Closed Bug 1531174 Opened 7 months ago Closed 7 months ago

Permissions should allow control over popup attributes per-site (whitelist)

Categories

(Firefox :: Preferences, enhancement)

65 Branch
enhancement

VERIFIED WONTFIX

People

(Reporter: asoroudi, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

Trigger a popup window and click allow to whitelist it on the given site.

Actual results:

Popup windows behave as expected on that site.

Expected results:

Popup windows are allowed, but still restricted by global settings.

tl;dr:
When a user whitelists popups on a site, allow popups on that site to remove window-chrome and don't force prepending the domain to its titlebar.

Regardless of whitelisting, popup windows are still restricted by global browser settings such as what chrome may be removed and forcing the domain to be prepended to windows where the location bar is removed. Users can relax some restrictions by changing the dom.disable_window_open_feature.* settings, however that applies to the whole browser, and there is no setting to not prepend the domain.

There are two problems with this:

  1. Users are forced to allow changes to popups at the browser level instead of only for selected sites.

  2. Even whitelisting a site doesn't grant it permissions and the browser still enforces things, some of which can't even be removed by manually changing settings (e.g. prepended URL to titlebar).

When a user chooses to whitelist a feature such as cameras, cookies, or popups on a site, they should get control over that; the browser shouldn't continue restricting and limiting that site against users' wishes and needs.

Moving to Firefox:Preferences component.

Component: Untriaged → Preferences

(In reply to Synetech from comment #0)

> tl;dr:
> When a user whitelists popups on a site, allow popups on that site to remove window-chrome and don't force prepending the domain to its titlebar.

For security reasons, there is no way we would allow this.

> Users can relax some restrictions by changing the dom.disable_window_open_feature.* settings, however that applies to the whole browser, and there is no setting to not prepend the domain.

It's not really worth the complexity to add site-specific exceptions for the other stuff, and it's not at all clear that any site where a user allows popups will never abuse that trust by spoofing or dos-ing using malicious popups.

Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Resolution: --- → WONTFIX

(In reply to :Gijs (he/him) from comment #2)

> (In reply to Synetech from comment #0)
>
> > tl;dr:
> > When a user whitelists popups on a site, allow popups on that site to remove window-chrome and don't force prepending the domain to its titlebar.
>
> For security reasons, there is no way we would allow this.
>
> > Users can relax some restrictions by changing the dom.disable_window_open_feature.* settings, however that applies to the whole browser, and there is no setting to not prepend the domain.
>
> It's not really worth the complexity to add site-specific exceptions for the other stuff, and it's not at all clear that any site where a user allows popups will never abuse that trust by spoofing or dos-ing using malicious popups.

I was afraid that Firefox was turning into Chrome and the devs would treat it like the Google devs do: in a dictatorial way that removes control and choice from users. 😒

> > When a user whitelists popups on a site, allow popups on that site to remove window-chrome and don't force prepending the domain to its titlebar.
>
> For security reasons, there is no way we would allow this.

The excuse is that the URL makes it clear what site it's on since the location bar is gone right? That makes no sense since the user had to explicitly allow the site to create a popup, so what difference does it make afterwards? You are already storing the domain in the site's whitelist that tells the browser that it's allowed to create popups, so that won't suddenly (and in fact can't ever) change (a different URL won't get the same permissions), so the URL is intimately tied to that permission. As for security, if the user has already allowed it to create popups, then what difference does it make to show the user the site every time it creates one? That's like if an anti-virus shows the details for a file after the user clicks Allow and lets it run; any damage it would do is already done. Why not just draw more attention to the URL in the confirmation prompt, and then not hassle users with it after they CHOOSE to let it make popups?

> > Users can relax some restrictions by changing the dom.disable_window_open_feature.* settings, however that applies to the whole browser, and there is no setting to not prepend the domain.
>
> It's not really worth the complexity to add site-specific exceptions for the other stuff

What? 😕 You already create site-specific exceptions for everything except this. Exceptions for camera, mic, cookie, etc. are all site-specific. Even allowing popups at all is site-specific. The only thing that it doesn't do is to let the sites that have already been granted permission to actually use that permission; it's like if you grant a site permission to use the camera, but arbitrarily restrict it to 640x480 or grant a site permission to set a cookie but force it to expire within a day.

> and it's not at all clear that any site where a user allows popups will never abuse that trust by spoofing or dos-ing using malicious popups.

That's true of every permission and every site. Why do you arbitrarily draw the line at this one single aspect? 🤨 I don't see you preventing users from granting camera or cookie permissions just because a site might change. If that happens, a site that has access to cookies and stuff could do much more damage than just making a popup that doesn't have the location bar or URL in the titlebar.

Do not become the Google devs. Do not try to protect users from themselves by assuming everyone is an idiot and nobody could possibly know what they are doing. All that accomplishes is to piss users off by removing their choices, inconveniencing them, and annoying them. All that does is to push people away from your product.

The much better solution is to provide the choice and control and simply set sensible defaults. That way novices are protected, and advanced users don't get angry.

(In reply to Synetech from comment #3)

> > > When a user whitelists popups on a site, allow popups on that site to remove window-chrome and don't force prepending the domain to its titlebar.
>
> > For security reasons, there is no way we would allow this.
>
> The excuse is that the URL makes it clear what site it's on since the location bar is gone right? That makes no sense since the user had to explicitly allow the site to create a popup, so what difference does it make afterwards?

The site can open a popup to anywhere, it doesn't need to be its own site. The permission is for the opening site, not the target site. The page could also navigate after being opened. If the site has XSS or other vulnerabilities, there is no way anymore for the user to tell whether the popup is really at the target site. Also, the user might remember when opening the popup, but if it stays open for longer, they might forget, or confuse it with other sites where they've also allowed popups.

> As for security, if the user has already allowed it to create popups, then what difference does it make to show the user the site every time it creates one?

Because the contents of the page aren't a good indication of the site that is serving those contents. Users need to be able to identify the former.

> > > Users can relax some restrictions by changing the dom.disable_window_open_feature.* settings, however that applies to the whole browser, and there is no setting to not prepend the domain.
>
> > It's not really worth the complexity to add site-specific exceptions for the other stuff
>
> What? 😕 You already create site-specific exceptions for everything except this. Exceptions for camera, mic, cookie, etc. are all site-specific.

Yes, but there are no "sub"permissions. There are just single permissions. Also, we don't create site-specific exceptions for "everything"...

> The only thing that it doesn't do is to let the sites that have already been granted permission to actually use that permission;

It does; without that permission, they couldn't open popups without user interaction... That's the only thing the permission does.

> it's like if you grant a site permission to use the camera, but arbitrarily restrict it to 640x480 or grant a site permission to set a cookie but force it to expire within a day.

Those aren't really equivalent things.

And cookie exceptions actually do work that way, that is, if you have an add-on or have configured Firefox to not allow third party cookies, or to treat cookies as session cookies or some other cookie restriction, that will apply to items in the cookie exception list just the same.

And so do camera permissions - after all, we always show a sharing indicator on the tab and on the desktop, even if you've granted permanent permissions to a site, and there is no way for the site or the user to remove that, because it's an important security indicator.

You're asking to be able to site-specifically give a site much more significant popup permissions, among which is defeating explicit security measures that we take to ensure users stay in control of popups and can tell what page they're on. You haven't really given any reasons why you need that level of control.

Even if you yourself have some reasons, most users don't need this level of control, so it's a bad engineering trade-off to try to implement them.

Status: RESOLVED → VERIFIED
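An added illustrative model (example code, not Firefox's own implementation) of the policy laid out in comment #0 and comment #4: the popup permission is keyed by the opener origin rather than by where the popup is opened to, the browser-wide dom.disable_window_open_feature.* prefs override a page's request to hide chrome, and a popup without a location bar gets its current host prepended to its title. The pref values, origins, features string and "host - title" format are constructed assumptions.

```javascript
// Illustrative model of the popup policy described in this bug. Added example
// code, not Firefox's implementation; pref values, origins and the "host - title"
// format are constructed assumptions.

// Parse a window.open() features string such as "toolbar=no,location=0,width=320".
function parseFeatures(features) {
  const out = {};
  for (const item of features.split(",")) {
    const [name, value] = item.split("=").map((s) => s.trim().toLowerCase());
    if (!name) continue;
    if (value === undefined || value === "yes" || value === "true") out[name] = true;
    else if (/^\d+$/.test(value)) out[name] = Number(value); // width=320; "0" means no
    else out[name] = false; // "no", "false" or anything unrecognised
  }
  return out;
}

// Chrome a page may ask to hide; each piece has a browser-wide
// dom.disable_window_open_feature.<piece> pref that, when true, ignores the request.
const CHROME = ["toolbar", "location", "menubar", "status"];

// A popup opened without user interaction needs the *opener* origin on the allow
// list; the URL it is opened to plays no part in the check (comment #4).
function popupAllowed(openerOrigin, userInitiated, allowList) {
  return userInitiated || allowList.has(openerOrigin);
}

// As in window.open(), a non-empty features string hides every piece not
// explicitly requested, unless the global pref forces that piece to stay.
function resolveChrome(requested, prefs) {
  const anyRequested = Object.keys(requested).length > 0;
  const shown = {};
  for (const piece of CHROME) {
    const wantsHidden = anyRequested && !requested[piece];
    const forced = prefs[`dom.disable_window_open_feature.${piece}`] === true;
    shown[piece] = !wantsHidden || forced;
  }
  return shown;
}

// With no location bar, prefix the host of the popup's *current* document so a
// later navigation away from the opener's site stays visible in the title.
function popupTitle(currentUrl, pageTitle, shown) {
  return shown.location ? pageTitle : `${new URL(currentUrl).host} - ${pageTitle}`;
}

// Constructed walk-through: popups allowed for video.example, location pref
// relaxed by the user, toolbar pref still forcing the toolbar.
const demoPrefs = { "dom.disable_window_open_feature.toolbar": true, "dom.disable_window_open_feature.location": false };
const demoChrome = resolveChrome(parseFeatures("toolbar=no,location=no,width=320"), demoPrefs);
console.log(popupAllowed("https://video.example", false, new Set(["https://video.example"])), demoChrome, popupTitle("https://other.example/login", "Player", demoChrome));
```

The last call shows the point of the prefix: the popup was permitted because video.example is on the allow list, yet once it navigates to other.example the title still names the site actually being shown.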

(In reply to :Gijs (he/him) from comment #4)

> The site can open a popup to anywhere, it doesn't need to be its own site. The permission is for the opening site, not the target site. The page could also navigate after being opened. If the site has XSS or other vulnerabilities, there is no way anymore for the user to tell whether the popup is really at the target site. Also, the user might remember when opening the popup, but if it stays open for longer, they might forget, or confuse it with other sites where they've also allowed popups.

Again, it is up to the user to decide if they trust the site to allow it to create popups. If the site is going to include iframes or pull in stuff from other sites, it is up to that site to keep on top of it and remove them, and the user can always revoke the permission. Likewise, they could forget that they allowed cookies or other permissions, but you don't prevent them from allowing those. Popups are no more special or hazardous than any other permission, so telling users that they are not allowed to have the choice to decide what they allow is bad design, especially since it is easy to default to safe by merely making it opt-in (whitelist).

> the contents of the page aren't a good indication of the site that is serving those contents. Users need to be able to identify the former.

Again, you can draw more attention to the URL in the prompt and then leave it to the user. Again, default to not-allow, then let the users choose what they want to allow.

> > it's like if you grant a site permission to use the camera, but arbitrarily restrict it to 640x480 or grant a site permission to set a cookie but force it to expire within a day.
>
> Those aren't really equivalent things.

Sure they are. You allow users to grant permission to sites to create popups, but then impose a browser-wide restriction that prevents them from reducing the window chrome and force them to waste titlebar space with the URL.

> And so do camera permissions - after all, we always show a sharing indicator on the tab and on the desktop, even if you've granted permanent permissions to a site, and there is no way for the site or the user to remove that, because it's an important security indicator.

With the camera, there is a popup in addition to the little icon in the location-bar (redundant), but it makes sense because it's an active thing that they might forget is being used. With popups, the existence of the popup is the indicator that the site has permission to create one. Even then, you could create an unobtrusive indicator.

Besides, you don't provide any sort of visible indicator for cookies, you leave it to users to go through the list and adjust as necessary. It could be the same for popups (and all permissions).

> You're asking to be able to site-specifically give a site much more significant popup permissions, among which is defeating explicit security measures that we take to ensure users stay in control of popups and can tell what page they're on. You haven't really given any reasons why you need that level of control.

Except that you are not letting users stay in control of popups; you are making the devs (via the browser) retain control on the assumption that users can't possibly be trusted to do things for themselves. That's exactly what ruined Chrome.

You want a use-case scenario? Easy: an unobtrusive, minimal-chrome video-streaming window in the corner of the screen to allow users to watch videos on their computer while doing other things. Another example would be a game window (especially for things like idle games). Or a stock-market site, a chat box, or any number of other sites that a user might want to tuck away on the side of the screen and monitor in the background while doing other things.

Obviously they would want to minimize the screen foot-print of the window but retain the ability to see information in the titlebar without it being pushed out of sight by the URL.

> Even if you yourself have some reasons, most users don't need this level of control, so it's a bad engineering trade-off to try to implement them.

See, that's exactly what ruined Chrome and Windows, and lots of other things that started out good, but turned bad; devs who can't put themselves in others' shoes and assume that just because they don't use something or can't think of a use-case scenario, that it must also be true of all users. 🤦 Please do not become Google. Firefox is our last bastion of hope in a browser landscape of Chromium-based browsers.

The point is that you should allow users to retain control of their browser and allow them to choose what they trust and what they allow. There is no reason to block users from doing what they want/need to do for security if you just set the default settings to deny and then allow them to purposely grant permissions. That way anything that goes wrong is the user's fault, just like with everything else in the browser and in life. Protecting users from themselves by not allowing them to do things under any circumstances is like Windows preventing users from running programs that aren't in a Microsoft-approved list or installing unsigned drivers. It's just wrong. Windows protects users by popping up a confirmation box with a warning and relevant information, and then letting the user decide if they want to take that chance or not (at least for now…) and Firefox does the same for the most part, but is inconsistent.

The world is moving more and more online and most programs are shifting away from desktop apps to web-apps, so there is an ever-growing need for a sort of kiosk-mode for websites. It is no good to have a program cluttered and encumbered with lots of browser-chrome. Such a kiosk mode is already doable by just giving sites the ability to choose what window chrome to include in open.window and allow users to choose what sites get that right.
