Open Bug 453077 Opened 16 years ago Updated 2 years ago

"Warn me when sites try to redirect..." should distinguish between same or differing domains

Categories

(Firefox :: Settings UI, enhancement)

x86
All
enhancement

People

(Reporter: strata_ranger, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

The option to display a warning about meta redirects/reloads embedded in the current webpage should be extended with an option to only warn about redirects towards a different site or domain than the original web page it is embedded on.

It is not uncommon for online forum software packages (e.g., phpBB2), upon a user posting a new topic or reply in that forum, to display a confirmation message about the post being made successfully, with a meta-redirect back to the topic or forum in which they posted their message.  Allowing Firefox to implicitly allow these kinds of meta-redirects (i.e. ones with a relative URI and/or within the same domain as the originating page) while still explicitly blocking/warning about other http-redirects in general would be a welcome addition.

Reproducible: Always
I agree that this would be an excellent change. However, I think there should also be a 4th option

-Always allow
-Always block
-Allow for same subdomain only (allow foo.baz.bar.tld -> foo.baz.bar.tld)
-Allow for same domain name only (allow *.bar.tld -> *.bar.tld)

And, as side notes to all of this:
- I also think that warning about redirects and reloads should be 2 separate options, as they are 2 different actions.
- I think these settings might be more at home under the Security tab.

Mockup:

Warn me when a site tries to
[*] Install add-ons [Exceptions]
[ ] Reload the page
[*] Redirect to [combo box]

And the combo box would be:
+------------------------+
| * Any Page             |
| A different domain     |
| A different subdomain  |
+------------------------+
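
The distinctions proposed in the comment above (reload vs. redirect, same subdomain vs. same domain), as an added example that is not part of the bug thread or of Firefox's code: a sketch that classifies a meta refresh target against the page it is embedded on. `SAMPLE_SUFFIXES` is a constructed stand-in for the Public Suffix List, and the function names and category labels are hypothetical.

```javascript
// Added example: classify a <meta http-equiv="refresh"> target relative to its page.
// SAMPLE_SUFFIXES is a constructed stand-in for the Public Suffix List (assumption).
const SAMPLE_SUFFIXES = new Set(["com", "org", "tld", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: not comparable, caller fails closed
}

// Parse the content attribute "<seconds>[; url=<target>]"; null if malformed.
function parseRefresh(content) {
  const m = /^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$/i.exec(content);
  if (!m) return null;
  const target = (m[2] || "").trim().replace(/^(["'])(.*)\1$/, "$2");
  return { delay: Number(m[1]), target };
}

// Returns "reload", "same-subdomain", "same-domain", "different-domain" or "malformed".
function classifyRefresh(pageUrl, content) {
  const r = parseRefresh(content);
  if (!r) return "malformed";
  const page = new URL(pageUrl);
  let dest;
  try { dest = new URL(r.target, page); } catch { return "malformed"; }
  // Non-web schemes never count as same-site.
  if (dest.protocol !== "http:" && dest.protocol !== "https:") return "different-domain";
  // No target, or a target that resolves to the page itself, is a plain reload.
  if (dest.href.split("#")[0] === page.href.split("#")[0]) return "reload";
  if (dest.hostname === page.hostname) return "same-subdomain";
  const a = registrableDomain(page.hostname);
  const b = registrableDomain(dest.hostname);
  return a !== null && a === b ? "same-domain" : "different-domain";
}

// Constructed sample inputs: a forum confirmation page and a cross-site redirect.
for (const [page, content] of [
  ["http://forum.bar.tld/posting.php?mode=reply", "3; url=viewtopic.php?t=42"],
  ["http://foo.baz.bar.tld/", "0; URL=http://www.bar.tld/"],
  ["http://short.example.com/abc", "0; url=https://other.example.org/"],
]) console.log(classifyRefresh(page, content), "<-", page, "|", content);
```

Comparing only the last two host labels would treat `a.co.uk` and `b.co.uk` as the same domain, which is why the "same domain" option needs a suffix list rather than string slicing.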
I also propose that the default settings should be to warn users about inter-site redirects (showing the target URL), but not about intra-site redirects.

My reasoning for this is to (by default) provide users with some warning about where URL shortening services are sending them, as described here:

https://patrickwbarnes.com/blog/2009/07/url-shortener-design-flaw/

As for domain/subdomain options, this would also be nice, though I would suggest slightly different wording in the "combo box" idea from above:

+---------------------------------+
| Anywhere                        |
| * A different domain            |
| A different domain or subdomain |
+---------------------------------+

(Make it explicitly clear that the third option includes both different domains and different subdomains.)
Confirming enhancement. This would hopefully also distinguish between just refreshes of the same page (which could be harmless) and redirects to other pages (which I think are the main reason for implementing the warning and notifying the user).
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Version: unspecified → Trunk
I suggest simply giving the option to disable the warning dropdown message, but still keep the security functionality running.

I.e.: do it, but don't keep bugging the user about it.  Most users are capable of doing a manual page refresh when it is actually needed, and at least in my case the problem is not with what the feature does, but that it has no option to do it silently.
Severity: normal → S3