Closed Bug 1244022 Opened 4 years ago Closed 4 years ago

Wrong mouse over message for crossed out lock icon

Categories

(Firefox :: Security, defect, P1)

46 Branch
Unspecified
macOS
defect

Tracking

()

VERIFIED FIXED
Firefox 48
Iteration:
48.2 - Apr 4
Tracking Status
firefox48 --- verified

People

(Reporter: drno, Assigned: jkt)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fxprivacy])

Attachments

(2 files, 3 obsolete files)

Attached image lockicon.png
For the new crossed out lock icon in Fx 46 (highlighted with an arrow in the attached screen shot - sorry the mouse over message disappears whenever I take a screen shot) which warns me that passwords over HTTP are not secure I get this mouse over help message: "This website does not supply identity information"

Which is a duplicate of the mouse over message from the blue icon on the left. I'm assuming that the crossed out lock should have some warning about the safety of my passwords instead.
If you click on the lock, there will be text explaining the issue.

Do we want a tooltip for the crossed out lock?  The i icon and the crossed out lock serve as one anchor, so it may not to be easy to give them separate tooltips.
Whiteboard: [fxprivacy] [triage]
From an implementation standpoint, we can easily have different tooltips for each different icon.

We should check with the User Experience team as well, but I think a specific tooltip is a good idea. We already do this for the Tracking Protection shield.
I was actually surprised that the two icons have the same tool tip, but different explanations once you clicked the icon(s). I think that is main reason I'm concerned it will be confusing to users. And having a dedicated tool tip for the crossed out lock would also help raise awareness of the issue we try to warn the user (where the current tool tip does not related at all to the problem from my point of view).
(In reply to :Paolo Amadini from comment #2)
> From an implementation standpoint, we can easily have different tooltips for
> each different icon.
> 
> We should check with the User Experience team as well, but I think a
> specific tooltip is a good idea. We already do this for the Tracking
> Protection shield.

Bryan, can you advise on this?  Can we have a tooltip for the crossed out lock.  The control center message is:
Logins entered on this page could be compromised.

Perhaps we can use a shortened version for the tooltip, or just use the same string.  If we use the same string, we can uplift to aurora.
Flags: needinfo?(bbell)
Priority: -- → P2
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
I'm not opposed to having separate mouse-over tool tips for each icon. It makes total sense to me. Seem that repeated tool tips should be avoided however. 

Could the tool tip for the (i) simply read something like: View important information about this site. 

Later when the permissions stuff is added in there we can say something like: Manage permissions for this website.
Flags: needinfo?(bbell)
(In reply to bbell from comment #5)
> I'm not opposed to having separate mouse-over tool tips for each icon. It
> makes total sense to me. Seem that repeated tool tips should be avoided
> however. 
> 
> Could the tool tip for the (i) simply read something like: View important
> information about this site. 
> 
> Later when the permissions stuff is added in there we can say something
> like: Manage permissions for this website.

Having the "verified by" text or something related to SSL on hover over of the lock (for a fully encrypted page) seems useful because the purpose of the lock is to convey SSL information.  The i icon can have different text, that is not related to SSL.  Manage permissions would be great when we get to that.
Priority: P2 → P3
Assignee: nobody → jkingston
Doing this as a first XUL bug.


Tanvi I will move the text to only apply to the lock instead of both.

Then change the the text to 'Manage permissions' as the interface is all there already once you click (using about:permissions to give permissions shows it etc).

Let me know if that will be ok.
Thanks
This is a super simple patch based on the discussion on this issue. It keeps the hover tooltip that is present for all of the gray area before the http[s]? however changes the (i) icon to 'Manage website permissions'.

There doesn't seem to be any context to if this tooltip should ever change left in the comments.
Attachment #8729975 - Flags: review?(dtownsend)
Comment on attachment 8729975 [details] [diff] [review]
Changes tooltip of i icon in url bar

> This is a super simple patch based on the discussion on this issue. It keeps
> the hover tooltip that is present for all of the gray area before the
> http[s]? however changes the (i) icon to 'Manage website permissions'.

Thanks for the patch! This is an r+ from me on the technical part, but we'll need to discuss the actual text more so I'm not setting the flag yet, as this is not ready to land.

I think something like "Show information about this site", which is closer to the other alternative from comment 5, is a better description for this icon for the general case. In fact, most websites won't request any permission.

Tanvi, Bryan, do you have an opinion? We may also need a review on the text.

> There doesn't seem to be any context to if this tooltip should ever change
> left in the comments.

Yeah, I think it could be possible that we'll use the tooltip on the "i" icon to provide some key indications about the site in the future. In fact, another approach would have been to use the "tooltip" attribute and specify the text in a DTD file, but it won't give us the flexibility we may want here.

Note that the current patch sets the same value at every refresh, but given the above I don't think it's a serious problem in practice, and it does improve simplicity.
Flags: needinfo?(tanvi)
Flags: needinfo?(bbell)
Attachment #8729975 - Flags: review?(dtownsend) → feedback+
Wow thanks Paolo that was quick. Yeah this was just one of the quick bits I did on the plane after realising how simple it was.

Yeah was waiting for comments on the actual text.

Happy to make the patch a little more rigid on how the tooltip is set, however I did see mention to this being different in some contexts so happy to wait for text advice before changing.

Thanks again!
We have so many different scenarios for the icons in the url bar and the information associated with them in the control center[1].  Trying to cover all the cases with tool tips would be tricky.  It looks like this bug starts off by just separating the two icons so that they can have separate tooltips, and creates text for the i icon.  This seems like the right way to go.  Then in followup bugs we can work on changing the tooltips for the various lock icons[2].

The text "Manage website permissions" is not good for the i icon right now because we haven't properly integrated all permissions, and the control center also includes other things like tracking protection.  Here are some text proposals:
1) Manage website settings (this covers the tracking protection setting and the permissions already there.  But since not all website settings are configurable via the control center, this may be misleading.)
2) Show information about this site (proposed by Bryan and Paolo)
3) Website information (shorter version of 2)


Bryan, what do you think?  Also cc'ing Matej to see if he has suggestions.


[1] Note all the below scenarios have the i icon.
* HTTP page - just i icon
* HTTP page with password field - grey lock with strikethrough
* HTTPS page that required a certificate override - grey lock with yellow triangle
* HTTPS page with mixed display content - grey lock with yellow triangle
* HTTPS page with mixed active content blocked - green lock with grey triangle
* HTTPS page with mixed active content blocked and mixed display content loaded - grey lock with yellow triangle
* HTTPS page with mixed active content loaded - grey lock with strikethrough
* HTTPS page

[2]
Currently, fully encrypted pages have a tooltip of "Verified by: CA_NAME" and all other pages have the tooltip "This website does not supply identity information".  The latter is not always accurate.
Flags: needinfo?(tanvi)
(In reply to Tanvi Vyas - please needinfo [:tanvi] from comment #11)
> We have so many different scenarios for the icons in the url bar and the
> information associated with them in the control center[1].  Trying to cover
> all the cases with tool tips would be tricky.  It looks like this bug starts
> off by just separating the two icons so that they can have separate
> tooltips, and creates text for the i icon.  This seems like the right way to
> go.  Then in followup bugs we can work on changing the tooltips for the
> various lock icons[2].
> 
> The text "Manage website permissions" is not good for the i icon right now
> because we haven't properly integrated all permissions, and the control
> center also includes other things like tracking protection.  Here are some
> text proposals:
> 1) Manage website settings (this covers the tracking protection setting and
> the permissions already there.  But since not all website settings are
> configurable via the control center, this may be misleading.)
> 2) Show information about this site (proposed by Bryan and Paolo)
> 3) Website information (shorter version of 2)
> 
> 
> Bryan, what do you think?  Also cc'ing Matej to see if he has suggestions.

You could also say "Show site information" as a combination of 2 and 3.
 "Show site information" sounds good.
Changes text to 'Show site information'
Attachment #8729975 - Attachment is obsolete: true
Attachment #8732330 - Flags: review?(paolo.mozmail)
Comment on attachment 8732330 [details] [diff] [review]
Changes tooltip of i icon in url bar

Thanks!
Attachment #8732330 - Flags: review?(paolo.mozmail) → review+
Keywords: checkin-needed
Sorry, same file as before with commit info.
Attachment #8732330 - Attachment is obsolete: true
Flags: needinfo?(bbell)
Attachment #8732999 - Flags: review?(paolo.mozmail)
Attachment #8732999 - Attachment is obsolete: true
Attachment #8732999 - Flags: review?(paolo.mozmail)
Jonathan, I landed this with the following commit message:

Bug 1244022 - Change the tooltip of the "i" icon to "Show site information". r=paolo
https://hg.mozilla.org/mozilla-central/rev/767606cd6c63
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 48
Iteration: --- → 48.2 - Apr 4
Flags: qe-verify?
Priority: P3 → P1
Flags: qe-verify? → qe-verify+
QA Contact: paul.silaghi
(In reply to Tanvi Vyas - behind on needinfos [:tanvi] from comment #11)
> It looks like this bug starts
> off by just separating the two icons so that they can have separate
> tooltips, and creates text for the i icon.  This seems like the right way to
> go.  Then in followup bugs we can work on changing the tooltips for the
> various lock icons[2].
We should change the bug title to reflect the current implementation here.

> [2]
> Currently, fully encrypted pages have a tooltip of "Verified by: CA_NAME"
> and all other pages have the tooltip "This website does not supply identity
> information".  The latter is not always accurate.
+ sites with security exceptions show: "you have added a security exception for this site"

"i" icon shows: "show site information" for all pages.
Verified fixed FX 48.0a1 (2016-04-06)
Status: RESOLVED → VERIFIED
I'm not longer able to add an exception for https://rc4.badssl.com/. Any idea what broke it?
Flags: needinfo?(tanvi)
rc4 can't be exempted in stable either 45.0. Pretty sure these certs are not able to be exempted any more, can someone confirm?
Changing needinfo to keeler to respond to the below.  I'm not sure what version we stopped supporting rc4 overrides.

(In reply to Paul Silaghi, QA [:pauly] from comment #23)
> I'm not longer able to add an exception for https://rc4.badssl.com/. Any
> idea what broke it?

(In reply to Jonathan Kingston [:kingstonTime] from comment #24)
> rc4 can't be exempted in stable either 45.0. Pretty sure these certs are not
> able to be exempted any more, can someone confirm?
Flags: needinfo?(tanvi) → needinfo?(dkeeler)
The backend (intentionally) stopped advertising the flag that would show the RC4 fallback UI in bug 1253166 (note that Chrome doesn't have an RC4 fallback UI either).
Flags: needinfo?(dkeeler)
You need to log in before you can comment on or make changes to this bug.