Open Bug 1404918 Opened 8 years ago Updated 7 months ago

Allow the user to type 'badidea' to confirm security exceptions

Categories

(Firefox :: Security, enhancement, P5)

57 Branch
enhancement

People

(Reporter: gut.kevin, Unassigned)

Details

(Keywords: parity-chrome)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:
Visit a site with invalid certificate (for example: https://cable.ayra.cg:8243)

Actual results:
Certificate warning is shown that has to be bypassed with multiple clicks

Expected results:
As a developer I would like an additional method to bypass the warning with keyboard only. Chrome for example provides this even if the warning could not be confirmed otherwise (HSTS error) by typing "badidea". The feature does not need to be advertised and is something developers will mainly be using
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Has STR: --- → yes
Component: Untriaged → Security
Ever confirmed: true
Whiteboard: [parity-chrome]
This might be a bad idea for some reason, but unless proven otherwise I'd take a patch for it :)
Priority: -- → P5
Dan, do you think we have any general concerns about this?
Flags: needinfo?(dveditz)
(In reply to kevin Gut from comment #0)
> As a developer I would like an additional method to bypass the warning with
> keyboard only.

Accessibility is important to us and you can, in fact, bypass this with the keyboard only. I'm sure the required tabbing between fields isn't what you had in mind, and our current page style makes it somewhat hard to tell which field has focus sometimes. On the other hand it's about the same number of keystrokes (maybe even less) than <some magic chord>+b+a+d+i+d+e+a

Let's see:

Tab // focus to advanced button
Space // activate advanced button
Tab // error code
Tab // Exception button
Space // bring up exception dialog
Shift+Tab // back to cancel button
Shift+Tab // back to confirm button
Space // add the exception

Same number of keystrokes. Bonus: people can actually figure this out as opposed to some magic alt-shift combination.

If you toggle the pref "browser.xul.error_pages.expert_bad_cert" to true you can save a keystroke (or mouseclick) because the advanced information will already be open. With that pref set it's only two mouseclicks to add an exception.

Really doesn't seem worth the work to me.
Flags: needinfo?(dveditz)
Part (most?) of the utility of this comes from being able to forcibly override HSTS errors, which can’t be skipped using that method. Right now, to get around that in Firefox, you have to go to History, Forget This Site, and then reload. Having badidea available to skip that process during dev time (ex. Putting a proxy in between you and your site) with minimal fuss is useful. Or, put another way, this ticket could be renamed “Offer a quick and temporary way to ignore HSTS on a per-site basis”.
Worth noting that Chrome has now updated this shortcut to be "thisisunsafe" instead of "badidea".
Mass bug change to replace various 'parity' whiteboard flags with the new canonical keywords. (See bug 1443764 comment 13.)
Keywords: parity-chrome
Whiteboard: [parity-chrome]

Yes... please implement this. I understand the need to secure regular users but developers need to be able to bypass ssl errors sometimes. Hell I'm even partial to needing to activate this feature first in about:config before we could use it or in developer tools...

Severity: normal → S3