1149825 - Create a test page at http://itisatrap.org/firefox/its-a-tracker.html

Status: RESOLVED FIXED

(Core :: DOM: Security, defect)

Description

[François Marier [:francois]]

In order to have a test page for the tracking protection feature, we should have a test page that's like the other ones we use for Safe Browsing:

http://itisatrap.org/firefox/its-a-trap.html
http://itisatrap.org/firefox/its-an-attack.html

Then maybe we could convince disconnect to add it to their list.

Comment 1

[François Marier [:francois]]

Ben, from what I can see on https://github.com/mozilla/itisatrap, you seem to be the maintainer of the existing test pages.

I'd like to have a similar page to test the tracking protection feature. Instead of blocking the whole page though, we'd need that page to iframe a piece of content that should be blocked, so something like:

  firefox/its-a-tracker.html ---(iframe)---> firefox/its-a-tracker-frame.html

The main page could explain that the rest of the page should be empty and the iframe could have a "you've been tracked" message.

Do you know who I should talk to?

Comment 2

[Ben (:bensternthal)]

In the past I helped update these pages. It's sort of a weird fit for my team but if no one else can do it I can help.

Do you have the HTML skills to create the above and create a PR? If so I can help review and get it pushed live.

Comment 3

[François Marier [:francois]]

Thanks Ben. I can certainly do that and submit a PR.

Comment 4

[François Marier [:francois]]

Attachment: Test page

Here's the test page I'm currently playing with. The URLs are obviously temporary and will be decided in bug 1182876.

Comment 5

[François Marier [:francois]]

Attachment: Test page

This test page should have the final test domains (which I just registered).

Comment 6

[François Marier [:francois]]

Attachment: Test page

Here's a version of the test page with support for the whitelist too. This will need to be hosted on the itisatrap.org domain for the whitelist entry to work.

Comment 7

[François Marier [:francois]]

https://github.com/mozilla/itisatrap/pull/6

Comment 8

[François Marier [:francois]]

Attachment: its-a-tracker.html

Matej, if you'd like to review the copy on this new test page for tracking protection, you can click on the HTML I've attached here.

It may be a bit premature because the messaging around that feature is not finalized and the copy is likely to change, but I need to put something up so that we have an easy way to test that TP is working. I'd like to make sure the copy is not too horrible :)

Comment 9

[François Marier [:francois]]

Attachment: Screenshot of the page

Here's a screenshot that's nicer to look at than the unstyled HTML.

Comment 10

[Matej Novak [:matej]]

Copy looks OK, I would just remove the word "mode" after "Private Browsing."

I'm also adding Javaun here as there was a lot of legal back and forth about what we can and can't say wrt to TP. It might not apply in this case, but want to be sure.

Comment 11

[François Marier [:francois]]

Javaun, just to add a bit of context, this is a test page for TP that mimics the existing Safe Browsing test pages (click "Ignore warning"):

http://itisatrap.org/firefox/its-a-trap.html
http://itisatrap.org/firefox/its-an-attack.html
http://itisatrap.org/firefox/unwanted.html

Comment 12

[Matej Novak [:matej]]

This bug is still telling me that there's a flag set for me. Going to clear the ni? for Javaun to see if that fixes it.

Comment 13

[Matej Novak [:matej]]

Nope. How odd. Resetting flag for Javaun.

Comment 14

[Javaun Moradi [:javaun]]

yeah, I hate to be the wet blanket. Suggested edits:

1. I would kill the line "I'm a naughty tracker trying to spy on you" because there is a lot of nuance here and we don't want to make it black/white. For example, we pay extra for Google Analytics on sumo.mozilla.org so that all analytics data stays in Mozilla's account and doesn't go to Google. (FWIW we're also working on supporting DNT on Mozilla pages so that analytics would be turned off for those users). Anyway, we use analytics because it tells us where to apply our very limited support resources. A sudden surge in traffic to a SUMO page might also mean we introduced a product feature that is unclear to users, and that we need to work on our feature UX. TL;DR; it's complicated.
====

2. After the tongue-in-cheek "Ok, not really", could we say something more literal. "This is a test page that simulates first and third-party tracking loads to test Tracking Protection in Firefox."

a. A simulated first-party tracker (allowed)
b. A simulated third-party tracker (blocked)

=======

3. "Firefox 42 and above now features built-in Tracking Protection in Private Browsing windows". I would kill the part about "to help you block trackers" since this is a test page and we don't even need to go into consumer benefit. Anyone coming here is a developer/power user and gets it.  I suggest killing consumer benefit language because that's the one area most scrutinized by legal, the reason is they don't want to give anyone a false sense of security (there may be trackers on the page that aren't yet on the list, or first-party tracking may be particularly invasive and we don't stop that)

4. "If you are running Firefox 42 or later and viewing this page in a Private Window, you should see a shield icon..."

Comment 15

[Javaun Moradi [:javaun]]

I think it's implicit in my #1 above, but I was making that point that analytics -- considered a tracker -- are helpful to users, even to the users who block them. It tells us where to focus scarce resources to help users.

If you're a user who blocks all analytics, you still reap the benefits of those who allow them, because we've improved our support or features based on the feedback we received.

Comment 16

[Javaun Moradi [:javaun]]

Just realized Francois is making HTML changes. Francois,  I'm happy to do these or find someone else, I know you're busy. If you want to hand then off just point us to the repo and let us know if you're doing fork and pull

Comment 17

[François Marier [:francois]]

(In reply to Javaun Moradi [:javaun] from comment #16)
> Just realized Francois is making HTML changes. Francois,  I'm happy to do
> these or find someone else, I know you're busy. If you want to hand then off
> just point us to the repo and let us know if you're doing fork and pull

Sure, if you can get someone to make the changes you want, the repo is here: https://github.com/mozilla/itisatrap

and the pull request that person should base their work on is here: https://github.com/mozilla/itisatrap/pull/6

Note that the visual style (and the copy to an extent) are set to match the existing Safe Browsing test pages: http://itisatrap.org/firefox/its-a-trap.html, http://itisatrap.org/firefox/its-an-attack.html and http://itisatrap.org/firefox/unwanted.html

Comment 18

[François Marier [:francois]]

Javaun, have you found someone to do your copy changes?

Comment 19

[François Marier [:francois]]

Attachment: its-a-tracker.png

Javaun, I've tried to address the bulk of your comments in my latest version.

I'd like to push that to production ASAP because we really need to have all the tools we can to start testing this feature. We can always come back and redesign the test page later.

Comment 20

[Javaun Moradi [:javaun]]

Looks good Francois. I'm sorry I haven't found a copy person yet. I think those edits are good though, the biggest flags are all covered.

Comment 21

[François Marier [:francois]]

I think this is ready to be deployed. Combined with bug 1184773, this will give us the test page we need for quick sanity checks.

Ben, is there anything else you need from me?

Comment 22

[Ben (:bensternthal)]

Can you need info me on the PR? I can then review.

Comment 23

[François Marier [:francois]]

(In reply to Ben (:bensternthal) from comment #22)
> Can you need info me on the PR? I can then review.

Done.

For the record, the PR is at https://github.com/mozilla/itisatrap/pull/6

Comment 24

[François Marier [:francois]]

The test page is now live: https://itisatrap.org/firefox/its-a-tracker.html