Open Bug 1996303 Opened 5 months ago Updated 2 months ago

trust panel: "insecure" is displayed next to trust panel on navigation opening new tab

Categories

(Firefox :: Site Identity, defect, P1)

People

(Reporter: manuel, Assigned: daleharvey)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Attached file new-tab.html

There seem to be too many cases where we display the "insecure" label next to the tab. Feel free to split up into two bugs if you deem them separate.

  • In early stages while loading a https page
  • On error pages (e.g. server returning 404 not found, even over https)

Attaching a test page. Note that for the second one you need IPv6, however it makes the error more visible by having an artificial additional latency of 100ms.

While writing the test page I noticed that on 404 errors "insecure" is also displayed. This doesn't seem to be correct. Maybe separate bug, but could also have the same root cause.

STR:

  1. Open the attachment page.
  2. Click on one of these links.
  3. At the beginning of the load "insecure" is displayed.

Expected result: due to never downgrading due to specifying the https origin, don't display insecure. Even when we don't know yet whether the TLS handshake will pass.

Attachment #9522309 - Attachment mime type: text/plain → text/html
See Also: → 1881291
Summary: "insecure" is displayed next to trust panel on navigation opening new tab and on http error pages → trust panel: "insecure" is displayed next to trust panel on navigation opening new tab and on http error pages
Assignee: nobody → dharvey
Severity: -- → S3
Component: Address Bar → Site Identity
Priority: -- → P1
See Also: → 1997064

> In early stages while loading a https page

To be clear, we should not show the Shield either! While the document is loading we don't know the state and we can't show "good" OR "bad" iconography. You could argue we do know the ETP setting for the site before it's loaded, but that is an argument for showing an independent lock icon. If the intact shield includes the meaning "secure connection" then we can't show that until we know.

In the old slow-internet days browsers used to show a loading "throbber". Some people and parts of the world still do have slow internet 😀

Showing "Not Secure" while loading is not a security bug, at least, just likely to annoy users. Showing a "good" icon on a slow-to-load page is a known security problem that will lead to many "spoof" POCs being filed against us in search of easy bug bounty money, so don't do that.

The "while loading" issue will be a very different fix from the others you mentioned and should be kept separate. Let that be this bug.

Some of the error pages are shown this way because about: urls are not handled correctly: that's bug 1997064. I don't see a problem when a 404 page returns a body, https://github.com/mozilla/not_found for example, but if the site doesn't return a body then we would show an about:neterror page.

If there are other cases we should file them as additional bugs because there are likely unique things going on.

See Also: → 1997230
Summary: trust panel: "insecure" is displayed next to trust panel on navigation opening new tab and on http error pages → trust panel: "insecure" is displayed next to trust panel on navigation opening new tab
See Also: 1944993

> To be clear, we should not show the Shield either! While the document is loading we don't know the state and we can't show "good" OR "bad" iconography.

We already do though: if you visit https://example.com then block the learn more link, the urlbar shows the secure padlock the entire time. Hiding the icon while the page loaded would cause the URL to jump around and, I would expect, be considered a big regression.

Going to go through and compare our current and new behaviour with those examples, but as far as I can see from the code we do not hide the lock icon while in an unknown state currently.
