Closed Bug 388219 Opened 17 years ago Closed 8 years ago

Rephrase "SuperfluousAuth" to ask the right question.

Categories

(Core :: Networking: HTTP, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: bugzilla, Assigned: bugzilla)

Details

Attachments

(1 file, 1 obsolete file)

At the moment, the SuperfluousAuth dialogue asks for something different than it should, making the consequences of the decision not too clear. The difference is subtle, but should be fixed IMHO. Additionally, making this change makes it easier to localise, at least in German.

Actual String: 
  SuperfluousAuth=You are about to log in to the site "%1$S" with the username 
  "%2$S", but the website does not require authentication. This may be an attempt 
  to trick you.\n\nIs "%1$S" the site you want to visit?

Proposed new string:
  SuperfluousAuth=You are about to log in to the site "%1$S" with the username 
  "%2$S", but the website does not require authentication. This may be an attempt 
  to trick you.\n\nShould the credentials from "%2$S" be sent to "%1$S"?
Attached patch: make proposed change (obsolete)
Assignee: nobody → bugzilla
Status: NEW → ASSIGNED
Attachment #272395 - Flags: superreview?
Attachment #272395 - Flags: review?
Attachment #272395 - Flags: superreview?(cbiesinger)
Attachment #272395 - Flags: superreview?
Attachment #272395 - Flags: review?(cbiesinger)
Attachment #272395 - Flags: review?
I just fear you need to rename the ID of the string to something like SuperfluousAuth2 so that localizers are forced to retranslate it, as this is a semantic change.

Of course, this has to be done in the .properties as well as in http://mxr.mozilla.org/seamonkey/source/netwerk/protocol/http/src/nsHttpChannel.cpp#3114
After further discussion via IRC it became clear that I misunderstood the original wording. However, it doesn't really reflect the intention of this dialogue: warning about a potential phish (see bug 232567) - so this bug is still valid.

This dialogue is only triggered by a URL containing a username pointing to a site not requiring authentication, so I think we should completely drop mentioning the username, as displaying a username like "www.ebay.com" may lead to premature clicks on [YES] by inattentive users.

Supplying new patch with revised, discussed text:
String ID changed to trigger new l10n.
Last sentence changed to facilitate German translation.
Attachment #272395 - Attachment is obsolete: true
Attachment #272398 - Flags: superreview?(cbiesinger)
Attachment #272398 - Flags: review?(cbiesinger)
Attachment #272395 - Flags: superreview?(cbiesinger)
Attachment #272395 - Flags: review?(cbiesinger)
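
The trigger condition and the username-spoofing concern from the comment above, sketched as an added example (not code from nsHttpChannel.cpp or from anyone in this bug). The `serverChallenged` flag, the host-like username heuristic and the `.example` links are assumptions made for illustration.

```javascript
// Added example, not Mozilla code. Models the condition this bug describes:
// the URL carries a username, but the server never asked for credentials.

// Assumption: a username made of dot-separated labels ending in a TLD-like
// label is treated as "looks like a hostname" (e.g. "www.ebay.com").
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Percent-decode userinfo without throwing on malformed escapes.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// href: the link being followed.
// serverChallenged: hypothetical input, true if the server answered with a
// 401 challenge, i.e. the site really does require authentication.
function checkSuperfluousAuth(href, serverChallenged) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { warn: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { warn: false, reason: "not-http" };
  }
  if (url.username === "" && url.password === "") {
    return { warn: false, reason: "no-userinfo" };
  }
  if (serverChallenged) {
    return { warn: false, reason: "auth-required" };
  }
  const username = safeDecode(url.username);
  return {
    warn: true,
    reason: "superfluous-auth",
    host: url.hostname, // the site actually contacted
    username,
    usernameLooksLikeHost: HOSTLIKE.test(username),
  };
}

// Constructed sample links (reserved .example names).
console.log(checkSuperfluousAuth("http://www.ebay.com@phish.example/login", false));
console.log(checkSuperfluousAuth("http://alice@intranet.example/", true));
```

The `host` field is the name a warning should put in front of the user; the `usernameLooksLikeHost` flag marks the case where showing the username would put a second, misleading site name in the dialogue.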
Comment on attachment 272398
revised string and new string ID

I'll let beltzner review the new string
Attachment #272398 - Flags: superreview?(cbiesinger)
Attachment #272398 - Flags: superreview+
Attachment #272398 - Flags: review?(cbiesinger)
Attachment #272398 - Flags: review?(beltzner)
Comment on attachment 272398
revised string and new string ID

I don't think we need to include detail about how it's trying to use a username, since that's really irrelevant to the attack we're trying to prevent.

How about:

SuperfluousAuth2=This link may be an attempt to trick you. Is %1$S the site you want to visit?
Attachment #272398 - Flags: review?(beltzner) → review-
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE