Closed Bug 46400 Opened 20 years ago Closed 1 year ago

Netscape servers contacted for panel options

Categories

(SeaMonkey :: Sidebar, defect)

defect
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: BenB, Unassigned)

References

Details

(Keywords: helpwanted, Whiteboard: [nsbeta3-])

Attachments

(1 file, 1 obsolete file)

Split-off from bug 37877.

------- Additional Comments From Ben Bucksch 2000-07-07 19:25 -------

[...] I seem to
be fed by a Netscape server with panel opens (not just panel contents). My
custom, direct from cvs Mozilla build shows as panel options:

 What's Related
 Search
 Bookmarks
Lieblinge [(extremely bad translation of "Favorites" into German)]
  ConSors Discount-Broker
  DAB Online Brokerage
  eBay Germany
  investorworld
  lastminute.com
  TicketOnline
My Netscape Network
  Gesamtes Netzwerk
 International

I get not hit searching for "consors" on our CVS rep, so this data must be
fetched from the net. The localized content suggests an embedding in the
Netscape Network. So, this bug got security-relevant.

Please, I am here to work. I don't want to be snooped, nor distracted by
commercial stuff. If you need to test network-fetched content,
- provide an option to disable it
- set up test cases on mozilla.org servers, not Netscape servers
*before* you check it into the tree and enable it.



------- Additional Comments From Ben Bucksch 2000-07-07 19:26 -------

BTW: I wrote this *after* I took a deep breath :).



------- Additional Comments From dveditz@netscape.com 2000-07-25 10:41 -------

[...]
We should consider what might need to be done from a privacy standpoint for 
PR3. The panel list should only be requested when you try to customize, and if 
you don't have any netscape-hosted panels there shouldn't ever be a request to 
netscape.com for anything. If you think the sidebar is pinging netscape.com 
when all you have is mozilla.org panels then we've got a problem I'm interested 
in but it should be filed as a separate bug. Assign that to me for now if you 
like since I'm the manager of some privacy-related stuff like cookies.
Blocks: 44845
CC'ing various others who might be interested, and nominating for nsbeta3, at 
least we should look and see what's really going on. We don't need another 
SmartDownload.

Contacting Netscape for the panel list when you customize is certainly 
reasonable (and hopefully the customization service is a pref setting that 
could be pointed elsewhere), but if you had no netscape.com panels in your 
sidebar we shouldn't ever ping netscape.com

What about the default panels like "What's Related"? Is it "obvious" they're 
there and that they need to contact Netcenter to do what they do, or is it 
another potential PR disaster?
No longer blocks: 44845
I may have stomped on changes from Ben. The collision detector said the 
"blocks" field was all he changed and it seemed easier to just add that than 
redo all my edits. Sorry if you also made other changes (and if you did we 
should file a bug on bugzilla's collision detector).
Blocks: 44845
What an irony:
<quote src="http://home.netscape.com/browsers/6/su_setup.html">
My Sidebar is yours
</quote>
reassigning to morse to check the privacy implications since he is doing 
similar work already. This is an investigatory meta bug, the "+" is not 
authorizing code changes, and this bug itself can be closed when the 
investigation is complete (spawning new bugs if any changes are necessary).
Keywords: meta, nsbeta3
Whiteboard: nsbeta3+
(didn't actually reassign, oops)
Assignee: dveditz → morse
Status: NEW → ASSIGNED
Target Milestone: --- → M18
I'm not completely understanding something here.  Are you saying that merely 
bringing up the sidebar but not clicking on any of its contents will cause a 
ping to netcenter?  Using a sniffer I'm not seeing that at all.  Or do I have to 
click on some content in the sidebar to effect the ping?  If so, which one?
Target Milestone: M18 → ---
I don't know, that's why it needs investigating :-)

Who does it ping and when?  If the sidebar's closed it'd better be nobody. If 
the sidebar is open (as it is by default) does it ping netscape? When tabs are 
loaded does it ping netscape? When you select a non-Netscape tab does it ping 
Netscape?

This needs to be tested in a commercial build moreso than in Mozilla.
You have to "Customize" or "Add" panels.
To be clear: Some of the contents you see in the customize dialog (i.e. the
available panels) are fetched from Netscape servers.

> this bug itself can be closed when the investigation is complete

Please please this bug open as tracking bug until the issue raised here are
resolved.
I have no problem with Mozilla hitting netscape servers when you choose 
customize. Netscape is providing a sidebar service and so far no one else is. 
There is a pref to change sidebar servers once there is an alternative, so 
maybe what you want instead is to create a different bug saying 1) mozilla.org 
should provide a sidebar service, and 2) the pref should be changed to that by 
default.

The privacy issue is if we're hitting the sidebar (or other Netscape) server at 
times other than when a user makes an explicit action that they can reasonably 
expect is getting data from the net.
Daniel, I certainly do *not* expect the browser to hit the net, if I choose
"Customize Sidebar".

1. I want an option to turn off all hits to the net.
2. I want Mozilla to never hit Netscape servers unless I explicitly say "go to
Netscape" (e.g. through urlbar or links).

If mozilla.org doesn't provide a sidebar service, then turn it off by default.
In answer to the questions raised, here is the pinging when using the sidebar 
in the commercial product:

Bring up sidepanel itself does not cause any pings.

By default the CNN tab is opened.  That causes some pings to netcenter to get 
the content.

Similarly when you open the stocks tab.

Opening the buddylist tab or search tab does not do any pinging (signing on to 
the buddy list or using the search will do pinging as expected).

Similarly opening the what's-related tab on a blank screen does not do any 
pinging.
When "customize sidebar" is selected, there are several pings to netscape to get 
information on what panels are available.
Now for mozilla product.  By default the bookmark tab comes up open.  Bringing 
up the sidebar panel and the resulting open bookmark panel does not cause any 
pinging.

Customize sidebar does ping netcenter, just as was done in the commercial 
product, because netcenter is currently the only provider of customized content.
Setting the nsbeta3- to get off the beta3 radar.
Whiteboard: nsbeta3+ → nsbeta3-
Target Milestone: --- → M20
> Customize sidebar does ping netcenter

Yes, this is the bug.

requesting fix for ASAP.
Whiteboard: nsbeta3-
Thanks, Steve, for looking into this.

Resetting to [nsbeta3-], which means only that it isn't important for Netscape 
to fix this before the *Netscape* beta. If you find a non-netscape person to do 
it feel free to reassign.

Reassigning to slamm to change the pref in Mozilla to some non-Netscape sidebar 
server should one ever be created. Created bug 49367 (set up a mozilla.org 
sidebar server) as a blocker of this one.
Assignee: morse → slamm
Status: ASSIGNED → NEW
Depends on: 49367
Summary: [PRIVACY] Netscape servers contacted for panel options → Netscape servers contacted for panel options
Whiteboard: [nsbeta3-]
> which means only that it isn't important for Netscape 
> to fix this before the *Netscape* beta.

Netscape beta is irrelevant. In fact, this bug is irrelevant for *any* NS
product. This is a Mozilla bug.

> If you find a non-netscape person to do it feel free to reassign.

Why should non-Netscape people clean the dirt of Netscape employees?

BTW: Should be pretty easy to fix for somebody who knows the relevant line.
Exactly, this is not relevant for Netscape's release, the nsbeta3- is 
telling Steve it ranks lower in priority than his nsbeta3+ bugs. Since he 
is a Netscape employee that makes a lot of sense, don't you think?

Ben, it turns out lots of non-Netscape mozilla developers think Netscape's 
sidebar service is useful, at least the ones who use the sidebar. If you don't 
use the sidebar then what does it matter what happens if you customize it?

I doubt "Netscape" gives a fig whether Mozilla points at the netscape server. 
If the mozilla community would rather set up their own server or even have the 
feature go dark then go for it. But you are the only person I've heard complain 
about this. Netscape obviously isn't going to spend effort creating a 
second alternate sidebar service ("why are you spending time doing X when you 
could be fixing the browser faster instead?" is a constant complaint), *you* 
aren't offering to create one, *no* one has shown any interest in creating one. 
So you'd rather we just turn the thing off?

I'm sure mozilla.org folks would be happy to turn the pref off if you can 
demonstrate that a majority of mozilla developers want it turned off. Maybe you 
can lobby someone on IRC to start a discussion at the mozilla conference here 
on 8/18 (tomorrow), or start one in a newsgroup.
Keywords: meta
If I'm alone with this opinion, I will mark this WONTFIX and shut up. Would
still be nice, if somebody could tell me how I can prevent my local Mozilla to
contact Netscape servers.
That's easy (and easy to find in lxr), change the 
"sidebar.customize.all_panels.url" pref in all.js

Don't know what would happen if you set that to nothing, might be safer to 
point at a valid, if empty, all-panels.rdf file locally using a resource: URL. 
Also don't know if the code would choke if it couldn't find the %LOCALE% or 
%SIDEBAR_VERSION% tokens to replace, but those would presumably be bugs if it 
couldn't.
> (and easy to find in lxr)

Not if you don't know what to search for.

> change the "sidebar.customize.all_panels.url" pref in all.js

Thanks.

> Don't know what would happen if you set that to nothing

Nothing, i.e. only local panels are listed, just what I want.

Taking bug, easy to fix. (Assuming it won't be WONTFIX.)
Assignee: slamm → mozilla
I'm tempted to just remove the dynamic listing from Mozilla completely (i.e. set
the pref to null). Mozilla ships with some local panels, which will still be
listed, and others can be added via links (see tinderbox). Engineers working on
this can set their prefs to point to Netscape servers.
Blocks: 14532
Status: NEW → ASSIGNED
Keywords: approval, review
Target Milestone: M20 → M18
Attached patch Fix, version 1. (obsolete) — Splinter Review
The only problem that I have with this is that we are loosing the ability to
easily test Mozilla's ability to download rdf off the net from the sidebar.
Quality is Job One.  Ben, are you offering to host another default RDF
datasource for testing?
I've thought about this a little more.  I really want to see testing for the
networking in place.  How about a dialog that pops up that asks you if you want
to download the rdf with a button that asks if you ever want to be asked again?
 That sounds like a reasonable comprimise that lets users choose their own level
of security and still allows testing.  Ben, does that sound reasonable?
> we are loosing the ability to
> easily test Mozilla's ability to download rdf off the net from the sidebar

Netscape engineers/Qa propably uses Netscape builds anyway, and they can have
the pref enabled. Even if not, they can enabled it in their default pref.

I sincerely doubt that individuals working on/testing Mozilla will want to test
this feature. It is mostly an ad space (just like Netscape's default bookmarks)
IMO.

> How about a dialog that pops up that asks you if you want
> to download the rdf with a button that asks if you ever want to be asked
> again?

Sounds good, any volunters? Until we have that, I'd like to disable it. Don't
make network queries without my explicit request.
CC'ing Brendan to get Mr. Mozilla's perspective

While I would much rather have a non-commercial sidebar server than Netscape's 
in the mozilla build, it would be *extremely* presumptious of you to 
unilaterally turn off this feature entirely without feedback from the mozilla 
community and mozilla.org staff. There are people--non-Netscape people--who 
*like* this feature, and the repository at sidebar.netscape.com is a pretty big 
one full of interesting stuff (Slashdot, Segfault, Hacker News Network, Perl 
News, BetaNews.com, and of course commercial sites like CNN and Wired).

This discussion needs to move out of the dark corners of this bug and into a 
newsgroup before any change is made. If you had an alternate sidebar server 
that'd be one thing, but if the choice is between Netscape's server and nothing 
then the people who want nothing can just not click on the customize button. Or 
put the pref discussed above in their prefs.js
I think we should definitely change how this works.  First, let me say that I do
use some of the sidebars that download from netscape, namely CNN and a few other
news sites.  I think the problem here though is that it is not obvious that
clicking on customize sidebar is going to contact some server on the internet.
I think that until we have a mozilla.org sidebar server the netscape sidebars
should be available.  But, you should have to click a button that says "Download
additional sidebar panels from Netscape" in the Customize Sidebar UI.  It
shouldn't just automatically do it.  This could cause major PR problems.  If you
don't believe me just look at the recent AOL/NS SmartDownload fiasco.
Someone want to come up with a patch that does what David proposes, and confirms
that the user wants to download additional sidebar panels?  Until then, I see no
reason to change things.  It would be foolish to remove all panels until a
mozilla.org server is set up.  Sidebar would rust, bugs would not be found, etc.

/be
> it would be *extremely* presumptious of you to unilaterally turn off this
> feature entirely without feedback from the mozilla community and mozilla.org
> staff.

This wasn't my intention.


> and the repository at sidebar.netscape.com is a pretty big
> one full of interesting stuff (Slashdot, Segfault, Hacker News Network, Perl
> News, BetaNews.com, and of course commercial sites like CNN and Wired).

Interesting. I see *none* of these. See the inital descriptiobn for the complete
list I saw.

> then the people who want nothing can just not click on the customize button

No, this is not an option. I must be able to explore Mozilla without being
scared that it does something I don't want it to do.

Anyway, how do I *remove* "What's related" from the fly-out-list, if not via
"Customize Sidebar"?

> It would be foolish to remove all panels until a mozilla.org server is set up.
> Sidebar would rust, bugs would not be found, etc.

Mozilla *ships* with some panels.


IMO, this feature doesn't fit into the free Internet world, which is
distributed. This feature is AOL(-AIM)-like, where a central server provides
(nearly) all available options - control by a single company.

I don't see evidance that the user can specify more than one panel list
provider. Also, there is no UI to change the server.

IMO, shipping with some integrated panels and giving the option to add more via
links on the websites which provide the panels is just fine.

I agree that this should be discussed on a newsgroup first. Which one?
Blocks: 47778
This bug does not depend on bug 47778. I have an empty string as sidebar
provider url, and never got such an error msg (which is correct). Removing
dependency.
No longer blocks: 47778
Target Milestone: M18 → ---
asa, I think this is that sidebar panels load from netscape site bug we were 
looking for...
Filed bug 52997 about adding UI to change the panel list provider.
Keywords: approval, review
Marking blocking bug 37877 [yes it's not a clean block, but it could be argued 
that it might regress and reopen that unless it is fixed].

endico: weren't we going to have a directory on dmoz or something?
Blocks: 37877
Keywords: helpwanted
timeless, if anything, the depedancy is the other way around. If there is no
Netscape content in the sidebar, the sidebar won't query netscape.com anymore.
Removing depending bug.
No longer blocks: 37877
Changing personal priorities. Giving away most of my bugs :-( (reassigning to
default owner).

I will still track these bugs closely. If you need my input, feel free to ask me.

New owner: Please do *not* close these bugs (as WONTFIX or whatever you may
find) unless they are fixed. Rather, reassign to <nobody@mozilla.org>, if you
don't want to work on them.
Assignee: mozilla → matt
Status: ASSIGNED → NEW
spam : changing qa to sujay (New Sidebar QA)
QA Contact: shrir → sujay
-> nobody@mozilla.org
Assignee: matt → nobody
-> Future.
Target Milestone: --- → Future
Attachment #13161 - Attachment description: Fix, version 1. Please r=. → Fix, version 1.
Attachment #13161 - Attachment is obsolete: true
Hi Ben,

you are NOT the only one bothered by this. If not for privacy reasons (which I
consider not so grave in this case) then for PR reasons: It may make a scandal
that Mozilla phones home to Netscape (by the way: why does Mozilla try to act as
a SERVER directly after the installation?).

I would prefer if this contacting Netscape could be switched off somewhere in
the settings (and maybe be switched off as a default in Mozilla, since it is not
Netscape).

By the way: I do use the sidebar - but for bookmarks only - so, why should
Netscape be contacted when I configure the sidebar?

Regards

Andreas
Product: Browser → Seamonkey
Has this been fixed in later edits to the file? Is this still an issue?
If so, please update this bug.
QA Contact: sujay → sidebar
Priority: P3 → --
Target Milestone: Future → ---

No activity for 13 years, let's close it.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.