Closed Bug 414789 Opened 18 years ago Closed 16 years ago

Add-on install dialog should display eTLD + 1 instead of full URI

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: sdwilsh, Unassigned)

Details

Like the download manager - brought this up with beltzner, madhava, and mconnor, who all seemed to be in agreement.
Flags: blocking-firefox3?
I disagree; I think it needs to show the full hostname. An XPI from "google.com" or "blogspot.com" sounds a lot more trustable than an XPI from "attachments.mail.google.com" or "theevilone.blogspot.com".
This doesn't block, but I think we should consider it. Jesse's points in comment #1 are well founded, though inversely, I might argue that: http://addons.from.google.com.evilbadass.com is more likely to fool someone than google.com
Flags: wanted-firefox3+
Flags: blocking-firefox3?
Flags: blocking-firefox3-
Product: Firefox → Toolkit
Johnath, is this your sort of ballpark?
(In reply to comment #3) > Johnath, is this your sort of ballpark? Sure, but it's not cut and dry. In the download manager case, you're mostly just providing a memory cue, the user has already made the trust decision downloading the thing in the first place. Here, they really might make trust decisions based on what we show them. I do think that the top level (eTLD+1) should always have some responsibility to bear here - if a company X decides, by way of webmail hosting, or geocities-style subdomains or what-have-you - I feel like you are still on company X's machine, and they really oughtn't get carte blanche. We are not accountable to their business model. Having said that, it happens. The risk Jesse identifies is not that we'll slander Google, it's that we'll hurt our users by making something seem to come from Google that doesn't, and that's a tough thing to do based on a principled stance. In bugs like bug 414627 I supported eTLD+1 because it felt like a good *trade-off* - the accountability argument mixed with the need to conserve space and provide an ever-present, at-a-glance cue. In the download manager, I think a similar argument held - that it was a priority to make it easy to scan and reduce false positives when searching, so eTLD+1 was more appropriate. Here, the user is making an important, relatively rare decision with (comparatively) more space available. Given all that, I think showing the full domain name is probably the right thing to do. I would support WONTFIX here, even though I understand where Shawn's coming from. Now, when I look at the dialog on current trunk, I see the whole url, not just the hostname. That makes the parsing that much harder, I wonder if there's value in either a) just showing the hostname, b) emphasizing the hostname somehow. Maybe I'm missing something obvious there, though?
(In reply to comment #4) > Now, when I look at the dialog on current trunk, I see the whole url, not just > the hostname. That makes the parsing that much harder, I wonder if there's > value in either a) just showing the hostname, b) emphasizing the hostname > somehow. Maybe I'm missing something obvious there, though? I think there is something in this. Particularly when SSL is in use the hostname is about the only sort of identifying information saying where the add-on is coming from.
So we can morph this bug, but I think the better play is to resolve this one WONTFIX if we agree, and open a new bug for the other thing. I suspect this exact bug will come up again at some point, since there is an inconsistency there, and it would be nice to have a simple bug to dup it against.
Filed follow-up bug 489908
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.