Closed Bug 184074 Opened 20 years ago Closed 11 years ago
Syntax highlighting in url bar
3.85 KB, image/png
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Build Identifier: Could syntax highlighting not be used in the url bar? A basic version would just make the hostname bold, purely to make it stand out. A more complex version would use different colours for the protocol, hostname, query string etc. Reproducible: Always Steps to Reproduce: Type a url in the url bar Actual Results: N/A Expected Results: Mozilla would neatly and automatically make the hostname bold and use appropriate colours for the different parts of the url
I would find that kind of clutter in the urlbar very distracting. Can you give any reasons for why you think it's needed?
URLs in themselves are very cluttered (take this one, http://bugzilla.mozilla.org/show_bug.cgi?id=184074, for instance). I think it'd be useful to emphasise what host you're on as that's the important bit. The rest of it is pretty much irrelvant (as you either bookmark the page or find it via a search engine). Hostnames are probably the only part you ever type in, so emphasising it helps out if you're not au fair with the anatomy or a URL. In the same vain, the whole url bar could turn red if on a secure site - much more striking that a teeny tiny padlock symbol and a million pop-up dialogs. And if you don't like the 'clutter', you could turn it off.
How do you mean it helps someone unfamiliar with the "syntax" of an URL? If they don't know which part the domain is, why would it mean any more if written in pink? As you say..the hostname is about the only part you ever type in. It's something users get familiar with during their very first session with a browser. This is pure bloat. Recommend WONTFIX.
I disagree with your point - 'normal' users don't get used to the concept of hostnames. It's a weird tekky thing. Making the hostname bold adds a link between what the user typed into the url bar and what appears when the page loads.
I'm sure some people wouldn't like it, but others might. worth considering, particularly as it would help with some security issues with misleading URLs like http://www.microsoft.com\thisisarealURLhonest@mozilla.org/ or whatever... confirming as an RFE...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: PC → All
Just two minor things I'd like to add: - highlighting in a colour (eg blue) might be less obtrusive than highlighting bold (and under most circumstances equally distinguishable). - any such syntax highlighting would IMO only really need to occur after the resource starts actually loading (ie, after any redirects and *not* during typing) so as to make the user aware if they have loaded a spoofed URL.
Personally, I think that this is an excellent idea. If you don't like it, don't use it. But for those who would find it useful, it would be a big boon. I'm not sure if I (personally) would use it or not, but I'd certainly like to have the option - I'd at least turn it on and see what I thought. I also think that it would help educate non-technical people as to the nature of what they're seeing in the location bar - typically, I'm sure, it's all just a mass of unintelligable characters. If it's broken down into its component parts in this fashion, it would help make things clearer.
There is also some discussion of this idea at MozillaZine here: http://www.mozillazine.org/talkback.html?article=4078#17 This is in relation to the recent Microsoft security flaw, that Mozilla is partially affected by, whereby the URL shown is not the actual URL visited. (In Mozilla, it's the status bar display that's incorrect.) Thinking on this, the same kind of highlighting of the location bar URL could/should also be applied to the status bar URL displayed when hovering over a link. As the other discussion mentions, this would help cut down on "phishing" by explicitly drawing your attention to the fact that what the page says you're getting is not what you're actually getting.
Many sites actually educate users to look at the URL in determining that the site is really what it should be (I think PayPal was mentioned as an example). Color can not be the only distinguishing way because of color blindness and two-color (B&W) devices - bold host name seems like the best option to me. (But please note that bold hostname would still not fix the spoofing issue completely, because you could push the host name outside the visible area in URLbar, and you could also force open a window without a URLbar.)
would underlining up to and including an @ work for this ? http://email@example.com/show_bug.cgi?id=184074#c10 type URIs would then be more spottable including bold bugzilla.mozilla.org as well wouldn't hurt
Initially this bug report seems like a good idea. However after I reviewed it more, I don't think it's appropriate to be highlighting the host name in the address bar. I think overall it will look silly and people won't "get it". We are talking about the subject of user education and I asked some users who I consider slightly above average in computer skills and knowledge. If they could tell what website/domain the would be at by looking at just the following spoofed url: http://firstname.lastname@example.org/security/ex01/vun2.htm They all replied microsoft. Mozilla users tend to be more knowledgeable than the average IE user and I still belive syntax highlighting will not work. Considering it will be a piece of cake for the website spoofer to change the above url to be: http://email@example.com/security/ex01/vun2.htm Until the host name is outside the visible area. The average user doesn't know the difference between a URL and a hostname. If the hostname is highlighted you will still have to train people to know what that means. So telling them that the hostname is after the @ or the hostname is highlighted will still be a great undertaking. I suggest a reasonable thing would be to display the URL as we do now then display the hostname seperately. As users surf legitamite sites they will notice that the url, the website content they see and the hostname all correspond. When they get a spoofed site it will be clear what the hostname is and they will know not to trust it. This solution doesnt require education because the GUI interface will be intuiative. See the attached jpeg, look for the 4 stars where i suggested the hostname appear. My personal favorite is below the tab title, but the tabs arent always long enough. any input or better placement suggestions are welcome. I know layout changes are going to be hard to make in 1.X so this may be a 2.0 solution.
> They all replied microsoft. Which would, obviously, be wrong. If the real host name were highlighted, then it would help them to understand their error. This is actually an argument in *favour* of highlighting, not against it... > Until the host name is outside the visible area. Which can happen with any part of the URL, and not, I think, something that will happen with *any* kind of regularlity at all. What you're proposing is an edge case that will almost never happen - certainly not often enough to be considered here. (You could always open another bug that implemented a horzontal scroll for the location bar.) > I suggest a reasonable thing would be to display the URL as we do now then > display the hostname seperately. First, I don't like it. Especially as a solution to correct the problems with highlighting you mention that I don't see as problems. I think it makes things too cluttered, and we should make use of the text that we're already displaying. Secondly, that's not this bug. If you want to see that, you should file another bug and bring it up there. This bug isn't about possible solutions to bring users' attention to the actual host being visited - rather it's about one solution specifically, that of highlighting URL text.
Jason, I'm trying to make a case against this feature request, that is why I mention other possible solutions. >Which can happen with any part of the URL, and not, I think, something that will >happen with *any* kind of regularlity at all. What you're proposing is an edge >case that will almost never happen - certainly not often enough to be considered >here. (You could always open another bug that implemented a horzontal scroll >for the location bar.) I pointed out that the highlighted hostname could be moved outside the visible address bar, which would defeat the security solution that highlighting would provide, that is the number 1 reason this feature request would not solve the spoofing problem. Which you added to this discussion. Spoofer don't normally make the password field long because they can trick the user, if the user was able to see the hostname clearly then they would push it beyond the visible area with a greater frequency.
I just filed bug 228612, which proposes a solution to the long-username problem.
> I pointed out that the highlighted hostname could be moved outside the visible > address bar, which would defeat the security solution that highlighting > would provide I beg to differ. The absence of visible highligh is a pretty good clue that something is amiss (why www.microsoft.com is no longer bold ?). For the user, visible highlight == good, no visible highlight == bad. I think the only security argument that can be made is that the clue may be too subtle for most users, and they will just ignore it, whereas a popup is "in your face" (and that's why we hate popups ;-). Note that this RFE is not purely about improving security, highlighting has other advantage like making it easier to cut'n'paste bits of the URL or remocing components. For example, I don't think highlighting of "view page source" was done for security reasons.
One possible solution is to be very explicit and instead of displaying the URL in the status bar display something like location:http://microsoft.com username:mozilla.org password:foobar for a url like mozilla.org:firstname.lastname@example.org or just site:http://mozilla.org/projects/firebird/index.html for a URL like http://mozilla.org/projects/firebird/index.html Even if the URL is truncated, the user would see part of the hostname (rather than part of the username). It also makes the URL bar user friendly for people who don't read RFCs about URI formats (i.e. everyone). Just out of interest, would the patch (this *doesn't* mean I'm planning to write a patch!) for this be to nsWebShell::OnOverLink so that it: 1) It extracted the protocol host, path, username and password from the URI using aURI->GetScheme(), aURI->GetHost(), aURI->GetPath(), aURI->GetUsername() and aURI->GetPassword() 2)Use the StringBudleService to get some localised prefixes ("Location") 3)Concatenate the strings as required for display 4) Call UnEscapeURIForUI on the combined string <-- would you have to do this on each part of the URI individually? 5) Call SetStatus, passing the new string.
Argh, sorry, I didn't read the summary properly <blush> My suggestion obviously applies to the status bar not the url bar (typos notwithstanding).I really want a different bug.
Comment on attachment 137389 [details] Possible locations to display host name Discussed in bug 122445. Dup? And adding a hostname filed (mockup attachment) is offtopic here.
Attachment #137389 - Attachment is obsolete: true
*** Bug 232792 has been marked as a duplicate of this bug. ***
Hi everyone. Just to say that I had the same idea (url syntax highlighting) some days ago, and today I've found that ra_hardy proposed it in 2002. Well, I agree that syntax highlighting (SH) is a very good idea in order to improve the url bar. SH makes it easier to view/understand the url_bar contents, in a similar way that in source code files (i.e. html source code). I've made a image to show how it would look like. The image is attached to this bugzilla page, and can be accesed here: http://bugzilla.mozilla.org/attachment.cgi?id=143118&action=view I think it would be a very useful innovation for the user interface, specially for medium-advanced users, and of course it would have an option in Preferences in order to be enabled/disabled. And probably the suggestion is also easy to implement, since the browser parses a url when a page is going to be loaded, so the structure/parts of a url are known - they only have to be colourized. Thanks guys!
*** Bug 243292 has been marked as a duplicate of this bug. ***
Can this feature-request be implemented in Firefox 1.5 release?
*** Bug 315329 has been marked as a duplicate of this bug. ***
This type of feature would be useful in helping people spot phishing sites. One thing I should note is that in HTTPS mode the hostname is actually placed in the status bar, but not in FTP or HTTP. It would be useful for the actual host name to always be present in the status bar. Though I must admit it was only today when visiting an HTTPS site did I notice the host name in the status bar. I wonder how many people would miss that too.
Looks like IE8 is implementing this http://blogs.msdn.com/ie/archive/2008/03/11/address-bar-improvements-in-internet-explorer-8-beta-1.aspx
Assignee: hewitt → nobody
QA Contact: claudius → location-bar
The IE8 implementation is excellent: it's discreet but unambiguous, and quite clearly indicates when something funny is going on with the URL. We should adopt the same solution.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 689139
You need to log in before you can comment on or make changes to this bug.