
+  <iframe src="https://example.org/tests/toolkit/components/passwordmgr/test/mochitest/form_basic.html"></iframe>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+const shiftModifier = SpecialPowers.Ci.nsIDOMEvent.SHIFT_MASK;
+
+let iframe = SpecialPowers.wrap(document.getElementsByTagName("iframe")[0]);
+let iframeDoc;
+let uname;
+let pword;
+
+// Restore the form to the default state.
+function restoreForm() {
+  pword.focus();
+  uname.value = "";
+  pword.value = "";
+  uname.focus();
+}
+
+// Check for expected username/password in form.
+function checkACForm(expectedUsername, expectedPassword) {
+  let formID = uname.parentNode.id;
+  is(uname.value, expectedUsername, "Checking " + formID + " username");
+  is(pword.value, expectedPassword, "Checking " + formID + " password");
+}
+
+add_task(function* setup() {
+  yield SpecialPowers.pushPrefEnv({"set": [["signon.schemeUpgrades", true]]});
+
+  yield new Promise(resolve => {
+    iframe.addEventListener("load", function onLoad() {
+      iframe.removeEventListener("load", onLoad);
+      resolve();
+    });
+  });
+
+  iframeDoc = iframe.contentDocument;
+  uname = iframeDoc.getElementById("form-basic-username");
+  pword = iframeDoc.getElementById("form-basic-password");
+});
+
+add_task(function* test_empty_first_entry() {
+  // Make sure initial form is empty.
+  checkACForm("", "");
+  // Trigger autocomplete popup
+  restoreForm();
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is initially closed");
+  let shownPromise = promiseACShown();
+  doKey("down");
+  let results = yield shownPromise;
+  popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected");
+  checkArrayValues(results, ["name", "name1", "name2"], "initial");
+
+  // Check first entry
+  let index0Promise = notifySelectedIndex(0);
+  doKey("down");
+  yield index0Promise;
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("name", "pass");
+});
+
+add_task(function* test_empty_second_entry() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("name1", "pass1");
+});
+
+add_task(function* test_search() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  // We need to blur for the autocomplete controller to notice the forced value below.
+  uname.blur();
+  uname.value = "name";
+  uname.focus();
+  sendChar("1");
+  doKey("down"); // open
+  let results = yield shownPromise;
+  checkArrayValues(results, ["name1"], "check result deduping for 'name1'");
+  doKey("down"); // first
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("name1", "pass1");
+
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is now closed");
+});
+
+add_task(function* test_delete_first_entry() {
+  restoreForm();
+  uname.focus();
+  let shownPromise = promiseACShown();
+  doKey("down");
+  yield shownPromise;
+
+  let index0Promise = notifySelectedIndex(0);
+  doKey("down");
+  yield index0Promise;
+
+  let deletionPromise = promiseStorageChanged(["removeLogin"]);
+  // On OS X, shift-backspace and shift-delete work, just delete does not.
+  // On Win/Linux, shift-backspace does not work, delete and shift-delete do.
+  doKey("delete", shiftModifier);
+  yield deletionPromise;
+  checkACForm("", "");
+
+  let results = yield notifyMenuChanged(2, "name1");
+
+  checkArrayValues(results, ["name1", "name2"], "two should remain after deleting the first");
+  let popupState = yield getPopupState();
+  is(popupState.open, true, "Check popup stays open after deleting");
+  doKey("escape");
+  popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup closed upon ESC");
+});
+
+add_task(function* test_delete_duplicate_entry() {
+  restoreForm();
+  uname.focus();
+  let shownPromise = promiseACShown();
+  doKey("down");
+  yield shownPromise;
+
+  let index0Promise = notifySelectedIndex(0);
+  doKey("down");
+  yield index0Promise;
+
+  let deletionPromise = promiseStorageChanged(["removeLogin"]);
+  // On OS X, shift-backspace and shift-delete work, just delete does not.
+  // On Win/Linux, shift-backspace does not work, delete and shift-delete do.
+  doKey("delete", shiftModifier);
+  yield deletionPromise;
+  checkACForm("", "");
+
+  is(LoginManager.countLogins("http://example.org", "http://example.org", null), 1,
+     "Check that the HTTP login remains");
+  is(LoginManager.countLogins("https://example.org", "https://example.org", null), 0,
+     "Check that the HTTPS login was deleted");
+
+  // Two menu items should remain as the HTTPS login should have been deleted but
+  // the HTTP would remain.
+  let results = yield notifyMenuChanged(1, "name2");
+
+  checkArrayValues(results, ["name2"], "one should remain after deleting the HTTPS name1");
+  let popupState = yield getPopupState();
+  is(popupState.open, true, "Check popup stays open after deleting");
+  doKey("escape");
+  popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup closed upon ESC");
+});
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_autofill_https_upgrade.html b/toolkit/components/passwordmgr/test/mochitest/test_autofill_https_upgrade.html
new file mode 100644
index 000000000..ee1424002
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_autofill_https_upgrade.html
@@ -0,0 +1,117 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test autocomplete on an HTTPS page using upgraded HTTP logins</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script>
+const MISSING_ACTION_PATH = TESTS_DIR + "mochitest/form_basic.html";
+const CROSS_ORIGIN_SECURE_PATH = TESTS_DIR + "mochitest/form_cross_origin_secure_action.html";
+
+const chromeScript = runChecksAfterCommonInit(false);
+
+let nsLoginInfo = SpecialPowers.wrap(SpecialPowers.Components).Constructor("@mozilla.org/login-manager/loginInfo;1",
+SpecialPowers.Ci.nsILoginInfo,
+"init");
+</script>
+<p id="display"></p>
+
+<!-- we presumably can't hide the content for this test. -->
+<div id="content">
+  <iframe></iframe>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+let iframe = SpecialPowers.wrap(document.getElementsByTagName("iframe")[0]);
+
+// Check for expected username/password in form.
+function checkACForm(expectedUsername, expectedPassword) {
+  let iframeDoc = iframe.contentDocument;
+  let uname = iframeDoc.getElementById("form-basic-username");
+  let pword = iframeDoc.getElementById("form-basic-password");
+  let formID = uname.parentNode.id;
+  is(uname.value, expectedUsername, "Checking " + formID + " username");
+  is(pword.value, expectedPassword, "Checking " + formID + " password");
+}
+function* prepareLoginsAndProcessForm(url, logins = []) {
+  LoginManager.removeAllLogins();
+
+  let dates = Date.now();
+  for (let login of logins) {
+    SpecialPowers.do_QueryInterface(login, SpecialPowers.Ci.nsILoginMetaInfo);
+    // Force all dates to be the same so they don't affect things like deduping.
+    login.timeCreated = login.timePasswordChanged = login.timeLastUsed = dates;
+    LoginManager.addLogin(login);
+  }
+
+  iframe.src = url;
+  yield promiseFormsProcessed();
+}
+
+add_task(function* setup() {
+  yield SpecialPowers.pushPrefEnv({"set": [["signon.schemeUpgrades", true]]});
+});
+
+add_task(function* test_simpleNoDupesNoAction() {
+  yield prepareLoginsAndProcessForm("https://example.com" + MISSING_ACTION_PATH, [
+    new nsLoginInfo("http://example.com", "http://example.com", null,
+                    "name2", "pass2", "uname", "pword"),
+  ]);
+
+  checkACForm("name2", "pass2");
+});
+
+add_task(function* test_simpleNoDupesUpgradeOriginAndAction() {
+  yield prepareLoginsAndProcessForm("https://example.com" + CROSS_ORIGIN_SECURE_PATH, [
+    new nsLoginInfo("http://example.com", "http://another.domain", null,
+                    "name2", "pass2", "uname", "pword"),
+  ]);
+
+  checkACForm("name2", "pass2");
+});
+
+add_task(function* test_simpleNoDupesUpgradeOriginOnly() {
+  yield prepareLoginsAndProcessForm("https://example.com" + CROSS_ORIGIN_SECURE_PATH, [
+    new nsLoginInfo("http://example.com", "https://another.domain", null,
+                    "name2", "pass2", "uname", "pword"),
+  ]);
+
+  checkACForm("name2", "pass2");
+});
+
+add_task(function* test_simpleNoDupesUpgradeActionOnly() {
+  yield prepareLoginsAndProcessForm("https://example.com" + CROSS_ORIGIN_SECURE_PATH, [
+    new nsLoginInfo("https://example.com", "http://another.domain", null,
+                    "name2", "pass2", "uname", "pword"),
+  ]);
+
+  checkACForm("name2", "pass2");
+});
+
+add_task(function* test_dedupe() {
+  yield prepareLoginsAndProcessForm("https://example.com" + MISSING_ACTION_PATH, [
+    new nsLoginInfo("https://example.com", "https://example.com", null,
+                    "name1", "passHTTPStoHTTPS", "uname", "pword"),
+    new nsLoginInfo("http://example.com", "http://example.com", null,
+                    "name1", "passHTTPtoHTTP", "uname", "pword"),
+    new nsLoginInfo("http://example.com", "https://example.com", null,
+                    "name1", "passHTTPtoHTTPS", "uname", "pword"),
+    new nsLoginInfo("https://example.com", "http://example.com", null,
+                    "name1", "passHTTPStoHTTP", "uname", "pword"),
+  ]);
+
+  checkACForm("name1", "passHTTPStoHTTPS");
+});
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_autofill_password-only.html b/toolkit/components/passwordmgr/test/mochitest/test_autofill_password-only.html
new file mode 100644
index 000000000..983356371
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_autofill_password-only.html
@@ -0,0 +1,143 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test password-only forms should prefer a password-only login when present</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: Bug 444968
+<script>
+let pwmgrCommonScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+pwmgrCommonScript.sendSyncMessage("setupParent", { selfFilling: true });
+
+SimpleTest.waitForExplicitFinish();
+
+let chromeScript = runInParent(function chromeSetup() {
+  const { classes: Cc, interfaces: Ci, results: Cr, utils: Cu } = Components;
+  let pwmgr = Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager);
+
+  let login1A  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+  let login1B  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+  let login2A  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+  let login2B  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+  let login2C  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+
+  login1A.init("http://mochi.test:8888", "http://bug444968-1", null,
+               "testuser1A", "testpass1A", "", "");
+  login1B.init("http://mochi.test:8888", "http://bug444968-1", null,
+               "", "testpass1B", "", "");
+
+  login2A.init("http://mochi.test:8888", "http://bug444968-2", null,
+               "testuser2A", "testpass2A", "", "");
+  login2B.init("http://mochi.test:8888", "http://bug444968-2", null,
+               "", "testpass2B", "", "");
+  login2C.init("http://mochi.test:8888", "http://bug444968-2", null,
+               "testuser2C", "testpass2C", "", "");
+
+  pwmgr.addLogin(login1A);
+  pwmgr.addLogin(login1B);
+  pwmgr.addLogin(login2A);
+  pwmgr.addLogin(login2B);
+  pwmgr.addLogin(login2C);
+
+  addMessageListener("removeLogins", function removeLogins() {
+    pwmgr.removeLogin(login1A);
+    pwmgr.removeLogin(login1B);
+    pwmgr.removeLogin(login2A);
+    pwmgr.removeLogin(login2B);
+    pwmgr.removeLogin(login2C);
+  });
+});
+
+SimpleTest.registerCleanupFunction(() => chromeScript.sendSyncMessage("removeLogins"));
+
+registerRunTests();
+</script>
+
+<p id="display"></p>
+<div id="content" style="display: none">
+  <!-- first 3 forms have matching user+pass and pass-only logins -->
+
+  <!-- user+pass form. -->
+  <form id="form1" action="http://bug444968-1">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- password-only form. -->
+  <form id="form2" action="http://bug444968-1">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form, username prefilled -->
+  <form id="form3" action="http://bug444968-1">
+    <input  type="text"     name="uname" value="testuser1A">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+
+  <!-- next 4 forms have matching user+pass (2x) and pass-only (1x) logins -->
+
+  <!-- user+pass form. -->
+  <form id="form4" action="http://bug444968-2">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- password-only form. -->
+  <form id="form5" action="http://bug444968-2">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form, username prefilled -->
+  <form id="form6" action="http://bug444968-2">
+    <input  type="text"     name="uname" value="testuser2A">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form, username prefilled -->
+  <form id="form7" action="http://bug444968-2">
+    <input  type="text"     name="uname" value="testuser2C">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/* Test for Login Manager: 444968 (password-only forms should prefer a
+ * password-only login when present )
+ */
+function startTest() {
+  checkForm(1, "testuser1A", "testpass1A");
+  checkForm(2, "testpass1B");
+  checkForm(3, "testuser1A", "testpass1A");
+
+  checkUnmodifiedForm(4); // 2 logins match
+  checkForm(5, "testpass2B");
+  checkForm(6, "testuser2A", "testpass2A");
+  checkForm(7, "testuser2C", "testpass2C");
+
+  SimpleTest.finish();
+}
+
+window.addEventListener("runTests", startTest);
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_autofocus_js.html b/toolkit/components/passwordmgr/test/mochitest/test_autofocus_js.html
new file mode 100644
index 000000000..2ce3293dd
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_autofocus_js.html
@@ -0,0 +1,115 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test login autocomplete is activated when focused by js on load</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script>
+const chromeScript = runChecksAfterCommonInit(false);
+
+runInParent(function addLogins() {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  // Create some logins just for this form, since we'll be deleting them.
+  let nsLoginInfo = Components.Constructor("@mozilla.org/login-manager/loginInfo;1",
+                                           Ci.nsILoginInfo, "init");
+
+  let login0 = new nsLoginInfo("https://example.org", "https://example.org", null,
+                               "name", "pass", "uname", "pword");
+
+  let login1 = new nsLoginInfo("https://example.org", "https://example.org", null,
+                               "name1", "pass1", "uname", "pword");
+
+  try {
+    Services.logins.addLogin(login0);
+    Services.logins.addLogin(login1);
+  } catch (e) {
+    assert.ok(false, "addLogin threw: " + e);
+  }
+});
+</script>
+<p id="display"></p>
+
+<div id="content">
+  <iframe src="https://example.org/tests/toolkit/components/passwordmgr/test/mochitest/form_autofocus_js.html"></iframe>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+let iframe = SpecialPowers.wrap(document.getElementsByTagName("iframe")[0]);
+let iframeDoc;
+
+add_task(function* setup() {
+  yield new Promise(resolve => {
+    iframe.addEventListener("load", function onLoad() {
+      iframe.removeEventListener("load", onLoad);
+      resolve();
+    });
+  });
+
+  iframeDoc = iframe.contentDocument;
+
+  SimpleTest.requestFlakyTimeout("Giving a chance for the unexpected popupshown to occur");
+});
+
+add_task(function* test_initial_focus() {
+  let results = yield notifyMenuChanged(2, "name");
+  checkArrayValues(results, ["name", "name1"], "Two results");
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  is(iframeDoc.getElementById("form-basic-password").value, "pass", "Check first password filled");
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is now closed");
+});
+
+// This depends on the filling from the previous test.
+add_task(function* test_not_reopened_if_filled() {
+  listenForUnexpectedPopupShown();
+  let usernameField = iframeDoc.getElementById("form-basic-username");
+  usernameField.focus();
+  info("Waiting to see if a popupshown occurs");
+  yield new Promise(resolve => setTimeout(resolve, 1000));
+
+  // cleanup
+  gPopupShownExpected = true;
+  iframeDoc.getElementById("form-basic-submit").focus();
+});
+
+add_task(function* test_reopened_after_edit_not_matching_saved() {
+  let usernameField = iframeDoc.getElementById("form-basic-username");
+  usernameField.value = "nam";
+  let shownPromise = promiseACShown();
+  usernameField.focus();
+  yield shownPromise;
+  iframeDoc.getElementById("form-basic-submit").focus();
+});
+
+add_task(function* test_not_reopened_after_selecting() {
+  let formFillController = SpecialPowers.Cc["@mozilla.org/satchel/form-fill-controller;1"].
+                           getService(SpecialPowers.Ci.nsIFormFillController);
+  let usernameField = iframeDoc.getElementById("form-basic-username");
+  usernameField.value = "";
+  iframeDoc.getElementById("form-basic-password").value = "";
+  listenForUnexpectedPopupShown();
+  formFillController.markAsLoginManagerField(usernameField);
+  info("Waiting to see if a popupshown occurs");
+  yield new Promise(resolve => setTimeout(resolve, 1000));
+
+  // Cleanup
+  gPopupShownExpected = true;
+});
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form.html
new file mode 100644
index 000000000..3c38343a5
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test basic autofill</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: simple form fill
+
+<script>
+runChecksAfterCommonInit(startTest);
+
+/** Test for Login Manager: form fill, multiple forms. **/
+
+function startTest() {
+  is($_(1, "uname").value, "testuser", "Checking for filled username");
+  is($_(1, "pword").value, "testpass", "Checking for filled password");
+
+  SimpleTest.finish();
+}
+</script>
+
+<p id="display"></p>
+
+<div id="content" style="display: none">
+
+  <form id="form1" action="formtest.js">
+    <p>This is form 1.</p>
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+</div>
+
+<pre id="test"></pre>
+</body>
+</html>
+
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_0pw.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_0pw.html
new file mode 100644
index 000000000..0b416673b
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_0pw.html
@@ -0,0 +1,72 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test forms with no password fields</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: forms with no password fields
+<p id="display"></p>
+
+<div id="content" style="display: none">
+
+  <!-- Form with no user field or password field -->
+  <form id="form1" action="formtest.js">
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Form with no user field or password field, but one other field -->
+  <form id="form2" action="formtest.js">
+    <input  type="checkbox">
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Form with no user field or password field, but one other field -->
+  <form id="form3" action="formtest.js">
+    <input  type="checkbox" name="uname" value="">
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Form with a text field, but no password field -->
+  <form id="form4" action="formtest.js">
+    <input  type="text"       name="yyyyy">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Form with a user field, but no password field -->
+  <form id="form5" action="formtest.js">
+    <input  type="text"       name="uname">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: form fill, no password fields. **/
+
+function startTest() {
+  is($_(3, "uname").value, "", "Checking for unfilled checkbox (form 3)");
+  is($_(4, "yyyyy").value, "", "Checking for unfilled text field (form 4)");
+  is($_(5, "uname").value, "", "Checking for unfilled text field (form 5)");
+
+  SimpleTest.finish();
+}
+
+runChecksAfterCommonInit(startTest);
+</script>
+</pre>
+</body>
+</html>
+
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_1pw.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_1pw.html
new file mode 100644
index 000000000..3937fad4b
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_1pw.html
@@ -0,0 +1,167 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test autofill for forms with 1 password field</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: forms with 1 password field
+<script>
+runChecksAfterCommonInit(() => startTest());
+</script>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+
+<!-- no username fields -->
+
+<form id='form1' action='formtest.js'> 1
+    <!-- Blank, so fill in the password -->
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form2' action='formtest.js'> 2
+    <!-- Already contains the password, so nothing to do. -->
+    <input type='password' name='pname' value='testpass'>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form3' action='formtest.js'> 3
+    <!-- Contains unknown password, so don't change it -->
+    <input type='password' name='pname' value='xxxxxxxx'>
+    <button type='submit'>Submit</button>
+</form>
+
+
+<!-- username fields -->
+
+<form id='form4' action='formtest.js'> 4
+    <!-- Blanks, so fill in login -->
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form5' action='formtest.js'> 5
+    <!-- Username already set, so fill in password -->
+    <input type='text'     name='uname' value='testuser'>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form6' action='formtest.js'> 6
+    <!-- Unknown username, so don't fill in password -->
+    <input type='text'     name='uname' value='xxxxxxxx'>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form7' action='formtest.js'> 7
+    <!-- Password already set, could fill in username but that's weird so we don't -->
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value='testpass'>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form8' action='formtest.js'> 8
+    <!-- Unknown password, so don't fill in a username -->
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value='xxxxxxxx'>
+    <button type='submit'>Submit</button>
+</form>
+
+
+
+<!-- extra text fields -->
+
+<form id='form9' action='formtest.js'> 9
+    <!-- text field _after_ password should never be treated as a username field -->
+    <input type='password' name='pname' value=''>
+    <input type='text'     name='uname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form10' action='formtest.js'> 10
+    <!-- only the first text field before the password should be for username -->
+    <input type='text'     name='other' value=''>
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form11' action='formtest.js'> 11
+    <!-- variation just to make sure extra text field is still ignored -->
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value=''>
+    <input type='text'     name='other' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+
+
+<!-- same as last bunch, but with xxxx in the extra field. -->
+
+<form id='form12' action='formtest.js'> 12
+    <!-- text field _after_ password should never be treated as a username field -->
+    <input type='password' name='pname' value=''>
+    <input type='text'     name='uname' value='xxxxxxxx'>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form13' action='formtest.js'> 13
+    <!-- only the first text field before the password should be for username -->
+    <input type='text'     name='other' value='xxxxxxxx'>
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form14' action='formtest.js'> 14
+    <!-- variation just to make sure extra text field is still ignored -->
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value=''>
+    <input type='text'     name='other' value='xxxxxxxx'>
+    <button type='submit'>Submit</button>
+</form>
+
+
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: simple form fill **/
+
+function startTest() {
+    var f = 1;
+
+    // 1-3
+    checkForm(f++, "testpass");
+    checkForm(f++, "testpass");
+    checkForm(f++, "xxxxxxxx");
+
+    // 4-8
+    checkForm(f++, "testuser", "testpass");
+    checkForm(f++, "testuser", "testpass");
+    checkForm(f++, "xxxxxxxx", "");
+    checkForm(f++, "",         "testpass");
+    checkForm(f++, "",         "xxxxxxxx");
+
+    // 9-14
+    checkForm(f++, "testpass", "");
+    checkForm(f++, "",         "testuser", "testpass");
+    checkForm(f++, "testuser", "testpass", "");
+    checkForm(f++, "testpass", "xxxxxxxx");
+    checkForm(f++, "xxxxxxxx", "testuser", "testpass");
+    checkForm(f++, "testuser", "testpass", "xxxxxxxx");
+
+    SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_1pw_2.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_1pw_2.html
new file mode 100644
index 000000000..0f6566b9c
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_1pw_2.html
@@ -0,0 +1,109 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test forms with 1 password field, part 2</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: forms with 1 password field, part 2
+<script>
+runChecksAfterCommonInit(() => startTest());
+</script>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+
+<form id='form1' action='formtest.js'> 1
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form2' action='formtest.js'> 2
+    <input type='password' name='pname' value='' disabled>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form3' action='formtest.js'> 3
+    <input type='password' name='pname' value='' readonly>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form4' action='formtest.js'> 4
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form5' action='formtest.js'> 5
+    <input type='text'     name='uname' value='' disabled>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form6' action='formtest.js'> 6
+    <input type='text'     name='uname' value='' readonly>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form7' action='formtest.js'> 7
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value='' disabled>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form8' action='formtest.js'> 8
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value='' readonly>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form9' action='formtest.js'> 9
+    <input type='text'     name='uname' value='TESTUSER'>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form10' action='formtest.js'> 10
+    <input type='text'     name='uname' value='TESTUSER' readonly>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form11' action='formtest.js'> 11
+    <input type='text'     name='uname' value='TESTUSER' disabled>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: simple form fill, part 2 **/
+
+function startTest() {
+    var f;
+
+    // Test various combinations of disabled/readonly inputs
+    checkForm(1, "testpass"); // control
+    checkUnmodifiedForm(2);
+    checkUnmodifiedForm(3);
+    checkForm(4, "testuser", "testpass"); // control
+    for (f = 5;  f <= 8;  f++) { checkUnmodifiedForm(f); }
+    // Test case-insensitive comparison of username field
+    checkForm(9, "testuser", "testpass");
+    checkForm(10, "TESTUSER", "testpass");
+    checkForm(11, "TESTUSER", "testpass");
+
+    SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
+
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_2pw_1.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_2pw_1.html
new file mode 100644
index 000000000..128ffca7c
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_2pw_1.html
@@ -0,0 +1,187 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test autofill for forms with 2 password fields</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: forms with 2 password fields
+<script>
+runChecksAfterCommonInit(() => startTest());
+</script>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+
+
+<!-- no username fields -->
+
+<form id='form1' action='formtest.js'> 1
+    <!-- simple form, fill in first pw -->
+    <input type='password' name='pname' value=''>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form2' action='formtest.js'> 2
+    <!-- same but reverse pname and qname, field names are ignored. -->
+    <input type='password' name='qname' value=''>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form3' action='formtest.js'> 3
+    <!-- text field after password fields should be ignored, no username. -->
+    <input type='password' name='pname' value=''>
+    <input type='password' name='qname' value=''>
+    <input type='text'     name='uname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form4' action='formtest.js'> 4
+    <!-- nothing to do, password already present -->
+    <input type='password' name='pname' value='testpass'>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form5' action='formtest.js'> 5
+    <!-- don't clobber an existing unrecognized password -->
+    <input type='password' name='pname' value='xxxxxxxx'>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form6' action='formtest.js'> 6
+    <!-- fill in first field, 2nd field shouldn't be touched anyway. -->
+    <input type='password' name='pname' value=''>
+    <input type='password' name='qname' value='xxxxxxxx'>
+    <button type='submit'>Submit</button>
+</form>
+
+
+
+<!-- with username fields -->
+
+
+
+<form id='form7' action='formtest.js'> 7
+    <!-- simple form, should fill in username and first pw -->
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value=''>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form8' action='formtest.js'> 8
+    <!-- reverse pname and qname, field names are ignored. -->
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='qname' value=''>
+    <input type='password' name='pname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form9' action='formtest.js'> 9
+    <!-- username already filled, so just fill first password -->
+    <input type='text'     name='uname' value='testuser'>
+    <input type='password' name='pname' value=''>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form10' action='formtest.js'> 10
+    <!-- unknown username, don't fill in a password -->
+    <input type='text'     name='uname' value='xxxxxxxx'>
+    <input type='password' name='pname' value=''>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form11' action='formtest.js'> 11
+    <!-- don't clobber unknown password -->
+    <input type='text'     name='uname' value='testuser'>
+    <input type='password' name='pname' value='xxxxxxxx'>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form12' action='formtest.js'> 12
+    <!-- fill in 1st pass, don't clobber 2nd pass -->
+    <input type='text'     name='uname' value='testuser'>
+    <input type='password' name='pname' value=''>
+    <input type='password' name='qname' value='xxxxxxxx'>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form13' action='formtest.js'> 13
+    <!-- nothing to do, user and pass prefilled. life is easy. -->
+    <input type='text'     name='uname' value='testuser'>
+    <input type='password' name='pname' value='testpass'>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form14' action='formtest.js'> 14
+    <!-- shouldn't fill in username because 1st pw field is unknown. -->
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value='xxxxxxxx'>
+    <input type='password' name='qname' value='testpass'>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form15' action='formtest.js'> 15
+    <!-- textfield in the middle of pw fields should be ignored -->
+    <input type='password' name='pname' value=''>
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+<form id='form16' action='formtest.js'> 16
+    <!-- same, and don't clobber existing unknown password -->
+    <input type='password' name='pname' value='xxxxxxxx'>
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='qname' value=''>
+    <button type='submit'>Submit</button>
+</form>
+
+
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: simple form fill **/
+
+function startTest() {
+    var f = 1;
+
+    // 1-6 no username
+    checkForm(f++, "testpass", "");
+    checkForm(f++, "testpass", "");
+    checkForm(f++, "testpass", "", "");
+    checkForm(f++, "testpass", "");
+    checkForm(f++, "xxxxxxxx", "");
+    checkForm(f++, "testpass", "xxxxxxxx");
+
+    // 7-15 with username
+    checkForm(f++, "testuser", "testpass", "");
+    checkForm(f++, "testuser", "testpass", "");
+    checkForm(f++, "testuser", "testpass", "");
+    checkForm(f++, "xxxxxxxx", "", "");
+    checkForm(f++, "testuser", "xxxxxxxx", "");
+    checkForm(f++, "testuser", "testpass", "xxxxxxxx");
+    checkForm(f++, "testuser", "testpass", "");
+    checkForm(f++, "",         "xxxxxxxx", "testpass");
+    checkForm(f++, "testpass", "",         "");
+    checkForm(f++, "xxxxxxxx", "",         "");
+
+    SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_2pw_2.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_2pw_2.html
new file mode 100644
index 000000000..eba811cf9
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_2pw_2.html
@@ -0,0 +1,105 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for form fill with 2 password fields</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: form fill, 2 password fields
+<p id="display"></p>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: form fill, 2 password fields **/
+
+/*
+ * If a form has two password fields, other things may be going on....
+ *
+ * 1 - The user might be creating a new login (2nd field for typo checking)
+ * 2 - The user is changing a password (old and new password each have field)
+ *
+ * This test is for case #1.
+ */
+
+var numSubmittedForms = 0;
+var numStartingLogins = 0;
+
+function startTest() {
+  // Check for unfilled forms
+  is($_(1, "uname").value, "", "Checking username 1");
+  is($_(1, "pword").value, "", "Checking password 1A");
+  is($_(1, "qword").value, "", "Checking password 1B");
+
+  // Fill in the username and password fields, for account creation.
+  // Form 1
+  $_(1, "uname").value = "newuser1";
+  $_(1, "pword").value = "newpass1";
+  $_(1, "qword").value = "newpass1";
+
+  var button = getFormSubmitButton(1);
+
+  todo(false, "form submission disabled, can't auto-accept dialog yet");
+  SimpleTest.finish();
+}
+
+
+// Called by each form's onsubmit handler.
+function checkSubmit(formNum) {
+  numSubmittedForms++;
+
+  // End the test at the last form.
+  if (formNum == 999) {
+    is(numSubmittedForms, 999, "Ensuring all forms submitted for testing.");
+
+    var numEndingLogins = LoginManager.countLogins("", "", "");
+
+    ok(numEndingLogins > 0, "counting logins at end");
+    is(numStartingLogins, numEndingLogins + 222, "counting logins at end");
+
+    SimpleTest.finish();
+    return false; // return false to cancel current form submission
+  }
+
+  // submit the next form.
+  var button = getFormSubmitButton(formNum + 1);
+  button.click();
+
+  return false; // return false to cancel current form submission
+}
+
+
+function getFormSubmitButton(formNum) {
+  var form = $("form" + formNum); // by id, not name
+  ok(form != null, "getting form " + formNum);
+
+  // we can't just call form.submit(), because that doesn't seem to
+  // invoke the form onsubmit handler.
+  var button = form.firstChild;
+  while (button && button.type != "submit") { button = button.nextSibling; }
+  ok(button != null, "getting form submit button");
+
+  return button;
+}
+
+runChecksAfterCommonInit(startTest);
+
+</script>
+</pre>
+<div id="content" style="display: none">
+  <form id="form1" onsubmit="return checkSubmit(1)" action="http://newuser.com">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword">
+    <input  type="password" name="qword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+</div>
+
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_3pw_1.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_3pw_1.html
new file mode 100644
index 000000000..30b5a319f
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_3pw_1.html
@@ -0,0 +1,177 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test autofill for forms with 3 password fields</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: forms with 3 password fields (form filling)
+<script>
+runChecksAfterCommonInit(() => startTest());
+</script>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+  <p>The next three forms are <b>user/pass/passB/passC</b>, as all-empty, preuser(only), and preuser/pass</p>
+  <form id="form1" action="formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="rword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <form id="form2" action="formtest.js">
+    <input  type="text"       name="uname"  value="testuser">
+    <input  type="password"   name="pword">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="rword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <form id="form3" action="formtest.js">
+    <input  type="text"       name="uname"  value="testuser">
+    <input  type="password"   name="pword"  value="testpass">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="rword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+
+  <p>The next three forms are <b>user/passB/pass/passC</b>, as all-empty, preuser(only), and preuser/pass</p>
+  <form id="form4" action="formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="pword">
+    <input  type="password"   name="rword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <form id="form5" action="formtest.js">
+    <input  type="text"       name="uname"  value="testuser">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="pword">
+    <input  type="password"   name="rword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <form id="form6" action="formtest.js">
+    <input  type="text"       name="uname"  value="testuser">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="pword"  value="testpass">
+    <input  type="password"   name="rword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <p>The next three forms are <b>user/passB/passC/pass</b>, as all-empty, preuser(only), and preuser/pass</p>
+  <form id="form7" action="formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="rword">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <form id="form8" action="formtest.js">
+    <input  type="text"       name="uname"  value="testuser">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="rword">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <form id="form9" action="formtest.js">
+    <input  type="text"       name="uname"  value="testuser">
+    <input  type="password"   name="qword">
+    <input  type="password"   name="rword">
+    <input  type="password"   name="pword"  value="testpass">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: form fill, 3 password fields **/
+
+// Test to make sure 3-password forms are filled properly.
+
+function startTest() {
+  // Check form 1
+  is($_(1, "uname").value, "testuser", "Checking username 1");
+  is($_(1, "pword").value, "testpass", "Checking password 1");
+  is($_(1, "qword").value, "",         "Checking password 1 (q)");
+  is($_(1, "rword").value, "",         "Checking password 1 (r)");
+  // Check form 2
+  is($_(2, "uname").value, "testuser", "Checking username 2");
+  is($_(2, "pword").value, "testpass", "Checking password 2");
+  is($_(2, "qword").value, "",         "Checking password 2 (q)");
+  is($_(2, "rword").value, "",         "Checking password 2 (r)");
+  // Check form 3
+  is($_(3, "uname").value, "testuser", "Checking username 3");
+  is($_(3, "pword").value, "testpass", "Checking password 3");
+  is($_(3, "qword").value, "",         "Checking password 3 (q)");
+  is($_(3, "rword").value, "",         "Checking password 3 (r)");
+
+  // Check form 4
+  is($_(4, "uname").value, "testuser", "Checking username 4");
+  todo_is($_(4, "qword").value, "",         "Checking password 4 (q)");
+  todo_is($_(4, "pword").value, "testpass", "Checking password 4");
+  is($_(4, "rword").value, "",         "Checking password 4 (r)");
+  // Check form 5
+  is($_(5, "uname").value, "testuser", "Checking username 5");
+  todo_is($_(5, "qword").value, "",         "Checking password 5 (q)");
+  todo_is($_(5, "pword").value, "testpass", "Checking password 5");
+  is($_(5, "rword").value, "",         "Checking password 5 (r)");
+  // Check form 6
+  is($_(6, "uname").value, "testuser", "Checking username 6");
+  todo_is($_(6, "qword").value, "",         "Checking password 6 (q)");
+  is($_(6, "pword").value, "testpass", "Checking password 6");
+  is($_(6, "rword").value, "",         "Checking password 6 (r)");
+
+  // Check form 7
+  is($_(7, "uname").value, "testuser", "Checking username 7");
+  todo_is($_(7, "qword").value, "",         "Checking password 7 (q)");
+  is($_(7, "rword").value, "",         "Checking password 7 (r)");
+  todo_is($_(7, "pword").value, "testpass", "Checking password 7");
+  // Check form 8
+  is($_(8, "uname").value, "testuser", "Checking username 8");
+  todo_is($_(8, "qword").value, "",         "Checking password 8 (q)");
+  is($_(8, "rword").value, "",         "Checking password 8 (r)");
+  todo_is($_(8, "pword").value, "testpass", "Checking password 8");
+  // Check form 9
+  is($_(9, "uname").value, "testuser", "Checking username 9");
+  todo_is($_(9, "qword").value, "",         "Checking password 9 (q)");
+  is($_(9, "rword").value, "",         "Checking password 9 (r)");
+  is($_(9, "pword").value, "testpass", "Checking password 9");
+
+  // TODO: as with the 2-password cases, add tests to check for creating new
+  // logins and changing passwords.
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
+
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_autocomplete.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_autocomplete.html
new file mode 100644
index 000000000..0eee8e696
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_autocomplete.html
@@ -0,0 +1,859 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test basic login autocomplete</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: multiple login autocomplete
+
+<script>
+var chromeScript = runChecksAfterCommonInit();
+
+var setupScript = runInParent(function setup() {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  // Create some logins just for this form, since we'll be deleting them.
+  var nsLoginInfo = Components.Constructor("@mozilla.org/login-manager/loginInfo;1",
+                                           Ci.nsILoginInfo, "init");
+  assert.ok(nsLoginInfo != null, "nsLoginInfo constructor");
+
+  // login0 has no username, so should be filtered out from the autocomplete list.
+  var login0 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "", "user0pass", "", "pword");
+
+  var login1 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "tempuser1", "temppass1", "uname", "pword");
+
+  var login2 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "testuser2", "testpass2", "uname", "pword");
+
+  var login3 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "testuser3", "testpass3", "uname", "pword");
+
+  var login4 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "zzzuser4", "zzzpass4", "uname", "pword");
+
+  // login 5 only used in the single-user forms
+  var login5 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete2", null,
+                               "singleuser5", "singlepass5", "uname", "pword");
+
+  var login6A = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete3", null,
+                                "form7user1", "form7pass1", "uname", "pword");
+  var login6B = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete3", null,
+                                "form7user2", "form7pass2", "uname", "pword");
+
+  var login7  = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete4", null,
+                                "form8user", "form8pass", "uname", "pword");
+
+  var login8A = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete5", null,
+                                "form9userAB", "form9pass", "uname", "pword");
+  var login8B = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete5", null,
+                                "form9userAAB", "form9pass", "uname", "pword");
+  var login8C = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete5", null,
+                                "form9userAABzz", "form9pass", "uname", "pword");
+
+  var login10 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete7", null,
+                                "testuser10", "testpass10", "uname", "pword");
+
+
+  // try/catch in case someone runs the tests manually, twice.
+  try {
+    Services.logins.addLogin(login0);
+    Services.logins.addLogin(login1);
+    Services.logins.addLogin(login2);
+    Services.logins.addLogin(login3);
+    Services.logins.addLogin(login4);
+    Services.logins.addLogin(login5);
+    Services.logins.addLogin(login6A);
+    Services.logins.addLogin(login6B);
+    Services.logins.addLogin(login7);
+    Services.logins.addLogin(login8A);
+    Services.logins.addLogin(login8B);
+    // login8C is added later
+    Services.logins.addLogin(login10);
+  } catch (e) {
+    assert.ok(false, "addLogin threw: " + e);
+  }
+
+  addMessageListener("addLogin", loginVariableName => {
+    let login = eval(loginVariableName);
+    assert.ok(!!login, "Login to add is defined: " + loginVariableName);
+    Services.logins.addLogin(login);
+  });
+  addMessageListener("removeLogin", loginVariableName => {
+    let login = eval(loginVariableName);
+    assert.ok(!!login, "Login to delete is defined: " + loginVariableName);
+    Services.logins.removeLogin(login);
+  });
+});
+</script>
+<p id="display"></p>
+
+<!-- we presumably can't hide the content for this test. -->
+<div id="content">
+
+  <!-- form1 tests multiple matching logins -->
+  <form id="form1" action="http://autocomplete:8888/formtest.js" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- other forms test single logins, with autocomplete=off set -->
+  <form id="form2" action="http://autocomplete2" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword" autocomplete="off">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form3" action="http://autocomplete2" onsubmit="return false;">
+    <input  type="text"       name="uname" autocomplete="off">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form4" action="http://autocomplete2" onsubmit="return false;" autocomplete="off">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form5" action="http://autocomplete2" onsubmit="return false;">
+    <input  type="text"       name="uname" autocomplete="off">
+    <input  type="password"   name="pword" autocomplete="off">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- control -->
+  <form id="form6" action="http://autocomplete2" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- This form will be manipulated to insert a different username field. -->
+  <form id="form7" action="http://autocomplete3" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- test for no autofill after onblur with blank username -->
+  <form id="form8" action="http://autocomplete4" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- test autocomplete dropdown -->
+  <form id="form9" action="http://autocomplete5" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- test for onUsernameInput recipe testing -->
+  <form id="form11" action="http://autocomplete7" onsubmit="return false;">
+    <input  type="text"   name="1">
+    <input  type="text"   name="2">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- tests <form>-less autocomplete -->
+  <div id="form12">
+     <input  type="text"       name="uname" id="uname">
+     <input  type="password"   name="pword" id="pword">
+     <button type="submit">Submit</button>
+   </div>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: multiple login autocomplete. **/
+
+var uname = $_(1, "uname");
+var pword = $_(1, "pword");
+const shiftModifier = SpecialPowers.Ci.nsIDOMEvent.SHIFT_MASK;
+
+// Restore the form to the default state.
+function restoreForm() {
+  uname.value = "";
+  pword.value = "";
+  uname.focus();
+}
+
+// Check for expected username/password in form.
+function checkACForm(expectedUsername, expectedPassword) {
+  var formID = uname.parentNode.id;
+  is(uname.value, expectedUsername, "Checking " + formID + " username is: " + expectedUsername);
+  is(pword.value, expectedPassword, "Checking " + formID + " password is: " + expectedPassword);
+}
+
+function sendFakeAutocompleteEvent(element) {
+  var acEvent = document.createEvent("HTMLEvents");
+  acEvent.initEvent("DOMAutoComplete", true, false);
+  element.dispatchEvent(acEvent);
+}
+
+function spinEventLoop() {
+  return Promise.resolve();
+}
+
+add_task(function* setup() {
+  yield SpecialPowers.pushPrefEnv({"set": [["security.insecure_field_warning.contextual.enabled", false],
+                                           ["signon.autofillForms.http", true]]});
+  listenForUnexpectedPopupShown();
+});
+
+add_task(function* test_form1_initial_empty() {
+  yield SimpleTest.promiseFocus(window);
+
+  // Make sure initial form is empty.
+  checkACForm("", "");
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is initially closed");
+});
+
+add_task(function* test_form1_menuitems() {
+  yield SimpleTest.promiseFocus(window);
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  let results = yield shownPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected upon opening");
+
+  let expectedMenuItems = ["tempuser1",
+                           "testuser2",
+                           "testuser3",
+                           "zzzuser4"];
+  checkArrayValues(results, expectedMenuItems, "Check all menuitems are displayed correctly.");
+
+  checkACForm("", ""); // value shouldn't update just by selecting
+  doKey("return"); // not "enter"!
+  yield spinEventLoop(); // let focus happen
+  checkACForm("", "");
+});
+
+add_task(function* test_form1_first_entry() {
+  yield SimpleTest.promiseFocus(window);
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected upon opening");
+
+  doKey("down"); // first
+  checkACForm("", ""); // value shouldn't update just by selecting
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("tempuser1", "temppass1");
+});
+
+add_task(function* test_form1_second_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_third_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("down"); // third
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser3", "testpass3");
+});
+
+add_task(function* test_form1_fourth_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("down"); // third
+  doKey("down"); // fourth
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_wraparound_first_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  yield spinEventLoop(); // let focus happen
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("down"); // third
+  doKey("down"); // fourth
+  doKey("down"); // deselects
+  doKey("down"); // first
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("tempuser1", "temppass1");
+});
+
+add_task(function* test_form1_wraparound_up_last_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("up"); // last (fourth)
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_wraparound_down_up_up() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // select first entry
+  doKey("up");   // selects nothing!
+  doKey("up");   // select last entry
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_wraparound_up_last() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down");
+  doKey("up"); // deselects
+  doKey("up"); // last entry
+  doKey("up");
+  doKey("up");
+  doKey("up"); // first entry
+  doKey("up"); // deselects
+  doKey("up"); // last entry
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_fill_username_without_autofill_right() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Set first entry w/o triggering autocomplete
+  doKey("down"); // first
+  doKey("right");
+  yield spinEventLoop();
+  checkACForm("tempuser1", ""); // empty password
+});
+
+add_task(function* test_form1_fill_username_without_autofill_left() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Set first entry w/o triggering autocomplete
+  doKey("down"); // first
+  doKey("left");
+  checkACForm("tempuser1", ""); // empty password
+});
+
+add_task(function* test_form1_pageup_first() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check first entry (page up)
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("page_up"); // first
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("tempuser1", "temppass1");
+});
+
+add_task(function* test_form1_pagedown_last() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  /* test 13 */
+  // Check last entry (page down)
+  doKey("down"); // first
+  doKey("page_down"); // last
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_untrusted_event() {
+  restoreForm();
+  yield spinEventLoop();
+
+  // Send a fake (untrusted) event.
+  checkACForm("", "");
+  uname.value = "zzzuser4";
+  sendFakeAutocompleteEvent(uname);
+  yield spinEventLoop();
+  checkACForm("zzzuser4", "");
+});
+
+add_task(function* test_form1_delete() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // XXX tried sending character "t" before/during dropdown to test
+  // filtering, but had no luck. Seemed like the character was getting lost.
+  // Setting uname.value didn't seem to work either. This works with a human
+  // driver, so I'm not sure what's up.
+
+  // Delete the first entry (of 4), "tempuser1"
+  doKey("down");
+  var numLogins;
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 5, "Correct number of logins before deleting one");
+
+  let countChangedPromise = notifyMenuChanged(3);
+  var deletionPromise = promiseStorageChanged(["removeLogin"]);
+  // On OS X, shift-backspace and shift-delete work, just delete does not.
+  // On Win/Linux, shift-backspace does not work, delete and shift-delete do.
+  doKey("delete", shiftModifier);
+  yield deletionPromise;
+
+  checkACForm("", "");
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 4, "Correct number of logins after deleting one");
+  yield countChangedPromise;
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_first_after_deletion() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check the new first entry (of 3)
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_delete_second() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Delete the second entry (of 3), "testuser3"
+  doKey("down");
+  doKey("down");
+  doKey("delete", shiftModifier);
+  checkACForm("", "");
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 3, "Correct number of logins after deleting one");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_first_after_deletion2() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check the new first entry (of 2)
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_delete_last() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  /* test 54 */
+  // Delete the last entry (of 2), "zzzuser4"
+  doKey("down");
+  doKey("down");
+  doKey("delete", shiftModifier);
+  checkACForm("", "");
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 2, "Correct number of logins after deleting one");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_first_after_3_deletions() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check the only remaining entry
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_check_only_entry_remaining() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  /* test 56 */
+  // Delete the only remaining entry, "testuser2"
+  doKey("down");
+  doKey("delete", shiftModifier);
+  checkACForm("", "");
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 1, "Correct number of logins after deleting one");
+
+  // remove the login that's not shown in the list.
+  setupScript.sendSyncMessage("removeLogin", "login0");
+});
+
+/* Tests for single-user forms for ignoring autocomplete=off */
+add_task(function* test_form2() {
+  // Turn our attention to form2
+  uname = $_(2, "uname");
+  pword = $_(2, "pword");
+  checkACForm("singleuser5", "singlepass5");
+
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form3() {
+  uname = $_(3, "uname");
+  pword = $_(3, "pword");
+  checkACForm("singleuser5", "singlepass5");
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form4() {
+  uname = $_(4, "uname");
+  pword = $_(4, "pword");
+  checkACForm("singleuser5", "singlepass5");
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form5() {
+  uname = $_(5, "uname");
+  pword = $_(5, "pword");
+  checkACForm("singleuser5", "singlepass5");
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form6() {
+  // (this is a control, w/o autocomplete=off, to ensure the login
+  // that was being suppressed would have been filled in otherwise)
+  uname = $_(6, "uname");
+  pword = $_(6, "pword");
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form6_changeUsername() {
+  // Test that the password field remains filled in after changing
+  // the username.
+  uname.focus();
+  doKey("right");
+  sendChar("X");
+  // Trigger the 'blur' event on uname
+  pword.focus();
+  yield spinEventLoop();
+  checkACForm("singleuser5X", "singlepass5");
+
+  setupScript.sendSyncMessage("removeLogin", "login5");
+});
+
+add_task(function* test_form7() {
+  uname = $_(7, "uname");
+  pword = $_(7, "pword");
+  checkACForm("", "");
+
+  // Insert a new username field into the form. We'll then make sure
+  // that invoking the autocomplete doesn't try to fill the form.
+  var newField = document.createElement("input");
+  newField.setAttribute("type", "text");
+  newField.setAttribute("name", "uname2");
+  pword.parentNode.insertBefore(newField, pword);
+  is($_(7, "uname2").value, "", "Verifying empty uname2");
+
+  // Delete login6B. It was created just to prevent filling in a login
+  // automatically, removing it makes it more likely that we'll catch a
+  // future regression with form filling here.
+  setupScript.sendSyncMessage("removeLogin", "login6B");
+});
+
+add_task(function* test_form7_2() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  // The form changes, so we expect the old username field to get the
+  // selected autocomplete value, but neither the new username field nor
+  // the password field should have any values filled in.
+  yield spinEventLoop();
+  checkACForm("form7user1", "");
+  is($_(7, "uname2").value, "", "Verifying empty uname2");
+  restoreForm(); // clear field, so reloading test doesn't fail
+
+  setupScript.sendSyncMessage("removeLogin", "login6A");
+});
+
+add_task(function* test_form8() {
+  uname = $_(8, "uname");
+  pword = $_(8, "pword");
+  checkACForm("form8user", "form8pass");
+  restoreForm();
+});
+
+add_task(function* test_form8_blur() {
+  checkACForm("", "");
+  // Focus the previous form to trigger a blur.
+  $_(7, "uname").focus();
+});
+
+add_task(function* test_form8_2() {
+  checkACForm("", "");
+  restoreForm();
+});
+
+add_task(function* test_form8_3() {
+  checkACForm("", "");
+  setupScript.sendSyncMessage("removeLogin", "login7");
+});
+
+add_task(function* test_form9_filtering() {
+  // Turn our attention to form9 to test the dropdown - bug 497541
+  uname = $_(9, "uname");
+  pword = $_(9, "pword");
+  uname.focus();
+  let shownPromise = promiseACShown();
+  sendString("form9userAB");
+  yield shownPromise;
+
+  checkACForm("form9userAB", "");
+  uname.focus();
+  doKey("left");
+  shownPromise = promiseACShown();
+  sendChar("A");
+  let results = yield shownPromise;
+
+  checkACForm("form9userAAB", "");
+  checkArrayValues(results, ["form9userAAB"], "Check dropdown is updated after inserting 'A'");
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("form9userAAB", "form9pass");
+});
+
+add_task(function* test_form9_autocomplete_cache() {
+  // Note that this addLogin call will only be seen by the autocomplete
+  // attempt for the sendChar if we do not successfully cache the
+  // autocomplete results.
+  setupScript.sendSyncMessage("addLogin", "login8C");
+  uname.focus();
+  let promise0 = notifyMenuChanged(0);
+  sendChar("z");
+  yield promise0;
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup shouldn't open");
+
+  // check that empty results are cached - bug 496466
+  promise0 = notifyMenuChanged(0);
+  sendChar("z");
+  yield promise0;
+  popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup stays closed due to cached empty result");
+});
+
+add_task(function* test_form11_recipes() {
+  yield loadRecipes({
+    siteRecipes: [{
+      "hosts": ["mochi.test:8888"],
+      "usernameSelector": "input[name='1']",
+      "passwordSelector": "input[name='2']"
+    }],
+  });
+  uname = $_(11, "1");
+  pword = $_(11, "2");
+
+  // First test DOMAutocomplete
+  // Switch the password field to type=password so _fillForm marks the username
+  // field for autocomplete.
+  pword.type = "password";
+  yield promiseFormsProcessed();
+  restoreForm();
+  checkACForm("", "");
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("testuser10", "testpass10");
+
+  // Now test recipes with blur on the username field.
+  restoreForm();
+  checkACForm("", "");
+  uname.value = "testuser10";
+  checkACForm("testuser10", "");
+  doKey("tab");
+  yield promiseFormsProcessed();
+  checkACForm("testuser10", "testpass10");
+  yield resetRecipes();
+});
+
+add_task(function* test_form12_formless() {
+  // Test form-less autocomplete
+  uname = $_(12, "uname");
+  pword = $_(12, "pword");
+  restoreForm();
+  checkACForm("", "");
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Trigger autocomplete
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  let processedPromise = promiseFormsProcessed();
+  doKey("return"); // not "enter"!
+  yield processedPromise;
+  checkACForm("testuser", "testpass");
+});
+
+add_task(function* test_form12_open_on_trusted_focus() {
+  uname = $_(12, "uname");
+  pword = $_(12, "pword");
+  uname.value = "";
+  pword.value = "";
+
+  // Move focus to the password field so we can test the first click on the
+  // username field.
+  pword.focus();
+  checkACForm("", "");
+  const firePrivEventPromise = new Promise((resolve) => {
+    uname.addEventListener("click", (e) => {
+      ok(e.isTrusted, "Ensure event is trusted");
+      resolve();
+    });
+  });
+  const shownPromise = promiseACShown();
+  synthesizeMouseAtCenter(uname, {});
+  yield firePrivEventPromise;
+  yield shownPromise;
+  doKey("down");
+  const processedPromise = promiseFormsProcessed();
+  doKey("return"); // not "enter"!
+  yield processedPromise;
+  checkACForm("testuser", "testpass");
+});
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_html5.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_html5.html
new file mode 100644
index 000000000..40e322afd
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_html5.html
@@ -0,0 +1,164 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for html5 input types (email, tel, url, etc.)</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: html5 input types (email, tel, url, etc.)
+<script>
+runChecksAfterCommonInit(() => startTest());
+
+runInParent(function setup() {
+  const { classes: Cc, interfaces: Ci, results: Cr, utils: Cu } = Components;
+  let pwmgr = Cc["@mozilla.org/login-manager;1"].
+              getService(Ci.nsILoginManager);
+
+  login1 = Cc["@mozilla.org/login-manager/loginInfo;1"].
+           createInstance(Ci.nsILoginInfo);
+  login2 = Cc["@mozilla.org/login-manager/loginInfo;1"].
+           createInstance(Ci.nsILoginInfo);
+  login3 = Cc["@mozilla.org/login-manager/loginInfo;1"].
+           createInstance(Ci.nsILoginInfo);
+  login4 = Cc["@mozilla.org/login-manager/loginInfo;1"].
+           createInstance(Ci.nsILoginInfo);
+
+  login1.init("http://mochi.test:8888", "http://bug600551-1", null,
+              "testuser@example.com", "testpass1", "", "");
+  login2.init("http://mochi.test:8888", "http://bug600551-2", null,
+              "555-555-5555", "testpass2", "", "");
+  login3.init("http://mochi.test:8888", "http://bug600551-3", null,
+              "http://mozilla.org", "testpass3", "", "");
+  login4.init("http://mochi.test:8888", "http://bug600551-4", null,
+              "123456789", "testpass4", "", "");
+
+  pwmgr.addLogin(login1);
+  pwmgr.addLogin(login2);
+  pwmgr.addLogin(login3);
+  pwmgr.addLogin(login4);
+});
+</script>
+
+<p id="display"></p>
+<div id="content" style="display: none">
+
+  <form id="form1" action="http://bug600551-1">
+    <input  type="email"    name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form2" action="http://bug600551-2">
+    <input  type="tel"      name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form3" action="http://bug600551-3">
+    <input  type="url"      name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form4" action="http://bug600551-4">
+    <input  type="number"   name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- The following forms should not be filled with usernames -->
+  <form id="form5" action="formtest.js">
+    <input  type="search"   name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form6" action="formtest.js">
+    <input  type="datetime" name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form7" action="formtest.js">
+    <input  type="date"     name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form8" action="formtest.js">
+    <input  type="month" name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form9" action="formtest.js">
+    <input  type="week"     name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form10" action="formtest.js">
+    <input  type="time"     name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form11" action="formtest.js">
+    <input  type="datetime-local" name="uname">
+    <input  type="password"       name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form12" action="formtest.js">
+    <input  type="range"    name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form13" action="formtest.js">
+    <input  type="color"    name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/* Test for Login Manager: 600551
+  (Password manager not working with input type=email)
+ */
+function startTest() {
+  checkForm(1, "testuser@example.com", "testpass1");
+  checkForm(2, "555-555-5555", "testpass2");
+  checkForm(3, "http://mozilla.org", "testpass3");
+  checkForm(4, "123456789", "testpass4");
+
+  is($_(5, "uname").value, "", "type=search should not be considered a username");
+
+  is($_(6, "uname").value, "", "type=datetime should not be considered a username");
+
+  is($_(7, "uname").value, "", "type=date should not be considered a username");
+
+  is($_(8, "uname").value, "", "type=month should not be considered a username");
+
+  is($_(9, "uname").value, "", "type=week should not be considered a username");
+
+  is($_(10, "uname").value, "", "type=time should not be considered a username");
+
+  is($_(11, "uname").value, "", "type=datetime-local should not be considered a username");
+
+  is($_(12, "uname").value, "50", "type=range should not be considered a username");
+
+  is($_(13, "uname").value, "#000000", "type=color should not be considered a username");
+
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_pwevent.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_pwevent.html
new file mode 100644
index 000000000..e0a2883c8
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_pwevent.html
@@ -0,0 +1,55 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=355063
+-->
+<head>
+  <meta charset="utf-8"/>
+  <title>Test for Bug 355063</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <script type="application/javascript">
+  /** Test for Bug 355063 **/
+
+  runChecksAfterCommonInit(function startTest() {
+    info("startTest");
+    // Password Manager's own listener should always have been added first, so
+    // the test's listener should be called after the pwmgr's listener fills in
+    // a login.
+    //
+    SpecialPowers.addChromeEventListener("DOMFormHasPassword", function eventFired() {
+      SpecialPowers.removeChromeEventListener("DOMFormHasPassword", eventFired);
+      var passField = $("p1");
+      passField.addEventListener("input", checkForm);
+    });
+    addForm();
+  });
+
+  function addForm() {
+    info("addForm");
+    var c = document.getElementById("content");
+    c.innerHTML = "<form id=form1>form1: <input id=u1><input type=password id=p1></form><br>";
+  }
+
+  function checkForm() {
+    info("checkForm");
+    var userField = document.getElementById("u1");
+    var passField = document.getElementById("p1");
+    is(userField.value, "testuser", "checking filled username");
+    is(passField.value, "testpass", "checking filled password");
+
+    SimpleTest.finish();
+  }
+</script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=355063">Mozilla Bug 355063</a>
+<p id="display"></p>
+<div id="content">
+forms go here!
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_basic_form_pwonly.html b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_pwonly.html
new file mode 100644
index 000000000..40fec8c46
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_basic_form_pwonly.html
@@ -0,0 +1,213 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test forms and logins without a username</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: forms and logins without a username.
+<script>
+runChecksAfterCommonInit(() => startTest());
+runInParent(() => {
+  const { classes: Cc, interfaces: Ci, results: Cr, utils: Cu } = Components;
+  var pwmgr = Cc["@mozilla.org/login-manager;1"]
+              .getService(Ci.nsILoginManager);
+
+  var nsLoginInfo = Components.Constructor("@mozilla.org/login-manager/loginInfo;1", Ci.nsILoginInfo);
+
+  // pwlogin1 uses a unique formSubmitURL, to check forms where no other logins
+  // will apply. pwlogin2 uses the normal formSubmitURL, so that we can test
+  // forms with a mix of username and non-username logins that might apply.
+  //
+  // Note: pwlogin2 is deleted at the end of the test.
+
+  pwlogin1 = new nsLoginInfo();
+  pwlogin2 = new nsLoginInfo();
+
+  pwlogin1.init("http://mochi.test:8888", "http://mochi.test:1111", null,
+                "", "1234", "uname", "pword");
+
+  pwlogin2.init("http://mochi.test:8888", "http://mochi.test:8888", null,
+                "", "1234", "uname", "pword");
+
+
+  pwmgr.addLogin(pwlogin1);
+  pwmgr.addLogin(pwlogin2);
+});
+</script>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+
+
+<!-- simple form: no username field, 1 password field -->
+<form id='form1' action='http://mochi.test:1111/formtest.js'> 1
+    <input type='password' name='pname' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+<!-- simple form: no username field, 2 password fields -->
+<form id='form2' action='http://mochi.test:1111/formtest.js'> 2
+    <input type='password' name='pname1' value=''>
+    <input type='password' name='pname2' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+<!-- simple form: no username field, 3 password fields -->
+<form id='form3' action='http://mochi.test:1111/formtest.js'> 3
+    <input type='password' name='pname1' value=''>
+    <input type='password' name='pname2' value=''>
+    <input type='password' name='pname3' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+<!-- 4 password fields, should be ignored. -->
+<form id='form4' action='http://mochi.test:1111/formtest.js'> 4
+    <input type='password' name='pname1' value=''>
+    <input type='password' name='pname2' value=''>
+    <input type='password' name='pname3' value=''>
+    <input type='password' name='pname4' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+
+
+<!-- 1 username field -->
+<form id='form5' action='http://mochi.test:1111/formtest.js'> 5
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+
+<!-- 1 username field, with a value set -->
+<form id='form6' action='http://mochi.test:1111/formtest.js'> 6
+    <input type='text'     name='uname' value='someuser'>
+    <input type='password' name='pname' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+
+
+<!--
+(The following forms have 2 potentially-matching logins, on is
+password-only, the other is username+password)
+-->
+
+
+
+<!-- 1 username field, with value set. Fill in the matching U+P login -->
+<form id='form7' action='formtest.js'> 7
+    <input type='text'     name='uname' value='testuser'>
+    <input type='password' name='pname' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+<!-- 1 username field, with value set. Don't fill in U+P login-->
+<form id='form8' action='formtest.js'> 8
+    <input type='text'     name='uname' value='someuser'>
+    <input type='password' name='pname' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+
+
+<!-- 1 username field, too small for U+P login -->
+<form id='form9' action='formtest.js'> 9
+    <input type='text'     name='uname' value='' maxlength="4">
+    <input type='password' name='pname' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+<!-- 1 username field, too small for U+P login -->
+<form id='form10' action='formtest.js'> 10
+    <input type='text'     name='uname' value='' maxlength="0">
+    <input type='password' name='pname' value=''>
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+<!-- 1 username field, too small for U+P login -->
+<form id='form11' action='formtest.js'> 11
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value='' maxlength="4">
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+<!-- 1 username field, too small for either login -->
+<form id='form12' action='formtest.js'> 12
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value='' maxlength="1">
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+<!-- 1 username field, too small for either login -->
+<form id='form13' action='formtest.js'> 13
+    <input type='text'     name='uname' value=''>
+    <input type='password' name='pname' value='' maxlength="0">
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+
+
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: password-only logins **/
+function startTest() {
+
+    checkForm(1, "1234");
+    checkForm(2, "1234", "");
+    checkForm(3, "1234", "", "");
+    checkUnmodifiedForm(4);
+
+    checkForm(5, "", "1234");
+    checkForm(6, "someuser", "");
+
+    checkForm(7, "testuser", "testpass");
+    checkForm(8, "someuser", "");
+
+    checkForm(9, "", "1234");
+    checkForm(10, "", "1234");
+    checkForm(11, "", "1234");
+
+    checkUnmodifiedForm(12);
+    checkUnmodifiedForm(13);
+
+    SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
+
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_bug_627616.html b/toolkit/components/passwordmgr/test/mochitest/test_bug_627616.html
new file mode 100644
index 000000000..ad4a41cdb
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_bug_627616.html
@@ -0,0 +1,145 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test bug 627616 related to proxy authentication</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script class="testbody" type="text/javascript">
+    SimpleTest.waitForExplicitFinish();
+
+    var Ci = SpecialPowers.Ci;
+
+    function makeXHR(expectedStatus, expectedText, extra) {
+      var xhr =  new XMLHttpRequest();
+      xhr.open("GET", "authenticate.sjs?" +
+                      "proxy_user=proxy_user&" +
+                      "proxy_pass=proxy_pass&" +
+                      "proxy_realm=proxy_realm&" +
+                      "user=user1name&" +
+                      "pass=user1pass&" +
+                      "realm=mochirealm&" +
+                      extra || "");
+      xhr.onloadend = function() {
+        is(xhr.status, expectedStatus, "xhr.status");
+        is(xhr.statusText, expectedText, "xhr.statusText");
+        runNextTest();
+      };
+      return xhr;
+    }
+
+    function testNonAnonymousCredentials() {
+      var xhr = makeXHR(200, "OK");
+      xhr.send();
+    }
+
+    function testAnonymousCredentials() {
+      // Test that an anonymous request correctly performs proxy authentication
+      var xhr = makeXHR(401, "Authentication required");
+      SpecialPowers.wrap(xhr).channel.loadFlags |= Ci.nsIChannel.LOAD_ANONYMOUS;
+      xhr.send();
+    }
+
+    function testAnonymousNoAuth() {
+      // Next, test that an anonymous request still does not include any non-proxy
+      // authentication headers.
+      var xhr = makeXHR(200, "Authorization header not found", "anonymous=1");
+      SpecialPowers.wrap(xhr).channel.loadFlags |= Ci.nsIChannel.LOAD_ANONYMOUS;
+      xhr.send();
+    }
+
+    var gExpectedDialogs = 0;
+    var gCurrentTest;
+    function runNextTest() {
+      is(gExpectedDialogs, 0, "received expected number of auth dialogs");
+      mm.sendAsyncMessage("prepareForNextTest");
+      mm.addMessageListener("prepareForNextTestDone", function prepared(msg) {
+        mm.removeMessageListener("prepareForNextTestDone", prepared);
+        if (pendingTests.length > 0) {
+          ({expectedDialogs: gExpectedDialogs,
+            test: gCurrentTest} = pendingTests.shift());
+          gCurrentTest.call(this);
+        } else {
+          mm.sendAsyncMessage("cleanup");
+          mm.addMessageListener("cleanupDone", () => {
+            // mm.destroy() is called as a cleanup function by runInParent(), no
+            // need to do it here.
+            SimpleTest.finish();
+          });
+        }
+      });
+    }
+
+    var pendingTests = [{expectedDialogs: 2, test: testNonAnonymousCredentials},
+                        {expectedDialogs: 1, test: testAnonymousCredentials},
+                        {expectedDialogs: 0, test: testAnonymousNoAuth}];
+
+    let mm = runInParent(() => {
+      const { classes: parentCc, interfaces: parentCi, utils: parentCu } = Components;
+
+      parentCu.import("resource://gre/modules/Services.jsm");
+      parentCu.import("resource://gre/modules/NetUtil.jsm");
+      parentCu.import("resource://gre/modules/Timer.jsm");
+      parentCu.import("resource://gre/modules/XPCOMUtils.jsm");
+
+      let channel = NetUtil.newChannel({
+        uri: "http://example.com",
+        loadUsingSystemPrincipal: true
+      });
+
+      let pps = parentCc["@mozilla.org/network/protocol-proxy-service;1"].
+                getService(parentCi.nsIProtocolProxyService);
+      pps.asyncResolve(channel, 0, {
+        onProxyAvailable(req, uri, pi, status) {
+          let mozproxy = "moz-proxy://" + pi.host + ":" + pi.port;
+          let login = parentCc["@mozilla.org/login-manager/loginInfo;1"].
+                      createInstance(parentCi.nsILoginInfo);
+          login.init(mozproxy, null, "proxy_realm", "proxy_user", "proxy_pass",
+                     "", "");
+          Services.logins.addLogin(login);
+
+          let login2 = parentCc["@mozilla.org/login-manager/loginInfo;1"].
+                       createInstance(parentCi.nsILoginInfo);
+          login2.init("http://mochi.test:8888", null, "mochirealm", "user1name",
+                       "user1pass", "", "");
+          Services.logins.addLogin(login2);
+
+          sendAsyncMessage("setupDone");
+        },
+        QueryInterface: XPCOMUtils.generateQI([parentCi.nsIProtocolProxyCallback]),
+      });
+
+      addMessageListener("prepareForNextTest", message => {
+        parentCc["@mozilla.org/network/http-auth-manager;1"].
+          getService(parentCi.nsIHttpAuthManager).
+          clearAll();
+        sendAsyncMessage("prepareForNextTestDone");
+      });
+
+      let dialogObserverTopic = "common-dialog-loaded";
+
+      function dialogObserver(subj, topic, data) {
+        subj.Dialog.ui.prompt.document.documentElement.acceptDialog();
+        sendAsyncMessage("promptAccepted");
+      }
+
+      Services.obs.addObserver(dialogObserver, dialogObserverTopic, false);
+
+      addMessageListener("cleanup", message => {
+        Services.obs.removeObserver(dialogObserver, dialogObserverTopic);
+        sendAsyncMessage("cleanupDone");
+      });
+    });
+
+    mm.addMessageListener("promptAccepted", msg => {
+      gExpectedDialogs--;
+    });
+    mm.addMessageListener("setupDone", msg => {
+      runNextTest();
+    });
+</script>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_bug_776171.html b/toolkit/components/passwordmgr/test/mochitest/test_bug_776171.html
new file mode 100644
index 000000000..4ad08bee2
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_bug_776171.html
@@ -0,0 +1,56 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=776171
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 776171 related to HTTP auth</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body onload="startTest()">
+<script class="testbody" type="text/javascript">
+
+/**
+ * This test checks we correctly ignore authentication entry
+ * for a subpath and use creds from the URL when provided when XHR
+ * is used with filled user name and password.
+ *
+ * 1. connect auth2/authenticate.sjs that expects user1:pass1 password
+ * 2. connect a dummy URL at the same path
+ * 3. connect authenticate.sjs that again expects user1:pass1 password
+ *    in this case, however, we have an entry without an identity
+ *    for this path (that is a parent for auth2 path in the first step)
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+function doxhr(URL, user, pass, next) {
+  var xhr = new XMLHttpRequest();
+  if (user && pass)
+    xhr.open("POST", URL, true, user, pass);
+  else
+    xhr.open("POST", URL, true);
+  xhr.onload = function() {
+    is(xhr.status, 200, "Got status 200");
+    next();
+  };
+  xhr.onerror = function() {
+    ok(false, "request passed");
+    finishTest();
+  };
+  xhr.send();
+}
+
+function startTest() {
+  doxhr("auth2/authenticate.sjs?user=user1&pass=pass1&realm=realm1", "user1", "pass1", function() {
+    doxhr("auth2", null, null, function() {
+      doxhr("authenticate.sjs?user=user1&pass=pass1&realm=realm1", "user1", "pass1", SimpleTest.finish);
+    });
+  });
+}
+</script>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_case_differences.html b/toolkit/components/passwordmgr/test/mochitest/test_case_differences.html
new file mode 100644
index 000000000..316f59da7
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_case_differences.html
@@ -0,0 +1,147 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test autocomplete due to multiple matching logins</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: autocomplete due to multiple matching logins
+
+<script>
+runChecksAfterCommonInit(false);
+
+SpecialPowers.loadChromeScript(function addLogins() {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  // Create some logins just for this form, since we'll be deleting them.
+  var nsLoginInfo = Components.Constructor("@mozilla.org/login-manager/loginInfo;1",
+                                           Ci.nsILoginInfo, "init");
+
+  var login0 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "name", "pass", "uname", "pword");
+
+  var login1 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "Name", "Pass", "uname", "pword");
+
+  var login2 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "USER", "PASS", "uname", "pword");
+
+  try {
+    Services.logins.addLogin(login0);
+    Services.logins.addLogin(login1);
+    Services.logins.addLogin(login2);
+  } catch (e) {
+    assert.ok(false, "addLogin threw: " + e);
+  }
+});
+</script>
+<p id="display"></p>
+
+<!-- we presumably can't hide the content for this test. -->
+<div id="content">
+
+  <!-- form1 tests multiple matching logins -->
+  <form id="form1" action="http://autocomplete:8888/formtest.js" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: autocomplete due to multiple matching logins **/
+
+var uname = $_(1, "uname");
+var pword = $_(1, "pword");
+
+// Restore the form to the default state.
+function restoreForm() {
+    uname.value = "";
+    pword.value = "";
+    uname.focus();
+}
+
+// Check for expected username/password in form.
+function checkACForm(expectedUsername, expectedPassword) {
+  var formID = uname.parentNode.id;
+  is(uname.value, expectedUsername, "Checking " + formID + " username");
+  is(pword.value, expectedPassword, "Checking " + formID + " password");
+}
+
+add_task(function* test_empty_first_entry() {
+  /* test 1 */
+  // Make sure initial form is empty.
+  checkACForm("", "");
+  // Trigger autocomplete popup
+  restoreForm();
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is initially closed");
+  let shownPromise = promiseACShown();
+  doKey("down");
+  let results = yield shownPromise;
+  popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected");
+  checkArrayValues(results, ["name", "Name", "USER"], "initial");
+
+  // Check first entry
+  let index0Promise = notifySelectedIndex(0);
+  doKey("down");
+  yield index0Promise;
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("name", "pass");
+});
+
+add_task(function* test_empty_second_entry() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("Name", "Pass");
+});
+
+add_task(function* test_empty_third_entry() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("down"); // third
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("USER", "PASS");
+});
+
+add_task(function* test_preserve_matching_username_case() {
+  restoreForm();
+  uname.value = "user";
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check that we don't clobber user-entered text when tabbing away
+  // (even with no autocomplete entry selected)
+  doKey("tab");
+  yield promiseFormsProcessed();
+  checkACForm("user", "PASS");
+});
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_form_action_1.html b/toolkit/components/passwordmgr/test/mochitest/test_form_action_1.html
new file mode 100644
index 000000000..430081b3a
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_form_action_1.html
@@ -0,0 +1,137 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for considering form action</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: Bug 360493
+<script>
+runChecksAfterCommonInit(() => startTest());
+</script>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+  <!-- normal form with normal relative action. -->
+  <form id="form1" action="formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- fully specify the action URL -->
+  <form id="form2" action="http://mochi.test:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- fully specify the action URL, and change the path -->
+  <form id="form3" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- fully specify the action URL, and change the path and filename -->
+  <form id="form4" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/not_a_test.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- specify the action URL relative to the current document-->
+  <form id="form5" action="./formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- specify the action URL relative to the current server -->
+  <form id="form6" action="/tests/toolkit/components/passwordmgr/test/formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Change the method from get to post -->
+  <form id="form7" action="formtest.js" method="POST">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Blank action URL specified -->
+  <form id="form8" action="">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- |action| attribute entirely missing -->
+  <form id="form9" >
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- action url as javascript -->
+  <form id="form10" action="javascript:alert('this form is not submitted so this alert should not be invoked');">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- TODO: action=IP.ADDRESS instead of HOSTNAME? -->
+  <!-- TODO: test with |base href="http://othersite//"| ? -->
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: 360493 (Cross-Site Forms + Password
+    Manager = Security Failure) **/
+
+// This test is designed to make sure variations on the form's |action|
+// and |method| continue to work with the fix for 360493.
+
+function startTest() {
+  for (var i = 1; i <= 9; i++) {
+    // Check form i
+    is($_(i, "uname").value, "testuser", "Checking for filled username " + i);
+    is($_(i, "pword").value, "testpass", "Checking for filled password " + i);
+  }
+
+  // The login's formSubmitURL isn't "javascript:", so don't fill it in.
+  isnot($_(10, "uname"), "testuser", "Checking username w/ JS action URL");
+  isnot($_(10, "pword"), "testpass", "Checking password w/ JS action URL");
+
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
+
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html b/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html
new file mode 100644
index 000000000..0f0056de0
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html
@@ -0,0 +1,170 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for considering form action</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: Bug 360493
+<script>
+runChecksAfterCommonInit(() => startTest());
+</script>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+  <!-- The tests in this page exercise things that shouldn't work. -->
+
+  <!-- Change port # of action URL from 8888 to 7777 -->
+  <form id="form1" action="http://localhost:7777/tests/toolkit/components/passwordmgr/test/formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- No port # in action URL -->
+  <form id="form2" action="http://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Change protocol from http:// to ftp://, include the expected 8888 port # -->
+  <form id="form3" action="ftp://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Change protocol from http:// to ftp://, no port # specified -->
+  <form id="form4" action="ftp://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Try a weird URL. -->
+  <form id="form5" action="about:blank">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Try a weird URL. (If the normal embedded action URL doesn't work, that should mean other URLs won't either) -->
+  <form id="form6" action="view-source:http://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Try a weird URL. -->
+  <form id="form7" action="view-source:formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Action URL points to a different host (this is the archetypical exploit) -->
+  <form id="form8" action="http://www.cnn.com/">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Action URL points to a different host, user field prefilled -->
+  <form id="form9" action="http://www.cnn.com/">
+    <input  type="text"       name="uname" value="testuser">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- Try wrapping a evil form around a good form, to see if we can confuse the parser. -->
+  <form id="form10-A" action="http://www.cnn.com/">
+   <form id="form10-B" action="formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit (inner)</button>
+    <button type="reset"> Reset  (inner)</button>
+   </form>
+   <button type="submit" id="neutered_submit10">Submit (outer)</button>
+   <button type="reset">Reset (outer)</button>
+  </form>
+
+  <!-- Try wrapping a good form around an evil form, to see if we can confuse the parser. -->
+  <form id="form11-A" action="formtest.js">
+   <form id="form11-B" action="http://www.cnn.com/">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+
+    <button type="submit">Submit (inner)</button>
+    <button type="reset"> Reset  (inner)</button>
+   </form>
+   <button type="submit" id="neutered_submit11">Submit (outer)</button>
+   <button type="reset">Reset (outer)</button>
+  </form>
+
+<!-- TODO: probably should have some accounts which have no port # in the action url. JS too. And different host/proto. -->
+<!-- TODO: www.site.com vs. site.com? -->
+<!-- TODO: foo.site.com vs. bar.site.com? -->
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: 360493 (Cross-Site Forms + Password Manager = Security Failure) **/
+
+function startTest() {
+  for (var i = 1; i <= 8; i++) {
+    // Check form i
+    is($_(i, "uname").value, "", "Checking for unfilled username " + i);
+    is($_(i, "pword").value, "", "Checking for unfilled password " + i);
+  }
+
+  is($_(9, "uname").value, "testuser", "Checking for unmodified username 9");
+  is($_(9, "pword").value, "",         "Checking for unfilled password 9");
+
+  is($_("10-A", "uname").value, "", "Checking for unfilled username 10A");
+  is($_("10-A", "pword").value, "", "Checking for unfilled password 10A");
+
+  // The DOM indicates this form could be filled, as the evil inner form
+  // is discarded. And yet pwmgr seems not to fill it. Not sure why.
+  todo(false, "Mangled form combo not being filled when maybe it could be?");
+  is($_("11-A", "uname").value, "testuser", "Checking filled username 11A");
+  is($_("11-A", "pword").value, "testpass", "Checking filled password 11A");
+
+  // Verify this by making sure there are no extra forms in the document, and
+  // that the submit button for the neutered forms don't do anything.
+  // If the test finds extra forms the submit() causes the test to timeout, then
+  // there may be a security issue.
+  is(document.forms.length,  11,  "Checking for unexpected forms");
+  $("neutered_submit10").click();
+  $("neutered_submit11").click();
+
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
+
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_form_action_javascript.html b/toolkit/components/passwordmgr/test/mochitest/test_form_action_javascript.html
new file mode 100644
index 000000000..d37e92c40
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_form_action_javascript.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test forms with a JS submit action</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: form with JS submit action
+<script>
+runChecksAfterCommonInit(() => startTest());
+
+runInParent(function setup() {
+  const { classes: Cc, interfaces: Ci, results: Cr, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  let jslogin = Cc["@mozilla.org/login-manager/loginInfo;1"].createInstance(Ci.nsILoginInfo);
+  jslogin.init("http://mochi.test:8888", "javascript:", null,
+              "jsuser", "jspass123", "uname", "pword");
+  Services.logins.addLogin(jslogin);
+});
+
+/** Test for Login Manager: JS action URL **/
+
+function startTest() {
+    checkForm(1, "jsuser", "jspass123");
+
+    SimpleTest.finish();
+}
+</script>
+
+<p id="display"></p>
+
+<div id="content" style="display: none">
+
+
+<form id='form1' action='javascript:alert("never shows")'> 1
+    <input name="uname">
+    <input name="pword" type="password">
+
+    <button type='submit'>Submit</button>
+    <button type='reset'> Reset </button>
+</form>
+
+</div>
+
+<pre id="test"></pre>
+</body>
+</html>
+
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_formless_autofill.html b/toolkit/components/passwordmgr/test/mochitest/test_formless_autofill.html
new file mode 100644
index 000000000..6263c818d
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_formless_autofill.html
@@ -0,0 +1,147 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test autofilling of fields outside of a form</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script type="application/javascript;version=1.8">
+let chromeScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+
+document.addEventListener("DOMContentLoaded", () => {
+  document.getElementById("loginFrame").addEventListener("load", (evt) => {
+    // Tell the parent to setup test logins.
+    chromeScript.sendAsyncMessage("setupParent", { selfFilling: true });
+  });
+});
+
+let doneSetupPromise = new Promise(resolve => {
+  // When the setup is done, load a recipe for this test.
+  chromeScript.addMessageListener("doneSetup", function doneSetup() {
+    resolve();
+  });
+});
+
+add_task(function* setup() {
+  info("Waiting for loads and setup");
+  yield doneSetupPromise;
+
+  yield loadRecipes({
+    siteRecipes: [{
+      hosts: ["mochi.test:8888"],
+      usernameSelector: "input[name='recipeuname']",
+      passwordSelector: "input[name='recipepword']",
+    }],
+  });
+});
+
+
+const DEFAULT_ORIGIN = "http://mochi.test:8888";
+const TESTCASES = [
+  {
+    // Inputs
+    document: `<input type=password>`,
+
+    // Expected outputs
+    expectedInputValues: ["testpass"],
+  },
+  {
+    document: `<input>
+      <input type=password>`,
+    expectedInputValues: ["testuser", "testpass"],
+  },
+  {
+    document: `<input>
+      <input type=password>
+      <input type=password>`,
+    expectedInputValues: ["testuser", "testpass", ""],
+  },
+  {
+    document: `<input>
+      <input type=password>
+      <input type=password>
+      <input type=password>`,
+    expectedInputValues: ["testuser", "testpass", "", ""],
+  },
+  {
+    document: `<input>
+      <input type=password form="form1">
+      <input type=password>
+      <form id="form1">
+        <input>
+        <input type=password>
+      </form>`,
+    expectedFormCount: 2,
+    expectedInputValues: ["testuser", "testpass", "testpass", "", ""],
+  },
+  {
+    document: `<!-- formless password field selector recipe test -->
+      <input>
+      <input type=password>
+      <input>
+      <input type=password name="recipepword">`,
+    expectedInputValues: ["", "", "testuser", "testpass"],
+  },
+  {
+    document: `<!-- formless username and password field selector recipe test -->
+      <input name="recipeuname">
+      <input>
+      <input type=password>
+      <input type=password name="recipepword">`,
+    expectedInputValues: ["testuser", "", "", "testpass"],
+  },
+  {
+    document: `<!-- form and formless recipe field selector test -->
+      <input name="recipeuname">
+      <input>
+      <input type=password form="form1"> <!-- not filled since recipe affects both FormLikes -->
+      <input type=password>
+      <input type=password name="recipepword">
+      <form id="form1">
+        <input>
+        <input type=password>
+      </form>`,
+    expectedFormCount: 2,
+    expectedInputValues: ["testuser", "", "", "", "testpass", "", ""],
+  },
+];
+
+add_task(function* test() {
+  let loginFrame = document.getElementById("loginFrame");
+  let frameDoc = loginFrame.contentWindow.document;
+
+  for (let tc of TESTCASES) {
+    info("Starting testcase: " + JSON.stringify(tc));
+
+    let numFormLikesExpected = tc.expectedFormCount || 1;
+
+    let processedFormPromise = promiseFormsProcessed(numFormLikesExpected);
+
+    frameDoc.documentElement.innerHTML = tc.document;
+    info("waiting for " + numFormLikesExpected + " processed form(s)");
+    yield processedFormPromise;
+
+    let testInputs = frameDoc.documentElement.querySelectorAll("input");
+    is(testInputs.length, tc.expectedInputValues.length, "Check number of inputs");
+    for (let i = 0; i < tc.expectedInputValues.length; i++) {
+      let expectedValue = tc.expectedInputValues[i];
+      is(testInputs[i].value, expectedValue,
+         "Check expected input value " + i + ": " + expectedValue);
+    }
+  }
+});
+
+</script>
+
+<p id="display"></p>
+
+<div id="content">
+  <iframe id="loginFrame" src="http://mochi.test:8888/tests/toolkit/components/passwordmgr/test/blank.html"></iframe>
+</div>
+<pre id="test"></pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_formless_submit.html b/toolkit/components/passwordmgr/test/mochitest/test_formless_submit.html
new file mode 100644
index 000000000..468da1e7f
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_formless_submit.html
@@ -0,0 +1,183 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test capturing of fields outside of a form</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script src="pwmgr_common.js"></script>
+  <link rel="stylesheet" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script type="application/javascript;version=1.8">
+const LMCBackstagePass = SpecialPowers.Cu.import("resource://gre/modules/LoginManagerContent.jsm");
+const { LoginManagerContent, LoginFormFactory } = LMCBackstagePass;
+
+let chromeScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+
+let loadPromise = new Promise(resolve => {
+  document.addEventListener("DOMContentLoaded", () => {
+    document.getElementById("loginFrame").addEventListener("load", (evt) => {
+      resolve();
+    });
+  });
+});
+
+add_task(function* setup() {
+  info("Waiting for page and frame loads");
+  yield loadPromise;
+
+  yield loadRecipes({
+    siteRecipes: [{
+      hosts: ["mochi.test:8888"],
+      usernameSelector: "input[name='recipeuname']",
+      passwordSelector: "input[name='recipepword']",
+    }],
+  });
+});
+
+const DEFAULT_ORIGIN = "http://mochi.test:8888";
+const TESTCASES = [
+  {
+    // Inputs
+    document: `<input type=password value="pass1">`,
+    inputIndexForFormLike: 0,
+
+    // Expected outputs similar to RemoteLogins:onFormSubmit
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: null,
+    newPasswordFieldValue: "pass1",
+    oldPasswordFieldValue: null,
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="pass1">`,
+    inputIndexForFormLike: 0,
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass1",
+    oldPasswordFieldValue: null,
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="pass1">`,
+    inputIndexForFormLike: 1,
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass1",
+    oldPasswordFieldValue: null,
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="pass1">
+      <input type=password value="pass2">`,
+    inputIndexForFormLike: 2,
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass2",
+    oldPasswordFieldValue: "pass1",
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="pass1">
+      <input type=password value="pass2">
+      <input type=password value="pass2">`,
+    inputIndexForFormLike: 3,
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass2",
+    oldPasswordFieldValue: "pass1",
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="user2" form="form1">
+      <input type=password value="pass1">
+      <form id="form1">
+        <input value="user3">
+        <input type=password value="pass2">
+      </form>`,
+    inputIndexForFormLike: 2,
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass1",
+    oldPasswordFieldValue: null,
+  },
+  {
+    document: `<!-- recipe field override -->
+      <input name="recipeuname" value="username from recipe">
+      <input value="default field username">
+      <input type=password value="pass1">
+      <input name="recipepword" type=password value="pass2">`,
+    inputIndexForFormLike: 2,
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "username from recipe",
+    newPasswordFieldValue: "pass2",
+    oldPasswordFieldValue: null,
+  },
+];
+
+function getSubmitMessage() {
+  info("getSubmitMessage");
+  return new Promise((resolve, reject) => {
+    chromeScript.addMessageListener("formSubmissionProcessed", function processed(...args) {
+      info("got formSubmissionProcessed");
+      chromeScript.removeMessageListener("formSubmissionProcessed", processed);
+      resolve(...args);
+    });
+  });
+}
+
+add_task(function* test() {
+  let loginFrame = document.getElementById("loginFrame");
+  let frameDoc = loginFrame.contentWindow.document;
+
+  for (let tc of TESTCASES) {
+    info("Starting testcase: " + JSON.stringify(tc));
+    frameDoc.documentElement.innerHTML = tc.document;
+    let inputForFormLike = frameDoc.querySelectorAll("input")[tc.inputIndexForFormLike];
+
+    let formLike = LoginFormFactory.createFromField(inputForFormLike);
+
+    info("Calling _onFormSubmit with FormLike");
+    let processedPromise = getSubmitMessage();
+    LoginManagerContent._onFormSubmit(formLike);
+
+    let submittedResult = yield processedPromise;
+
+    // Check data sent via RemoteLogins:onFormSubmit
+    is(submittedResult.hostname, tc.hostname, "Check hostname");
+    is(submittedResult.formSubmitURL, tc.formSubmitURL, "Check formSubmitURL");
+
+    if (tc.usernameFieldValue === null) {
+      is(submittedResult.usernameField, tc.usernameFieldValue, "Check usernameField");
+    } else {
+      is(submittedResult.usernameField.value, tc.usernameFieldValue, "Check usernameField");
+    }
+
+    is(submittedResult.newPasswordField.value, tc.newPasswordFieldValue, "Check newPasswordFieldValue");
+
+    if (tc.oldPasswordFieldValue === null) {
+      is(submittedResult.oldPasswordField, tc.oldPasswordFieldValue, "Check oldPasswordFieldValue");
+    } else {
+      is(submittedResult.oldPasswordField.value, tc.oldPasswordFieldValue, "Check oldPasswordFieldValue");
+    }
+  }
+});
+
+</script>
+
+<p id="display"></p>
+
+<div id="content">
+  <iframe id="loginFrame" src="http://mochi.test:8888/tests/toolkit/components/passwordmgr/test/blank.html"></iframe>
+</div>
+<pre id="test"></pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_formless_submit_navigation.html b/toolkit/components/passwordmgr/test/mochitest/test_formless_submit_navigation.html
new file mode 100644
index 000000000..b07d0886c
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_formless_submit_navigation.html
@@ -0,0 +1,191 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test capturing of fields outside of a form due to navigation</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script src="pwmgr_common.js"></script>
+  <link rel="stylesheet" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script type="application/javascript;version=1.8">
+const LMCBackstagePass = SpecialPowers.Cu.import("resource://gre/modules/LoginManagerContent.jsm");
+const { LoginManagerContent, LoginFormFactory } = LMCBackstagePass;
+
+let chromeScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+
+let loadPromise = new Promise(resolve => {
+  document.addEventListener("DOMContentLoaded", () => {
+    document.getElementById("loginFrame").addEventListener("load", (evt) => {
+      resolve();
+    });
+  });
+});
+
+add_task(function* setup() {
+  yield SpecialPowers.pushPrefEnv({
+    set: [
+      ["signon.formlessCapture.enabled", true],
+    ],
+  });
+
+  info("Waiting for page and frame loads");
+  yield loadPromise;
+
+  yield loadRecipes({
+    siteRecipes: [{
+      hosts: ["test1.mochi.test:8888"],
+      usernameSelector: "input[name='recipeuname']",
+      passwordSelector: "input[name='recipepword']",
+    }],
+  });
+});
+
+const DEFAULT_ORIGIN = "http://test1.mochi.test:8888";
+const SCRIPTS = {
+  PUSHSTATE: `history.pushState({}, "Pushed state", "?pushed");`,
+  WINDOW_LOCATION: `window.location = "data:text/html;charset=utf-8,window.location";`,
+};
+const TESTCASES = [
+  {
+    // Inputs
+    document: `<input type=password value="pass1">`,
+
+    // Expected outputs similar to RemoteLogins:onFormSubmit
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: null,
+    newPasswordFieldValue: "pass1",
+    oldPasswordFieldValue: null,
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="pass1">`,
+
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass1",
+    oldPasswordFieldValue: null,
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="pass1">
+      <input type=password value="pass2">`,
+
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass2",
+    oldPasswordFieldValue: "pass1",
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="pass1">
+      <input type=password value="pass2">
+      <input type=password value="pass2">`,
+
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass2",
+    oldPasswordFieldValue: "pass1",
+  },
+  {
+    document: `<input value="user1">
+      <input type=password value="user2" form="form1">
+      <input type=password value="pass1">
+      <form id="form1">
+        <input value="user3">
+        <input type=password value="pass2">
+      </form>`,
+
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "user1",
+    newPasswordFieldValue: "pass1",
+    oldPasswordFieldValue: null,
+  },
+  {
+    document: `<!-- recipe field override -->
+      <input name="recipeuname" value="username from recipe">
+      <input value="default field username">
+      <input type=password value="pass1">
+      <input name="recipepword" type=password value="pass2">`,
+
+    hostname: DEFAULT_ORIGIN,
+    formSubmitURL: DEFAULT_ORIGIN,
+    usernameFieldValue: "username from recipe",
+    newPasswordFieldValue: "pass2",
+    oldPasswordFieldValue: null,
+  },
+];
+
+function getSubmitMessage() {
+  info("getSubmitMessage");
+  return new Promise((resolve, reject) => {
+    chromeScript.addMessageListener("formSubmissionProcessed", function processed(...args) {
+      info("got formSubmissionProcessed");
+      chromeScript.removeMessageListener("formSubmissionProcessed", processed);
+      resolve(...args);
+    });
+  });
+}
+
+add_task(function* test() {
+  let loginFrame = document.getElementById("loginFrame");
+
+  for (let tc of TESTCASES) {
+    for (let scriptName of Object.keys(SCRIPTS)) {
+      info("Starting testcase with script " + scriptName + ": " + JSON.stringify(tc));
+      let loadedPromise = new Promise((resolve) => {
+        loginFrame.addEventListener("load", function frameLoaded() {
+          loginFrame.removeEventListener("load", frameLoaded);
+          resolve();
+        });
+      });
+      loginFrame.src = DEFAULT_ORIGIN + "/tests/toolkit/components/passwordmgr/test/mochitest/blank.html";
+      yield loadedPromise;
+
+      let frameDoc = SpecialPowers.wrap(loginFrame.contentWindow).document;
+      frameDoc.documentElement.innerHTML = tc.document;
+      // Wait for the form to be processed before trying to submit.
+      yield promiseFormsProcessed();
+      let processedPromise = getSubmitMessage();
+      info("Running " + scriptName + " script to cause a submission");
+      frameDoc.defaultView.eval(SCRIPTS[scriptName]);
+
+      let submittedResult = yield processedPromise;
+
+      // Check data sent via RemoteLogins:onFormSubmit
+      is(submittedResult.hostname, tc.hostname, "Check hostname");
+      is(submittedResult.formSubmitURL, tc.formSubmitURL, "Check formSubmitURL");
+
+      if (tc.usernameFieldValue === null) {
+        is(submittedResult.usernameField, tc.usernameFieldValue, "Check usernameField");
+      } else {
+        is(submittedResult.usernameField.value, tc.usernameFieldValue, "Check usernameField");
+      }
+
+      is(submittedResult.newPasswordField.value, tc.newPasswordFieldValue, "Check newPasswordFieldValue");
+
+      if (tc.oldPasswordFieldValue === null) {
+        is(submittedResult.oldPasswordField, tc.oldPasswordFieldValue, "Check oldPasswordFieldValue");
+      } else {
+        is(submittedResult.oldPasswordField.value, tc.oldPasswordFieldValue, "Check oldPasswordFieldValue");
+      }
+    }
+  }
+});
+
+</script>
+
+<p id="display"></p>
+
+<div id="content">
+  <iframe id="loginFrame" src="http://test1.mochi.test:8888/tests/toolkit/components/passwordmgr/test/mochitest/blank.html"></iframe>
+</div>
+<pre id="test"></pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_formless_submit_navigation_negative.html b/toolkit/components/passwordmgr/test/mochitest/test_formless_submit_navigation_negative.html
new file mode 100644
index 000000000..4283f128c
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_formless_submit_navigation_negative.html
@@ -0,0 +1,121 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test no capturing of fields outside of a form due to navigation</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script src="pwmgr_common.js"></script>
+  <link rel="stylesheet" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script type="application/javascript;version=1.8">
+const LMCBackstagePass = SpecialPowers.Cu.import("resource://gre/modules/LoginManagerContent.jsm");
+const { LoginManagerContent, LoginFormFactory } = LMCBackstagePass;
+
+SimpleTest.requestFlakyTimeout("Testing that a message doesn't arrive");
+
+let chromeScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+
+let loadPromise = new Promise(resolve => {
+  document.addEventListener("DOMContentLoaded", () => {
+    document.getElementById("loginFrame").addEventListener("load", (evt) => {
+      resolve();
+    });
+  });
+});
+
+function submissionProcessed(...args) {
+  ok(false, "No formSubmissionProcessed should occur in this test");
+  info("got: " + JSON.stringify(args));
+}
+
+add_task(function* setup() {
+  yield SpecialPowers.pushPrefEnv({
+    set: [
+      ["signon.formlessCapture.enabled", true],
+    ],
+  });
+
+  info("Waiting for page and frame loads");
+  yield loadPromise;
+
+  chromeScript.addMessageListener("formSubmissionProcessed", submissionProcessed);
+
+  SimpleTest.registerCleanupFunction(() => {
+    chromeScript.removeMessageListener("formSubmissionProcessed", submissionProcessed);
+  });
+});
+
+const DEFAULT_ORIGIN = "http://test1.mochi.test:8888";
+const SCRIPTS = {
+  PUSHSTATE: `history.pushState({}, "Pushed state", "?pushed");`,
+  WINDOW_LOCATION: `window.location = "data:text/html;charset=utf-8,window.location";`,
+  WINDOW_LOCATION_RELOAD: `window.location.reload();`,
+  HISTORY_BACK: `history.back();`,
+  HISTORY_GO_MINUS1: `history.go(-1);`,
+};
+const TESTCASES = [
+  // Begin test cases that shouldn't trigger capture.
+  {
+    // For now we don't trigger upon navigation if <form> is used.
+    document: `<form><input type=password value="pass1"></form>`,
+  },
+  {
+    // Empty password field
+    document: `<input type=password value="">`,
+  },
+  {
+    // Test with an input that would normally be captured but with SCRIPTS that
+    // shouldn't trigger capture.
+    document: `<input type=password value="pass2">`,
+    wouldCapture: true,
+  },
+];
+
+add_task(function* test() {
+  let loginFrame = document.getElementById("loginFrame");
+
+  for (let tc of TESTCASES) {
+    for (let scriptName of Object.keys(SCRIPTS)) {
+      if (tc.wouldCapture && ["PUSHSTATE", "WINDOW_LOCATION"].includes(scriptName)) {
+        // Don't run scripts that should actually capture for this testcase.
+        continue;
+      }
+
+      info("Starting testcase with script " + scriptName + ": " + JSON.stringify(tc));
+      let loadedPromise = new Promise((resolve) => {
+        loginFrame.addEventListener("load", function frameLoaded() {
+          loginFrame.removeEventListener("load", frameLoaded);
+          resolve();
+        });
+      });
+      loginFrame.src = DEFAULT_ORIGIN + "/tests/toolkit/components/passwordmgr/test/mochitest/blank.html";
+      yield loadedPromise;
+
+      let frameDoc = SpecialPowers.wrap(loginFrame.contentWindow).document;
+      frameDoc.documentElement.innerHTML = tc.document;
+
+      // Wait for the form to be processed before trying to submit.
+      yield promiseFormsProcessed();
+
+      info("Running " + scriptName + " script to check for a submission");
+      frameDoc.defaultView.eval(SCRIPTS[scriptName]);
+
+      // Wait for 5000ms to see if the promise above resolves.
+      yield new Promise(resolve => setTimeout(resolve, 5000));
+      ok(true, "Done waiting for captures");
+    }
+  }
+});
+
+</script>
+
+<p id="display"></p>
+
+<div id="content">
+  <iframe id="loginFrame" src="http://test1.mochi.test:8888/tests/toolkit/components/passwordmgr/test/mochitest/blank.html"></iframe>
+</div>
+<pre id="test"></pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_input_events.html b/toolkit/components/passwordmgr/test/mochitest/test_input_events.html
new file mode 100644
index 000000000..0e77956d8
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_input_events.html
@@ -0,0 +1,96 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for input events in Login Manager</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body onload="onNewEvent(event)">
+Login Manager test: input events should fire.
+
+<script>
+runChecksAfterCommonInit();
+
+SimpleTest.requestFlakyTimeout("untriaged");
+
+/** Test for Login Manager: form fill, should get input events. **/
+
+var usernameInputFired = false;
+var passwordInputFired = false;
+var usernameChangeFired = false;
+var passwordChangeFired = false;
+var onloadFired = false;
+
+function onNewEvent(e) {
+  info("Got " + e.type + " event.");
+  if (e.type == "load") {
+    onloadFired = true;
+  } else if (e.type == "input") {
+    if (e.target.name == "uname") {
+      is(e.target.value, "testuser", "Should get 'testuser' as username");
+      ok(!usernameInputFired, "Should not have gotten an input event for the username field yet.");
+      usernameInputFired = true;
+    } else if (e.target.name == "pword") {
+      is(e.target.value, "testpass", "Should get 'testpass' as password");
+      ok(!passwordInputFired, "Should not have gotten an input event for the password field yet.");
+      passwordInputFired = true;
+    }
+  } else if (e.type == "change") {
+    if (e.target.name == "uname") {
+      is(e.target.value, "testuser", "Should get 'testuser' as username");
+      ok(usernameInputFired, "Should get input event before change event for username field.");
+      ok(!usernameChangeFired, "Should not have gotten a change event for the username field yet.");
+      usernameChangeFired = true;
+    } else if (e.target.name == "pword") {
+      is(e.target.value, "testpass", "Should get 'testpass' as password");
+      ok(passwordInputFired, "Should get input event before change event for password field.");
+      ok(!passwordChangeFired, "Should not have gotten a change event for the password field yet.");
+      passwordChangeFired = true;
+    }
+  }
+  if (onloadFired && usernameInputFired && passwordInputFired && usernameChangeFired && passwordChangeFired) {
+    ok(true, "All events fired as expected, we're done.");
+    SimpleTest.finish();
+  }
+}
+
+SimpleTest.registerCleanupFunction(function cleanup() {
+  clearTimeout(timeout);
+  $_(1, "uname").removeAttribute("oninput");
+  $_(1, "pword").removeAttribute("oninput");
+  $_(1, "uname").removeAttribute("onchange");
+  $_(1, "pword").removeAttribute("onchange");
+  document.body.removeAttribute("onload");
+});
+
+var timeout = setTimeout(function() {
+  ok(usernameInputFired, "Username input event should have fired by now.");
+  ok(passwordInputFired, "Password input event should have fired by now.");
+  ok(usernameChangeFired, "Username change event should have fired by now.");
+  ok(passwordChangeFired, "Password change event should have fired by now.");
+  ok(onloadFired, "Window load event should have fired by now.");
+  ok(false, "Not all events fired yet.");
+  SimpleTest.finish();
+}, 10000);
+
+</script>
+
+<p id="display"></p>
+
+<div id="content" style="display: none">
+
+  <form id="form1" action="formtest.js">
+    <p>This is form 1.</p>
+    <input  type="text"       name="uname" oninput="onNewEvent(event)" onchange="onNewEvent(event)">
+    <input  type="password"   name="pword" oninput="onNewEvent(event)" onchange="onNewEvent(event)">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+</div>
+<pre id="test"></pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_input_events_for_identical_values.html b/toolkit/components/passwordmgr/test/mochitest/test_input_events_for_identical_values.html
new file mode 100644
index 000000000..d058a87f9
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_input_events_for_identical_values.html
@@ -0,0 +1,51 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for input events in Login Manager when username/password are filled in already</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body onload="onNewEvent(event)">
+Login Manager test: input events should fire.
+
+<script>
+runChecksAfterCommonInit();
+
+SimpleTest.requestFlakyTimeout("untriaged");
+
+/** Test for Login Manager: form fill when form is already filled, should not get input events. **/
+
+var onloadFired = false;
+
+function onNewEvent(e) {
+  console.error("Got " + e.type + " event.");
+  if (e.type == "load") {
+    onloadFired = true;
+    $_(1, "uname").focus();
+    sendKey("Tab");
+  } else {
+    ok(false, "Got an input event for " + e.target.name + " field, which shouldn't happen.");
+  }
+}
+</script>
+
+<p id="display"></p>
+
+<div id="content">
+
+  <form id="form1" action="formtest.js">
+    <p>This is form 1.</p>
+    <input  type="text"       name="uname" oninput="onNewEvent(event)" value="testuser">
+    <input  type="password"   name="pword" oninput="onNewEvent(event)" onfocus="setTimeout(function() { SimpleTest.finish() }, 1000);" value="testpass">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+</div>
+<pre id="test"></pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html b/toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html
new file mode 100644
index 000000000..c5d0a44fa
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html
@@ -0,0 +1,861 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test insecure form field autocomplete</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+<script>
+var chromeScript = runChecksAfterCommonInit();
+
+var setupScript = runInParent(function setup() {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  // Create some logins just for this form, since we'll be deleting them.
+  var nsLoginInfo = Components.Constructor("@mozilla.org/login-manager/loginInfo;1",
+                                           Ci.nsILoginInfo, "init");
+  assert.ok(nsLoginInfo != null, "nsLoginInfo constructor");
+
+  // login0 has no username, so should be filtered out from the autocomplete list.
+  var login0 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "", "user0pass", "", "pword");
+
+  var login1 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "tempuser1", "temppass1", "uname", "pword");
+
+  var login2 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "testuser2", "testpass2", "uname", "pword");
+
+  var login3 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "testuser3", "testpass3", "uname", "pword");
+
+  var login4 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "zzzuser4", "zzzpass4", "uname", "pword");
+
+  // login 5 only used in the single-user forms
+  var login5 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete2", null,
+                               "singleuser5", "singlepass5", "uname", "pword");
+
+  var login6A = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete3", null,
+                                "form7user1", "form7pass1", "uname", "pword");
+  var login6B = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete3", null,
+                                "form7user2", "form7pass2", "uname", "pword");
+
+  var login7  = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete4", null,
+                                "form8user", "form8pass", "uname", "pword");
+
+  var login8A = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete5", null,
+                                "form9userAB", "form9pass", "uname", "pword");
+  var login8B = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete5", null,
+                                "form9userAAB", "form9pass", "uname", "pword");
+  var login8C = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete5", null,
+                                "form9userAABzz", "form9pass", "uname", "pword");
+
+  var login10 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete7", null,
+                                "testuser10", "testpass10", "uname", "pword");
+
+
+  // try/catch in case someone runs the tests manually, twice.
+  try {
+    Services.logins.addLogin(login0);
+    Services.logins.addLogin(login1);
+    Services.logins.addLogin(login2);
+    Services.logins.addLogin(login3);
+    Services.logins.addLogin(login4);
+    Services.logins.addLogin(login5);
+    Services.logins.addLogin(login6A);
+    Services.logins.addLogin(login6B);
+    Services.logins.addLogin(login7);
+    Services.logins.addLogin(login8A);
+    Services.logins.addLogin(login8B);
+    // login8C is added later
+    Services.logins.addLogin(login10);
+  } catch (e) {
+    assert.ok(false, "addLogin threw: " + e);
+  }
+
+  addMessageListener("addLogin", loginVariableName => {
+    let login = eval(loginVariableName);
+    assert.ok(!!login, "Login to add is defined: " + loginVariableName);
+    Services.logins.addLogin(login);
+  });
+  addMessageListener("removeLogin", loginVariableName => {
+    let login = eval(loginVariableName);
+    assert.ok(!!login, "Login to delete is defined: " + loginVariableName);
+    Services.logins.removeLogin(login);
+  });
+});
+</script>
+<p id="display"></p>
+
+<!-- we presumably can't hide the content for this test. -->
+<div id="content">
+
+  <!-- form1 tests multiple matching logins -->
+  <form id="form1" action="http://autocomplete:8888/formtest.js" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- other forms test single logins, with autocomplete=off set -->
+  <form id="form2" action="http://autocomplete2" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword" autocomplete="off">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form3" action="http://autocomplete2" onsubmit="return false;">
+    <input  type="text"       name="uname" autocomplete="off">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form4" action="http://autocomplete2" onsubmit="return false;" autocomplete="off">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form5" action="http://autocomplete2" onsubmit="return false;">
+    <input  type="text"       name="uname" autocomplete="off">
+    <input  type="password"   name="pword" autocomplete="off">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- control -->
+  <form id="form6" action="http://autocomplete2" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- This form will be manipulated to insert a different username field. -->
+  <form id="form7" action="http://autocomplete3" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- test for no autofill after onblur with blank username -->
+  <form id="form8" action="http://autocomplete4" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- test autocomplete dropdown -->
+  <form id="form9" action="http://autocomplete5" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- test for onUsernameInput recipe testing -->
+  <form id="form11" action="http://autocomplete7" onsubmit="return false;">
+    <input  type="text"   name="1">
+    <input  type="text"   name="2">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- tests <form>-less autocomplete -->
+  <div id="form12">
+     <input  type="text"       name="uname" id="uname">
+     <input  type="password"   name="pword" id="pword">
+     <button type="submit">Submit</button>
+   </div>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: multiple login autocomplete. **/
+
+var uname = $_(1, "uname");
+var pword = $_(1, "pword");
+const shiftModifier = SpecialPowers.Ci.nsIDOMEvent.SHIFT_MASK;
+
+// Restore the form to the default state.
+function restoreForm() {
+  uname.value = "";
+  pword.value = "";
+  uname.focus();
+}
+
+// Check for expected username/password in form.
+function checkACForm(expectedUsername, expectedPassword) {
+  var formID = uname.parentNode.id;
+  is(uname.value, expectedUsername, "Checking " + formID + " username is: " + expectedUsername);
+  is(pword.value, expectedPassword, "Checking " + formID + " password is: " + expectedPassword);
+}
+
+function sendFakeAutocompleteEvent(element) {
+  var acEvent = document.createEvent("HTMLEvents");
+  acEvent.initEvent("DOMAutoComplete", true, false);
+  element.dispatchEvent(acEvent);
+}
+
+function spinEventLoop() {
+  return Promise.resolve();
+}
+
+add_task(function* setup() {
+  yield SpecialPowers.pushPrefEnv({"set": [["security.insecure_field_warning.contextual.enabled", true],
+                                           ["signon.autofillForms.http", true]]});
+  listenForUnexpectedPopupShown();
+});
+
+add_task(function* test_form1_initial_empty() {
+  yield SimpleTest.promiseFocus(window);
+
+  // Make sure initial form is empty.
+  checkACForm("", "");
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is initially closed");
+});
+
+add_task(function* test_form1_warning_entry() {
+  yield SimpleTest.promiseFocus(window);
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  let results = yield shownPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected upon opening");
+
+  let expectedMenuItems = ["This connection is not secure. Logins entered here could be compromised. Learn More",
+                           "tempuser1",
+                           "testuser2",
+                           "testuser3",
+                           "zzzuser4"];
+  checkArrayValues(results, expectedMenuItems, "Check all menuitems are displayed correctly.");
+
+  doKey("down"); // select insecure warning
+  checkACForm("", ""); // value shouldn't update just by selecting
+  doKey("return"); // not "enter"!
+  yield spinEventLoop(); // let focus happen
+  checkACForm("", "");
+});
+
+add_task(function* test_form1_first_entry() {
+  yield SimpleTest.promiseFocus(window);
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected upon opening");
+
+  doKey("down"); // skip insecure warning
+  doKey("down"); // first
+  checkACForm("", ""); // value shouldn't update just by selecting
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("tempuser1", "temppass1");
+});
+
+add_task(function* test_form1_second_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_third_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("down"); // third
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser3", "testpass3");
+});
+
+add_task(function* test_form1_fourth_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("down"); // third
+  doKey("down"); // fourth
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_wraparound_first_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  yield spinEventLoop(); // let focus happen
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("down"); // third
+  doKey("down"); // fourth
+  doKey("down"); // deselects
+  doKey("down"); // skip insecure warning
+  doKey("down"); // first
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("tempuser1", "temppass1");
+});
+
+add_task(function* test_form1_wraparound_up_last_entry() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("up"); // last (fourth)
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_wraparound_down_up_up() {
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // select first entry
+  doKey("up");   // selects nothing!
+  doKey("up");   // select last entry
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_wraparound_up_last() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down");
+  doKey("up"); // deselects
+  doKey("up"); // last entry
+  doKey("up");
+  doKey("up");
+  doKey("up"); // skip insecure warning
+  doKey("up"); // first entry
+  doKey("up"); // deselects
+  doKey("up"); // last entry
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_fill_username_without_autofill_right() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Set first entry w/o triggering autocomplete
+  doKey("down"); // skip insecure warning
+  doKey("down"); // first
+  doKey("right");
+  yield spinEventLoop();
+  checkACForm("tempuser1", ""); // empty password
+});
+
+add_task(function* test_form1_fill_username_without_autofill_left() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Set first entry w/o triggering autocomplete
+  doKey("down"); // skip insecure warning
+  doKey("down"); // first
+  doKey("left");
+  checkACForm("tempuser1", ""); // empty password
+});
+
+add_task(function* test_form1_pageup_first() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // Check first entry (page up)
+  doKey("down"); // first
+  doKey("down"); // second
+  doKey("page_up"); // first
+  doKey("down"); // skip insecure warning
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("tempuser1", "temppass1");
+});
+
+add_task(function* test_form1_pagedown_last() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // test 13
+  // Check last entry (page down)
+  doKey("down"); // first
+  doKey("page_down"); // last
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_untrusted_event() {
+  restoreForm();
+  yield spinEventLoop();
+
+  // Send a fake (untrusted) event.
+  checkACForm("", "");
+  uname.value = "zzzuser4";
+  sendFakeAutocompleteEvent(uname);
+  yield spinEventLoop();
+  checkACForm("zzzuser4", "");
+});
+
+add_task(function* test_form1_delete() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  // XXX tried sending character "t" before/during dropdown to test
+  // filtering, but had no luck. Seemed like the character was getting lost.
+  // Setting uname.value didn't seem to work either. This works with a human
+  // driver, so I'm not sure what's up.
+
+  doKey("down"); // skip insecure warning
+  // Delete the first entry (of 4), "tempuser1"
+  doKey("down");
+  var numLogins;
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 5, "Correct number of logins before deleting one");
+
+  let countChangedPromise = notifyMenuChanged(4);
+  var deletionPromise = promiseStorageChanged(["removeLogin"]);
+  // On OS X, shift-backspace and shift-delete work, just delete does not.
+  // On Win/Linux, shift-backspace does not work, delete and shift-delete do.
+  doKey("delete", shiftModifier);
+  yield deletionPromise;
+
+  checkACForm("", "");
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 4, "Correct number of logins after deleting one");
+  yield countChangedPromise;
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_first_after_deletion() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Check the new first entry (of 3)
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_delete_second() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Delete the second entry (of 3), "testuser3"
+  doKey("down");
+  doKey("down");
+  doKey("delete", shiftModifier);
+  checkACForm("", "");
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 3, "Correct number of logins after deleting one");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("zzzuser4", "zzzpass4");
+});
+
+add_task(function* test_form1_first_after_deletion2() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Check the new first entry (of 2)
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_delete_last() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // test 54
+  // Delete the last entry (of 2), "zzzuser4"
+  doKey("down");
+  doKey("down");
+  doKey("delete", shiftModifier);
+  checkACForm("", "");
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 2, "Correct number of logins after deleting one");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_first_after_3_deletions() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Check the only remaining entry
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("testuser2", "testpass2");
+});
+
+add_task(function* test_form1_check_only_entry_remaining() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // test 56
+  // Delete the only remaining entry, "testuser2"
+  doKey("down");
+  doKey("delete", shiftModifier);
+  checkACForm("", "");
+  numLogins = LoginManager.countLogins("http://mochi.test:8888", "http://autocomplete:8888", null);
+  is(numLogins, 1, "Correct number of logins after deleting one");
+
+  // remove the login that's not shown in the list.
+  setupScript.sendSyncMessage("removeLogin", "login0");
+});
+
+// Tests for single-user forms for ignoring autocomplete=off
+add_task(function* test_form2() {
+  // Turn our attention to form2
+  uname = $_(2, "uname");
+  pword = $_(2, "pword");
+  checkACForm("singleuser5", "singlepass5");
+
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form3() {
+  uname = $_(3, "uname");
+  pword = $_(3, "pword");
+  checkACForm("singleuser5", "singlepass5");
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form4() {
+  uname = $_(4, "uname");
+  pword = $_(4, "pword");
+  checkACForm("singleuser5", "singlepass5");
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form5() {
+  uname = $_(5, "uname");
+  pword = $_(5, "pword");
+  checkACForm("singleuser5", "singlepass5");
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form6() {
+  // (this is a control, w/o autocomplete=off, to ensure the login
+  // that was being suppressed would have been filled in otherwise)
+  uname = $_(6, "uname");
+  pword = $_(6, "pword");
+  checkACForm("singleuser5", "singlepass5");
+});
+
+add_task(function* test_form6_changeUsername() {
+  // Test that the password field remains filled in after changing
+  // the username.
+  uname.focus();
+  doKey("right");
+  sendChar("X");
+  // Trigger the 'blur' event on uname
+  pword.focus();
+  yield spinEventLoop();
+  checkACForm("singleuser5X", "singlepass5");
+
+  setupScript.sendSyncMessage("removeLogin", "login5");
+});
+
+add_task(function* test_form7() {
+  uname = $_(7, "uname");
+  pword = $_(7, "pword");
+  checkACForm("", "");
+
+  // Insert a new username field into the form. We'll then make sure
+  // that invoking the autocomplete doesn't try to fill the form.
+  var newField = document.createElement("input");
+  newField.setAttribute("type", "text");
+  newField.setAttribute("name", "uname2");
+  pword.parentNode.insertBefore(newField, pword);
+  is($_(7, "uname2").value, "", "Verifying empty uname2");
+
+  // Delete login6B. It was created just to prevent filling in a login
+  // automatically, removing it makes it more likely that we'll catch a
+  // future regression with form filling here.
+  setupScript.sendSyncMessage("removeLogin", "login6B");
+});
+
+add_task(function* test_form7_2() {
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Check first entry
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  // The form changes, so we expect the old username field to get the
+  // selected autocomplete value, but neither the new username field nor
+  // the password field should have any values filled in.
+  yield spinEventLoop();
+  checkACForm("form7user1", "");
+  is($_(7, "uname2").value, "", "Verifying empty uname2");
+  restoreForm(); // clear field, so reloading test doesn't fail
+
+  setupScript.sendSyncMessage("removeLogin", "login6A");
+});
+
+add_task(function* test_form8() {
+  uname = $_(8, "uname");
+  pword = $_(8, "pword");
+  checkACForm("form8user", "form8pass");
+  restoreForm();
+});
+
+add_task(function* test_form8_blur() {
+  checkACForm("", "");
+  // Focus the previous form to trigger a blur.
+  $_(7, "uname").focus();
+});
+
+add_task(function* test_form8_2() {
+  checkACForm("", "");
+  restoreForm();
+});
+
+add_task(function* test_form8_3() {
+  checkACForm("", "");
+  setupScript.sendSyncMessage("removeLogin", "login7");
+});
+
+add_task(function* test_form9_filtering() {
+  // Turn our attention to form9 to test the dropdown - bug 497541
+  uname = $_(9, "uname");
+  pword = $_(9, "pword");
+  uname.focus();
+  let shownPromise = promiseACShown();
+  sendString("form9userAB");
+  yield shownPromise;
+
+  checkACForm("form9userAB", "");
+  uname.focus();
+  doKey("left");
+  shownPromise = promiseACShown();
+  sendChar("A");
+  let results = yield shownPromise;
+
+  checkACForm("form9userAAB", "");
+  checkArrayValues(results, ["This connection is not secure. Logins entered here could be compromised. Learn More", "form9userAAB"],
+                            "Check dropdown is updated after inserting 'A'");
+  doKey("down"); // skip insecure warning
+  doKey("down");
+  doKey("return");
+  yield promiseFormsProcessed();
+  checkACForm("form9userAAB", "form9pass");
+});
+
+add_task(function* test_form9_autocomplete_cache() {
+  // Note that this addLogin call will only be seen by the autocomplete
+  // attempt for the sendChar if we do not successfully cache the
+  // autocomplete results.
+  setupScript.sendSyncMessage("addLogin", "login8C");
+  uname.focus();
+  let promise0 = notifyMenuChanged(1);
+  let shownPromise = promiseACShown();
+  sendChar("z");
+  yield promise0;
+  yield shownPromise;
+  let popupState = yield getPopupState();
+  is(popupState.open, true, "Check popup should open");
+
+  // check that empty results are cached - bug 496466
+  promise0 = notifyMenuChanged(1);
+  sendChar("z");
+  yield promise0;
+  popupState = yield getPopupState();
+  is(popupState.open, true, "Check popup stays opened due to cached empty result");
+});
+
+add_task(function* test_form11_recipes() {
+  yield loadRecipes({
+    siteRecipes: [{
+      "hosts": ["mochi.test:8888"],
+      "usernameSelector": "input[name='1']",
+      "passwordSelector": "input[name='2']"
+    }],
+  });
+  uname = $_(11, "1");
+  pword = $_(11, "2");
+
+  // First test DOMAutocomplete
+  // Switch the password field to type=password so _fillForm marks the username
+  // field for autocomplete.
+  pword.type = "password";
+  yield promiseFormsProcessed();
+  restoreForm();
+  checkACForm("", "");
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  doKey("return"); // not "enter"!
+  yield promiseFormsProcessed();
+  checkACForm("testuser10", "testpass10");
+
+  // Now test recipes with blur on the username field.
+  restoreForm();
+  checkACForm("", "");
+  uname.value = "testuser10";
+  checkACForm("testuser10", "");
+  doKey("tab");
+  yield promiseFormsProcessed();
+  checkACForm("testuser10", "testpass10");
+  yield resetRecipes();
+});
+
+add_task(function* test_form12_formless() {
+  // Test form-less autocomplete
+  uname = $_(12, "uname");
+  pword = $_(12, "pword");
+  restoreForm();
+  checkACForm("", "");
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  doKey("down"); // skip insecure warning
+  // Trigger autocomplete
+  doKey("down");
+  checkACForm("", ""); // value shouldn't update
+  let processedPromise = promiseFormsProcessed();
+  doKey("return"); // not "enter"!
+  yield processedPromise;
+  checkACForm("testuser", "testpass");
+});
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_no_saved_login.html b/toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_no_saved_login.html
new file mode 100644
index 000000000..c3a894958
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_no_saved_login.html
@@ -0,0 +1,103 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test basic login, contextual inscure password warning without saved logins</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: contextual inscure password warning without saved logins
+
+<script>
+let chromeScript = runChecksAfterCommonInit();
+</script>
+<p id="display"></p>
+
+<!-- we presumably can't hide the content for this test. -->
+<div id="content">
+
+  <form id="form1" action="http://autocomplete:8888/formtest.js" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: contextual inscure password warning without saved logins. **/
+
+// Set to pref before the document loads.
+SpecialPowers.setBoolPref(
+  "security.insecure_field_warning.contextual.enabled", true);
+
+SimpleTest.registerCleanupFunction(() => {
+  SpecialPowers.clearUserPref(
+    "security.insecure_field_warning.contextual.enabled");
+});
+
+let uname = $_(1, "uname");
+let pword = $_(1, "pword");
+const shiftModifier = SpecialPowers.Ci.nsIDOMEvent.SHIFT_MASK;
+
+// Restore the form to the default state.
+function restoreForm() {
+  uname.value = "";
+  pword.value = "";
+  uname.focus();
+}
+
+// Check for expected username/password in form.
+function checkACForm(expectedUsername, expectedPassword) {
+  let formID = uname.parentNode.id;
+  is(uname.value, expectedUsername, "Checking " + formID + " username is: " + expectedUsername);
+  is(pword.value, expectedPassword, "Checking " + formID + " password is: " + expectedPassword);
+}
+
+function spinEventLoop() {
+  return Promise.resolve();
+}
+
+add_task(function* setup() {
+  listenForUnexpectedPopupShown();
+});
+
+add_task(function* test_form1_initial_empty() {
+  yield SimpleTest.promiseFocus(window);
+
+  // Make sure initial form is empty.
+  checkACForm("", "");
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is initially closed");
+});
+
+add_task(function* test_form1_warning_entry() {
+  yield SimpleTest.promiseFocus(window);
+  // Trigger autocomplete popup
+  restoreForm();
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  yield shownPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.open, true, "Check popup is opened");
+  is(popupState.selectedIndex, -1, "Check no entries are selected upon opening");
+
+  doKey("down"); // select insecure warning
+  checkACForm("", ""); // value shouldn't update just by selecting
+  doKey("return"); // not "enter"!
+  yield spinEventLoop(); // let focus happen
+  checkACForm("", "");
+});
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_maxlength.html b/toolkit/components/passwordmgr/test/mochitest/test_maxlength.html
new file mode 100644
index 000000000..2b6da33ec
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_maxlength.html
@@ -0,0 +1,137 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for maxlength attributes</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: Bug 391514
+<script>
+runChecksAfterCommonInit(() => startTest());
+</script>
+<p id="display"></p>
+<div id="content" style="display: none">
+  <!-- normal form. -->
+  <form id="form1" action="formtest.js">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- limited username -->
+  <form id="form2" action="formtest.js">
+    <input  type="text"     name="uname" maxlength="4">
+    <input  type="password" name="pword">
+  </form>
+
+  <!-- limited password -->
+  <form id="form3" action="formtest.js">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword" maxlength="4">
+  </form>
+
+  <!-- limited username and password -->
+  <form id="form4" action="formtest.js">
+    <input  type="text"     name="uname" maxlength="4">
+    <input  type="password" name="pword" maxlength="4">
+  </form>
+
+
+  <!-- limited username -->
+  <form id="form5" action="formtest.js">
+    <input  type="text"     name="uname" maxlength="0">
+    <input  type="password" name="pword">
+  </form>
+
+  <!-- limited password -->
+  <form id="form6" action="formtest.js">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword" maxlength="0">
+  </form>
+
+  <!-- limited username and password -->
+  <form id="form7" action="formtest.js">
+    <input  type="text"     name="uname" maxlength="0">
+    <input  type="password" name="pword" maxlength="0">
+  </form>
+
+
+  <!-- limited, but ok, username -->
+  <form id="form8" action="formtest.js">
+    <input  type="text"     name="uname" maxlength="999">
+    <input  type="password" name="pword">
+  </form>
+
+  <!-- limited, but ok, password -->
+  <form id="form9" action="formtest.js">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword" maxlength="999">
+  </form>
+
+  <!-- limited, but ok, username and password -->
+  <form id="form10" action="formtest.js">
+    <input  type="text"     name="uname" maxlength="999">
+    <input  type="password" name="pword" maxlength="999">
+  </form>
+
+
+  <!-- limited, but ok, username -->
+  <!-- (note that filled values are exactly 8 characters) -->
+  <form id="form11" action="formtest.js">
+    <input  type="text"     name="uname" maxlength="8">
+    <input  type="password" name="pword">
+  </form>
+
+  <!-- limited, but ok, password -->
+  <!-- (note that filled values are exactly 8 characters) -->
+  <form id="form12" action="formtest.js">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword" maxlength="8">
+  </form>
+
+  <!-- limited, but ok, username and password -->
+  <!-- (note that filled values are exactly 8 characters) -->
+  <form id="form13" action="formtest.js">
+    <input  type="text"     name="uname" maxlength="8">
+    <input  type="password" name="pword" maxlength="8">
+  </form>
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/* Test for Login Manager: 391514 (Login Manager gets confused with
+ * password/PIN on usaa.com)
+ */
+
+function startTest() {
+  var i;
+
+  is($_(1, "uname").value, "testuser", "Checking for filled username 1");
+  is($_(1, "pword").value, "testpass", "Checking for filled password 1");
+
+  for (i = 2; i < 8; i++) {
+    is($_(i, "uname").value, "", "Checking for unfilled username " + i);
+    is($_(i, "pword").value, "", "Checking for unfilled password " + i);
+  }
+
+  for (i = 8; i < 14; i++) {
+    is($_(i, "uname").value, "testuser", "Checking for filled username " + i);
+    is($_(i, "pword").value, "testpass", "Checking for filled password " + i);
+  }
+
+  // Note that tests 11-13 are limited to exactly the expected value.
+  // Assert this lest someone change the login we're testing with.
+  is($_(11, "uname").value.length, 8, "asserting test assumption is valid.");
+
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_password_field_autocomplete.html b/toolkit/components/passwordmgr/test/mochitest/test_password_field_autocomplete.html
new file mode 100644
index 000000000..443c8a5e9
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_password_field_autocomplete.html
@@ -0,0 +1,291 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test basic login autocomplete</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: multiple login autocomplete
+
+<script>
+var chromeScript = runChecksAfterCommonInit();
+
+var setupScript = runInParent(function setup() {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  // Create some logins just for this form, since we'll be deleting them.
+  var nsLoginInfo = Components.Constructor("@mozilla.org/login-manager/loginInfo;1",
+                                           Ci.nsILoginInfo, "init");
+  assert.ok(nsLoginInfo != null, "nsLoginInfo constructor");
+
+  // login0 has no username, so should be filtered out from the autocomplete list.
+  var login0 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "", "user0pass", "", "pword");
+
+  var login1 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "tempuser1", "temppass1", "uname", "pword");
+
+  var login2 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "testuser2", "testpass2", "uname", "pword");
+
+  var login3 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "testuser3", "testpass3", "uname", "pword");
+
+  var login4 = new nsLoginInfo("http://mochi.test:8888", "http://autocomplete:8888", null,
+                               "zzzuser4", "zzzpass4", "uname", "pword");
+
+
+  // try/catch in case someone runs the tests manually, twice.
+  try {
+    Services.logins.addLogin(login0);
+    Services.logins.addLogin(login1);
+    Services.logins.addLogin(login2);
+    Services.logins.addLogin(login3);
+    Services.logins.addLogin(login4);
+  } catch (e) {
+    assert.ok(false, "addLogin threw: " + e);
+  }
+
+  addMessageListener("addLogin", loginVariableName => {
+    let login = eval(loginVariableName);
+    assert.ok(!!login, "Login to add is defined: " + loginVariableName);
+    Services.logins.addLogin(login);
+  });
+  addMessageListener("removeLogin", loginVariableName => {
+    let login = eval(loginVariableName);
+    assert.ok(!!login, "Login to delete is defined: " + loginVariableName);
+    Services.logins.removeLogin(login);
+  });
+});
+</script>
+<p id="display"></p>
+
+<!-- we presumably can't hide the content for this test. -->
+<div id="content">
+
+  <!-- form1 tests multiple matching logins -->
+  <form id="form1" action="http://autocomplete:8888/formtest.js" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form2" action="http://autocomplete:8888/formtest.js" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword" readonly="true">
+    <button type="submit">Submit</button>
+  </form>
+
+  <form id="form3" action="http://autocomplete:8888/formtest.js" onsubmit="return false;">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword" disabled="true">
+    <button type="submit">Submit</button>
+  </form>
+
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: multiple login autocomplete. **/
+
+var uname = $_(1, "uname");
+var pword = $_(1, "pword");
+const shiftModifier = SpecialPowers.Ci.nsIDOMEvent.SHIFT_MASK;
+
+// Restore the form to the default state.
+function* reinitializeForm(index) {
+  // Using innerHTML is for creating the autocomplete popup again, so the
+  // preference value will be applied to the constructor of
+  // UserAutoCompleteResult.
+  let form = document.getElementById("form" + index);
+  let temp = form.innerHTML;
+  form.innerHTML = "";
+  form.innerHTML = temp;
+
+  yield new Promise(resolve => {
+    let observer = SpecialPowers.wrapCallback(() => {
+      SpecialPowers.removeObserver(observer, "passwordmgr-processed-form");
+      resolve();
+    });
+    SpecialPowers.addObserver(observer, "passwordmgr-processed-form", false);
+  });
+
+  yield SimpleTest.promiseFocus(window);
+
+  uname = $_(index, "uname");
+  pword = $_(index, "pword");
+  uname.value = "";
+  pword.value = "";
+  pword.focus();
+}
+
+function generateDateString(date) {
+  let dateAndTimeFormatter = new Intl.DateTimeFormat(undefined,
+                             { day: "numeric", month: "short", year: "numeric" });
+  return dateAndTimeFormatter.format(date);
+}
+
+const DATE_NOW_STRING = generateDateString(new Date());
+
+// Check for expected username/password in form.
+function checkACFormPasswordField(expectedPassword) {
+  var formID = uname.parentNode.id;
+  is(pword.value, expectedPassword, "Checking " + formID + " password is: " + expectedPassword);
+}
+
+function spinEventLoop() {
+  return Promise.resolve();
+}
+
+add_task(function* setup() {
+  listenForUnexpectedPopupShown();
+});
+
+add_task(function* test_form1_initial_empty() {
+  yield SimpleTest.promiseFocus(window);
+
+  // Make sure initial form is empty.
+  checkACFormPasswordField("");
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is initially closed");
+});
+
+add_task(function* test_form2_password_readonly() {
+  yield SpecialPowers.pushPrefEnv({"set": [
+                                            ["security.insecure_field_warning.contextual.enabled", true],
+                                            ["signon.autofillForms.http", true]
+                                          ]});
+  yield reinitializeForm(2);
+
+  // Trigger autocomplete popup
+  doKey("down"); // open
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is closed for a readonly field.");
+});
+
+add_task(function* test_form3_password_disabled() {
+  yield SpecialPowers.pushPrefEnv({"set": [
+                                            ["security.insecure_field_warning.contextual.enabled", true],
+                                            ["signon.autofillForms.http", true]
+                                          ]});
+  yield reinitializeForm(3);
+
+  // Trigger autocomplete popup
+  doKey("down"); // open
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is closed for a disabled field.");
+});
+
+add_task(function* test_form1_enabledInsecureFieldWarning_enabledInsecureAutoFillForm() {
+  yield SpecialPowers.pushPrefEnv({"set": [
+                                            ["security.insecure_field_warning.contextual.enabled", true],
+                                            ["signon.autofillForms.http", true]
+                                          ]});
+  yield reinitializeForm(1);
+  // Trigger autocomplete popup
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  let results = yield shownPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected upon opening");
+
+  let expectedMenuItems = ["This connection is not secure. Logins entered here could be compromised. Learn More",
+                           "No username (" + DATE_NOW_STRING + ")",
+                           "tempuser1",
+                           "testuser2",
+                           "testuser3",
+                           "zzzuser4"];
+  checkArrayValues(results, expectedMenuItems, "Check all menuitems are displayed correctly.");
+
+  doKey("down"); // select insecure warning
+  checkACFormPasswordField(""); // value shouldn't update just by selecting
+  doKey("return"); // not "enter"!
+  yield spinEventLoop(); // let focus happen
+  checkACFormPasswordField("");
+});
+
+add_task(function* test_form1_disabledInsecureFieldWarning_enabledInsecureAutoFillForm() {
+  yield SpecialPowers.pushPrefEnv({"set": [
+                                            ["security.insecure_field_warning.contextual.enabled", false],
+                                            ["signon.autofillForms.http", true]
+                                          ]});
+  yield reinitializeForm(1);
+
+  // Trigger autocomplete popup
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  let results = yield shownPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected upon opening");
+
+  let expectedMenuItems = ["No username (" + DATE_NOW_STRING + ")",
+                           "tempuser1",
+                           "testuser2",
+                           "testuser3",
+                           "zzzuser4"];
+  checkArrayValues(results, expectedMenuItems, "Check all menuitems are displayed correctly.");
+
+  doKey("down"); // select first item
+  checkACFormPasswordField(""); // value shouldn't update just by selecting
+  doKey("return"); // not "enter"!
+  yield spinEventLoop(); // let focus happen
+  checkACFormPasswordField("user0pass");
+});
+
+add_task(function* test_form1_enabledInsecureFieldWarning_disabledInsecureAutoFillForm() {
+  yield SpecialPowers.pushPrefEnv({"set": [
+                                            ["security.insecure_field_warning.contextual.enabled", true],
+                                            ["signon.autofillForms.http", false]
+                                          ]});
+  yield reinitializeForm(1);
+
+  // Trigger autocomplete popup
+  let shownPromise = promiseACShown();
+  doKey("down"); // open
+  let results = yield shownPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.selectedIndex, -1, "Check no entries are selected upon opening");
+
+  let expectedMenuItems = ["This connection is not secure. Logins entered here could be compromised. Learn More",
+                           "No username (" + DATE_NOW_STRING + ")",
+                           "tempuser1",
+                           "testuser2",
+                           "testuser3",
+                           "zzzuser4"];
+  checkArrayValues(results, expectedMenuItems, "Check all menuitems are displayed correctly.");
+
+  doKey("down"); // select insecure warning
+  checkACFormPasswordField(""); // value shouldn't update just by selecting
+  doKey("return"); // not "enter"!
+  yield spinEventLoop(); // let focus happen
+  checkACFormPasswordField("");
+});
+
+add_task(function* test_form1_disabledInsecureFieldWarning_disabledInsecureAutoFillForm() {
+  yield SpecialPowers.pushPrefEnv({"set": [
+                                            ["security.insecure_field_warning.contextual.enabled", false],
+                                            ["signon.autofillForms.http", false]
+                                          ]});
+  yield reinitializeForm(1);
+
+  // Trigger autocomplete popup
+  doKey("down"); // open
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is closed with no AutoFillForms.");
+});
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_passwords_in_type_password.html b/toolkit/components/passwordmgr/test/mochitest/test_passwords_in_type_password.html
new file mode 100644
index 000000000..e107cebe6
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_passwords_in_type_password.html
@@ -0,0 +1,122 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test that passwords only get filled in type=password</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: Bug 242956
+<script>
+runChecksAfterCommonInit(() => startTest());
+</script>
+<p id="display"></p>
+<div id="content" style="display: none">
+  <!-- pword is not a type=password input -->
+  <form id="form1" action="formtest.js">
+    <input  type="text" name="uname">
+    <input  type="text" name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- uname is not a type=text input -->
+  <form id="form2" action="formtest.js">
+    <input  type="password" name="uname">
+    <input  type="password" name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- two "pword" inputs, (text + password) -->
+  <form id="form3" action="formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="text"       name="pword">
+    <input  type="password"   name="qword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- same thing, different order -->
+  <form id="form4" action="formtest.js">
+    <input  type="text"       name="uname">
+    <input  type="password"   name="pword">
+    <input  type="text"       name="qword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- uname is not a type=text input (try a checkbox just for variety) -->
+  <form id="form5" action="formtest.js">
+    <input  type="checkbox" name="uname" value="">
+    <input  type="password" name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- pword is not a type=password input (try a checkbox just for variety) -->
+  <form id="form6" action="formtest.js">
+    <input  type="text"     name="uname">
+    <input  type="checkbox" name="pword" value="">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+  <!-- pword is not a type=password input -->
+  <form id="form7" action="formtest.js">
+    <input  type="text" name="uname" value="testuser">
+    <input  type="text" name="pword">
+
+    <button type="submit">Submit</button>
+    <button type="reset"> Reset </button>
+  </form>
+
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: 242956 (Stored password is inserted into a
+    readable text input on a second page) **/
+
+// Make sure that pwmgr only puts passwords into type=password <input>s.
+// Might as well test the converse, too (username in password field).
+
+function startTest() {
+  is($_(1, "uname").value, "", "Checking for unfilled username 1");
+  is($_(1, "pword").value, "", "Checking for unfilled password 1");
+
+  is($_(2, "uname").value, "testpass", "Checking for password not username 2");
+  is($_(2, "pword").value, "", "Checking for unfilled password 2");
+
+  is($_(3, "uname").value, "", "Checking for unfilled username 3");
+  is($_(3, "pword").value, "testuser", "Checking for unfilled password 3");
+  is($_(3, "qword").value, "testpass", "Checking for unfilled qassword 3");
+
+  is($_(4, "uname").value, "testuser", "Checking for password not username 4");
+  is($_(4, "pword").value, "testpass", "Checking for unfilled password 4");
+  is($_(4, "qword").value, "", "Checking for unfilled qassword 4");
+
+  is($_(5, "uname").value, "", "Checking for unfilled username 5");
+  is($_(5, "pword").value, "testpass", "Checking for filled password 5");
+
+  is($_(6, "uname").value, "", "Checking for unfilled username 6");
+  is($_(6, "pword").value, "", "Checking for unfilled password 6");
+
+  is($_(7, "uname").value, "testuser", "Checking for unmodified username 7");
+  is($_(7, "pword").value, "",         "Checking for unfilled password 7");
+
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_prompt.html b/toolkit/components/passwordmgr/test/mochitest/test_prompt.html
new file mode 100644
index 000000000..1050ab66b
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_prompt.html
@@ -0,0 +1,705 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test prompter.{prompt,promptPassword,promptUsernameAndPassword}</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <script type="text/javascript" src="prompt_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+var state, action;
+var uname  = { value: null };
+var pword  = { value: null };
+var result = { value: null };
+var isOk;
+
+// Force parent to not look for tab-modal prompts, as they're not used for auth prompts.
+isTabModal = false;
+
+let prompterParent = runInParent(() => {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  const promptFac = Cc["@mozilla.org/passwordmanager/authpromptfactory;1"].
+                    getService(Ci.nsIPromptFactory);
+
+  Cu.import("resource://gre/modules/Services.jsm");
+  let chromeWin = Services.wm.getMostRecentWindow("navigator:browser");
+  let prompter1 = promptFac.getPrompt(chromeWin, Ci.nsIAuthPrompt);
+
+  addMessageListener("proxyPrompter", function onMessage(msg) {
+    let rv = prompter1[msg.methodName](...msg.args);
+    return {
+      rv,
+      // Send the args back to content so out/inout args can be checked.
+      args: msg.args,
+    };
+  });
+});
+
+let prompter1 = new PrompterProxy(prompterParent);
+
+const defaultTitle = "the title";
+const defaultMsg = "the message";
+
+function initLogins() {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  var login1, login2A, login2B, login2C, login2D, login2E;
+  var pwmgr = Cc["@mozilla.org/login-manager;1"].
+              getService(Ci.nsILoginManager);
+
+  login1  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2A = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2B = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2C = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2D = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2E = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+
+  login1.init("http://example.com", null, "http://example.com",
+              "", "examplepass", "", "");
+  login2A.init("http://example2.com", null, "http://example2.com",
+               "user1name", "user1pass", "", "");
+  login2B.init("http://example2.com", null, "http://example2.com",
+               "user2name", "user2pass", "", "");
+  login2C.init("http://example2.com", null, "http://example2.com",
+               "user3.name@host", "user3pass", "", "");
+  login2D.init("http://example2.com", null, "http://example2.com",
+               "100@beef", "user3pass", "", "");
+  login2E.init("http://example2.com", null, "http://example2.com",
+               "100%beef", "user3pass", "", "");
+
+  pwmgr.addLogin(login1);
+  pwmgr.addLogin(login2A);
+  pwmgr.addLogin(login2B);
+  pwmgr.addLogin(login2C);
+  pwmgr.addLogin(login2D);
+  pwmgr.addLogin(login2E);
+}
+
+add_task(function* setup() {
+  runInParent(initLogins);
+});
+
+add_task(function* test_prompt_accept() {
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "abc",
+    passValue   : "",
+    iconClass   : "question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : true,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    textField   : "xyz",
+  };
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.prompt(defaultTitle, defaultMsg, "http://example.com",
+                          Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, "abc", result);
+  yield promptDone;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  is(result.value, "xyz", "Checking prompt() returned value");
+});
+
+add_task(function* test_prompt_cancel() {
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "abc",
+    passValue   : "",
+    iconClass   : "question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : true,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "cancel",
+  };
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.prompt(defaultTitle, defaultMsg, "http://example.com",
+                          Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, "abc", result);
+  yield promptDone;
+  ok(!isOk, "Checking dialog return value (cancel)");
+});
+
+add_task(function* test_promptPassword_defaultAccept() {
+  // Default password provided, existing logins are ignored.
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "inputpw",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : true,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "passField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "secret",
+  };
+  pword.value = "inputpw";
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://example.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "secret", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_defaultCancel() {
+  // Default password provided, existing logins are ignored.
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "inputpw",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : true,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "passField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "cancel",
+  };
+  pword.value = "inputpw";
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://example.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  yield promptDone;
+  ok(!isOk, "Checking dialog return value (cancel)");
+});
+
+add_task(function* test_promptPassword_emptyAccept() {
+  // No default password provided, realm does not match existing login.
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : true,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "passField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "secret",
+  };
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://nonexample.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "secret", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_saved() {
+  // No default password provided, matching login is returned w/o prompting.
+  pword.value = null;
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://example.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "examplepass", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_noMatchingPasswordForEmptyUN() {
+  // No default password provided, none of the logins from this host are
+  // password-only so the user is prompted.
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : true,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "passField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "secret",
+  };
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://example2.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "secret", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_matchingPWForUN() {
+  // No default password provided, matching login is returned w/o prompting.
+  pword.value = null;
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://user1name@example2.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "user1pass", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_matchingPWForUN2() {
+  // No default password provided, matching login is returned w/o prompting.
+  pword.value = null;
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://user2name@example2.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "user2pass", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_matchingPWForUN3() {
+  // No default password provided, matching login is returned w/o prompting.
+  pword.value = null;
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://user3%2Ename%40host@example2.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "user3pass", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_extraAt() {
+  // No default password provided, matching login is returned w/o prompting.
+  pword.value = null;
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://100@beef@example2.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "user3pass", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_usernameEncoding() {
+  // No default password provided, matching login is returned w/o prompting.
+  pword.value = null;
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "http://100%25beef@example2.com",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "user3pass", "Checking returned password");
+
+  // XXX test saving a password with  Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY
+});
+
+add_task(function* test_promptPassword_realm() {
+  // We don't pre-fill or save for NS_GetAuthKey-generated realms, but we should still prompt
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : true,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "passField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "fill2pass",
+  };
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "example2.com:80 (somerealm)",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "fill2pass", "Checking returned password");
+});
+
+add_task(function* test_promptPassword_realm2() {
+  // We don't pre-fill or save for NS_GetAuthKey-generated realms, but we should still prompt
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : true,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "passField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "fill2pass",
+  };
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptPassword(defaultTitle, defaultMsg, "example2.com:80 (somerealm)",
+                                  Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(pword.value, "fill2pass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_accept() {
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "inuser",
+    passValue   : "inpass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    textField   : "outuser",
+    passField   : "outpass",
+  };
+  uname.value = "inuser";
+  pword.value = "inpass";
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "http://nonexample.com",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(uname.value, "outuser", "Checking returned username");
+  is(pword.value, "outpass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_cancel() {
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "inuser",
+    passValue   : "inpass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "cancel",
+  };
+  uname.value = "inuser";
+  pword.value = "inpass";
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "http://nonexample.com",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, uname, pword);
+  yield promptDone;
+  ok(!isOk, "Checking dialog return value (cancel)");
+});
+
+add_task(function* test_promptUsernameAndPassword_autofill() {
+  // test filling in existing password-only login
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "examplepass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : false,
+    checkMsg    : "Use Password Manager to remember this password.",
+    checked     : true,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+  uname.value = null;
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "http://example.com",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(uname.value, "", "Checking returned username");
+  is(pword.value, "examplepass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_multipleExisting() {
+  // test filling in existing login (undetermined from multiple selection)
+  // user2name/user2pass would also be valid to fill here.
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "user1name",
+    passValue   : "user1pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : false,
+    checkMsg    : "Use Password Manager to remember this password.",
+    checked     : true,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+  uname.value = null;
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "http://example2.com",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  ok(uname.value == "user1name" || uname.value == "user2name", "Checking returned username");
+  ok(pword.value == "user1pass" || uname.value == "user2pass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_multipleExisting1() {
+  // test filling in existing login (user1 from multiple selection)
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "user1name",
+    passValue   : "user1pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : false,
+    checkMsg    : "Use Password Manager to remember this password.",
+    checked     : true,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+  uname.value = "user1name";
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "http://example2.com",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(uname.value, "user1name", "Checking returned username");
+  is(pword.value, "user1pass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_multipleExisting2() {
+  // test filling in existing login (user2 from multiple selection)
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "user2name",
+    passValue   : "user2pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : false,
+    checkMsg    : "Use Password Manager to remember this password.",
+    checked     : true,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+  uname.value = "user2name";
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "http://example2.com",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(uname.value, "user2name", "Checking returned username");
+  is(pword.value, "user2pass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_passwordChange() {
+  // test changing password
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "user2name",
+    passValue   : "user2pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : false,
+    checkMsg    : "Use Password Manager to remember this password.",
+    checked     : true,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "NEWuser2pass",
+  };
+  uname.value = "user2name";
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "http://example2.com",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(uname.value, "user2name", "Checking returned username");
+  is(pword.value, "NEWuser2pass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_changePasswordBack() {
+  // test changing password (back to original value)
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "user2name",
+    passValue   : "NEWuser2pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : false,
+    checkMsg    : "Use Password Manager to remember this password.",
+    checked     : true,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "user2pass",
+  };
+  uname.value = "user2name";
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "http://example2.com",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(uname.value, "user2name", "Checking returned username");
+  is(pword.value, "user2pass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_realm() {
+  // We don't pre-fill or save for NS_GetAuthKey-generated realms, but we should still prompt
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    textField   : "fill2user",
+    passField   : "fill2pass",
+  };
+  uname.value = null;
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "example2.com:80 (somerealm)",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_NEVER, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(uname.value, "fill2user", "Checking returned username");
+  is(pword.value, "fill2pass", "Checking returned password");
+});
+
+add_task(function* test_promptUsernameAndPassword_realm2() {
+  // We don't pre-fill or save for NS_GetAuthKey-generated realms, but we should still prompt
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "",
+    passValue   : "",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    textField   : "fill2user",
+    passField   : "fill2pass",
+  };
+  uname.value = null;
+  pword.value = null;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter1.promptUsernameAndPassword(defaultTitle, defaultMsg, "example2.com:80 (somerealm)",
+                                             Ci.nsIAuthPrompt.SAVE_PASSWORD_PERMANENTLY, uname, pword);
+  yield promptDone;
+  ok(isOk, "Checking dialog return value (accept)");
+  is(uname.value, "fill2user", "Checking returned username");
+  is(pword.value, "fill2pass", "Checking returned password");
+});
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_prompt_http.html b/toolkit/components/passwordmgr/test/mochitest/test_prompt_http.html
new file mode 100644
index 000000000..0dc8fdf9c
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_prompt_http.html
@@ -0,0 +1,362 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test HTTP auth prompts by loading authenticate.sjs</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <script type="text/javascript" src="prompt_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+  <iframe id="iframe"></iframe>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+var iframe = document.getElementById("iframe");
+
+// Force parent to not look for tab-modal prompts, as they're not used for auth prompts.
+isTabModal = false;
+
+const AUTHENTICATE_PATH = new URL("authenticate.sjs", window.location.href).pathname;
+
+let chromeScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+
+runInParent(() => {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  let pwmgr = Cc["@mozilla.org/login-manager;1"].
+              getService(Ci.nsILoginManager);
+
+  let login3A, login3B, login4;
+  login3A = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login3B = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login4  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  let httpUpgradeLogin = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                         createInstance(Ci.nsILoginInfo);
+  let httpsDowngradeLogin = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                            createInstance(Ci.nsILoginInfo);
+  let dedupeHttpUpgradeLogin  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                                createInstance(Ci.nsILoginInfo);
+  let dedupeHttpsUpgradeLogin = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                                createInstance(Ci.nsILoginInfo);
+
+
+  login3A.init("http://mochi.test:8888", null, "mochitest",
+               "mochiuser1", "mochipass1", "", "");
+  login3B.init("http://mochi.test:8888", null, "mochitest2",
+               "mochiuser2", "mochipass2", "", "");
+  login4.init("http://mochi.test:8888", null, "mochitest3",
+              "mochiuser3", "mochipass3-old", "", "");
+  // Logins to test scheme upgrades (allowed) and downgrades (disallowed)
+  httpUpgradeLogin.init("http://example.com", null, "schemeUpgrade",
+                        "httpUser", "httpPass", "", "");
+  httpsDowngradeLogin.init("https://example.com", null, "schemeDowngrade",
+                           "httpsUser", "httpsPass", "", "");
+  // HTTP and HTTPS version of the same domain and realm but with different passwords.
+  dedupeHttpUpgradeLogin.init("http://example.org", null, "schemeUpgradeDedupe",
+                              "dedupeUser", "httpPass", "", "");
+  dedupeHttpsUpgradeLogin.init("https://example.org", null, "schemeUpgradeDedupe",
+                               "dedupeUser", "httpsPass", "", "");
+
+
+  pwmgr.addLogin(login3A);
+  pwmgr.addLogin(login3B);
+  pwmgr.addLogin(login4);
+  pwmgr.addLogin(httpUpgradeLogin);
+  pwmgr.addLogin(httpsDowngradeLogin);
+  pwmgr.addLogin(dedupeHttpUpgradeLogin);
+  pwmgr.addLogin(dedupeHttpsUpgradeLogin);
+});
+
+add_task(function* test_iframe() {
+  let state = {
+    msg         : "http://mochi.test:8888 is requesting your username and password. The site says: “mochitest”",
+    title       : "Authentication Required",
+    textValue   : "mochiuser1",
+    passValue   : "mochipass1",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  let action = {
+    buttonClick : "ok",
+  };
+  promptDone = handlePrompt(state, action);
+
+  // The following tests are driven by iframe loads
+
+  var iframeLoaded = onloadPromiseFor("iframe");
+  iframe.src = "authenticate.sjs?user=mochiuser1&pass=mochipass1";
+  yield promptDone;
+  yield iframeLoaded;
+  checkEchoedAuthInfo({user: "mochiuser1", pass: "mochipass1"},
+                      iframe.contentDocument);
+
+  state = {
+    msg         : "http://mochi.test:8888 is requesting your username and password. The site says: “mochitest2”",
+    title       : "Authentication Required",
+    textValue   : "mochiuser2",
+    passValue   : "mochipass2",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+  promptDone = handlePrompt(state, action);
+  // We've already authenticated to this host:port. For this next
+  // request, the existing auth should be sent, we'll get a 401 reply,
+  // and we should prompt for new auth.
+  iframeLoaded = onloadPromiseFor("iframe");
+  iframe.src = "authenticate.sjs?user=mochiuser2&pass=mochipass2&realm=mochitest2";
+  yield promptDone;
+  yield iframeLoaded;
+  checkEchoedAuthInfo({user: "mochiuser2", pass: "mochipass2"},
+                      iframe.contentDocument);
+
+  // Now make a load that requests the realm from test 1000. It was
+  // already provided there, so auth will *not* be prompted for -- the
+  // networking layer already knows it!
+  iframeLoaded = onloadPromiseFor("iframe");
+  iframe.src = "authenticate.sjs?user=mochiuser1&pass=mochipass1";
+  yield iframeLoaded;
+  checkEchoedAuthInfo({user: "mochiuser1", pass: "mochipass1"},
+                      iframe.contentDocument);
+
+  // Same realm we've already authenticated to, but with a different
+  // expected password (to trigger an auth prompt, and change-password
+  // popup notification).
+  state = {
+    msg         : "http://mochi.test:8888 is requesting your username and password. The site says: “mochitest”",
+    title       : "Authentication Required",
+    textValue   : "mochiuser1",
+    passValue   : "mochipass1",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "mochipass1-new",
+  };
+  promptDone = handlePrompt(state, action);
+  iframeLoaded = onloadPromiseFor("iframe");
+  let promptShownPromise = promisePromptShown("passwordmgr-prompt-change");
+  iframe.src = "authenticate.sjs?user=mochiuser1&pass=mochipass1-new";
+  yield promptDone;
+  yield iframeLoaded;
+  checkEchoedAuthInfo({user: "mochiuser1", pass: "mochipass1-new"},
+                      iframe.contentDocument);
+  yield promptShownPromise;
+
+  // Same as last test, but for a realm we haven't already authenticated
+  // to (but have an existing saved login for, so that we'll trigger
+  // a change-password popup notification.
+  state = {
+    msg         : "http://mochi.test:8888 is requesting your username and password. The site says: “mochitest3”",
+    title       : "Authentication Required",
+    textValue   : "mochiuser3",
+    passValue   : "mochipass3-old",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    passField   : "mochipass3-new",
+  };
+  promptDone = handlePrompt(state, action);
+  iframeLoaded = onloadPromiseFor("iframe");
+  promptShownPromise = promisePromptShown("passwordmgr-prompt-change");
+  iframe.src = "authenticate.sjs?user=mochiuser3&pass=mochipass3-new&realm=mochitest3";
+  yield promptDone;
+  yield iframeLoaded;
+  checkEchoedAuthInfo({user: "mochiuser3", pass: "mochipass3-new"},
+                      iframe.contentDocument);
+  yield promptShownPromise;
+
+  // Housekeeping: Delete login4 to test the save prompt in the next test.
+  runInParent(() => {
+    const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+    Cu.import("resource://gre/modules/Services.jsm");
+
+    var tmpLogin = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                   createInstance(Ci.nsILoginInfo);
+    tmpLogin.init("http://mochi.test:8888", null, "mochitest3",
+                  "mochiuser3", "mochipass3-old", "", "");
+    Services.logins.removeLogin(tmpLogin);
+
+    // Clear cached auth from this subtest, and avoid leaking due to bug 459620.
+    var authMgr = Cc['@mozilla.org/network/http-auth-manager;1'].
+                  getService(Ci.nsIHttpAuthManager);
+    authMgr.clearAll();
+  });
+
+  state = {
+    msg         : "http://mochi.test:8888 is requesting your username and password. The site says: “mochitest3”",
+    title       : "Authentication Required",
+    textValue   : "",
+    passValue   : "",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    textField   : "mochiuser3",
+    passField   : "mochipass3-old",
+  };
+  // Trigger a new prompt, so we can test adding a new login.
+  promptDone = handlePrompt(state, action);
+
+  iframeLoaded = onloadPromiseFor("iframe");
+  promptShownPromise = promisePromptShown("passwordmgr-prompt-save");
+  iframe.src = "authenticate.sjs?user=mochiuser3&pass=mochipass3-old&realm=mochitest3";
+  yield promptDone;
+  yield iframeLoaded;
+  checkEchoedAuthInfo({user: "mochiuser3", pass: "mochipass3-old"},
+                      iframe.contentDocument);
+  yield promptShownPromise;
+});
+
+add_task(function* test_schemeUpgrade() {
+  let state = {
+    msg         : "https://example.com is requesting your username and password. " +
+                  "WARNING: Your password will not be sent to the website you are currently visiting!",
+    title       : "Authentication Required",
+    textValue   : "httpUser",
+    passValue   : "httpPass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  let action = {
+    buttonClick : "ok",
+  };
+  let promptDone = handlePrompt(state, action);
+
+  // The following tests are driven by iframe loads
+
+  let iframeLoaded = onloadPromiseFor("iframe");
+  iframe.src = "https://example.com" + AUTHENTICATE_PATH +
+               "?user=httpUser&pass=httpPass&realm=schemeUpgrade";
+  yield promptDone;
+  yield iframeLoaded;
+  checkEchoedAuthInfo({user: "httpUser", pass: "httpPass"},
+                      SpecialPowers.wrap(iframe).contentDocument);
+});
+
+add_task(function* test_schemeDowngrade() {
+  let state = {
+    msg         : "http://example.com is requesting your username and password. " +
+                  "WARNING: Your password will not be sent to the website you are currently visiting!",
+    title       : "Authentication Required",
+    textValue   : "", // empty because we shouldn't downgrade
+    passValue   : "",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  let action = {
+    buttonClick : "cancel",
+  };
+  let promptDone = handlePrompt(state, action);
+
+  // The following tests are driven by iframe loads
+
+  let iframeLoaded = onloadPromiseFor("iframe");
+  iframe.src = "http://example.com" + AUTHENTICATE_PATH +
+               "?user=unused&pass=unused&realm=schemeDowngrade";
+  yield promptDone;
+  yield iframeLoaded;
+});
+
+add_task(function* test_schemeUpgrade_dedupe() {
+  let state = {
+    msg         : "https://example.org is requesting your username and password. " +
+                  "WARNING: Your password will not be sent to the website you are currently visiting!",
+    title       : "Authentication Required",
+    textValue   : "dedupeUser",
+    passValue   : "httpsPass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  let action = {
+    buttonClick : "ok",
+  };
+  let promptDone = handlePrompt(state, action);
+
+  // The following tests are driven by iframe loads
+
+  let iframeLoaded = onloadPromiseFor("iframe");
+  iframe.src = "https://example.org" + AUTHENTICATE_PATH +
+               "?user=dedupeUser&pass=httpsPass&realm=schemeUpgradeDedupe";
+  yield promptDone;
+  yield iframeLoaded;
+  checkEchoedAuthInfo({user: "dedupeUser", pass: "httpsPass"},
+                      SpecialPowers.wrap(iframe).contentDocument);
+});
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_prompt_noWindow.html b/toolkit/components/passwordmgr/test/mochitest/test_prompt_noWindow.html
new file mode 100644
index 000000000..92af172ca
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_prompt_noWindow.html
@@ -0,0 +1,81 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test HTTP auth prompts by loading authenticate.sjs with no window</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <script type="text/javascript" src="prompt_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+// Force parent to not look for tab-modal prompts, as they're not used for auth prompts.
+isTabModal = false;
+
+let chromeScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+
+runInParent(() => {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  let login = Cc["@mozilla.org/login-manager/loginInfo;1"].
+              createInstance(Ci.nsILoginInfo);
+  login.init("http://mochi.test:8888", null, "mochitest",
+             "mochiuser1", "mochipass1", "", "");
+  Services.logins.addLogin(login);
+});
+
+add_task(function* test_sandbox_xhr() {
+  let state = {
+    msg         : "http://mochi.test:8888 is requesting your username and password. The site says: “mochitest”",
+    title       : "Authentication Required",
+    textValue   : "mochiuser1",
+    passValue   : "mochipass1",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  let action = {
+    buttonClick : "ok",
+  };
+  let promptDone = handlePrompt(state, action);
+
+  let url = new URL("authenticate.sjs?user=mochiuser1&pass=mochipass1", window.location.href);
+  let sandboxConstructor = SpecialPowers.Cu.Sandbox;
+  let sandbox = new sandboxConstructor(this, {wantXrays: true});
+  function sandboxedRequest(sandboxedUrl) {
+    let req = SpecialPowers.Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+                           .createInstance(SpecialPowers.Ci.nsIXMLHttpRequest);
+    req.open("GET", sandboxedUrl, true);
+    req.send(null);
+  }
+
+  let loginModifiedPromise = promiseStorageChanged(["modifyLogin"]);
+  sandbox.sandboxedRequest = sandboxedRequest(url);
+  info("send the XHR request in the sandbox");
+  SpecialPowers.Cu.evalInSandbox("sandboxedRequest;", sandbox);
+
+  yield promptDone;
+  info("prompt shown, waiting for metadata updates");
+  // Ensure the timeLastUsed and timesUsed metadata are updated.
+  yield loginModifiedPromise;
+});
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_prompt_promptAuth.html b/toolkit/components/passwordmgr/test/mochitest/test_prompt_promptAuth.html
new file mode 100644
index 000000000..36f53a54a
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_prompt_promptAuth.html
@@ -0,0 +1,406 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test promptAuth prompts</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <script type="text/javascript" src="prompt_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+var state, action;
+var isOk;
+
+var level = Ci.nsIAuthPrompt2.LEVEL_NONE;
+var authinfo = {
+  username : "",
+  password : "",
+  domain   : "",
+
+  flags : Ci.nsIAuthInformation.AUTH_HOST,
+  authenticationScheme : "basic",
+  realm : ""
+};
+
+// Force parent to not look for tab-modal prompts, as they're not used for auth prompts.
+isTabModal = false;
+
+let chromeScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+
+let prompterParent = runInParent(() => {
+  const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+  const promptFac = Cc["@mozilla.org/passwordmanager/authpromptfactory;1"].
+                    getService(Ci.nsIPromptFactory);
+
+  Cu.import("resource://gre/modules/Services.jsm");
+  let chromeWin = Services.wm.getMostRecentWindow("navigator:browser");
+  let prompter2 = promptFac.getPrompt(chromeWin, Ci.nsIAuthPrompt2);
+
+  let ioService = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
+  let channels = {};
+  channels.channel1 = ioService.newChannel2("http://example.com",
+                                            null,
+                                            null,
+                                            null,      // aLoadingNode
+                                            Services.
+                                            scriptSecurityManager.getSystemPrincipal(),
+                                            null,      // aTriggeringPrincipal
+                                            Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
+                                            Ci.nsIContentPolicy.TYPE_OTHER);
+
+  channels.channel2 = ioService.newChannel2("http://example2.com",
+                                            null,
+                                            null,
+                                            null,      // aLoadingNode
+                                            Services.
+                                            scriptSecurityManager.getSystemPrincipal(),
+                                            null,      // aTriggeringPrincipal
+                                            Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
+                                            Ci.nsIContentPolicy.TYPE_OTHER);
+
+  addMessageListener("proxyPrompter", function onMessage(msg) {
+    let args = [...msg.args];
+    let channelName = args.shift();
+    // Replace the channel name string (arg. 0) with the channel by that name.
+    args.unshift(channels[channelName]);
+
+    let rv = prompter2[msg.methodName](...args);
+    return {
+      rv,
+      // Send the args back to content so out/inout args can be checked.
+      args: msg.args,
+    };
+  });
+
+  Cu.import("resource://gre/modules/Services.jsm");
+
+  let pwmgr = Cc["@mozilla.org/login-manager;1"].
+              getService(Ci.nsILoginManager);
+
+  let login1, login2A, login2B, login2C, login2D, login2E;
+  login1  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2A = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2B = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2C = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2D = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+  login2E = Cc["@mozilla.org/login-manager/loginInfo;1"].
+            createInstance(Ci.nsILoginInfo);
+
+  login1.init("http://example.com", null, "http://example.com",
+              "", "examplepass", "", "");
+  login2A.init("http://example2.com", null, "http://example2.com",
+               "user1name", "user1pass", "", "");
+  login2B.init("http://example2.com", null, "http://example2.com",
+               "user2name", "user2pass", "", "");
+  login2C.init("http://example2.com", null, "http://example2.com",
+               "user3.name@host", "user3pass", "", "");
+  login2D.init("http://example2.com", null, "http://example2.com",
+               "100@beef", "user3pass", "", "");
+  login2E.init("http://example2.com", null, "http://example2.com",
+               "100%beef", "user3pass", "", "");
+
+  pwmgr.addLogin(login1);
+  pwmgr.addLogin(login2A);
+  pwmgr.addLogin(login2B);
+  pwmgr.addLogin(login2C);
+  pwmgr.addLogin(login2D);
+  pwmgr.addLogin(login2E);
+});
+
+let prompter2 = new PrompterProxy(prompterParent);
+
+add_task(function* test_accept() {
+  state = {
+    msg         : "http://example.com is requesting your username and password. The site says: “some realm”",
+    title       : "Authentication Required",
+    textValue   : "inuser",
+    passValue   : "inpass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+    textField   : "outuser",
+    passField   : "outpass",
+  };
+  authinfo.username = "inuser";
+  authinfo.password = "inpass";
+  authinfo.realm    = "some realm";
+
+  promptDone = handlePrompt(state, action);
+  // Since prompter2 is actually a proxy to send a message to a chrome script and
+  // we can't send a channel in a message, we instead send the channel name that
+  // already exists in the chromeScript.
+  isOk = prompter2.promptAuth("channel1", level, authinfo);
+  yield promptDone;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  is(authinfo.username, "outuser", "Checking returned username");
+  is(authinfo.password, "outpass", "Checking returned password");
+});
+
+add_task(function* test_cancel() {
+  state = {
+    msg         : "http://example.com is requesting your username and password. The site says: “some realm”",
+    title       : "Authentication Required",
+    textValue   : "outuser",
+    passValue   : "outpass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "cancel",
+  };
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth("channel1", level, authinfo);
+  yield promptDone;
+
+  ok(!isOk, "Checking dialog return value (cancel)");
+});
+
+add_task(function* test_pwonly() {
+  // test filling in password-only login
+  state = {
+    msg         : "http://example.com is requesting your username and password. The site says: “http://example.com”",
+    title       : "Authentication Required",
+    textValue   : "",
+    passValue   : "examplepass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+  authinfo.username = "";
+  authinfo.password = "";
+  authinfo.realm    = "http://example.com";
+
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth("channel1", level, authinfo);
+  yield promptDone;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  is(authinfo.username, "", "Checking returned username");
+  is(authinfo.password, "examplepass", "Checking returned password");
+});
+
+add_task(function* test_multipleExisting() {
+  // test filling in existing login (undetermined from multiple selection)
+  // user2name/user2pass would also be valid to fill here.
+  state = {
+    msg         : "http://example2.com is requesting your username and password. The site says: “http://example2.com”",
+    title       : "Authentication Required",
+    textValue   : "user1name",
+    passValue   : "user1pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+  authinfo.username = "";
+  authinfo.password = "";
+  authinfo.realm    = "http://example2.com";
+
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth("channel2", level, authinfo);
+  yield promptDone;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  ok(authinfo.username == "user1name" || authinfo.username == "user2name", "Checking returned username");
+  ok(authinfo.password == "user1pass" || authinfo.password == "user2pass", "Checking returned password");
+});
+
+add_task(function* test_multipleExisting2() {
+  // test filling in existing login (undetermined --> user1)
+  // user2name/user2pass would also be valid to fill here.
+  state = {
+    msg         : "http://example2.com is requesting your username and password. The site says: “http://example2.com”",
+    title       : "Authentication Required",
+    textValue   : "user1name",
+    passValue   : "user1pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  // enter one of the known logins, test 504+505 exercise the two possible states.
+  action = {
+    buttonClick : "ok",
+    textField   : "user1name",
+    passField   : "user1pass",
+  };
+  authinfo.username = "";
+  authinfo.password = "";
+  authinfo.realm    = "http://example2.com";
+
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth("channel2", level, authinfo);
+  yield promptDone;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  is(authinfo.username, "user1name", "Checking returned username");
+  is(authinfo.password, "user1pass", "Checking returned password");
+});
+
+add_task(function* test_multipleExisting3() {
+  // test filling in existing login (undetermined --> user2)
+  // user2name/user2pass would also be valid to fill here.
+  state = {
+    msg         : "http://example2.com is requesting your username and password. The site says: “http://example2.com”",
+    title       : "Authentication Required",
+    textValue   : "user1name",
+    passValue   : "user1pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  // enter one of the known logins, test 504+505 exercise the two possible states.
+  action = {
+    buttonClick : "ok",
+    textField   : "user2name",
+    passField   : "user2pass",
+  };
+  authinfo.username = "";
+  authinfo.password = "";
+  authinfo.realm    = "http://example2.com";
+
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth("channel2", level, authinfo);
+  yield promptDone;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  is(authinfo.username, "user2name", "Checking returned username");
+  is(authinfo.password, "user2pass", "Checking returned password");
+});
+
+add_task(function* test_changingMultiple() {
+  // test changing a password (undetermined --> user2 w/ newpass)
+  // user2name/user2pass would also be valid to fill here.
+  state = {
+    msg         : "http://example2.com is requesting your username and password. The site says: “http://example2.com”",
+    title       : "Authentication Required",
+    textValue   : "user1name",
+    passValue   : "user1pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  // force to user2, and change the password
+  action = {
+    buttonClick : "ok",
+    textField   : "user2name",
+    passField   : "NEWuser2pass",
+  };
+  authinfo.username = "";
+  authinfo.password = "";
+  authinfo.realm    = "http://example2.com";
+
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth("channel2", level, authinfo);
+  yield promptDone;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  is(authinfo.username, "user2name", "Checking returned username");
+  is(authinfo.password, "NEWuser2pass", "Checking returned password");
+});
+
+add_task(function* test_changingMultiple2() {
+  // test changing a password (undetermined --> user2 w/ origpass)
+  // user2name/user2pass would also be valid to fill here.
+  state = {
+    msg         : "http://example2.com is requesting your username and password. The site says: “http://example2.com”",
+    title       : "Authentication Required",
+    textValue   : "user1name",
+    passValue   : "user1pass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  // force to user2, and change the password back
+  action = {
+    buttonClick : "ok",
+    textField   : "user2name",
+    passField   : "user2pass",
+  };
+  authinfo.username = "";
+  authinfo.password = "";
+  authinfo.realm    = "http://example2.com";
+
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth("channel2", level, authinfo);
+  yield promptDone;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  is(authinfo.username, "user2name", "Checking returned username");
+  is(authinfo.password, "user2pass", "Checking returned password");
+});
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_prompt_promptAuth_proxy.html b/toolkit/components/passwordmgr/test/mochitest/test_prompt_promptAuth_proxy.html
new file mode 100644
index 000000000..95dd4c7bc
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_prompt_promptAuth_proxy.html
@@ -0,0 +1,264 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test promptAuth proxy prompts</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <script type="text/javascript" src="prompt_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+
+<div id="content" style="display: none">
+  <iframe id="iframe"></iframe>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+var state, action;
+var pwmgr;
+var proxyLogin;
+var isOk;
+var mozproxy, proxiedHost = "http://mochi.test:8888";
+var proxyChannel;
+var systemPrincipal = SpecialPowers.Services.scriptSecurityManager.getSystemPrincipal();
+var ioService = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
+
+var prefs = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
+
+var level = Ci.nsIAuthPrompt2.LEVEL_NONE;
+
+var proxyAuthinfo = {
+  username : "",
+  password : "",
+  domain   : "",
+
+  flags : Ci.nsIAuthInformation.AUTH_PROXY,
+  authenticationScheme : "basic",
+  realm : ""
+};
+
+// Force parent to not look for tab-modal prompts, as they're not used for auth prompts.
+isTabModal = false;
+
+const Cc_promptFac = Cc["@mozilla.org/passwordmanager/authpromptfactory;1"];
+ok(Cc_promptFac != null, "Access Cc[@mozilla.org/passwordmanager/authpromptfactory;1]");
+
+const Ci_promptFac = Ci.nsIPromptFactory;
+ok(Ci_promptFac != null, "Access Ci.nsIPromptFactory");
+
+const promptFac = Cc_promptFac.getService(Ci_promptFac);
+ok(promptFac != null, "promptFac getService()");
+
+var prompter2 = promptFac.getPrompt(window, Ci.nsIAuthPrompt2);
+
+function initLogins(pi) {
+  pwmgr = Cc["@mozilla.org/login-manager;1"].
+          getService(Ci.nsILoginManager);
+
+  mozproxy = "moz-proxy://" + SpecialPowers.wrap(pi).host + ":" +
+              SpecialPowers.wrap(pi).port;
+
+  proxyLogin = Cc["@mozilla.org/login-manager/loginInfo;1"].
+               createInstance(Ci.nsILoginInfo);
+
+  proxyLogin.init(mozproxy, null, "Proxy Realm",
+                  "proxuser", "proxpass", "", "");
+
+  pwmgr.addLogin(proxyLogin);
+}
+
+var startupCompleteResolver;
+var startupComplete = new Promise(resolve => startupCompleteResolver = resolve);
+
+function proxyChannelListener() { }
+proxyChannelListener.prototype = {
+  onStartRequest: function(request, context) {
+    startupCompleteResolver();
+  },
+  onStopRequest: function(request, context, status) { }
+};
+
+var resolveCallback = SpecialPowers.wrapCallbackObject({
+  QueryInterface : function (iid) {
+    const interfaces = [Ci.nsIProtocolProxyCallback, Ci.nsISupports];
+
+    if (!interfaces.some( function(v) { return iid.equals(v); } ))
+      throw SpecialPowers.Cr.NS_ERROR_NO_INTERFACE;
+    return this;
+  },
+
+  onProxyAvailable : function (req, uri, pi, status) {
+    initLogins(pi);
+
+    // I'm cheating a bit here... We should probably do some magic foo to get
+    // something implementing nsIProxiedProtocolHandler and then call
+    // NewProxiedChannel(), so we have something that's definately a proxied
+    // channel. But Mochitests use a proxy for a number of hosts, so just
+    // requesting a normal channel will give us a channel that's proxied.
+    // The proxyChannel needs to move to at least on-modify-request to
+    // have valid ProxyInfo, but we use OnStartRequest during startup()
+    // for simplicity.
+    proxyChannel = ioService.newChannel2(proxiedHost,
+                                         null,
+                                         null,
+                                         null,      // aLoadingNode
+                                         systemPrincipal,
+                                         null,      // aTriggeringPrincipal
+                                         Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
+                                         Ci.nsIContentPolicy.TYPE_OTHER);
+    proxyChannel.asyncOpen2(SpecialPowers.wrapCallbackObject(new proxyChannelListener()));
+  }
+});
+
+function startup() {
+  // Need to allow for arbitrary network servers defined in PAC instead of a hardcoded moz-proxy.
+  var ios = SpecialPowers.Cc["@mozilla.org/network/io-service;1"].
+    getService(SpecialPowers.Ci.nsIIOService);
+
+  var pps = SpecialPowers.Cc["@mozilla.org/network/protocol-proxy-service;1"].getService();
+
+  var channel = ios.newChannel2("http://example.com",
+                                null,
+                                null,
+                                null,      // aLoadingNode
+                                systemPrincipal,
+                                null,      // aTriggeringPrincipal
+                                Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
+                                Ci.nsIContentPolicy.TYPE_OTHER);
+  pps.asyncResolve(channel, 0, resolveCallback);
+}
+
+startup();
+
+add_task(function* setup() {
+  info("Waiting for startup to complete...");
+  yield startupComplete;
+});
+
+add_task(function* test_noAutologin() {
+  // test proxy login (default = no autologin), make sure it prompts.
+  state = {
+    msg         : "The proxy moz-proxy://127.0.0.1:8888 is requesting a username and password. The site says: “Proxy Realm”",
+    title       : "Authentication Required",
+    textValue   : "proxuser",
+    passValue   : "proxpass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+  proxyAuthinfo.username = "";
+  proxyAuthinfo.password = "";
+  proxyAuthinfo.realm    = "Proxy Realm";
+  proxyAuthinfo.flags    = Ci.nsIAuthInformation.AUTH_PROXY;
+
+  var time1 = pwmgr.findLogins({}, mozproxy, null, "Proxy Realm")[0].QueryInterface(Ci.nsILoginMetaInfo).timeLastUsed;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth(proxyChannel, level, proxyAuthinfo);
+  yield promptDone;
+  var time2 = pwmgr.findLogins({}, mozproxy, null, "Proxy Realm")[0].QueryInterface(Ci.nsILoginMetaInfo).timeLastUsed;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  isnot(time1, time2, "Checking that timeLastUsed was updated");
+  is(proxyAuthinfo.username, "proxuser", "Checking returned username");
+  is(proxyAuthinfo.password, "proxpass", "Checking returned password");
+});
+
+add_task(function* test_autologin() {
+  // test proxy login (with autologin)
+
+  // Enable the autologin pref.
+  prefs.setBoolPref("signon.autologin.proxy", true);
+
+  proxyAuthinfo.username = "";
+  proxyAuthinfo.password = "";
+  proxyAuthinfo.realm    = "Proxy Realm";
+  proxyAuthinfo.flags    = Ci.nsIAuthInformation.AUTH_PROXY;
+
+  time1 = pwmgr.findLogins({}, mozproxy, null, "Proxy Realm")[0].QueryInterface(Ci.nsILoginMetaInfo).timeLastUsed;
+  isOk = prompter2.promptAuth(proxyChannel, level, proxyAuthinfo);
+  time2 = pwmgr.findLogins({}, mozproxy, null, "Proxy Realm")[0].QueryInterface(Ci.nsILoginMetaInfo).timeLastUsed;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  isnot(time1, time2, "Checking that timeLastUsed was updated");
+  is(proxyAuthinfo.username, "proxuser", "Checking returned username");
+  is(proxyAuthinfo.password, "proxpass", "Checking returned password");
+});
+
+add_task(function* test_autologin_incorrect() {
+  // test proxy login (with autologin), ensure it prompts after a failed auth.
+  state = {
+    msg         : "The proxy moz-proxy://127.0.0.1:8888 is requesting a username and password. The site says: “Proxy Realm”",
+    title       : "Authentication Required",
+    textValue   : "proxuser",
+    passValue   : "proxpass",
+    iconClass   : "authentication-icon question-icon",
+    titleHidden : true,
+    textHidden  : false,
+    passHidden  : false,
+    checkHidden : true,
+    checkMsg    : "",
+    checked     : false,
+    focused     : "textField",
+    defButton   : "button0",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+
+  proxyAuthinfo.username = "";
+  proxyAuthinfo.password = "";
+  proxyAuthinfo.realm    = "Proxy Realm";
+  proxyAuthinfo.flags    = (Ci.nsIAuthInformation.AUTH_PROXY | Ci.nsIAuthInformation.PREVIOUS_FAILED);
+
+  time1 = pwmgr.findLogins({}, mozproxy, null, "Proxy Realm")[0].QueryInterface(Ci.nsILoginMetaInfo).timeLastUsed;
+  promptDone = handlePrompt(state, action);
+  isOk = prompter2.promptAuth(proxyChannel, level, proxyAuthinfo);
+  yield promptDone;
+  time2 = pwmgr.findLogins({}, mozproxy, null, "Proxy Realm")[0].QueryInterface(Ci.nsILoginMetaInfo).timeLastUsed;
+
+  ok(isOk, "Checking dialog return value (accept)");
+  isnot(time1, time2, "Checking that timeLastUsed was updated");
+  is(proxyAuthinfo.username, "proxuser", "Checking returned username");
+  is(proxyAuthinfo.password, "proxpass", "Checking returned password");
+});
+
+add_task(function* test_autologin_private() {
+  // test proxy login (with autologin), ensure it prompts in Private Browsing mode.
+  state = {
+    msg         : "the message",
+    title       : "the title",
+    textValue   : "proxuser",
+    passValue   : "proxpass",
+  };
+  action = {
+    buttonClick : "ok",
+  };
+
+  proxyAuthinfo.username = "";
+  proxyAuthinfo.password = "";
+  proxyAuthinfo.realm    = "Proxy Realm";
+  proxyAuthinfo.flags    = Ci.nsIAuthInformation.AUTH_PROXY;
+
+  prefs.clearUserPref("signon.autologin.proxy");
+
+  // XXX check for and kill popup notification??
+  // XXX check for checkbox / checkstate on old prompts?
+  // XXX check NTLM domain stuff
+});
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_recipe_login_fields.html b/toolkit/components/passwordmgr/test/mochitest/test_recipe_login_fields.html
new file mode 100644
index 000000000..943bffc52
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_recipe_login_fields.html
@@ -0,0 +1,145 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for recipes overriding login fields</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script src="pwmgr_common.js"></script>
+  <link rel="stylesheet" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script>
+var chromeScript = runChecksAfterCommonInit();
+
+let fillPromiseResolvers = [];
+
+function waitForFills(fillCount) {
+  let promises = [];
+  while (fillCount--) {
+    let promise = new Promise(resolve => fillPromiseResolvers.push(resolve));
+    promises.push(promise);
+  }
+
+  return Promise.all(promises);
+}
+
+add_task(function* setup() {
+  if (document.readyState !== "complete") {
+    yield new Promise((resolve) => {
+      document.onreadystatechange = () => {
+        if (document.readyState !== "complete") {
+          return;
+        }
+        document.onreadystatechange = null;
+        resolve();
+      };
+    });
+  }
+
+  document.getElementById("content")
+  .addEventListener("input", function handleInputEvent(evt) {
+    let resolve = fillPromiseResolvers.shift();
+    if (!resolve) {
+      ok(false, "Too many fills");
+      return;
+    }
+
+    resolve(evt.target);
+  });
+});
+
+add_task(function* loadUsernamePasswordSelectorRecipes() {
+  yield loadRecipes({
+    siteRecipes: [{
+      hosts: ["mochi.test:8888"],
+      usernameSelector: "input[name='uname1']",
+      passwordSelector: "input[name='pword2']",
+    }],
+  });
+});
+
+add_task(function* testOverriddingFields() {
+  // Insert the form dynamically so autofill is triggered after setup above.
+  document.getElementById("content").innerHTML = `
+    <!-- form with recipe for the username and password -->
+      <form id="form1">
+        <input type="text"     name="uname1" data-expected="true">
+        <input type="text"     name="uname2" data-expected="false">
+        <input type="password" name="pword1" data-expected="false">
+        <input type="password" name="pword2" data-expected="true">
+      </form>`;
+
+  let elements = yield waitForFills(2);
+  for (let element of elements) {
+    is(element.dataset.expected, "true", `${element.name} was filled`);
+  }
+});
+
+add_task(function* testDefaultHeuristics() {
+  // Insert the form dynamically so autofill is triggered after setup above.
+  document.getElementById("content").innerHTML = `
+    <!-- Fallback to the default heuristics since the selectors don't match -->
+    <form id="form2">
+      <input type="text"     name="uname3" data-expected="false">
+      <input type="text"     name="uname4" data-expected="true">
+      <input type="password" name="pword3" data-expected="true">
+      <input type="password" name="pword4" data-expected="false">
+    </form>`;
+
+  let elements = yield waitForFills(2);
+  for (let element of elements) {
+    is(element.dataset.expected, "true", `${element.name} was filled`);
+  }
+});
+
+add_task(function* loadNotUsernameSelectorRecipes() {
+  yield resetRecipes();
+  yield loadRecipes({
+    siteRecipes: [{
+      hosts: ["mochi.test:8888"],
+      notUsernameSelector: "input[name='not_uname1']"
+    }],
+  });
+});
+
+add_task(function* testNotUsernameField() {
+  document.getElementById("content").innerHTML = `
+    <!-- The field matching notUsernameSelector should be skipped -->
+    <form id="form3">
+      <input type="text"     name="uname5" data-expected="true">
+      <input type="text"     name="not_uname1" data-expected="false">
+      <input type="password" name="pword5" data-expected="true">
+    </form>`;
+
+  let elements = yield waitForFills(2);
+  for (let element of elements) {
+    is(element.dataset.expected, "true", `${element.name} was filled`);
+  }
+});
+
+add_task(function* testNotUsernameFieldNoUsername() {
+  document.getElementById("content").innerHTML = `
+    <!-- The field matching notUsernameSelector should be skipped.
+         No username field should be found and filled in this case -->
+    <form id="form4">
+      <input type="text"     name="not_uname1" data-expected="false">
+      <input type="password" name="pword6" data-expected="true">
+    </form>`;
+
+  let elements = yield waitForFills(1);
+  for (let element of elements) {
+    is(element.dataset.expected, "true", `${element.name} was filled`);
+  }
+});
+
+</script>
+
+<p id="display"></p>
+
+<div id="content">
+  // Forms are inserted dynamically
+</div>
+<pre id="test"></pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_username_focus.html b/toolkit/components/passwordmgr/test/mochitest/test_username_focus.html
new file mode 100644
index 000000000..c93c1e9c9
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_username_focus.html
@@ -0,0 +1,263 @@
+
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test interaction between autocomplete and focus on username fields</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="satchel_common.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script>
+let pwmgrCommonScript = runInParent(SimpleTest.getTestFileURL("pwmgr_common.js"));
+
+let readyPromise = registerRunTests();
+let chromeScript = runInParent(function chromeSetup() {
+  const { classes: Cc, interfaces: Ci, results: Cr, utils: Cu } = Components;
+  let pwmgr = Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager);
+
+  let login1A  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+  let login1B  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+  let login2A  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+  let login2B  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+  let login2C  = Cc["@mozilla.org/login-manager/loginInfo;1"].
+                 createInstance(Ci.nsILoginInfo);
+
+  login1A.init("http://mochi.test:8888", "http://username-focus-1", null,
+               "testuser1A", "testpass1A", "", "");
+
+  login2A.init("http://mochi.test:8888", "http://username-focus-2", null,
+               "testuser2A", "testpass2A", "", "");
+  login2B.init("http://mochi.test:8888", "http://username-focus-2", null,
+               "testuser2B", "testpass2B", "", "");
+
+  pwmgr.addLogin(login1A);
+  pwmgr.addLogin(login2A);
+  pwmgr.addLogin(login2B);
+});
+</script>
+
+<p id="display"></p>
+<div id="content">
+  <!-- first 3 forms have a matching user+pass login -->
+
+  <!-- user+pass form. -->
+  <form id="form-autofilled" action="http://username-focus-1">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword">
+    <button type="submit" name="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form, username prefilled -->
+  <form id="form-autofilled-prefilled-un" action="http://username-focus-1">
+    <input  type="text"     name="uname" value="testuser1A">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form. -->
+  <form id="form-autofilled-focused-dynamic" action="http://username-focus-1">
+    <input  type="text"             name="uname">
+    <input  type="not-yet-password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+
+  <!-- next 5 forms have matching user+pass (2x) logins -->
+
+  <!-- user+pass form. -->
+  <form id="form-multiple" action="http://username-focus-2">
+    <input  type="text"     name="uname">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form dynamic with existing focus -->
+  <form id="form-multiple-dynamic" action="http://username-focus-2">
+    <input  type="text"             name="uname">
+    <input  type="not-yet-password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form, username prefilled -->
+  <form id="form-multiple-prefilled-un1" action="http://username-focus-2">
+    <input  type="text"     name="uname" value="testuser2A">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form, different username prefilled -->
+  <form id="form-multiple-prefilled-un2" action="http://username-focus-2">
+    <input  type="text"     name="uname" value="testuser2B">
+    <input  type="password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+  <!-- user+pass form, username prefilled with existing focus -->
+  <form id="form-multiple-prefilled-focused-dynamic" action="http://username-focus-2">
+    <input  type="text"             name="uname" value="testuser2B">
+    <input  type="not-yet-password" name="pword">
+    <button type="submit">Submit</button>
+  </form>
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+function removeFocus() {
+  $_("-autofilled", "submit").focus();
+}
+
+add_task(function* setup() {
+  yield SpecialPowers.pushPrefEnv({"set": [
+    ["security.insecure_field_warning.contextual.enabled", false],
+  ]});
+
+  ok(readyPromise, "check promise is available");
+  yield readyPromise;
+});
+
+add_task(function* test_autofilled() {
+  let usernameField = $_("-autofilled", "uname");
+  info("Username and password already filled so don't show autocomplete");
+  let noPopupPromise = promiseNoUnexpectedPopupShown();
+  usernameField.focus();
+  yield noPopupPromise;
+
+  removeFocus();
+  usernameField.value = "testuser";
+  info("Focus when we don't have an exact match");
+  shownPromise = promiseACShown();
+  usernameField.focus();
+  yield shownPromise;
+});
+
+add_task(function* test_autofilled_prefilled_un() {
+  let usernameField = $_("-autofilled-prefilled-un", "uname");
+  info("Username and password already filled so don't show autocomplete");
+  let noPopupPromise = promiseNoUnexpectedPopupShown();
+  usernameField.focus();
+  yield noPopupPromise;
+
+  removeFocus();
+  usernameField.value = "testuser";
+  info("Focus when we don't have an exact match");
+  shownPromise = promiseACShown();
+  usernameField.focus();
+  yield shownPromise;
+});
+
+add_task(function* test_autofilled_focused_dynamic() {
+  let usernameField = $_("-autofilled-focused-dynamic", "uname");
+  let passwordField = $_("-autofilled-focused-dynamic", "pword");
+  info("Username and password will be filled while username focused");
+  let noPopupPromise = promiseNoUnexpectedPopupShown();
+  usernameField.focus();
+  yield noPopupPromise;
+  info("triggering autofill");
+  noPopupPromise = promiseNoUnexpectedPopupShown();
+  passwordField.type = "password";
+  yield noPopupPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is closed");
+
+  removeFocus();
+  passwordField.value = "test";
+  info("Focus when we don't have an exact match");
+  shownPromise = promiseACShown();
+  usernameField.focus();
+  yield shownPromise;
+});
+
+// Begin testing forms that have multiple saved logins
+
+add_task(function* test_multiple() {
+  let usernameField = $_("-multiple", "uname");
+  info("Fields not filled due to multiple so autocomplete upon focus");
+  shownPromise = promiseACShown();
+  usernameField.focus();
+  yield shownPromise;
+});
+
+add_task(function* test_multiple_dynamic() {
+  let usernameField = $_("-multiple-dynamic", "uname");
+  let passwordField = $_("-multiple-dynamic", "pword");
+  info("Fields not filled but username is focused upon marking so open");
+  let noPopupPromise = promiseNoUnexpectedPopupShown();
+  usernameField.focus();
+  yield noPopupPromise;
+
+  info("triggering _fillForm code");
+  let shownPromise = promiseACShown();
+  passwordField.type = "password";
+  yield shownPromise;
+});
+
+add_task(function* test_multiple_prefilled_un1() {
+  let usernameField = $_("-multiple-prefilled-un1", "uname");
+  info("Username and password already filled so don't show autocomplete");
+  let noPopupPromise = promiseNoUnexpectedPopupShown();
+  usernameField.focus();
+  yield noPopupPromise;
+
+  removeFocus();
+  usernameField.value = "testuser";
+  info("Focus when we don't have an exact match");
+  shownPromise = promiseACShown();
+  usernameField.focus();
+  yield shownPromise;
+});
+
+add_task(function* test_multiple_prefilled_un2() {
+  let usernameField = $_("-multiple-prefilled-un2", "uname");
+  info("Username and password already filled so don't show autocomplete");
+  let noPopupPromise = promiseNoUnexpectedPopupShown();
+  usernameField.focus();
+  yield noPopupPromise;
+
+  removeFocus();
+  usernameField.value = "testuser";
+  info("Focus when we don't have an exact match");
+  shownPromise = promiseACShown();
+  usernameField.focus();
+  yield shownPromise;
+});
+
+add_task(function* test_multiple_prefilled_focused_dynamic() {
+  let usernameField = $_("-multiple-prefilled-focused-dynamic", "uname");
+  let passwordField = $_("-multiple-prefilled-focused-dynamic", "pword");
+  info("Username and password will be filled while username focused");
+  let noPopupPromise = promiseNoUnexpectedPopupShown();
+  usernameField.focus();
+  yield noPopupPromise;
+  info("triggering autofill");
+  noPopupPromise = promiseNoUnexpectedPopupShown();
+  passwordField.type = "password";
+  yield noPopupPromise;
+
+  let popupState = yield getPopupState();
+  is(popupState.open, false, "Check popup is closed");
+
+  removeFocus();
+  passwordField.value = "test";
+  info("Focus when we don't have an exact match");
+  shownPromise = promiseACShown();
+  usernameField.focus();
+  yield shownPromise;
+});
+
+add_task(function* cleanup() {
+  removeFocus();
+});
+</script>
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/passwordmgr/test/mochitest/test_xhr_2.html b/toolkit/components/passwordmgr/test/mochitest/test_xhr_2.html
new file mode 100644
index 000000000..fa8357792
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_xhr_2.html
@@ -0,0 +1,55 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=654348
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test XHR auth with user and pass arguments</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body onload="startTest()">
+<script class="testbody" type="text/javascript">
+
+/**
+ * This test checks we correctly ignore authentication entry
+ * for a subpath and use creds from the URL when provided when XHR
+ * is used with filled user name and password.
+ *
+ * 1. connect authenticate.sjs that excepts user1:pass1 password
+ * 2. connect authenticate.sjs that this time expects differentuser2:pass2 password
+ *    we must use the creds that are provided to the xhr witch are different and expected
+ */
+
+function doxhr(URL, user, pass, code, next) {
+  var xhr = new XMLHttpRequest();
+  if (user && pass)
+    xhr.open("POST", URL, true, user, pass);
+  else
+    xhr.open("POST", URL, true);
+  xhr.onload = function() {
+    is(xhr.status, code, "expected response code " + code);
+    next();
+  };
+  xhr.onerror = function() {
+    ok(false, "request passed");
+    finishTest();
+  };
+  xhr.send();
+}
+
+function startTest() {
+  doxhr("authenticate.sjs?user=dummy&pass=pass1&realm=realm1&formauth=1", "dummy", "dummy", 403, function() {
+    doxhr("authenticate.sjs?user=dummy&pass=pass1&realm=realm1&formauth=1", "dummy", "pass1", 200, finishTest);
+  });
+}
+
+function finishTest() {
+  SimpleTest.finish();
+}
+
+</script>
+</body>
+</html>