This prevents an active MITM attacker from enumerating all your saved
passwords. The attacker will now only be able to access passwords saved
on http:// sites. That's by design, though; users are now warned when
focusing insecure password forms and should think twice before saving
such passwords.

Unfortunately this does introduce a migration issue, in that no
previously-saved passwords will be available on https:// websites
anymore, and all previously-saved passwords will still be enumerable by
attackers. I'm not sure how to handle migration. We might be able to
handle it nicely by using the history service to guess whether a
password should be migrated from http:// to https://, but that is not a
simple project.

https://bugzilla.gnome.org/show_bug.cgi?id=752738