Closed Bug 441624 Opened 17 years ago Closed 17 years ago

Add escape & appeal buttons to phishing/malware clickthrough notify bar

Categories

(Toolkit :: Safe Browsing, defect)

Product:
Toolkit
Component:
Safe Browsing
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: johnath, Assigned: johnath)

References

(
URL
)

Details

(Keywords: verified1.9.1)

Attachments

(1 file, 2 obsolete files)

Nits addressed
9.35 KB, patch
johnath
: review+
johnath
: ui-review+
Details | Diff | Splinter Review
Early discussions in bug 415846 envisioned a more discoverable way to report false-positive phishing links, by adding a button to the notify bar displayed when users click through a phishing link. Because bug 415846 is going to be landed on an l10n-frozen branch, though, I'm opening this bug to track the idea which, to do properly, requires the addition of a string to a .properties file. This should be quite straightforward to add to 3.1, for instance.
Flags: blocking-firefox3.1?
When are we talking for 3.1? This is a huge problem for us, as the menu item is basically buried and we aren't going to be getting any reports of false positives, which will lead to people being angry at Firefox (Why is this legitimate site being blocked), and angry at Google. Can we somehow get this in for 3.0.1?
Any update for when we expect to fix this bug?
I'm on vacation but when I get back, this is something I'd like to work on. If I can do it without string changes, and I think I can, then it might make 3.0.x, but if not, it should certainly make 3.1
Attached patch Working patch, wrong url (obsolete) — Splinter Review
This does the job, adds "Get Me out of Here!" and "This is not a [Web Forgery|Attack Site]" buttons to the notify bar, which I think will be a lot better for discoverability. Ian/Marria - what URL should we be using for malware error reporting? We'll set up a mozilla.org bouncer like we do for the other URLs, but we need to know what the actual target is.
Summary: Add "This isn't a web forgery" to phishing clickthrough notify bar → Add escape & appeal buttons to phishing/malware clickthrough notify bar
None. There is no error reporting for malware - it's not something that most users are capable of recognizing, unlike the case of phishing. You really have to dive deep into the source, and/or run it in a VM and see what happens. We provide steps for webmasters to file for review (linked to off the diagnostic page and our help center), but there is no link for end-users.
Sigh. That should read "there is no error reporting for malware except by webmasters". Clearly we do provide (and want to provide) a way for webmasters to report that they have addressed the issue that led to their page being compromised, but an end user really has no way of knowing if whatever problem led to the infection was actually fixed (e.g. script updated to close sql-injection holes and database cleaned up). (In reply to comment #5) > None. There is no error reporting for malware - it's not something that most > users are capable of recognizing, unlike the case of phishing. You really have > to dive deep into the source, and/or run it in a VM and see what happens. We > provide steps for webmasters to file for review (linked to off the diagnostic > page and our help center), but there is no link for end-users.
(In reply to comment #5) > None. There is no error reporting for malware - it's not something that most > users are capable of recognizing, unlike the case of phishing. You really have > to dive deep into the source, and/or run it in a VM and see what happens. We > provide steps for webmasters to file for review (linked to off the diagnostic > page and our help center), but there is no link for end-users. I understand that, definitely, and the "Why was this site blocked" link off our blocking page does link to the webmaster tools, but we still see site owners asking for appeal process. In the absence of anything else, we could send them to the generic stopbadware appeal page - are you saying you would prefer nothing at all?
It might be good in that case to link directly to the help page documenting the appeals process, e.g. link to http://www.google.com/support/webmasters/bin/answer.py?answer=45432
Depends on: 457682
Attached patch Now using redirect URLs (obsolete) — Splinter Review
Attachment #340199 - Attachment is obsolete: true
Attachment #344928 - Flags: review?(tony)
Status: NEW → ASSIGNED
Comment on attachment 344928 [details] [diff] [review] Now using redirect URLs looks good
Attachment #344928 - Flags: review?(tony) → review+
Comment on attachment 344928 [details] [diff] [review] Now using redirect URLs On the browser blurbs
Attachment #344928 - Flags: review?(gavin.sharp)
Comment on attachment 344928 [details] [diff] [review] Now using redirect URLs >diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js >+pref("browser.safebrowsing.provider.0.reportMalwareURL", "http://{moz:locale}.malware-report.mozilla.com/?hl={moz:locale}"); >+pref("browser.safebrowsing.provider.0.reportMalwareErrorURL", "http://{moz:locale}.malware-error.mozilla.com/?hl={moz:locale}"); Can you update the comment in sb-loader.js about possible values for getReportURL()? >diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js >+ var bundle = document.getElementById("bundle_browser"); nit: please use gNavigatorBundle >+ var buttons = [{ >+ label: bundle.getString("safebrowsing.getMeOutOfHereButton.label"), nit: fix the indent here?
Attachment #344928 - Flags: review?(gavin.sharp) → review+
Attached patch Nits addressedSplinter Review
Carrying over reviews, call it my ui-r or beltzner's, it's been ok'd, anyhow. I'll land once the tree goes green.
Attachment #344928 - Attachment is obsolete: true
Attachment #344951 - Flags: ui-review+
Attachment #344951 - Flags: review+
Checked in. http://hg.mozilla.org/mozilla-central/rev/653cd7bf1bb4
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Automated testing will tend to be brittle here since we care most that button presses go somewhere "sensible" and that's tough to check for in an automated way. I believe there are already litmus tests about ensuring the notify bar appears, my hope is that testing the function of these buttons can attach itself to the existing test.
Flags: in-litmus?
(In reply to comment #15) > Automated testing will tend to be brittle here since we care most that button > presses go somewhere "sensible" and that's tough to check for in an automated > way. I believe there are already litmus tests about ensuring the notify bar > appears, my hope is that testing the function of these buttons can attach > itself to the existing test. Juanb, Tomcat, can either of have a look at this? If our existing tests already cover this new work, please ensure that in the bug here, and minus the in-litmus flag. Thanks.
Edited tests 6260 and 6988 in Litmus to accommodate added notification bar elements.
Flags: in-litmus? → in-litmus+
(In reply to comment #18) > Verified on Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) > Gecko/20081028 Minefield/3.1b2pre, and latest Mac trunk. ... > Report malware url: Not sure how to trigger this one. Yeah, that one needs bug 388446. Should have mentioned that, sorry.
One nit: on clickthrough page, Help -> shows "Report Web Forgery" and not "This isn't a web forgery" as it does on the notification bar. Similar would be expected regarding malware post bug 388446 (hmm malware part should probably wait till mentioned bug is fixed).
Can I persuade you to file that as a separate bug? We should fix that, but it might be a little tricky.
Flags: blocking-firefox3.1? → blocking-firefox3.1+
Keywords: verified1.9.1
Keywords: fixed1.9.1
Attachment #344951 - Attachment is patch: true
Attachment #344951 - Attachment mime type: application/octet-stream → text/plain
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: