Closed Bug 102269 Opened 23 years ago Closed 21 years ago

Cookie Manager: "Server Secure" is unclear

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.7beta

People

(Reporter: andre.bugs2, Assigned: mconnor)

References

Details

(Whiteboard: checklinux)

Attachments

(1 file, 4 obsolete files)

patch v2 including dialog update
9.42 KB, patch
mvl
: review+
alecf
: superreview+
Details | Diff | Splinter Review
In the Cookie Manager, on the Stored Cookies tab, there is a label called "Server Secure:____". I really think that should be replaced by "Secure Server: ____". Below I will attach a patch that does that.
to cookies.
Assignee: blakeross → morse
Component: XP Apps: GUI Features → Cookies
Keywords: patch
QA Contact: sairuh → tever
We are going round in circles here. Take a look at bug 51145. I'm not sure I agree with this patch. "Secure Server" sounds like "secure" is a verb (rather than an adjective) and you are going to "secure the server". Frankly I'm not happy with either "secure server" or server secure" since neither reflect what is happening. The meaning of this field is that if it is "true", then the cookie will not be sent back to a server that doesn't use https. So a correct label would be "send cookie to a secure server only". But abreviating it to either "secure server" or "server secure" doesn't capture that meaning at all. Therefore I'm marking the target milestone as "future" which is my way of saying that it won't get fixed. If someone can come up with a descriptive word or two that can better describe this field, then please post it here and I'll reconsider the target milestone. Maybe just "secure" would do but I'm sure that we had that at one time and it got changed. cc'ing german on this for the usual reason.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
Same wording occurs on all platforms. Changing platform from linux to all.
OS: Linux → All
Morse, we are going around in circles because you change this wording between version 1.8 and 1.9 without describing why. In bug 51145 Henrik Gemal asked for the wording to be changed from "Secure Server?" to "Secure Server:". But when this was checked in it ended up as the horrible "Server Secure".
Oops, you are correct about that. In any case, I find either wording to be meaningless for the reasons I gave above. Can you suggest something that describes what is really going on?
How about "Send Securely"?
That would imply that there is something that we would do to the cookie at send time to make it secure (such as encrypting it). It does not convey the concept that we won't send it if the site can't receive it securely.
we haven't sparred over this in over a month.
timeless: did you CC us for ideas? How about "Keep Secret:"? "Keep Secret: yes" means that we won't do anything to compromise the secrecy of the cookie. "no" means we don't care. "Keep Secure" or "Keep Private" might be other options. Gerv
cc:ing Sean, who's the writer for this area. He's on sabbatical until early December, so I'll jump in. I like Gerv's suggestion "Keep Secure", or "Secure Connection".
[Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.3) Gecko/20030312] Some ideas to revive the discussion on this bug: (They are all keywords: feel free to mix between them !) *HttpS (sites) only *SSL (servers) needed *Secure (connections) checked Unlike comment 11, I don't like "Keep xxx" because it could be related to the storage on the user computer, Nor "Secure connection" because (as written in comment 3) it looks like a verb ("Keep xxx" too !).
Severity should be changed from 'Normal' to 'Trivial' !?
.
Assignee: morse → dwitte
Status: ASSIGNED → NEW
Target Milestone: Future → ---
hmm, adding myself to cc since bugzilla apparently doesn't fwd me bugmail on this one, even though it's assigned to me... I also like Gerv's suggestion, "Keep Secure". -> mvl since he's the "cookie UI guy" :)
Assignee: dwitte → mvl
"HTTPS only" is short enough and describes this flag quite well, I think. I also agree that "Keep Secure" could mean lots of things like encrypting on storage media and such.
The meaning of this field in cookies is too complicated to convey accurately in a tag line (I'd use "secure-only" if I had to). What we need to do is find a way of getting the full explaination to the user easily.
QA Contact: tever → cookieqa
Summary: Bad choice or wording in the Cookie Manager: "Server Secure" should be "Secure Server". → Cookie Manager: "Server Secure" should be "Secure Server"
I've been working on some test cases in this area, after thinking about this some more, and finding that "secure" cookies can only be sent to an HTTPS server, I like #17.
How about "Require HTTPS:". It should Translate well into other languages as well.
"Does your grandmother know what HTTPS Only means?" I don't know if any of the alternatives are any better. How many users understand this flag, let alone care? And would a different string really make any usability difference? Most people would still need to look at the Help file to understand this. Keep Secure is probably the best of the bunch, IMO.
Attachment #143010 - Flags: review?(timeless)
Comment on attachment 143010 [details] [diff] [review] patch. alternative approach using tooltip timeless, please do review this if you so desire, but i think mconnor should look at this too
Attachment #143010 - Flags: review?(timeless) → review?(mconnor)
Comment on attachment 143010 [details] [diff] [review] patch. alternative approach using tooltip Adding a tooltip would be quite inconsistent with pretty much the rest of the Navigator UI (excluding toolbars, obviously). Being inconsistent for something as obscure as this flag is a bad idea. If someone is curious, the Help file does have an excellent description of what this does. I'm almost in agreement of Morse's original assessment that there really isn't a good fix for this. HTTPS Only actually is the closest to what it does, but is that any more clear? I'm almost thinking we should just mark this WONTFIX and move on to more important things.
Attachment #143010 - Flags: review?(mconnor) → review-
-> wontfix
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WONTFIX
I'm sorry, I don't agree. Just because it can't be perfect doesn't mean it can't be better. If we want to move on, let's switch to "Keep Secure" using attachment 87806 [review], as several people seem to think that's an improvement. Gerv
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Comment on attachment 87806 [details] [diff] [review] New patch for helpfile and cookie manager with "Keep Secure" r=gerv. Who's the module owner associated with Cookies these days? Gerv
Attachment #87806 - Flags: review+
darin's the MO, i'm a peer. mconnor's the UI guy, so i think any patch that touches cookiemgr should have his blessing. mconnor, what do you think of the patch gerv r+'ed?
the problem with "Keep Secure" that became apparent to me later is that it implies that we're keeping it in some sort of secure storage. If we're going to change for the sake of changing it, I think HTTPS Only would be the better choice.
Assignee: mvl → mconnor
Status: REOPENED → NEW
Comment on attachment 87806 [details] [diff] [review] New patch for helpfile and cookie manager with "Keep Secure" This really would be misleading/confusing. We don't keep these cookies in any sort of secure format. Better solution forthcoming.
Attachment #87806 - Flags: review+ → review-
Attached patch patch (obsolete) — Splinter Review
Instead of Server Secure: yes || Server Secure: no Use Send For: Encrypted connections only || Send For: Any type of connection
Attachment #51308 - Attachment is obsolete: true
Attachment #87806 - Attachment is obsolete: true
Attachment #143010 - Attachment is obsolete: true
Attachment #143117 - Flags: review?(mvl)
Attachment #143117 - Attachment is obsolete: true
Attachment #143120 - Flags: review?(mvl)
Attachment #143117 - Flags: review?(mvl)
Comment on attachment 143120 [details] [diff] [review] patch v2 including dialog update >Index: mozilla/extensions/cookie/resources/content/cookieAcceptDialog.js > document.getElementById('ifl_isSecure').setAttribute("value", > cookie.isSecure ? >- cookieBundle.getString("yes") : cookieBundle.getString("no") >+ cookieBundle.getString("forSecureOnly") : cookieBundle.getString("forAnyConnection") This line is getting pretty long... Anyway, i think this improves the wording, so lets go for it. r=mvl
Attachment #143120 - Flags: review?(mvl) → review+
Comment on attachment 143120 [details] [diff] [review] patch v2 including dialog update alec, this one is pretty trivial if you have time before freeze...
Attachment #143120 - Flags: superreview?(alecf)
Comment on attachment 143120 [details] [diff] [review] patch v2 including dialog update sr=alecf
Attachment #143120 - Flags: superreview?(alecf) → superreview+
updating bug summary since Secure Server was rejected around 2002 checked in 03/07/2004 00:25
Status: NEW → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → FIXED
Summary: Cookie Manager: "Server Secure" should be "Secure Server" → Cookie Manager: "Server Secure" is unclear
Hardware: PC → All
Target Milestone: --- → mozilla1.7beta
Blocks: 216743
V/fixed: Mac OS X, Mozilla 1.7rc2.
Keywords: verifyme
Whiteboard: checkwin checklinux
V/fixed: mozilla 1.7.2/Win XP
Keywords: verifyme
Whiteboard: checkwin checklinux → checklinux
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: