Closed Bug 2008317 Opened 6 months ago Closed 4 months ago

[unified trust panel] http-only "Not Secure" shield loses its red slash (making it look more-trustworthy) when you turn off tracking protection

Categories

(Firefox :: Address Bar, defect)

defect

Tracking

()

VERIFIED FIXED
150 Branch
Tracking Status
firefox-esr140 --- unaffected
firefox146 --- unaffected
firefox147 --- unaffected
firefox148 --- disabled
firefox149 --- verified
firefox150 --- verified

People

(Reporter: dholbert, Assigned: daleharvey)

References

(Regression)

Details

(Keywords: blocked-ux, regression)

Attachments

(3 files)

STR:

  1. Visit http://http.badssl.com/ (note, this is an insecure http-only website)
  2. Look at the shield at the left side of the URL bar (notice the red slash).
  3. Click the shield and click the slider to turn off tracking protection.
  4. Look at the shield at the left side of the URL bar again.

ACTUAL RESULTS:
The shield does not have a red slash after step 4. (i.e. it loses the red slash if you've turned off tracking protection.)
It does gain a small "x", but that's less prominent and has less of a color-enhanced "warning" feel.

EXPECTED RESULTS:
We should probably preserve some redness (maybe the same red slash) to indicate that this is an insecure HTTP connection.

I'm using Nightly 148.0a1 (2025-12-29)

INFO: Last good revision: 7c6e6dc03dc0fd5049e5cba70fcf669cb2e772d7 (2025-12-09)
INFO: First bad revision: 193270a369a8a26ae3dc8689656cc09748f37811 (2025-12-10)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7c6e6dc03dc0fd5049e5cba70fcf669cb2e772d7&tochange=193270a369a8a26ae3dc8689656cc09748f37811

Looks like this is part of the new "trustpanel" UI, enabled in bug 1988726. Before we enabled that, we showed a lock icon next to the shield, and the lock icon is what got the red slash through it (and retained the red slash regardless of ETP enablement).

--> Marking as regression from bug 1988726, though it's Nightly-only right now, I think:

https://searchfox.org/firefox-main/rev/aee7c0f24f488cd7f5a835803b48dd0c0cb2fd5f/browser/app/profile/firefox.js#427-431

#ifdef NIGHTLY_BUILD
pref("browser.urlbar.trustPanel.featureGate", true);
#else
pref("browser.urlbar.trustPanel.featureGate", false);
#endif
Keywords: regression
Regressed by: 1988726

Set release status flags based on info from the regressing bug 1988726

:daleharvey, since you are the author of the regressor, bug 1988726, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Summary: "Not Secure" shield loses its red slash (making it look more-trustworthy) when you turn off tracking protection → [unified trust panel] "Not Secure" shield loses its red slash (making it look more-trustworthy) when you turn off tracking protection
Component: Security → Address Bar
Summary: [unified trust panel] "Not Secure" shield loses its red slash (making it look more-trustworthy) when you turn off tracking protection → [unified trust panel] http-only "Not Secure" shield loses its red slash (making it look more-trustworthy) when you turn off tracking protection
Blocks: 2008405

Feature not currently enable on release so not affecting release.

This was implemented as per the design spec, the ETP display was prioritised over the not secure, possibly chosen because the text "Not Secure" is already quite prominent right there. I will forward on to the UX team to consider though, it may be possible to make the X red.

Flags: needinfo?(dharvey)
Keywords: blocked-ux

Also as this isnt a bug, a potential design change gonna take off it blocking release

No longer blocks: 2008405

Set release status flags based on info from the regressing bug 1988726

The severity field is not set for this bug.
:jteow, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jteow)

I set this to P2 since it was enabled for 149, so we may want to ensure we get UX's take on this sooner rather than later.

Severity: -- → N/A
Type: enhancement → defect
Flags: needinfo?(jteow)
Priority: -- → P2
Type: enhancement → defect
Type: enhancement → defect
Severity: N/A → S4
Priority: P2 → --

Hmm because of the tracking flags, it remains a defect so I'll keep it as that. I've set the severity to S4 since it's a visual change and left the priority open until we get UX feedback.

:jteow did we hear back from UX regarding priority for this?

See Also: → 2017369
Assignee: nobody → dharvey

Discussing with UX and they have recommended prioritising the not secure icon when a site is not secure and etp protections turned off.

Pushed by dharvey@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/eaa1b65e8642 https://hg.mozilla.org/integration/autoland/rev/7a29a535a217 Prioritise insecure icon over etp disabled. r=daisuke,desktop-theme-reviewers,urlbar-reviewers,Itiel
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 150 Branch

The patch landed in nightly and beta is affected.
:daleharvey, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(dharvey)
QA Whiteboard: [search] [qa-triage-done-c150/b149]

firefox-beta Uplift Approval Request

  • User impact if declined: This code fixes a regression in a security related area of the UI
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: Open httpforever.com with etp disabled, should see insecure icon
  • Risk associated with taking this patch: low
  • Explanation of risk level: Small patch with tests
  • String changes made/needed: N/A
  • Is Android affected?: no
Attachment #9549904 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Yup made an uplift request for this

Flags: needinfo?(dharvey)
QA Whiteboard: [search] [qa-triage-done-c150/b149] → [search] [qa-triage-done-c150/b149][uplift][qa-ver-needed-c150/b149]
Attachment #9549904 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Hello! I can confirm that the issue is fixed with firefox 150.0a1(2026-03-05) on Ubuntu 22.04, macOS 15.6.7 and Windows 10.

I will update the flags and status for this issue.

Have a nice day!

Status: RESOLVED → VERIFIED
QA Whiteboard: [search] [qa-triage-done-c150/b149][uplift][qa-ver-needed-c150/b149] → [search] [qa-triage-done-c150/b149][uplift][qa-ver-done-c150/b149]
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: