Closed Bug 1617861 Opened 1 month ago Closed 1 month ago

Stop prompting for the DNS permission, the message is alarming and confusing, brings little to no security benefit

Categories

(WebExtensions :: Frontend, enhancement)

enhancement
Not set

Tracking

(firefox74 fixed, firefox75 fixed)

RESOLVED FIXED
mozilla75
Tracking Status
firefox74 --- fixed
firefox75 --- fixed

People

(Reporter: remtanmajitenshi, Assigned: zombie, NeedInfo)

References

Details

(Keywords: ue)

Attachments

(1 file)

UI request for https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/dns is confusing enough in English and even worse in Russian translation (maybe in other languages too).
English version: "Access IP address and hostname information".
Russian version: "Доступ к информации об IP-адресе и имени компьютера", literal translation of which is something like: "Access to information about IP-address and name of computer".

Many users think that it is about their computer name (like "John's PC") and their IP-adress, while this permission is about resolving internet domains. See recent 1-star reviews of uBlock Origin that requires this permission in new version (1.25.0): https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/reviews/
English examples:

Ask for your IP and device name in last update, unacceptable. Looks like another good ad blocker gone astray. RIP. Deleting (PS: they started 5star upvoting their changes rapidly after this privacy invasion, beware)

Used to be pretty great... but the latest update, as you may have noticed, asks for your IP address and computer name. You are NOT getting that information. I'll find a new adblocker.

This ad-blocker was great UNTIL the latest update, asking for my IP address and hostname. The whole point of an ad-blocker is to limit my information from being sold. And now the ad-blocker is selling my information.

DO NOT INSTALL THIS ADD-ON, it will steal private information from your device(s). There is absolutely no reason for this add-on to need your IP address and hostname.

Why the hell do you need my ip and my computer name?

What for ip and computer name? HELLO, WHAT ARE U DOING. HELLO?

IP address and computer name? What for?!

Wording of permission request should be more clear and state that it is about web/internet domains/hostnames.

(In reply to Qwerty from comment #0)

confusing enough in English and even worse in Russian translation (maybe in other languages too).

After a quick look at some other translations, I don't see how other languages could do much better given the original English string. It seems your problem is with it, so I'm editing the summary and triaging accordingly.

If you'd like to submit a suggestion for a better Russian translation, you should be able to do so below:
https://pontoon.mozilla.org/ru/firefox/all-resources/?string=176403

Type: defect → enhancement
Component: Untriaged → Frontend
Keywords: ue
Product: Firefox → WebExtensions
Summary: Bad wording and translation of request for DNS API permission for extensions → "Access IP address and hostname information" should be reworded to clarify it's not about the user's system
Duplicate of this bug: 1617873

Jorge, can we get a new string for this? It's causing some confusion now that uBlock Origin is using it.

Flags: needinfo?(jorge)

Or consider just dropping the prompt altogether?

See Also: → 1617876

(In reply to Andrew Swan [:aswan] from comment #4)

Or consider just dropping the prompt altogether?

yeah it seems at least worth considering.

I'm adding a needinfo assigned to Philipp to double-check how he feels about this alternative option.

Flags: needinfo?(philipp)

I second the motion of dropping this permission from the list of required on update. I don't think this one is particularly risky.

I assume we still need a better string for it, though. How about something like "Request IP addresses of web servers"?

Flags: needinfo?(jorge)

What happens with updates if the user doesn't accept the permission? (e.g. by simply clicking another tab!) (See second part of bug 1617873) I understand the current update is blocked but are users left behind or is there a way to recover?

It should stay at the top of the firefox hamburger menu. Obviously not ideal, but UX couldn't come up with a better compromise.

(In reply to Jorge Villalobos [:jorgev] (he/him) from comment #6)

I assume we still need a better string for it, though. How about something like "Request IP addresses of web servers"?

We either prompt for a permission, or have no permission string. Don't think we present permissions without strings anywhere across AMO or about:addons.

Assignee: nobody → tomica
Pushed by tjovanovic@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7210a39affab
Remove DNS permission prompt string, stop prompting r=mixedpuppy

Comment on attachment 9129136 [details]
Bug 1617861 - Remove DNS permission prompt string, stop prompting

Beta/Release Uplift Approval Request

  • User impact if declined: Users are alarmed from the confusing permission message when updating uBlockOrigin, with little to no security benefit. See quotes and links from bug 1617876 comment 0.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): A purely declarative change, lack of permission string automatically skips the prompt and grants it.
  • String changes made/needed: Removed a localized string from future use.
Attachment #9129136 - Flags: approval-mozilla-beta?
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: "Access IP address and hostname information" should be reworded to clarify it's not about the user's system → Stop prompting for the DNS permission, the message is alarming and confusing, brings little to no security benefit
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75

Comment on attachment 9129136 [details]
Bug 1617861 - Remove DNS permission prompt string, stop prompting

Low risk and clears up confusion for end users, uplift approved for 74 beta 9, thanks.

Attachment #9129136 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.