Closed Bug 102269 Opened 23 years ago Closed 20 years ago

Cookie Manager: "Server Secure" is unclear


(Core :: Networking: Cookies, defect)

(Reporter: andre.bugs2, Assigned: mconnor)



(Whiteboard: checklinux)


(1 file, 4 obsolete files)

In the Cookie Manager, on the Stored Cookies tab, there is a label called
"Server Secure:____". I really think that should be replaced by "Secure Server:
____". Below I will attach a patch that does that.
to cookies.
Assignee: blakeross → morse
Component: XP Apps: GUI Features → Cookies
Keywords: patch
QA Contact: sairuh → tever
We are going round in circles here.  Take a look at bug 51145.

I'm not sure I agree with this patch.  "Secure Server" sounds like "secure" is a 
verb (rather than an adjective) and you are going to "secure the server".

Frankly I'm not happy with either "secure server" or "server secure" since 
neither reflects what is happening.  The meaning of this field is that if it is 
"true", then the cookie will not be sent back to a server that doesn't use 
https.  So a correct label would be "send cookie to a secure server only".  But 
abbreviating it to either "secure server" or "server secure" doesn't capture that 
meaning at all.

Therefore I'm marking the target milestone as "future" which is my way of saying 
that it won't get fixed.  If someone can come up with a descriptive word or two 
that can better describe this field, then please post it here and I'll 
reconsider the target milestone.  Maybe just "secure" would do but I'm sure that 
we had that at one time and it got changed.

cc'ing german on this for the usual reason.
Target Milestone: --- → Future
Same wording occurs on all platforms.  Changing platform from linux to all.
OS: Linux → All
Morse, we are going around in circles because you changed this wording between
version 1.8 and 1.9 without describing why. In bug 51145 Henrik Gemal asked for
the wording to be changed from "Secure Server?" to "Secure Server:". But when
this was checked in it ended up as the horrible "Server Secure".

Oops, you are correct about that.

In any case, I find either wording to be meaningless for the reasons I gave 
above.  Can you suggest something that describes what is really going on?
How about "Send Securely"?
That would imply that there is something that we would do to the cookie at send 
time to make it secure (such as encrypting it).  It does not convey the concept 
that we won't send it if the site can't receive it securely.
we haven't sparred over this in over a month.
timeless: did you CC us for ideas?

How about "Keep Secret:"?

"Keep Secret: yes" means that we won't do anything to compromise the secrecy of
the cookie. "no" means we don't care.

"Keep Secure" or "Keep Private" might be other options.


cc:ing Sean, who's the writer for this area. He's on sabbatical until early
December, so I'll jump in. I like Gerv's suggestion "Keep Secure", or "Secure
[Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.3) Gecko/20030312]

Some ideas to revive the discussion on this bug:
 (They are all keywords: feel free to mix between them !)
*HttpS (sites) only
*SSL (servers) needed
*Secure (connections) checked

Unlike comment 11,
I don't like "Keep xxx" because it could be related to the storage on the user
Nor "Secure connection" because (as written in comment 3) it looks like a verb
("Keep xxx" too !).
Severity should be changed from 'Normal' to 'Trivial' !?
Assignee: morse → dwitte
Target Milestone: Future → ---
hmm, adding myself to cc since bugzilla apparently doesn't fwd me bugmail on 
this one, even though it's assigned to me...

I also like Gerv's suggestion, "Keep Secure".

-> mvl since he's the "cookie UI guy" :)
Assignee: dwitte → mvl
"HTTPS only" is short enough and describes this flag quite well, I think. I also
agree that "Keep Secure" could mean lots of things like encrypting on storage
media and such.
The meaning of this field in cookies is too complicated to convey accurately in
a tag line (I'd use "secure-only" if I had to).

What we need to do is find a way of getting the full explanation to the user
QA Contact: tever → cookieqa
Summary: Bad choice or wording in the Cookie Manager: "Server Secure" should be "Secure Server". → Cookie Manager: "Server Secure" should be "Secure Server"
I've been working on some test cases in this area, after thinking about this
some more, and finding that "secure" cookies can only be sent to an HTTPS
server, I like #17.
How about "Require HTTPS:". It should translate well into other languages as well.
"Does your grandmother know what HTTPS Only means?"

I don't know if any of the alternatives are any better.  How many users 
understand this flag, let alone care?  And would a different string really make 
any usability difference?  Most people would still need to look at the Help 
file to understand this.   Keep Secure is probably the best of the bunch, IMO.
Attachment #143010 - Flags: review?(timeless)
Comment on attachment 143010
patch. alternative approach using tooltip

timeless, please do review this if you so desire, but i think mconnor should
look at this too
Attachment #143010 - Flags: review?(timeless) → review?(mconnor)
Comment on attachment 143010
patch. alternative approach using tooltip

Adding a tooltip would be quite inconsistent with pretty much the rest of the
Navigator UI (excluding toolbars, obviously).  Being inconsistent for something
as obscure as this flag is a bad idea.  If someone is curious, the Help file
does have an excellent description of what this does.

I'm almost in agreement with Morse's original assessment that there really isn't
a good fix for this.  HTTPS Only actually is the closest to what it does, but
is that any more clear?

I'm almost thinking we should just mark this WONTFIX and move on to more
important things.
Attachment #143010 - Flags: review?(mconnor) → review-
-> wontfix
Closed: 20 years ago
Resolution: --- → WONTFIX
I'm sorry, I don't agree. Just because it can't be perfect doesn't mean it can't
be better. If we want to move on, let's switch to "Keep Secure" using attachment
87806, as several people seem to think that's an improvement.

Resolution: WONTFIX → ---
Comment on attachment 87806
New patch for helpfile and cookie manager with "Keep Secure"

r=gerv. Who's the module owner associated with Cookies these days?

Attachment #87806 - Flags: review+
darin's the MO, i'm a peer. mconnor's the UI guy, so i think any patch that
touches cookiemgr should have his blessing.

mconnor, what do you think of the patch gerv r+'ed?
the problem with "Keep Secure" that became apparent to me later is that it
implies that we're keeping it in some sort of secure storage.  If we're going to
change for the sake of changing it, I think HTTPS Only would be the better choice.
Assignee: mvl → mconnor
Comment on attachment 87806
New patch for helpfile and cookie manager with "Keep Secure"

This really would be misleading/confusing.  We don't keep these cookies in any
sort of secure format.

Better solution forthcoming.
Attachment #87806 - Flags: review+ → review-
Attached patch patch (obsolete)
Instead of 
Server Secure: yes || Server Secure: no
Send For: Encrypted connections only || Send For: Any type of connection
Attachment #51308 - Attachment is obsolete: true
Attachment #87806 - Attachment is obsolete: true
Attachment #143010 - Attachment is obsolete: true
Attachment #143117 - Flags: review?(mvl)
Attachment #143117 - Attachment is obsolete: true
Attachment #143120 - Flags: review?(mvl)
Attachment #143117 - Flags: review?(mvl)
Comment on attachment 143120
patch v2 including dialog update

>Index: mozilla/extensions/cookie/resources/content/cookieAcceptDialog.js
>         document.getElementById('ifl_isSecure').setAttribute("value",
>                                                                  cookie.isSecure ?
>-                                                                    cookieBundle.getString("yes") : cookieBundle.getString("no")
>+                                                                    cookieBundle.getString("forSecureOnly") : cookieBundle.getString("forAnyConnection")
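
Review bot: the '+' line fetches "forSecureOnly" and "forAnyConnection" from cookieBundle, but the quoted lines do not show those keys being defined; check that the same patch adds both to the properties file behind cookieBundle, because getString on an undefined key fails and the ifl_isSecure field would be left without a value. Assigning the chosen string to a local variable before the setAttribute call would also bring the line back to a readable length.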

This line is getting pretty long...

Anyway, i think this improves the wording, so let's go for it. r=mvl
Attachment #143120 - Flags: review?(mvl) → review+
Comment on attachment 143120
patch v2 including dialog update

alec, this one is pretty trivial if you have time before freeze...
Attachment #143120 - Flags: superreview?(alecf)
Comment on attachment 143120
patch v2 including dialog update

Attachment #143120 - Flags: superreview?(alecf) → superreview+
updating bug summary since Secure Server was rejected around 2002

checked in 03/07/2004 00:25
Closed: 20 years ago
Resolution: --- → FIXED
Summary: Cookie Manager: "Server Secure" should be "Secure Server" → Cookie Manager: "Server Secure" is unclear
Hardware: PC → All
Target Milestone: --- → mozilla1.7beta
Blocks: 216743
V/fixed: Mac OS X, Mozilla 1.7rc2.
Keywords: verifyme
Whiteboard: checkwin checklinux
V/fixed: mozilla 1.7.2/Win XP
Keywords: verifyme
Whiteboard: checkwin checklinux → checklinux
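
As an added illustration (not part of the bug or of Mozilla's code), the behaviour described in the thread, that a cookie with this field set is not sent back to a server that doesn't use https, can be observed with Python's standard http.cookiejar, next to the "Send For" wording from the checked-in patch. The host shop.example, the cookie names and values, and the helper names are constructed for the example.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, secure, domain="shop.example"):
    """Build a session cookie; only the `secure` flag varies (constructed sample)."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def send_for_label(cookie):
    """Wording proposed in the thread's final patch, chosen from the flag."""
    return ("Encrypted connections only" if cookie.secure
            else "Any type of connection")


def cookies_sent(jar, url):
    """Names of the cookies the jar would attach to a request for `url`."""
    request = Request(url)
    jar.add_cookie_header(request)  # applies the default policy, incl. the secure check
    header = request.get_header("Cookie")
    if header is None:
        return []
    return sorted(pair.split("=", 1)[0] for pair in header.split("; "))


def build_jar():
    """Jar holding one secure and one non-secure cookie for the same host."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("sid", "abc123", secure=True))
    jar.set_cookie(make_cookie("theme", "dark", secure=False))
    return jar


if __name__ == "__main__":
    jar = build_jar()
    for cookie in jar:
        print(f"{cookie.name}: Send For: {send_for_label(cookie)}")
    for url in ("https://shop.example/cart", "http://shop.example/cart"):
        print(url, "->", cookies_sent(jar, url))
```

The flag only controls when the client returns the cookie; the jar holds both cookies in the same way, which is the objection raised in the thread against "Keep Secure".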