[unified trust panel] http-only "Not Secure" shield loses its red slash (making it look more-trustworthy) when you turn off tracking protection
Categories
(Firefox :: Address Bar, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox146 | --- | unaffected |
| firefox147 | --- | unaffected |
| firefox148 | --- | disabled |
| firefox149 | --- | verified |
| firefox150 | --- | verified |
People
(Reporter: dholbert, Assigned: daleharvey)
References
(Regression)
Details
(Keywords: blocked-ux, regression)
Attachments
(3 files)
STR:
- Visit http://http.badssl.com/ (note, this is an insecure http-only website)
- Look at the shield at the left side of the URL bar (notice the red slash).
- Click the shield and click the slider to turn off tracking protection.
- Look at the shield at the left side of the URL bar again.
ACTUAL RESULTS:
The shield does not have a red slash after step 4. (i.e. it loses the red slash if you've turned off tracking protection.)
It does gain a small "x", but that's less prominent and has less of a color-enhanced "warning" feel.
EXPECTED RESULTS:
We should probably preserve some redness (maybe the same red slash) to indicate that this is an insecure HTTP connection.
I'm using Nightly 148.0a1 (2025-12-29)
| Reporter | ||
Comment 1•6 months ago
|
||
INFO: Last good revision: 7c6e6dc03dc0fd5049e5cba70fcf669cb2e772d7 (2025-12-09)
INFO: First bad revision: 193270a369a8a26ae3dc8689656cc09748f37811 (2025-12-10)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7c6e6dc03dc0fd5049e5cba70fcf669cb2e772d7&tochange=193270a369a8a26ae3dc8689656cc09748f37811
Looks like this is part of the new "trustpanel" UI, enabled in bug 1988726. Before we enabled that, we showed a lock icon next to the shield, and the lock icon is what got the red slash through it (and retained the red slash regardless of ETP enablement).
--> Marking as regression from bug 1988726, though it's Nightly-only right now, I think:
#ifdef NIGHTLY_BUILD
pref("browser.urlbar.trustPanel.featureGate", true);
#else
pref("browser.urlbar.trustPanel.featureGate", false);
#endif
| Reporter | ||
Updated•6 months ago
|
Comment 2•6 months ago
|
||
Set release status flags based on info from the regressing bug 1988726
:daleharvey, since you are the author of the regressor, bug 1988726, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
| Reporter | ||
Comment 3•6 months ago
|
||
| Reporter | ||
Updated•6 months ago
|
| Reporter | ||
Updated•6 months ago
|
| Reporter | ||
Updated•6 months ago
|
| Assignee | ||
Comment 4•6 months ago
|
||
Feature not currently enable on release so not affecting release.
This was implemented as per the design spec, the ETP display was prioritised over the not secure, possibly chosen because the text "Not Secure" is already quite prominent right there. I will forward on to the UX team to consider though, it may be possible to make the X red.
| Assignee | ||
Comment 5•6 months ago
|
||
Also as this isnt a bug, a potential design change gonna take off it blocking release
Comment 6•6 months ago
|
||
Set release status flags based on info from the regressing bug 1988726
Updated•6 months ago
|
Comment 7•5 months ago
|
||
The severity field is not set for this bug.
:jteow, could you have a look please?
For more information, please visit BugBot documentation.
Comment 8•5 months ago
•
|
||
I set this to P2 since it was enabled for 149, so we may want to ensure we get UX's take on this sooner rather than later.
Updated•5 months ago
|
Updated•5 months ago
|
Updated•5 months ago
|
Comment 9•5 months ago
|
||
Hmm because of the tracking flags, it remains a defect so I'll keep it as that. I've set the severity to S4 since it's a visual change and left the priority open until we get UX feedback.
Comment 10•5 months ago
|
||
:jteow did we hear back from UX regarding priority for this?
| Assignee | ||
Updated•4 months ago
|
| Assignee | ||
Comment 11•4 months ago
|
||
Discussing with UX and they have recommended prioritising the not secure icon when a site is not secure and etp protections turned off.
| Assignee | ||
Comment 12•4 months ago
|
||
Comment 13•4 months ago
|
||
Comment 14•4 months ago
|
||
| bugherder | ||
Comment 15•4 months ago
|
||
The patch landed in nightly and beta is affected.
:daleharvey, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox149towontfix.
For more information, please visit BugBot documentation.
Updated•4 months ago
|
Comment 16•4 months ago
|
||
firefox-beta Uplift Approval Request
- User impact if declined: This code fixes a regression in a security related area of the UI
- Code covered by automated testing: yes
- Fix verified in Nightly: no
- Needs manual QE test: yes
- Steps to reproduce for manual QE testing: Open httpforever.com with etp disabled, should see insecure icon
- Risk associated with taking this patch: low
- Explanation of risk level: Small patch with tests
- String changes made/needed: N/A
- Is Android affected?: no
| Assignee | ||
Comment 17•4 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D285426
Updated•4 months ago
|
Updated•4 months ago
|
Updated•4 months ago
|
Comment 19•4 months ago
|
||
| uplift | ||
Comment 20•4 months ago
|
||
Hello! I can confirm that the issue is fixed with firefox 150.0a1(2026-03-05) on Ubuntu 22.04, macOS 15.6.7 and Windows 10.
I will update the flags and status for this issue.
Have a nice day!
Description
•