Created attachment 8743195 [details] Possible identity indication example for a moz-extension: page From https://discourse.mozilla-community.org/t/webextensions-anti-phishing-for-add-on-pages/8060 moz-extension:// URIs include random strings. Although this is good for privacy, it is not nice for UX. An add-on can handle security-sensitive things. Users cannot remember or recognize trusted URIs. Teaching about the moz-extension scheme is not enough: users have different expectation for each add-on. The add-on responsible for a moz-extension: page must be clear. We have Identity box. We use that for indicating EV certs, for example. We can use that to address this problem, too. __________________________________________________________________________________ [Generic "extension" icon] | Extension ([Add-on Name]) | moz-extension://<uuid>/ ---------------------------------------------------------------------------------- This should be easy, but will greatly increase security against identity spoofing.
This does seem like a good idea, but I'm not really sure how much it would increase security. Thoughts, Markus, Kev?
I think this is a very good suggestion. I especially like that this proposal is re-using the identity box as it is already a known patter for users. I think that increased visibility of what add-on is responsible for that page will help security, as it will link the add-on to the content, and maybe remind the user about an add-on they had forgotten about, or maybe aren't even aware of.
Adding Javaun as well, because this crosses a couple of domains (I swear I'm not trying to make an Awesomebar pun), and I think the identity box is his domain. The Identity box is used to identify the creator of the page content (who vs. where), so the question for me here is are we look to identify what the content is, or who (which entity) created it. Agree it could be useful for helping users identify unfamiliar content (similar to some about: URIs), but should we be looking at author or type? It is a bit of a different paradigm. I like the idea, but I'd like to understand if it'd be more consistent with identifying the source of the content directly (named addon) vs. a generic addon indicator.
Javaun - just to put this on your radar (I think Identity box is you) - what's the approach you'd recommend here, and is identifying content such as specific add-ons something that fits in with goals with identity? We have no way to validate the identity of the author (we don't use author-specific certs), so the goal would be "this content is from (this) add-on", with the info box pointing to the add-on manager or the installed add-on specifically, with a little extra metadata about the add-on.
Chatted to a few people about this one and it got a broad thumbs up as a good idea. We thought as first pass it could just show an add-ons logo (the jigsaw peice), the name of the add-on and that's about it. I don't know if it needs much more UX than that, but Markus if you want to do more, please let me know.
Great idea. Maybe instead of only the add-on name, we can add "extension" as a qualifier like in the initial proposal so that the name will not be mistaken for a trusted entity or even a message from Firefox approving this page. This is something where :dveditz might have some security input.
You could, but I suspect it would be uglier than it would be helpful. Ideally the plug-piece (or other) icon conveys it's an extension well enough, and users can click on it and get a longer explanation in the drop-down. e.g. about: pages say the URL and "This is a secure Firefox page". In this case it would be the name of the add-on on the first line--repeated from the box, but we should stick to the format users expect in the drop-down--and something like "This is an extension-generated page". We should always use the same icon, of course! It would be spoofy to allow extensions to provide their own icons and users wouldn't learn the association between a consistent icon and extension content. The add-on's name might itself be spoofy but that's malicious behavior. We should be able to catch it for AMO-hosted add-ons, and for signed non-hosted add-ons that's the least of the malicious things it could do. If it's a minor problem we blocklist, and if it's a major problem we need to re-think our policies on signing non-hosted content.
Created attachment 8796343 [details] Screenshot 2016-09-29 18.41.39.png Attached a version of how this could look. The only add-on customizable part of this is the "Add-on Title". I note that the green text is used in the identity part in other places, but it fits well with the green of the icon. Any suggestions on that appreciated.
Looks good. In the URL-bar I would however use Extension instead of Add-on. Same in the second line on the panel as only extensions can create such pages, not all add-ons. I like that you follow the pattern used with Firefox pages. And green matches great with the icon. However I am not sure about the color. Firefox pages are orange, and only secure pages are green. I wonder if this might suggest a false sense of safety with extension pages. If so we might just use black text. Wonder what :dveditz thinks. And for the copy of the second line in the panel I would like to get input from Michelle: This page is loaded from an extension. This is an extension-generated page. This is a page provided by an extension. For reference: Currently this line is used to indicate how secure a page is. HTTPS: Secure Connection HTTP: Connection is Not Secure about:home: This is a secure Firefox page. extension: ?
My only (minor) security concern is about the use of green text, which looks like a trusted EV page. That's not the lock icon, though. If the text is the fixed string "Add-on" (or "Extension") it should be OK, I only start to worry if that's add-on settable text. Markus notes "Firefox" pages are orange, but Nightly pages are black text and that could work fine, too. From a power-user POV I'd find putting the name in the URL bar more useful than relegating it to the drop-down, and it doesn't really matter if it pushes more of the real URL out of view because the moz-extension://<random> junk is mostly meaningless. If you do then it's more important not to use green text, and maybe to use a fixed prefix like "Add-on: ". However, it certainly simplifies the security spoofing worries if you ignore my desires and go with the fixed text in your screenshot; I recommend you go with simple first. Most places in our UI (e.g. the Tool and Hamburger menus, our AMO site) use the word "Add-on" rather than "Extension". It will be less confusing to users to stick with that. Our internal distinction between types of add-ons are unknown or confusing to users.
So, making sure I understand the issue. Is the point to communicate Reliability "the information on this page was created by the add-on, so take if for what it's worth" or is it Security "the page itself was generated by the add-on, not by Firefox, so you're on your own here if anything happens" If the former, I'd say "This content is published by an add-on." If the latter, I'd say "This page is generated by an add-on."
(In reply to mheubusch from comment #11) > > ... Security "the page itself was generated by the add-on, not by Firefox, > so you're on your own here if anything happens" > ... > I'd say "This page is generated by an add-on." As this panel is about security we will go with "generated". Thanks.
(In reply to Daniel Veditz [:dveditz] from comment #10) > Most places in our UI (e.g. the Tool and Hamburger menus, our AMO site) use > the word "Add-on" rather than "Extension". It will be less confusing to > users to stick with that. Our internal distinction between types of add-ons > are unknown or confusing to users. Michelle, the question if we should use "Add-on" or "Extension" has come up here. From the Firefox Voice and Tone Guide I understand that we should always use the most distinct term for a given description. Which here would be "Extension". https://docs.google.com/document/d/1SjIg4ccoZvfTA6bph1er0mBIyMHbRxlXztMYpy-eYuA/edit#heading=h.z8j563g1zrme Can you please comment on that.
Hi Markus - yes, I saw that and didn't call out my rationale. Sorry. I do think we should go with add-ons in this case and probably need to modify the style guide advice. Per the thread with Scott DeVaney in the disco pane copy doc (here: https://docs.google.com/document/d/1rGBaMwpr_qbdah_LE1oZkTVIPZKNEAwRfH0zRbd0YaY/edit#) I think we are tending to use add-ons more now as it is the predominant term and are attempting to only use extension as a distinguisher when necessary. I also note that the icon in the designs you've created is the one we use to indicate add-ons in the browser pancake menu panel so wanted to train users to recognize it as such. Let me know if you want to discuss in greater detail - I can set up a Vidyo meeting.
Let's chat outside of this bug about general application of those terms. For here we have a decision to label it add-ons. Thanks.
Created attachment 8807291 [details] [diff] [review] identity.patch Rough, work in progress, no tests.
fwiw I'm happy to help move this forward if you need someone for feedback/review/advice. Also, not sure if you're aware, but Chrome has this now.